Every carrier thinks it doesn't handle sensitive personal data — until it looks at its own tracking dashboard. Each dot on the map is the real-time location of an individual. Each driver has a driver's license, tax ID, working hours, telemetry biometrics and, quite often, health data from toxicology testing. Each shipper customer hands over contacts, addresses and, in the last mile, the name and phone number of the final recipient. The LGPD made no exception for the sector: it applies end to end across your chain.
This is an actionable checklist — not a summary of the law. It covers the six points an operations director needs to resolve: map where personal data lives, justify each processing activity with a legal basis, assess risk where the risk is high (tracking falls here), define retention, lock down technical security and have a response plan for when something leaks. Privacy by design, not by patch.
Why a carrier is a sensitive LGPD case
The sector concentrates precisely the categories the ANPD watches most closely. It's worth understanding what you already process, even without realizing it:
- Geolocation of individuals. Vehicle tracking (SASCAR, Autotrac, Omnilink, Onixsat, Cobli, Geotab) doesn't track a truck — it tracks the driver driving the truck. Continuous location of an identified person is personal data, and the movement history reveals patterns of life.
- Driver data. Tax ID, driver's license, photo, working hours, behavioral telemetry (braking, speed, fatigue) and, in toxicology tests and the occupational health certificate, sensitive personal health data — which has its own, stricter rules.
- Customer and recipient data. In B2B you have the shipper's contacts; in the last mile, the name, address and phone number of people who never hired you directly.
- Image and voice. Cabin cameras (DMS/ADAS), gatehouse footage and call center recordings.
Add to this the fact that this data doesn't sit still: it moves between the telemetry equipment, the TMS (RODOPAR), the ERP (SAP, TOTVS, Sankhya, Omie) and spreadsheets along the way. Each hop is a point where compliance can break.
1. Map where personal data lives
You can't protect what you can't see. The first item — and the one most companies skip — is the personal data inventory (the ROPA, the record of processing activities). For each flow, answer:
- What data? Tax ID, driver's license, location, telemetry, recipient contact.
- Whose? Driver, customer, recipient, applicant.
- Where does it live? Tracking platform, TMS, ERP, BI, and — be honest — which spreadsheets and emails.
- For how long? And who has read access?
- Where does it go? Sharing with insurer, shipper, ANTT, risk manager, integrators.
In practice, the blind spot is almost always the integration: the data that leaves SASCAR and lands in RODOPAR through a script nobody documented, or the BI report someone exports to WhatsApp. Mapping is also the moment to eliminate what doesn't need to exist — the spreadsheet along the way is, at once, an operational risk and an LGPD risk.
2. Define the legal basis for each processing activity
Every processing activity needs a legal basis among the ten in Article 7. The common mistake is to rest everything on consent — which is fragile, revocable and, in the context of an employment relationship, legally questionable. For a carrier, the bases that actually sustain the operation are usually:
- Contract performance — tracking the cargo and processing recipient data to complete the delivery.
- Legal/regulatory obligation — ANTT, tax and labor requirements.
- Legitimate interest — asset security, cargo theft prevention, fleet management. Here the rule is clear: legitimate interest requires a documented balancing test (LIA), showing that the purpose doesn't override the driver's rights.
- Protection of life — in emergency situations (accident, vehicle hijacking).
Sensitive health data (toxicology, occupational health certificate) has its own set of rules and, as a rule, cannot rest on legitimate interest. Mapping the correct basis for each flow is what separates a solid defense from a fine.
3. Run a DPIA where the risk is high
The Data Protection Impact Assessment (DPIA / RIPD) is your written risk assessment. It isn't required for everything — it's required (and strongly recommended) when the processing is high-risk. In a carrier, this lights up for:
- Systematic and continuous monitoring of driver location.
- Behavioral telemetry and fatigue cameras that infer a person's state.
- Processing of sensitive health data at scale.
A good DPIA describes the processing, assesses necessity and proportionality, lists the risks to the data subject and — most importantly — records the mitigation measures. It's the document the ANPD asks for first in an audit. Having it ready before the incident is worth more than any pretty policy in the website footer.
4. Establish a retention and disposal policy
Personal data is not a dead archive: keeping it beyond its purpose is, in itself, a violation. The principle is necessity — keep it for as long as needed, then delete or anonymize. Define a clear period per category:
- Tracking history — how long does point-by-point location need to exist? After the operational/legal period, aggregate or anonymize.
- Data of non-hired applicants — dispose of it after the process, unless there's consent for a talent pool.
- Data of former drivers — retain only what labor legislation requires; delete the rest.
Ideally, disposal is automatic, executed by the system itself — from collection to disposal, without depending on someone remembering to delete a spreadsheet. Keeping data "just in case" is exactly the opposite of privacy by design.
5. Lock down technical security
The LGPD requires technical and administrative measures "capable of protecting" the data. Translated to the operation:
- Role-based access control. Whoever operates the yard doesn't need to see every driver's location history. Least privilege, always.
- Encryption in transit and at rest — including in the integrations between tracker, TMS and ERP.
- Logs and audit trail. Knowing who accessed what and when isn't a luxury: it's what proves diligence in an audit.
- Anonymization and pseudonymization in BI and test environments — the metrics dashboard rarely needs the tax ID.
- Vendor management (processors). The tracking platform and the integrator are processors; the contract must set out the protection obligations. Responsibility doesn't end at your door.
This is where security and data governance meet — and where a pentest reveals what a policy on paper can't see.
6. Have an incident response plan
A leak isn't a remote hypothesis; it's a matter of when. The LGPD requires you to notify the ANPD and the data subjects within a reasonable time when the incident may create relevant risk. Without a plan, the company improvises at the worst moment. The minimum:
- Who alerts whom — a clear flow between IT, legal, the data protection officer and leadership.
- A named and published data protection officer (DPO) — a visible contact channel for the data subject to exercise their rights.
- A notification template ready, so you don't draft under pressure.
- The ability to identify the scope — which data subjects and which data were affected. Without the inventory from item 1, this is impossible.
The six items support each other: mapping feeds the DPIA, security protects what was mapped, and the response plan only works if you know what you have. It's a system, not a loose list of tasks.
How Meta Dados handles this in practice
A carrier's compliance almost always stalls at the same point: the personal data is scattered across the tracker, TMS, ERP and spreadsheets, and no one has the full map. It's exactly the terrain where we combine two fronts — integration engineering and cybersecurity.
Our security method is born of scientific training (USP Doctorate, ITA Engineering) and the Israeli school of offensive cybersecurity (Ben-Gurion): we test the operation the way an attacker would, before they test it for you. On the data front, we do the mapping (ROPA), the legal basis definition, the DPIA for high-risk flows, the retention policy with automated disposal and the technical hardening of the integrations — including the end of spreadsheets along the way. Privacy by design, not by patch.
It starts with a free assessment in 48 hours: we look at your real personal data flows and point out where the concrete risk lies — no vague promises, with evidence that leadership understands.
Frequently asked questions
Does a carrier really need to comply with the LGPD?
Yes, and it's among the most exposed sectors. Tracking is geolocation of individuals, and driver data includes sensitive health information (toxicology test, occupational health certificate). The LGPD applies from the shipper to the final recipient, with no sector exception.
Is driver tracking considered personal data under the LGPD?
Yes. The continuous location of an identified person is personal data, and the movement history reveals patterns of life. Because it's systematic monitoring, it usually requires a legitimate-interest legal basis with a documented balancing test and, in many cases, a DPIA.
Can I use legitimate interest to track my fleet?
Generally yes, for asset security and cargo theft prevention. But legitimate interest isn't automatic: it requires a written balancing test (LIA) showing that the purpose doesn't override the driver's rights, along with transparency about the monitoring.
How long can I keep the tracking history?
Only for as long as necessary for the purpose and any legal obligations. There's no single period in the law — you define it per category and document it. Once the period has passed, the recommendation is to anonymize or aggregate the location history, rather than keeping it identified just in case.
What is a DPIA and is a carrier required to do one?
A DPIA (or RIPD) is the impact report that assesses the risk of a processing activity and records the mitigation measures. It's strongly recommended and frequently required for high-risk processing — such as the continuous monitoring of drivers and the processing of health data. It's the first document the ANPD asks for in an audit.
How long does it take to bring a carrier into LGPD compliance?
It depends on maturity and the number of integrated systems, but the initial assessment is ready in 48 hours and shows where the concrete risks are. Compliance is usually phased — starting with the mapping and the highest-risk flows — without stopping the operation.