Many companies track their employees in the field. Few do so in a legally compliant manner.
The Data Protection Authority has already fined companies for geolocation systems operating without a privacy notice, without documented consent, or with data retained for longer than necessary. Fines can reach up to €20 million or 4% of global turnover.
The problem isn’t the technology. It’s not knowing exactly what you’re allowed to do, how to document it, and how to respond if someone asks for an explanation.
This guide answers the questions every business owner should ask themselves before activating any tracking system.
Is it legal to track employees using GPS?
Yes, but under specific conditions.
The GDPR (EU Regulation 2016/679) and the Italian Privacy Code (Legislative Decree 196/2003, updated by Legislative Decree 101/2018) do not prohibit the geolocation of employees. They permit it when:
- there is a valid legal basis (employment contract, documented legitimate interest, or explicit consent where applicable)
- the employee is informed clearly and in advance — mandatory information notice pursuant to Article 13 of the GDPR
- the data is processed only for the stated purposes (verification of attendance in the field, security, operational optimisation)
- the data is not retained for longer than is strictly necessary
- the system complies with the principle of data minimisation: it collects only what is necessary, nothing more
Please note: the employee’s consent alone is not sufficient if the employment relationship creates an imbalance of power. The Data Protection Authority has clarified that in many contexts the correct legal basis is not consent, but the performance of the contract or a legitimate interest — documented and proportionate.
The most common mistakes (and the ones that cost the most)
1. Missing or generic privacy notice
It is not enough to write “we use GPS” in the contract. The privacy notice must specify the purposes, legal basis, retention periods and the data subject’s rights.
2. Continuous tracking even outside working hours
A system that records location 24 hours a day, including during leisure time, is unlawful. Tracking must be limited to working hours and, where possible, must be deactivatable by the employee when off duty.
3. Failure to notify trade union representatives or the Labour Inspectorate
In many cases, the introduction of remote monitoring systems requires trade union agreement or authorisation from the Labour Inspectorate (Article 4 of the Workers’ Statute). Bypassing this step exposes the employer to criminal penalties, not just administrative ones.
4. Data used for undeclared disciplinary monitoring
If you use GPS data to challenge lateness or absences without having declared this in the privacy notice, you are processing the data for a purpose other than that communicated. This constitutes a direct breach of the GDPR.
5. Unlimited data retention
Location data must be deleted in accordance with a defined retention policy. “We keep it for as long as we need it” is not an acceptable response during an audit.
Are you using a geolocation system for your field staff?
GeoTapp has been designed to be GDPR-compliant by design: it tracks only during working hours, generates tamper-proof reports and does not collect unnecessary data.
The real issue isn’t tracking, but proving it
Many companies think that installing a GPS app solves everything. It doesn’t.
GPS tells you where an employee was. It doesn’t tell you what they did. It doesn’t provide evidence that stands up to a challenge — from a customer, an employee, or a regulatory body.
Consider these real-life scenarios:
- A customer claims the service wasn’t carried out. You have the GPS showing the operator was there. He says he was sitting in the car. How do you prove it?
- An employee contests a disciplinary action. They claim they were present and working. You only have a GPS coordinate. That’s not enough.
- The Labour Inspectorate requests attendance records for the last six months. Your data is in a consumer app with no structured export option. How do you respond?
Geolocation for its own sake is just data. Verifiable evidence is something else: it combines GPS position, timestamps, georeferenced photos and a digital signature on the report, all within a system that cannot be altered after the event.
The difference between “I tracked it” and “I can prove it” is what matters when things go wrong.
GeoTapp does not replace a GPS app. It introduces a higher level: certification of the work carried out. Every job leaves a trail that includes where, when, who, and what — verifiable, exportable, defensible.
What to do now to comply
A practical, not theoretical, checklist:
- Check your privacy policy — does it include geolocation among the purposes of processing? Does it have an explicit legal basis?
- Check if a trade union agreement is required — if you use GPS for remote monitoring, Article 4 of the Workers’ Statute applies
- Define a retention policy — how long do you keep location data? Is this documented anywhere?
- Ensure the system switches off outside working hours — or at least that the reason why it does not is documented
- Prepare a record of processing activities — mandatory for companies that systematically process employee data
Frequently asked questions
Is it legal to track employees using GPS?
Yes, provided there is a valid legal basis, the employee is informed via a specific notice under Article 13 of the GDPR, and the tracking is limited to working hours and the stated purposes. It is not automatically lawful simply because it is written in the contract.
Is the employee’s consent required?
It depends. In many work contexts, consent is not the correct legal basis, because the employment relationship renders it non-voluntary. The most appropriate legal basis is often the performance of the contract or the company’s legitimate interest, which must be documented and proportionate.
What happens if the Labour Inspectorate carries out an inspection?
They must find: an up-to-date privacy notice, a documented legal basis, any trade union agreement or authorisation (if the system is considered remote monitoring), a defined data retention policy, and an up-to-date record of processing activities. In the absence of any of these elements, penalties range from formal warnings to fines of up to €20 million.
Does GPS count as ‘remote monitoring’ under Article 4 of the Workers’ Statute?
It depends on how it is used. If the system is also used to verify the performance of work duties — and not just for organisational or safety purposes — the Data Protection Authority and case law tend to consider it a remote monitoring system. In that case, an agreement with the trade union representatives or authorisation from the Labour Inspectorate is required.
Can I use GPS data to take disciplinary action against an employee?
Only if this purpose is explicitly stated in the privacy notice and the system documentation. Using the data for a purpose other than that communicated is a direct breach of the GDPR.
Do you want a system that complies with the GDPR and generates verifiable evidence of the work carried out?
GeoTapp is used by cleaning, maintenance and logistics companies to certify every job carried out in the field — in a legally defensible manner.
How to Communicate Geolocation to Your Team Without Creating Resistance
Regulations are one thing; corporate culture is another. Even with a fully compliant GDPR policy, the introduction of geolocation can generate resistance if it isn’t communicated in the right way. Employees who fear surveillance aren’t being irrational — they’re right to wonder how their data will be used. The way you present the system determines whether it’s accepted calmly or experienced as oppressive control.
The most effective message is one that highlights the benefits for the employees themselves. GPS clocking in and out objectively records their hours — no one can accuse them of non-existent lateness or of leaving early. The photo report documents their work and protects them from clients who might dispute services that were actually provided. Privacy is guaranteed: the system records location only at clock-in times; it does not monitor movements between sites.
GDPR Documentation Ready for Any Audit
Having a proper geolocation policy is not enough — you must also be able to demonstrate compliance in the event of an audit by the Data Protection Authority or an employee’s appeal. With GeoTapp, the necessary documentation is already built into the system. The consent form is digitally signed upon the employee’s onboarding and automatically archived. The processing register updates automatically. Geolocation data is retained for the periods required by law and automatically deleted upon expiry.
You don’t need a dedicated DPO to manage all this — GeoTapp has been designed for SMEs without an in-house legal department. The default settings are already compliant with the Italian GDPR, and the system automatically generates the documentation you need to demonstrate that compliance. It’s the difference between being compliant ‘on paper’ and being able to prove it in ten minutes if someone asks you to.
Geolocation and the GDPR: what the Data Protection Authority’s guidelines say
The Data Protection Authority’s guidelines on geolocation specify that the processing of employees’ location data is permitted only if strictly necessary for the stated purposes. The principle of data minimisation requires that only essential data be collected: start and end-of-shift coordinates are legitimate; continuous tracking every few seconds is not — unless there are specific, documented and proportionate requirements.
The GDPR on employee geolocation stipulates that the employer cannot rely on the employee’s consent as the sole legal basis: the employment relationship renders consent potentially non-free. The correct legal basis is almost always the performance of the employment contract or legitimate interest — both of which must be documented in the Record of Processing Activities pursuant to Article 30 of the GDPR.
In summary, the three cumulative conditions that the Data Protection Authority verifies during an inspection:
- A complete privacy notice pursuant to Article 13 of the GDPR provided prior to the system’s activation
- Documented legal basis (contract, legitimate interest or trade union agreement for monitoring systems)
- Proportionality: the data collected must be limited to what is necessary for the stated purpose
Guidelines from the Data Protection Authority on the geolocation of workers
The Data Protection Authority has published specific guidelines on the geolocation of workers via GPS. The main provisions state that an employer may collect employees’ location data only for purposes related to work performance, with adequate prior notification and — in cases where the GPS device involves remote monitoring of work activities — subject to a trade union agreement or authorisation from the Labour Inspectorate pursuant to Article 4 of the Workers’ Statute.
The Authority’s guidelines also require that the data collected be limited to what is necessary (principle of data minimisation) and retained for no longer than is strictly necessary. GeoTapp is designed to meet these requirements: GPS tracking is active only during working hours, information is provided via forms included in the platform, and data is managed in accordance with retention policies compliant with the GDPR.
Employee geolocation via smartphone: what changes in practice
Geolocation via a company smartphone or BYOD (the employee’s personal device) follows the same rules as vehicle GPS, but with some practical differences. If you use an app installed on an employee’s smartphone to track their location, you must:
- Provide a clear privacy notice describing the purposes, methods and duration of the processing
- Check whether the monitoring constitutes remote monitoring under Article 4 of the Workers’ Statute (if so, a trade union agreement or INL authorisation is required)
- Ensure that tracking is active only during working hours — never outside working hours
- Use technical tools that prevent data collection outside working hours
GeoTapp TimeTracker meets these requirements by design: the employee activates the clock-in manually, the GPS records only the coordinates of the clock-in point (not the continuous route), and the system does not collect data outside working hours. Pre-filled GDPR forms are included in the platform.
Picture the next inspection on a Tuesday afternoon, the compliance folder already inside.
Set up a clock-in that complies by design. Fourteen days, no card.
No credit card, up and running in 2 minutes.






