By FleetSuppliers Editorial Team · Updated 20 June 2026

Is vehicle tracking legal in the UK?
The short answer is yes: vehicle tracking is legal. Fitting telematics or GPS devices to vehicles you own or operate is lawful across the UK, and thousands of fleets do it every day to manage fuel, safety, routing and duty of care. The qualification matters more than the headline, though. Because a tracker collects location data that can be linked to an identifiable driver, you are processing personal data the moment an employee gets behind the wheel. That pulls the whole exercise inside data protection law, and lawful use depends on meeting a defined set of conditions rather than simply buying hardware and switching it on.
From a procurement standpoint, the practical question is not whether you may track, but whether you can demonstrate you are tracking responsibly. Regulators expect evidence, not good intentions.
The legal framework: UK GDPR and the Data Protection Act
Two instruments sit at the heart of the UK vehicle tracking law that buyers need to understand. The UK GDPR sets out the principles for handling personal data, and the Data Protection Act 2018 tailors those rules for domestic use. Together they require that any data you gather from a vehicle is handled fairly, kept to what you genuinely need, held no longer than necessary and protected against loss or misuse.
Several principles bear directly on telematics:
- Lawfulness and fairness - you need a valid reason to process location data and must not use it in ways drivers would find unexpected.
- Purpose limitation - data captured for route efficiency should not quietly become a tool for unrelated disciplinary fishing expeditions.
- Data minimisation - collect what the stated purpose requires, not everything a device is technically capable of recording.
- Accountability - you must be able to show how and why you comply, with documentation to back it up.
Throughout, the governing principle of GDPR compliance for vehicle tracking is proportionality: the intrusion has to be justified by the business benefit.
Legitimate interest and the DPIA
Most fleet operators rely on legitimate interests as their lawful basis rather than consent. To use it, you carry out a balancing exercise that weighs your operational need against the privacy impact on drivers, and you document the outcome. Typical legitimate interests include protecting lone or mobile workers, safeguarding valuable assets, verifying service delivery and meeting insurance or duty-of-care obligations.
Because location monitoring is considered higher risk, a Data Protection Impact Assessment (DPIA) is strongly expected before you deploy. A DPIA forces you to describe what you are collecting, why, what could go wrong for the individual and what safeguards reduce that risk. It is also one of the first documents a regulator will ask to see, so treating it as a procurement deliverable rather than an afterthought protects the organisation.
Transparency: telling your drivers
Covert tracking of staff is a serious compliance failure in all but the rarest, narrowly evidenced circumstances. The expectation under UK law on tracking employees is openness. Before a device starts reporting, drivers should know it exists, understand what it records, learn how that information will be used and be told who to approach with questions or objections.
In practice this means a clear tracking or telematics policy, ideally referenced in employment documentation, plus a privacy notice written in plain language. Consultation matters too: involving drivers, and any recognised representatives, early tends to reduce friction and demonstrates the fairness regulators look for. Transparency is not a box-ticking nicety here - it is the difference between a defensible programme and an unlawful one.
Private use, out-of-hours and privacy mode
The picture changes the instant a vehicle is used personally. Where employees drive company vehicles outside working hours, or where grey-fleet and pool arrangements blur the line, continuous tracking can capture journeys that are none of the employer's business. Monitoring someone's movements on a weekend trip is rarely justifiable and quickly becomes disproportionate.
This is where a privacy mode earns its place. A privacy or out-of-hours switch lets the driver suspend location reporting during personal use while the system still logs the data the employer legitimately needs, such as overall mileage for tax purposes. Building this capability into your specification at the buying stage is far easier than retrofitting it after a complaint.
Data retention, security and consent vs legitimate interest
Two further duties round out a compliant deployment. First, retention: telematics data should be kept only as long as the purpose requires, then deleted on a defined schedule, rather than accumulating indefinitely. Second, security: location records are sensitive, so access should be restricted to those who need it, transmissions encrypted and the supplier's storage arrangements scrutinised.
On the consent question, it is worth being clear why most fleets avoid relying on it. In an employment relationship the power imbalance means consent is rarely considered freely given, and it can be withdrawn at any time, which would leave your monitoring without a basis overnight. Legitimate interests, properly assessed and documented, is generally the more robust footing. The table below summarises the contrast.
| Factor | Consent | Legitimate interest |
| --- | --- | --- |
| Suitability for staff | Often weak due to power imbalance | Usually the stronger basis |
| Can be withdrawn | Yes, at any time | Subject to objection, not withdrawal |
| Documentation needed | Records of consent | Balancing test plus DPIA |
How a good supplier helps you stay compliant
The right supplier should make compliance easier, not harder. When you compare providers, look beyond price to the features that keep you on the right side of UK vehicle tracking law. Strong candidates offer configurable privacy modes, granular access permissions, encryption, clear retention controls and template policy or privacy-notice wording you can adapt. A supplier who can explain how their platform supports your DPIA, and who treats data protection as a shared responsibility, is signalling maturity.
Comparing several suppliers side by side is the most reliable way to judge this. It lets you test how each handles private-use journeys, where data is stored, what reporting drivers can see about themselves and how easily information can be deleted on request.
Best-practice compliance checklist
- Confirm and document your lawful basis, usually legitimate interests.
- Complete a DPIA before any device goes live.
- Publish a clear tracking policy and a plain-language privacy notice.
- Tell drivers openly and consult them and their representatives.
- Provide a privacy or out-of-hours mode for personal journeys.
- Set and enforce a defined data-retention schedule.
- Restrict access and ensure data is encrypted and securely stored.
- Review your approach periodically as duties and operations change.
This article is general guidance for procurement purposes and is not legal advice; consult a qualified professional about your specific circumstances.






