We would like to create a software for the automated creation of routes for the school buses. We would use Google Maps api to create the individual routes to pass on addresses of the students (without names) to these api. What should we pay attention to?
You should pay attention to Google Maps API privacy notice, you should inform your user (school bus drivers) about geo-localization data and, of course, keep security measures about student’s address which are data (they may be considered as sensitive data under Article 9 GDPR in case they refer to minors). Pseudonymization or anonymization technique could help to increase security.
I would recommend doing a Data Protection Impact Assessment (DPIA) under Article 35 GDPR in order to verify how the software will impact personal data and whether there is any risk for the freedom and rights of individuals involved arising from the processing of their data (bus drivers and students).
The Article 29 Working Party is a group of experts issued by the EU Commission in order to help controllers to comply with GDPR in the early stage. Now its functions have been transferred to the European Data Protection Board (EDPB). The Article 29 Working Party developed in 2018 Guidelines on Data Protection Impact Assessment (DPIA) https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=611236