LGPD compliance with location data

— Brazilian Tax & Compliance Specialist

Published: 8/28/2025 • Last reviewed: 6/13/2026 • 6 min read

Understand how to ensure LGPD compliance when collecting location data for reimbursement.


What data privacy law changes about location tracking

Brazil's LGPD (Lei nº 13.709/2018), like the GDPR in Europe and the CCPA in California, sets strict rules for collecting and using personal data, and location information falls squarely within that scope.[^lgpd-anpd-20] When a company tracks routes by GPS for mileage reimbursement, it begins handling data that reveals where an employee was, at what times, and how often.

For that reason, GPS-based reimbursement is not just an operational matter: it is also a privacy matter. Treating this data with the same rigor applied to financial information protects both the company and the employee and helps avoid regulatory penalties.

Explicit consent is the starting point

Companies should obtain explicit consent from employees before collecting GPS data. Under the LGPD, consent must be free, informed, unambiguous, and given for a specific purpose: the employee should understand exactly what they are authorizing, be able to decline without retaliation, and be able to withdraw consent later. Because of the power imbalance in an employment relationship, the "free" part matters most, so the consent flow must work the same whether the employee says yes or no.

Quilometragem implements a clear consent notice that explains what data will be collected, for what purpose, and how long it will be retained. Rather than a generic clause buried in a contract, the ideal is to present the information directly at the moment tracking is activated.

Purpose limitation and data minimization

Privacy law requires that data be collected for legitimate and specific purposes. In the case of reimbursement, the purpose is to verify the distance driven for business—and nothing more. Collecting location outside working hours or during personal trips exceeds the declared purpose.

The principle of minimization calls for collecting only what is necessary. A good system lets the employee start and stop tracking per trip, avoiding continuous and unnecessary monitoring throughout the day.

Secure storage and access control

Location data must be stored securely, encrypted both in transit and at rest. In practice that means TLS between the app and the servers, so the information is protected while it travels across the network, and encrypted storage on the server side, with the keys kept separate from the data they protect.

Access must be restricted, on a least-privilege basis, to the people who actually need it: the managers who approve reimbursements and the finance team. Role-based permissions tied to named accounts, rather than shared logins, keep that list short and enforceable. The fewer people with access, the lower the risk of a leak or misuse of the information.

Data subject rights in practice

Employees have the right to confirm that their data is being processed, to access it, to request corrections, and to have it deleted when there is no longer a retention need. Handling these requests cannot be a slow, bureaucratic process: the LGPD gives the company 15 days for a complete response to an access request (Art. 19), and the response must be effective, not a form letter.

Implement clear processes to receive and respond to these requests. A defined channel, with a named owner, demonstrates that the company takes data subject rights seriously and makes it easier to prove compliance during any inspection.

Records, auditing, and accountability

Maintain records of all data processing operations, including audit logs that show who accessed which information and when. That trail is fundamental to the principle of accountability set out in privacy law.

In the event of an inspection, you will need to demonstrate compliance with all privacy principles. Having documented policies, archived consent notices, and organized logs turns a potentially stressful audit into a controlled process.
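The minimization, access-control, data-subject-rights, and audit sections above describe controls rather than code. The following Python module is an added illustration of how those controls fit together in one data store; it is not Quilometragem's code, and every name in it (TripStore, Role, AuditEvent, the retention period, the sample coordinates) is hypothetical. Points outside an active trip are never stored, approvers and finance see a distance summary rather than the raw route, the employee can export their own points, every read attempt (allowed or refused) is logged, and expired trips are purged with a log entry.

```python
import math
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, List, Optional

# Added example, not Quilometragem's code. All names and values are hypothetical.


class Role(Enum):
    EMPLOYEE = "employee"   # the data subject
    APPROVER = "approver"   # manager approving reimbursements
    FINANCE = "finance"     # finance team
    OTHER = "other"         # everyone else: no access to location data


READ_ROLES = {Role.APPROVER, Role.FINANCE}


@dataclass(frozen=True)
class Point:
    ts: datetime
    lat: float
    lon: float


@dataclass
class Trip:
    trip_id: str
    employee: str
    started: datetime
    ended: Optional[datetime] = None
    points: List[Point] = field(default_factory=list)


@dataclass(frozen=True)
class AuditEvent:
    ts: datetime
    actor: str
    action: str
    employee: str   # whose data was touched
    trip_id: str
    allowed: bool


def haversine_km(a: Point, b: Point) -> float:
    """Great-circle distance between two GPS points, in kilometres."""
    dlat = math.radians(b.lat - a.lat)
    dlon = math.radians(b.lon - a.lon)
    h = (math.sin(dlat / 2) ** 2
         + math.cos(math.radians(a.lat)) * math.cos(math.radians(b.lat))
         * math.sin(dlon / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


class TripStore:
    RETENTION = timedelta(days=5 * 365)   # hypothetical; take it from the written policy

    def __init__(self) -> None:
        self.trips: Dict[str, Trip] = {}
        self.audit: List[AuditEvent] = []

    def _log(self, now, actor, action, employee, trip_id, allowed) -> None:
        self.audit.append(AuditEvent(now, actor, action, employee, trip_id, allowed))

    def start_trip(self, employee: str, trip_id: str, now: datetime) -> Trip:
        trip = Trip(trip_id, employee, now)
        self.trips[trip_id] = trip
        self._log(now, employee, "start_trip", employee, trip_id, True)
        return trip

    def stop_trip(self, trip_id: str, now: datetime) -> None:
        trip = self.trips[trip_id]
        trip.ended = now
        self._log(now, trip.employee, "stop_trip", trip.employee, trip_id, True)

    def record_point(self, trip_id: str, p: Point) -> bool:
        """Purpose limitation: a point is kept only while the trip is active."""
        trip = self.trips[trip_id]
        active = trip.started <= p.ts and (trip.ended is None or p.ts <= trip.ended)
        if active:
            trip.points.append(p)
        return active

    def read_trip(self, actor: str, role: Role, trip_id: str, now: datetime) -> dict:
        """Least privilege with an audit trail: the employee gets the full route,
        approvers and finance get only the summary a reimbursement needs,
        everyone else is refused. Every attempt is logged, allowed or not."""
        trip = self.trips[trip_id]
        is_owner = role is Role.EMPLOYEE and actor == trip.employee
        allowed = is_owner or role in READ_ROLES
        self._log(now, actor, "read_trip", trip.employee, trip_id, allowed)
        if not allowed:
            raise PermissionError(f"{actor} ({role.value}) may not read trip {trip_id}")
        pts = trip.points
        summary = {
            "trip_id": trip_id, "employee": trip.employee,
            "started": trip.started, "ended": trip.ended,
            "distance_km": round(sum(haversine_km(a, b) for a, b in zip(pts, pts[1:])), 3),
        }
        if is_owner:
            summary["points"] = list(pts)   # right of access: the subject sees everything
        return summary

    def purge_expired(self, now: datetime) -> List[str]:
        """Retention: delete trips older than RETENTION and log each deletion."""
        expired = [t.trip_id for t in self.trips.values()
                   if t.ended is not None and t.ended + self.RETENTION < now]
        for trip_id in expired:
            employee = self.trips.pop(trip_id).employee
            self._log(now, "retention-job", "purge_trip", employee, trip_id, True)
        return expired
```

The audit list is deliberately append-only from the store's point of view; in a real deployment it would go to a separate, write-once log that the people with read access to trips cannot edit, otherwise the trail cannot support the accountability the law expects.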

How Quilometragem helps maintain compliance

Quilometragem was designed with privacy in mind: clear consent, encryption, access control, and organized export to Clara. The employee retains control over when tracking is active, and the company receives only the data needed to approve reimbursement.

The combination of the right technology and well-defined processes is what sustains compliance day to day. A secure tool without a clear policy, or a policy without a tool, leaves gaps. Addressing both together is the safest path to handling location data responsibly.

It also pays to revisit compliance periodically rather than treating it as a one-time setup. Regulations evolve, teams change, and new use cases emerge, so a process that was compliant last year may need updates. Scheduling a regular review of consent language, retention periods, and access lists keeps the program current and signals to employees that their privacy is taken seriously over the long term.

[^lgpd-anpd-20]: LGPD — Lei nº 13.709/2018
[^anpd-orientacao-20]: ANPD — Orientações sobre tratamento de dados