Employee geolocation: what the GDPR says and what you can do (practical guide)
Attendance management · 18 March 2026

Mike Petraroli

Reading time: 9 min

Many companies track their employees in the field. Few do so in a legally compliant manner.

The Data Protection Authority has already fined companies for geolocation systems operating without a privacy notice, without documented consent, or with data retained for longer than necessary. Fines can reach up to €20 million or 4% of global turnover.

The problem isn’t the technology. It’s not knowing exactly what you’re allowed to do, how to document it, and how to respond if someone asks for an explanation.

This guide answers the questions every business owner should ask themselves before activating any tracking system.

Yes, but under specific conditions.

The GDPR (EU Regulation 2016/679) and the Italian Privacy Code (Legislative Decree 196/2003, updated by Legislative Decree 101/2018) do not prohibit the geolocation of employees. They permit it when:

  • there is a valid legal basis (employment contract, documented legitimate interest, or explicit consent where applicable)
  • the employee is informed clearly and in advance — mandatory information notice pursuant to Article 13 of the GDPR
  • the data is processed only for the stated purposes (verification of attendance in the field, security, operational optimisation)
  • the data is not retained for longer than is strictly necessary
  • the system complies with the principle of data minimisation: it collects only what is necessary, nothing more

Please note: the employee’s consent alone is not sufficient if the employment relationship creates an imbalance of power. The Data Protection Authority has clarified that in many contexts the correct legal basis is not consent, but the performance of the contract or a legitimate interest — documented and proportionate.

The most common mistakes (and the ones that cost the most)

1. Missing or generic privacy notice
It is not enough to write “we use GPS” in the contract. The privacy notice must specify the purposes, legal basis, retention periods and the data subject’s rights.

2. Continuous tracking even outside working hours
A system that records location 24 hours a day, including during leisure time, is unlawful. Tracking must be limited to working hours and, where possible, must be deactivatable by the employee when off duty.

3. Failure to notify trade union representatives or the Labour Inspectorate
In many cases, the introduction of remote monitoring systems requires trade union agreement or authorisation from the Labour Inspectorate (Article 4 of the Workers’ Statute). Bypassing this step exposes the employer to criminal penalties, not just administrative ones.

4. Data used for undeclared disciplinary monitoring
If you use GPS data to challenge lateness or absences without having declared this in the privacy notice, you are processing the data for a purpose other than that communicated. This constitutes a direct breach of the GDPR.

5. Unlimited data retention
Location data must be deleted in accordance with a defined retention policy. “We keep it for as long as we need it” is not an acceptable response during an audit.

Are you using a geolocation system for your field staff?

GeoTapp has been designed to be GDPR-compliant by design: it tracks only during working hours, generates tamper-proof reports and does not collect unnecessary data.


The real issue isn’t tracking, but proving it

Many companies think that installing a GPS app solves everything. It doesn’t.

GPS tells you where an employee was. It doesn’t tell you what they did. It doesn’t provide evidence that stands up to a challenge — from a customer, an employee, or a regulatory body.

Consider these real-life scenarios:

  • A customer claims the service wasn’t carried out. You have the GPS showing the operator was there. He says he was sitting in the car. How do you prove it?
  • An employee contests a disciplinary action. They claim they were present and working. You only have a GPS coordinate. That’s not enough.
  • The Labour Inspectorate requests attendance records for the last six months. Your data is in a consumer app with no structured export option. How do you respond?

Geolocation for its own sake is just data. Verifiable evidence is something else: it combines GPS position, timestamps, georeferenced photos and a digital signature on the report, all within a system that cannot be altered after the event.

The difference between “I tracked it” and “I can prove it” is what matters when things go wrong.

GeoTapp does not replace a GPS app. It introduces a higher level: certification of the work carried out. Every job leaves a trail that includes where, when, who, and what — verifiable, exportable, defensible.

What to do now to comply

A practical, not theoretical, checklist:

  1. Check your privacy policy — does it include geolocation among the purposes of processing? Does it have an explicit legal basis?
  2. Check if a trade union agreement is required — if you use GPS for remote monitoring, Article 4 of the Workers’ Statute applies
  3. Define a retention policy — how long do you keep location data? Is this documented anywhere?
  4. Ensure the system switches off outside working hours — or at least that the reason why it does not is documented
  5. Prepare a record of processing activities — mandatory for companies that systematically process employee data

Frequently asked questions

Yes, provided there is a valid legal basis, the employee is informed via a specific notice under Article 13 of the GDPR, and the tracking is limited to working hours and the stated purposes. It is not automatically lawful simply because it is written in the contract.

It depends. In many work contexts, consent is not the correct legal basis, because the employment relationship renders it non-voluntary. The most appropriate legal basis is often the performance of the contract or the company’s legitimate interest, which must be documented and proportionate.

What happens if the Labour Inspectorate carries out an inspection?

They must find: an up-to-date privacy notice, a documented legal basis, any trade union agreement or authorisation (if the system is considered remote monitoring), a defined data retention policy, and an up-to-date record of processing activities. In the absence of any of these elements, penalties range from formal warnings to fines of up to €20 million.

Does GPS count as ‘remote monitoring’ under Article 4 of the Workers’ Statute?

It depends on how it is used. If the system is also used to verify the performance of work duties — and not just for organisational or safety purposes — the Data Protection Authority and case law tend to consider it a remote monitoring system. In that case, an agreement with the trade union representatives or authorisation from the Labour Inspectorate is required.

Can I use GPS data to take disciplinary action against an employee?

Only if this purpose is explicitly stated in the privacy notice and the system documentation. Using the data for a purpose other than that communicated is a direct breach of the GDPR.

Do you want a system that complies with the GDPR and generates verifiable evidence of the work carried out?

GeoTapp is used by cleaning, maintenance and logistics companies to certify every job carried out in the field — in a legally defensible manner.


How to Communicate Geolocation to Your Team Without Creating Resistance

Regulations are one thing; corporate culture is another. Even with a fully compliant GDPR policy, the introduction of geolocation can generate resistance if it isn’t communicated in the right way. Employees who fear surveillance aren’t being irrational — they’re right to wonder how their data will be used. The way you present the system determines whether it’s accepted calmly or experienced as oppressive control.

The most effective message is one that highlights the benefits for the employees themselves. GPS clocking in objectively verifies their hours — no one can accuse them of non-existent lateness or of leaving early. The photo report documents their work and protects them from clients who might dispute services that were actually provided. Privacy is guaranteed: the system records location only at clock-in times; it does not monitor movements between one site and another.

GDPR Documentation Ready for Any Audit

Having a proper geolocation policy is not enough — you must also be able to demonstrate it in the event of an inspection by the Data Protection Authority or an employee’s appeal. With GeoTapp, the necessary documentation is already built into the system. The consent form is digitally signed upon the employee’s onboarding and automatically archived. The processing register updates automatically. Geolocation data is retained for the periods required by law and automatically deleted upon expiry.

You don’t need a dedicated DPO to manage all this — GeoTapp has been designed for SMEs that don’t have an in-house legal department. The default settings are already compliant with the Italian GDPR, and the system automatically generates the documentation you need to demonstrate that compliance. It’s the difference between being compliant ‘on paper’ and being able to prove it in ten minutes if someone asks you to.


Geolocation and the GDPR: what the Data Protection Authority’s guidelines say


The Data Protection Authority’s guidelines on geolocation specify that the processing of employees’ location data is permitted only if strictly necessary for the stated purposes. The principle of data minimisation requires that only essential data be collected: start and end-of-shift coordinates are legitimate; continuous tracking every few seconds is not — unless there are specific, documented and proportionate requirements.


The GDPR on employee geolocation stipulates that the employer cannot rely on the employee’s consent as the sole legal basis: the employment relationship renders consent potentially non-free. The correct legal basis is almost always the performance of the employment contract or legitimate interest — both of which must be documented in the Record of Processing Activities pursuant to Article 30 of the GDPR.


In summary, the three cumulative conditions that the Data Protection Authority verifies during an inspection:

  • A complete privacy notice pursuant to Article 13 of the GDPR provided prior to the system’s activation
  • Documented legal basis (contract, legitimate interest or trade union agreement for monitoring systems)
  • Proportionality: the data collected must be limited to what is necessary for the stated purpose

Written by Mike Petraroli, founder of GeoTapp, passionate about technology and operational management for field service companies.
