GDPR + LGPD: cross-border GPS data on driver mileage

— Colombian Tax Specialist (DIAN)

Published: 4/24/2026 • Last reviewed: 4/24/2026 • 8 min read

When a driver crosses borders, two data-protection regimes meet. How to handle it.

The cross-border problem

A Brazilian sales rep based in São Paulo drives to Buenos Aires for a client meeting. Their employer's mileage app records GPS coordinates throughout the trip. Whose data-protection rules apply?

For employers operating in multiple countries — even just one trip per year — this question matters. Getting it wrong creates:

- LGPD penalties of up to 2% of the group's revenue in Brazil in the previous year, capped at R$50 million per infraction (Art. 52).
- GDPR penalties of up to 4% of worldwide annual turnover or €20 million, whichever is higher (Art. 83).
- Civil claims from the employee.
- Reputational cost if the location data is breached.

The good news: the regimes overlap heavily. The bad news: the differences are sharp on a few specific issues that recur in cross-border mileage.

The basics: where each regime applies

**LGPD** (Brazil, Lei 13.709/2018): applies to processing in Brazil, processing of data collected in Brazil, or processing for offering goods/services to people in Brazil — regardless of the controller's location.

**GDPR** (EU): applies to processing in the EU, processing by an EU-established controller, or processing for offering goods/services to people in the EU or monitoring their behavior in the EU.

For a Brazilian rep driving in Argentina: Argentina has its own data-protection law (Ley 25.326), but of the two regimes discussed here only LGPD applies. The GPS fixes are collected in Argentina, yet the processing is carried out in Brazil by a Brazilian controller (Art. 3-I), which is enough to bring the whole trip under LGPD.

For a Brazilian rep driving in Portugal (EU): LGPD applies because the Brazilian employer processes the data in Brazil (Art. 3-I), and GDPR is engaged because the employer is monitoring the behaviour of a person who is physically in the EU (Art. 3(2)(b)). GDPR has no 'collected in the EU' trigger of its own; the monitoring clause is what brings it in. Both regimes apply concurrently.

For an employee of a Spanish company driving in Brazil: GDPR applies because the controller is established in the EU (Art. 3(1)), and LGPD applies because the data is collected in Brazil (Art. 3-III).

Where the regimes diverge

Legal basis for tracking

- **LGPD**: 'execution of a contract' (Art. 7-V) is a strong basis for mileage tracking; 'legitimate interest' (Art. 7-IX) requires the documented balancing of Art. 10, and the ANPD may demand a Data Protection Impact Assessment (RIPD) for it (Art. 10 §3).
- **GDPR**: the same two bases (Art. 6(1)(b) 'performance of a contract', Art. 6(1)(f) 'legitimate interests'), but the *necessity* test is stricter. The Article 29 Working Party's Opinion 2/2017 on data processing at work (endorsed by the EDPB) says employees who may use a company vehicle privately should be able to switch tracking off outside working hours; tracking outside the work day is not necessary for the employment contract and cannot rest on Art. 6(1)(b).

In practice, both regimes accept performance of contract for *work-hours* tracking. Both reject performance of contract for *24/7* tracking, requiring legitimate interest with a heavy balancing test.

Cross-border transfer

- **LGPD**: international transfers from Brazil (Art. 33) may rely on (a) a country or body the ANPD recognises as providing adequate protection, (b) standard contractual clauses approved by the ANPD, (c) the data subject's specific and highlighted consent, or other listed tools; the ANPD's transfer regulation and model clauses are in Resolução CD/ANPD 19/2024. Check the ANPD's current adequacy recognitions before relying on (a).
- **GDPR**: international transfers from the EU (Chapter V) require (a) an adequacy decision (none covers Brazil yet; talks have been under way for years), (b) Standard Contractual Clauses, (c) Binding Corporate Rules, or another Art. 46 safeguard.

For a Brazilian employer storing the trip data in a Brazilian cloud and processing it in Brazil, no transfer mechanism is needed even when the trip itself crossed into the EU. Under the EDPB's Guidelines 05/2021 on the interplay of Art. 3 and Chapter V, data collected directly from a data subject in the EU by a non-EU controller is not a 'transfer': there is no EU-based exporter. GDPR may still apply to the processing itself via Art. 3(2)(b), but transfer mechanisms are not the lever.

The cleanest approach: use a controller-to-processor agreement that includes both LGPD and GDPR clauses, with Standard Contractual Clauses where transfer is involved.

Subject access

- **LGPD**: 15 days for the full declaration in response to an access request (Art. 19-II).
- **GDPR**: 1 month, extendable by a further 2 months for complex or numerous requests (Art. 12(3)).

Design the access process to meet the *shorter* deadline (LGPD's 15 days) for any cross-jurisdiction employee. This satisfies both regimes.

Breach notification

- **LGPD**: 3 business days to notify the ANPD and the affected data subjects when the incident can cause relevant risk or harm (Resolução CD/ANPD 15/2024, implementing Art. 48).
- **GDPR**: 72 hours to the supervisory authority (Art. 33), and without undue delay to data subjects when the risk to them is high (Art. 34).

Design the breach response to meet 72 hours: it is the stricter clock, because 72 hours can run out over a weekend while 3 business days cannot. LGPD Art. 48 itself only says 'reasonable time'; the ANPD resolution turns that into a firm 3-business-day outer bound.

Special categories

Location data combined with timing can reveal sensitive information (visits to a hospital → health; visits to a religious site → religion). Both regimes treat sensitive data as restricted.

- **LGPD** Art. 11 requires specific and highlighted consent or one of a narrower set of bases for sensitive data.
- **GDPR** Art. 9 requires explicit consent or one of nine narrow exceptions (Art. 9(2)(b)-(j)).

In practice, mileage trackers should be configured so that the raw visit-level location data from which such inferences could be drawn is never retained: keep the distance, drop the destination. The driver's 'personal mode' (post 109) is the operational defense.
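A minimal data-minimising ingestion filter that implements the work-hours rule from the legal-basis section and the 'personal mode' defense just described, as an added example (not code from the original post or from any mileage app it describes). It assumes a hypothetical fix format (UTC timestamp, latitude, longitude), a per-driver work window in the driver's local timezone and driver-toggled personal-mode intervals; the sample fixes are constructed. Only fixes inside the work window and outside personal mode contribute to the mileage, and what is retained is the per-trip distance, not the coordinates, so a hospital or church visit cannot be read back out of the stored record.

```python
"""Data-minimising GPS ingestion for a mileage tracker (added example).

Hypothetical assumptions: fixes arrive as (UTC timestamp, lat, lon); each driver
has a work window in local time and may toggle 'personal mode' intervals.
Fixes outside the window or inside personal mode are never used; the stored
record is distance per trip, not coordinates.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class Fix:
    ts: datetime  # timezone-aware UTC
    lat: float
    lon: float


@dataclass(frozen=True)
class Policy:
    tz: timezone                                      # driver's local timezone
    work_start: time                                  # inclusive, local time
    work_end: time                                    # exclusive, local time
    personal: tuple[tuple[datetime, datetime], ...]   # driver-toggled [start, end) in UTC


def retained(fix: Fix, policy: Policy) -> bool:
    """True only if the fix is inside the work window and not in personal mode."""
    local = fix.ts.astimezone(policy.tz).time()
    if not (policy.work_start <= local < policy.work_end):
        return False
    return not any(start <= fix.ts < end for start, end in policy.personal)


def haversine_km(a: Fix, b: Fix) -> float:
    """Great-circle distance between two fixes, Earth radius 6371 km."""
    dlat = radians(b.lat - a.lat)
    dlon = radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def summarise(fixes, policy: Policy, max_gap: timedelta = timedelta(minutes=15)) -> list[dict]:
    """Collapse retained fixes into trip records holding start, end, km and fix count.

    A gap longer than max_gap (including one created by dropped fixes) starts a
    new trip, so distance is never computed across a personal-mode segment.
    Coordinates are not copied into the output.
    """
    kept = sorted((f for f in fixes if retained(f, policy)), key=lambda f: f.ts)
    trips: list[dict] = []
    prev: Fix | None = None
    for f in kept:
        if prev is None or f.ts - prev.ts > max_gap:
            trips.append({"start": f.ts, "end": f.ts, "km": 0.0, "fixes": 1})
        else:
            trips[-1]["km"] += haversine_km(prev, f)
            trips[-1]["end"] = f.ts
            trips[-1]["fixes"] += 1
        prev = f
    return trips


# Constructed sample: a São Paulo driver (UTC-3, no DST), work window 08:00-18:00 local.
SAO_PAULO = timezone(timedelta(hours=-3))
_d = datetime(2026, 4, 20, tzinfo=timezone.utc)

SAMPLE_POLICY = Policy(
    tz=SAO_PAULO,
    work_start=time(8, 0),
    work_end=time(18, 0),
    personal=((_d.replace(hour=12, minute=25), _d.replace(hour=12, minute=45)),),
)

SAMPLE_FIXES = [
    Fix(_d.replace(hour=12, minute=0), -23.5505, -46.6333),   # 09:00 local, trip 1
    Fix(_d.replace(hour=12, minute=10), -23.5600, -46.6500),
    Fix(_d.replace(hour=12, minute=20), -23.5700, -46.6700),
    Fix(_d.replace(hour=12, minute=30), -23.5800, -46.6900),  # personal mode: dropped
    Fix(_d.replace(hour=12, minute=50), -23.5900, -46.7100),  # gap > 15 min: trip 2
    Fix(_d.replace(hour=13, minute=0), -23.6000, -46.7300),
    Fix(_d.replace(hour=22, minute=0), -23.6100, -46.7500),   # 19:00 local: dropped
    Fix((_d + timedelta(days=1)).replace(hour=3), -23.6200, -46.7700),  # 00:00 local: dropped
]

if __name__ == "__main__":
    for t in summarise(SAMPLE_FIXES, SAMPLE_POLICY):
        print(f"{t['start'].isoformat()} -> {t['end'].isoformat()}: "
              f"{t['km']:.2f} km over {t['fixes']} fixes")
```

Two design points matter here. The filter runs before storage, so rejected fixes never reach the database and there is nothing to delete later. And splitting trips on gaps means the personal-mode segment leaves no distance trace either, which is what keeps the 'visit to a hospital' inference out of the retained record.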

A practical cross-border policy

For companies with cross-border drivers, the workable policy is:

1. **Single global privacy notice** that lists both LGPD and GDPR rights, with the shorter deadline (15 days) and the stricter breach window (72 hours).
2. **One legal basis per processing activity**: performance of contract for work-hours tracking; legitimate interest with a documented assessment for any extended tracking.
3. **Personal mode** that drivers can activate freely.
4. **Data residency**: store the data primarily in the country of the employer's main establishment; document data flows and any transfer mechanisms.
5. **One subject-access workflow**: handles both LGPD and GDPR requests with the same 15-day SLA.
6. **One breach response plan**: 72-hour notification to the relevant authorities (ANPD, the EU supervisor where applicable).
7. **DPIA / RIPD that covers both**: a single document that satisfies the two regimes, refreshed annually.

Vendor selection

When choosing a mileage app for cross-border use, check:

- Hosting region (drives the transfer-mechanism analysis).
- Sub-processor list (each sub-processor in a third country needs its own transfer safeguard, typically Standard Contractual Clauses).
- Encryption in transit (TLS 1.2+ minimum) and at rest (AES-256).
- Granular permission controls so that each team sees only its own drivers' data.
- Configurable retention, set separately for the two kinds of record: the mileage summaries that support tax deductions follow the Brazilian 5-year tax window, while GDPR's storage-limitation principle (Art. 5(1)(e)) sets no fixed period and argues for deleting raw GPS fixes as soon as the distance has been computed.

Common cross-border mistakes

1. Storing EU-collected data in a US cloud with no transfer mechanism. Privacy Shield was struck down in Schrems II (2020); today that means the EU-US Data Privacy Framework (for certified importers) or Standard Contractual Clauses with a transfer impact assessment.
2. Issuing a single privacy notice that mentions only the local regime and hides the other.
3. Relying on employee 'consent' as the legal basis: consent is rarely freely given inside an employment relationship, and both regimes treat it with suspicion there.
4. Logging detailed visit-level data, including GPS coordinates, outside the work day.
5. No documented DPIA / RIPD for the cross-border setup.

Bottom line

Cross-border mileage tracking is a manageable problem when you build to the *stricter* of the two regimes on each issue: 15-day access response, 72-hour breach notification, work-hours-only tracking, and a single DPIA/RIPD covering both. The vendor stack matters more than the policy text — pick a mileage app with proper hosting controls, sub-processor transparency, and granular permissions, and most of the cross-border work disappears.
