Industry Insights

GDPR and nDSG Compliance for Logistics Software: Practical Guide

Driver GPS tracking, customer delivery records, and route data are all personal data under GDPR and Swiss nDSG. Here's what compliance requires in practice for logistics operators.

Dr. Klaus Bauer · Data Protection & Compliance Lead
October 27, 20257 min read

GDPR and nDSG Compliance for Logistics Software: Practical Guide

Logistics operations generate significant personal data: driver locations, delivery recipient names and addresses, vehicle telemetry, and customer contact data. Under EU GDPR and Swiss nDSG (revised Federal Act on Data Protection, effective September 2023), this data must be handled lawfully.

This guide explains the compliance requirements in practical terms — not legal theory.

What Data in Logistics Is Personal Data

Employee/driver data:

  • GPS location data (personal data as it identifies where a specific person is)
  • Working hours and route logs
  • Performance metrics (deliveries per hour, speeding incidents, brake behavior)
  • Vehicle inspection records linked to a specific driver

Customer data:

  • Delivery recipient name and address
  • Phone number (for delivery notifications)
  • Email address (for POD/invoice delivery)
  • Delivery history and preferences

Operational data (often overlooked):

  • CCTV footage in vehicles or warehouses (if individuals are identifiable)
  • Signature capture at delivery (contains biometric-adjacent data)
  • Voice recordings from dispatch radio/calls

Key GDPR/nDSG Compliance Requirements

1. Lawful Basis for Processing

Every data processing activity must have a lawful basis. For logistics:

Driver GPS tracking: Lawful basis is legitimate interest (operational necessity, vehicle security) OR employment contract (if tracking is explicitly in the employment agreement). Swiss nDSG aligns with GDPR on this.

Customer delivery data: Contractual necessity (you need the address to deliver). Straightforward.

Performance metrics from telematics: This is where operators often have problems. Using telematics data to evaluate driver performance requires explicit employee notice in Switzerland and either consent or legitimate interest documentation under GDPR.

2. Data Minimization

Collect only what's necessary. Examples of excessive data collection in logistics:

  • Storing continuous GPS pings at 5-second intervals for 3 years (monthly aggregates are sufficient for billing and audit)
  • Recording in-cab audio continuously (only record incidents if required by insurance)
  • Retaining full customer delivery histories indefinitely (most contracts specify 7-year retention for VAT compliance, then delete)

3. Retention Limits

Swiss nDSG and GDPR both require defined retention periods:

Data Type Recommended Retention
GPS route data 90 days operational; 7 years for billing audit
POD signatures/photos 7 years (VAT/legal evidence)
Driver performance logs 12 months rolling
Customer contact data Duration of business relationship + 2 years
Incident data (accidents) Duration of insurance/legal proceedings

Configure your logistics software to auto-delete beyond defined retention periods.

4. Data Subject Rights

Under both GDPR and nDSG, individuals can request:

  • Access: All data you hold about them
  • Correction: Fix inaccurate data
  • Deletion: Delete data where no legal retention obligation exists
  • Portability: Provide data in machine-readable format

For logistics operators:

  • Drivers can request their GPS history, performance logs, and any disciplinary records derived from data
  • Customers can request their delivery history and contact data

You must respond within 30 days (nDSG) / one month (GDPR). Your software must be able to export per-person data sets quickly.

5. Data Processing Agreements (DPAs)

If your logistics software vendor processes personal data on your behalf (cloud hosting, ML analytics), you need a signed DPA. This is mandatory under both GDPR Article 28 and nDSG.

Key DPA requirements:

  • Data location: EU/EEA or CH for Swiss operators
  • Sub-processor list and notification procedure
  • Security measures specification
  • Breach notification timeline (72 hours to authority)

6. Employee Notification Requirements

Under Swiss nDSG and GDPR, employees must be informed about:

  • What data is collected (GPS, telematics, performance metrics)
  • Purpose of collection
  • Retention period
  • Their rights

This must be in writing, ideally as a specific data privacy notice in the employment contract or a standalone document. "Notice" in a general privacy policy that employees don't specifically acknowledge is not sufficient.

7. Cross-Border Data Transfers

For Swiss operators working with EU or non-EU software vendors:

  • Data transfers from Switzerland to EU: treated as adequate under Swiss law (EU has adequacy decision for CH)
  • Data transfers from Switzerland to non-EU countries (US, India): requires standard contractual clauses (SCCs) or other safeguards
  • Check your software vendor's data transfer documentation

Swiss nDSG-Specific Requirements

Switzerland's revised nDSG (effective September 1, 2023) introduced requirements not in the old DSG:

  1. Privacy by design and by default: Software configurations must default to privacy-protective settings. Opt-out model required (not opt-in) for data collection beyond what's strictly necessary.
  1. Data Protection Impact Assessment (DPIA): Required for high-risk processing including systematic employee monitoring. Driver GPS tracking typically triggers DPIA requirement.
  1. Data breach notification: Report to FDPIC (Federal Data Protection and Information Commissioner) within 72 hours if breach likely causes "high risk" to persons.
  1. No profiling without clear legal basis: Automated driver scoring based on telematics data is profiling under nDSG — requires either consent or documented legitimate interest.

Practical Compliance Checklist for Logistics Operators

  • [ ] Written privacy notice for all drivers (covering GPS, telematics, performance data)
  • [ ] Data retention schedule configured in logistics software
  • [ ] DPA signed with software vendor
  • [ ] Process for handling data subject access requests (target: 30-day turnaround)
  • [ ] Data minimization audit: are you collecting more than necessary?
  • [ ] DPIA completed for driver monitoring
  • [ ] Cross-border transfer documentation (if using non-EU SaaS)
  • [ ] Incident response plan for data breaches

8Move and Data Compliance

8Move Fleet Planner, 8Move Driver Pro, and 8Move BackOffice are designed for Swiss data compliance:

  • Data hosted in Swiss/EU data centers
  • Configurable retention periods per data type
  • Per-person data export for subject access requests
  • DPA available for all enterprise customers
  • Privacy-by-default settings in all modules

FAQ

Is driver GPS tracking legal in Switzerland?

Yes, with proper notice to employees and lawful basis documentation (legitimate interest or employment contract clause). Continuous tracking without employee knowledge is not permitted.

What happens if we have a data breach in our logistics software?

Under nDSG: report to FDPIC within 72 hours if the breach creates high risk to persons. Notify affected individuals if required. Document the breach internally regardless.

Do we need a data protection officer (DPO)?

Under GDPR: mandatory for certain high-risk processors. Under Swiss nDSG: not mandatory, but a designated data protection contact is recommended for companies processing significant personal data.

Can we use US-based cloud logistics software?

Yes, but you need Standard Contractual Clauses (SCCs) between the EU/CH entity and the US vendor, plus a Transfer Impact Assessment under current GDPR guidance. Some US vendors have EU subsidiaries that process EU/CH data — verify the data flow.

Frequently Asked Questions

See Also

Blog