
IT Glossary


Geolocation is a technology that makes it possible to determine the location of an object or a person in space.

It can be achieved by various means, including GPS (Global Positioning System) technology, Wi-Fi, or triangulation based on the antennas of telecommunication operators.

It can also be extracted as metadata, especially from photographs.

Geolocation allows telecom providers and operators to get an intimate view of the habits and behavioral patterns of the people concerned and thus to build very precise profiles.

It is indeed possible to deduce a lot of personal data from the use of geolocation alone. For example, information can be collected about health, residence, habits, occupations, surroundings, place of worship, etc.

Geolocation can thus be part of the surveillance of a data subject, and in particular of profiling in order to predict elements concerning the personal preferences, interests, behavior and movements of this person.

In any case, as soon as geographical data from geolocation relate to an identified or identifiable natural person, their processing may be subject to the application of the GDPR.

Thus, the vehicle geolocation systems made available to employees by their employer in order to track their movements in time and space do constitute processing of personal data.

Such processing must therefore comply with certain rules and principles, which derive in particular from the GDPR, but also from the labor code.

GDPR Point

“For the purposes of this Regulation, the following definitions apply: “personal data” means any information relating to an identified or identifiable natural person (hereinafter referred to as “data subject”); an “identifiable natural person” shall be deemed to be a natural person who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier, or to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity”

Article 4.1 of the GDPR

Point of jurisprudence

The CNIL has considered that “In addition, images may contain metadata, such as geolocation metadata, which are also included in the result of a search and make it possible to complete a person’s profile.

Such a search result also makes it possible to identify the behavior of a person on the Internet, by analyzing the information that this person has chosen to put online as well as its context. Indeed, the posting of photographs online constitutes in itself a behavior of the person concerned, by reflecting choices on the level of exposure that he or she wishes to give to elements of his or her private or professional life.

Therefore, the search result that is associated with a photograph should be considered, at least in part, as a behavioral profile of the person concerned, since it contains a lot of information about that person and in particular about his or her behavior. Even if the purpose of the processing itself is not behavioral tracking, the means used to enable Clearview’s biometric identification system imply the creation of such a profile, and the processing can be considered as “linked to the tracking of the behavior” of the data subjects.”

CNIL, November 26, 2021, N° MED-2021-134

The Bouchara firm assists you in particular with:

  • Making your organization GDPR compliant;
  • The drafting of data protection policies (privacy policy, computer charter…);
  • Documentation of your processing (register of processing activities, register of violations, privacy impact analysis, prior consultation…);
  • Obtaining certifications and adhering to codes of conduct;
  • The study of the legal feasibility of the implementation of a new personal data processing;
  • The drafting and transmission of your codes of conduct to the CNIL for approval;
  • Legal analysis of the compliance of your data processing, including data transfers outside the European Economic Area;
  • Drafting and negotiating your data processing agreements (DPA);
  • Drafting your Binding Corporate Rules (BCR) and Codes of Conduct;
  • Training and awareness of your employees.

We are also the external Data Protection Officer of many data processors and subcontractors.