By Yair Knijn · July 17, 2025
The telematics data that priced the fleet became a GDPR problem the risk manager never assessed
The risk manager did the deal that every CFO loves. The insurer offered usage-based fleet cover priced on telematics, the broker plugged the box-feed straight into the underwriter, and the renewal came back several points cheaper. The wrong assumption was buried in the win: that the data flowing out was vehicle data, an operational asset of the company, free to share to get a better number. It was not. It was the driving behaviour and movements of named employees, and nobody had asked the question that turns a discount into an investigation.
The data protection officer found out when a driver filed a subject access request, then a complaint. By then the feed had been live for two renewals, with no lawful basis recorded for the drivers, no DPIA, and no transparency notice. The premium saving was real. So was the works-council grievance and the regulator's letter.
Why fleet telematics is personal data, not just vehicle data
The EDPB settled this argument in Guidelines 01/2020 on connected vehicles. Location, speed, distance and driving-behaviour signals are personal data once they can be linked to a natural person, and in a fleet they almost always can. You know which driver had which vehicle on which shift. A harsh-braking score, an idle-time log, a 22:40 position outside a customer site reads as an operational metric on the insurer's dashboard and as surveillance of a specific person to the regulator. The box does not stop being a tracker because you call it telematics.
The moment that feed leaves your boundary and reaches the underwriter, you have a second controller processing your employees' behaviour for their own pricing models. That is a data-sharing arrangement with its own legal weight, not an extension of the policy schedule.
Lawful basis, DPIA, and driver transparency for usage-based fleet cover
Three things should have existed before the first packet moved. A documented lawful basis for sharing driver data with the insurer, almost certainly legitimate interests backed by a written balancing test, not consent. A DPIA, because systematic monitoring of employees at scale is a textbook trigger under Article 35. And a transparency notice telling drivers exactly what is collected, who receives it, and why.
Consent is the trap people reach for and the one that fails. An employee asked to consent to insurer monitoring is not in a position to refuse, so the consent is not freely given and collapses under challenge. If the program only stands up because drivers "agreed," it does not stand up. Legitimate interests can carry safety and insurance use cases, but only if the balancing test is on paper before the data flows, not reconstructed after the complaint lands.
The works council / employee-consent trap in driver monitoring
In much of the EU the GDPR question arrives with a labour-law question attached. Systematic monitoring of employees frequently requires consultation or co-determination with the works council, and in some jurisdictions an agreement before you switch it on. Skip that and the exposure is not only a fine; it is a grievance that can force the monitoring off and unwind the discount that justified it. The risk manager owned the premium line and never saw the employment-law line, because the two sat in different functions and nobody mapped the data flow across both.
Structuring a telematics data flow the DPO will sign off
Treat the insurer feed as a regulated processing operation from the design stage, not a procurement nicety. Before any data moves:
- Write down the lawful basis per data category, with the legitimate-interests balancing test attached.
- Run the DPIA and have the DPO sign it, covering retention and minimisation, not just collection.
- Share the narrowest dataset that prices the risk; aggregated or pseudonymised scores often suffice where raw position trails do not.
- Issue a driver-facing transparency notice and complete works-council consultation where local law requires it.
- Put a data-sharing or controller-to-controller agreement in place with the insurer defining purpose limitation and onward use.
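The minimisation bullet above is the one step that is as much engineering as paperwork, so here is an added example of what "the narrowest dataset that prices the risk" can look like in practice. This is illustrative code written for this page, not code from the post or from FleetLedger; the event field names, the sample events, the HMAC key and the suppression threshold are all assumptions. It collapses raw box events into one scored row per vehicle per month, drops driver ids, timestamps and positions before anything leaves the fleet operator, pseudonymises the vehicle id with a key the insurer never sees, and refuses to emit a bucket that describes a single trip. Pseudonymised output is still personal data while the operator holds the key, so this narrows exposure and simplifies the DPIA; it does not remove the need for the lawful basis or the sharing agreement.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample of raw events as an on-board telematics box might emit them.
# Field names and values are assumptions for this example, not any vendor's format.
RAW_EVENTS = [
    {"vehicle": "VAN-17", "driver_id": "E1042", "ts": "2025-06-02T08:15:00Z",
     "lat": 52.3702, "lon": 4.8952, "distance_km": 12.4, "harsh_brakes": 1, "idle_s": 300},
    {"vehicle": "VAN-17", "driver_id": "E1042", "ts": "2025-06-02T17:40:00Z",
     "lat": 52.0907, "lon": 5.1214, "distance_km": 38.0, "harsh_brakes": 0, "idle_s": 120},
    {"vehicle": "VAN-17", "driver_id": "E2210", "ts": "2025-06-09T22:40:00Z",
     "lat": 51.9244, "lon": 4.4777, "distance_km": 20.1, "harsh_brakes": 2, "idle_s": 60},
    {"vehicle": "VAN-03", "driver_id": "E3115", "ts": "2025-06-11T09:05:00Z",
     "lat": 52.3702, "lon": 4.8952, "distance_km": 5.5, "harsh_brakes": 0, "idle_s": 900},
]

# Fields that must never reach the insurer: direct identifiers and the raw trail.
FORBIDDEN_FIELDS = {"driver_id", "ts", "lat", "lon"}

# Placeholder key (assumption). The fleet operator keeps it; the insurer never receives it.
PSEUDONYM_KEY = b"replace-with-a-key-from-your-secret-store"


def pseudonymise(identifier: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256, truncated) so the insurer can follow one unit across
    renewals without learning the fleet's own vehicle ids. Because the operator holds the
    key, the output is still personal data under GDPR; it is minimisation, not anonymisation."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def minimise_for_insurer(events, key, min_trips=2):
    """Collapse raw events into one scored row per vehicle per calendar month.

    Driver ids, timestamps and positions are consumed here and never copied to the
    output. Buckets with fewer than min_trips trips are suppressed so that a row can
    never describe a single shift, and therefore a single identifiable driver."""
    buckets = defaultdict(lambda: {"trips": 0, "km": 0.0, "harsh": 0, "idle_s": 0})
    for e in events:
        period = e["ts"][:7]  # YYYY-MM from the ISO timestamp; the timestamp itself is dropped
        b = buckets[(e["vehicle"], period)]
        b["trips"] += 1
        b["km"] += e["distance_km"]
        b["harsh"] += e["harsh_brakes"]
        b["idle_s"] += e["idle_s"]

    rows = []
    for (vehicle, period), b in sorted(buckets.items()):
        if b["trips"] < min_trips:
            continue  # too few trips to aggregate safely; do not share this bucket at all
        rows.append({
            "unit": pseudonymise(vehicle, key),
            "period": period,
            "trips": b["trips"],
            "km": round(b["km"], 1),
            "harsh_brakes_per_100km": round(100 * b["harsh"] / b["km"], 2),
            "idle_minutes": round(b["idle_s"] / 60, 1),
        })
    return rows


def leaks_personal_fields(rows):
    """Pre-transmission guard: returns the forbidden field names present in any row,
    so a pipeline can refuse to send the feed if a raw field ever slips through."""
    found = set()
    for r in rows:
        found |= FORBIDDEN_FIELDS & set(r)
    return sorted(found)


if __name__ == "__main__":
    shared = minimise_for_insurer(RAW_EVENTS, PSEUDONYM_KEY)
    assert not leaks_personal_fields(shared), "raw driver data would have left the boundary"
    for row in shared:
        print(row)
```

Run against the constructed sample, the month with three VAN-17 trips becomes one row of counts and rates under a pseudonymous unit id, and the single VAN-03 trip is suppressed rather than shared. The guard function belongs at the boundary, in whatever job pushes the feed to the underwriter, so that a schema change upstream cannot quietly reintroduce a position column.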
The deeper failure was structural. The fleet schedule, the telematics feed, the driver roster and the legal basis lived in four places, and no single record tied a vehicle to its driver, its data flow, and the consent and DPIA status behind it. When those records reconcile in one fleet program, the DPO can see what is shared and why before a feed goes live, and the cheap renewal stops being a liability waiting on a subject access request. That reconciliation is the work FleetLedger exists to do.