In Finland one of the first fines handed out to a water supply management company which used location data in the vehicles used by employees which is considered systematic monitoring. A DPIA should be conducted.
Taken from DLA Piper blog
Followed from a complaint made by an individual. Kymen Vesi processed location data of its employees by locating their vehicles. This location data was used to monitor the employees’ working hours.
The Data Protection Ombudsman stressed in its decision that a data controller must carry out a DPIA when the processing likely results in high risk to the rights and freedoms of data subjects. Kymen Vesi should have carried out a DPIA since the processing of location data concerned data subjects in a vulnerable position (employees) and the data was used for systematic monitoring. In reference to the criteria list set in WP29 guidelines on DPIA and determining whether processing is likely to result in high risk, the processing conducted by Kymen Vesi satisfied three of the criteria (processing of location data, data subjects in vulnerable position and systematic monitoring of data subjects) when usually a DPIA is already required when two of the criteria are satisfied.
Read the rest of the blogpost from DLA Piper blog.