Corporate Car Sharing and GDPR: What Your Fleet Software Must Handle

Corporate car sharing systems collect personal data by design: who booked which vehicle, when, for how long, how many kilometers were driven. Under GDPR, this data carries specific obligations — and the wrong software setup can create serious legal exposure.

What Data Does Corporate Car Sharing Software Process?

Before addressing compliance, identify what you’re actually collecting:

Direct personal data:

• Employee name and contact details (registration)
• Booking history (who drove what, when)
• Odometer readings tied to individual drivers
• Damage reports associated with specific drivers
• Login events and session data

Potentially sensitive operational data:

• Traffic fines (linked to driver identity)
• Incident reports
• Driver license check history and validity

Under GDPR Article 4, all of the above is personal data. Your organization is the data controller. Your fleet software vendor (if SaaS) is a data processor — and that relationship requires a Data Processing Agreement (DPA).

The Six Core GDPR Requirements for Fleet Software

1. Legal Basis for Processing (Art. 6 GDPR)

You need a valid legal basis to process employee fleet data. The most common applicable bases:

• Legitimate interest (Art. 6(1)(f)): Managing company assets and ensuring lawful vehicle use
• Legal obligation (Art. 6(1)(c)): Driver license verification under §21 StVG (Germany) and equivalent laws in other jurisdictions
• Contract (Art. 6(1)(b)): Fulfillment of employment contract terms

Document which basis applies to each processing activity. This documentation should live in your Record of Processing Activities (RoPA).

2. Purpose Limitation and Data Minimization (Art. 5)

Collect only what is necessary for the stated purpose. If the purpose is managing vehicle bookings, you don’t need real-time location tracking. If the purpose is driver license compliance, you don’t need permanent retention of all booking history.

A well-designed fleet software allows you to configure:

• Which data fields are mandatory vs. optional
• How long different data categories are retained
• What data is pseudonymized after a defined period

3. Data Subject Rights (Art. 15–22)

Employees have the right to:

• Access all personal data you hold about them (Art. 15)
• Rectification of inaccurate data (Art. 16)
• Erasure (“right to be forgotten”) (Art. 17)
• Portability of their data (Art. 20)
• Object to specific processing (Art. 21)

Your fleet software must be able to:

• Export all data for a specific individual on request
• Delete all personal data for a specific individual
• Provide data in a machine-readable format

If your SaaS vendor cannot perform these operations on demand, you are exposed to compliance risk.

4. Pseudonymization and Anonymization (Art. 25 — Data Protection by Design)

Best practice for fleet data: pseudonymize driver data after a defined retention period. Booking records become “Driver #4721 drove Vehicle X on Date Y” rather than “Thomas Müller drove Vehicle X.”

This satisfies the data minimization principle while preserving operational reports for auditability. MobilityManager implements configurable pseudonymization with user-defined retention windows.

5. Data Processing Agreement (Art. 28)

If you use a SaaS fleet management tool, the vendor processes personal data on your behalf. This legally requires a written DPA covering:

• What data is processed
• For what purpose
• What technical and organizational security measures are in place
• Subprocessor relationships
• Data breach notification procedures

If you use on-premise software, there is no data processor — your organization processes its own data on its own infrastructure. No DPA required.

6. International Data Transfers (Art. 44–49)

SaaS platforms with infrastructure outside the EU must have an appropriate transfer mechanism (Standard Contractual Clauses, adequacy decision). For German and EU organizations handling employee data, US-hosted SaaS vendors require careful scrutiny even post-Data Privacy Framework.

On-premise software eliminates this concern entirely: data never leaves your jurisdiction.

On-Premise vs SaaS: The GDPR Tradeoff

GDPR Requirement	SaaS	On-Premise
Data Processing Agreement required	✅ Yes	❌ No
Transfer mechanisms for non-EU hosting	✅ May be required	❌ Not applicable
Data residency guarantee	⚠️ Depends on contract	✅ By design
Pseudonymization configuration	⚠️ Vendor-dependent	✅ Fully configurable
Data subject request fulfillment	⚠️ Via vendor	✅ Direct database access
Works council / Betriebsrat approval	⚠️ Harder	✅ Generally easier

For organizations with a works council (Betriebsrat), an on-premise solution typically faces lower approval hurdles — because employee data stays within the organization’s control.

Practical Checklist: GDPR-Ready Fleet Software

Before deploying any fleet management software, verify:

• Record of Processing Activities (RoPA) updated with fleet data flows
• Legal basis for each data category documented
• Data Processing Agreement signed (SaaS) or confirmed unnecessary (on-premise)
• Retention periods defined and configured in software
• Pseudonymization enabled for historical booking data
• Data subject request workflow tested (export, delete, rectify)
• Works council informed and Betriebsvereinbarung drafted (if applicable)
• Privacy notice for employees updated to include fleet data processing
• Data breach notification procedure in place

Conclusion

GDPR compliance for corporate car sharing is manageable — but it requires intentional software selection and configuration. The easiest path to compliance is on-premise deployment with a software that makes pseudonymization, retention rules, and data subject requests first-class features. MobilityManager was designed with these requirements from the ground up.

30-minute demo: see MobilityManager’s GDPR features in action →