Geolocalizzazione Dipendenti e GDPR: La Guida Legale Definitiva

Many companies track employees in the field. Few do it legally correctly.

The Privacy Guarantor has already sanctioned companies for active geolocation systems without information, without documented consent, or with data stored beyond what is necessary. The penalties reach up to 20 million euros or 4% of global turnover.

The problem isn’t the technology. It’s not knowing exactly what you’re allowed to do, how to document it, and how to respond if someone asks you to account

This guide answers the questions that every business owner should ask themselves before activating any tracking system.

Contenuti

Is it legal to track employees with GPS?
The most common mistakes (and those that cost the most)
The real problem is not tracing, but proving it
What to do now to be in good standing
Frequently Asked Questions
Is it legal to track employees with GPS?
Do you need the employee’s consent?
What happens if the Labor Inspectorate checks?
Does GPS count as “remote control” under art. 4 Workers’ Statute?
Can I use GPS data to challenge an employee in a disciplinary way?
How to Communicate Geolocation to the Team Without Creating Resistance
GDPR Documentation Ready for Any Verification

Is it legal to track employees with GPS?

Yes, but with specific conditions.

The GDPR (EU Regulation 2016/679) and the Italian Privacy Code (Legislative Decree 196/2003, updated by Legislative Decree 101/2018) do not prohibit the geolocation of employees. They allow it when:

there is a valid legal basis (employment contract, legitimate documented interest, or explicit consent in the cases provided)
the employee is informed in a clear and preventive manner — mandatory information pursuant to art. 13 GDPR
the data is processed only for the stated purposes (verification of field attendance, security, operational optimization)
the data is not kept longer than is strictly necessary
the system respects the principle of minimization: it collects only what is needed, nothing more

Attention: the worker’s consent, alone, is not sufficient if the employment relationship creates an imbalance of power. The Guarantor has clarified that in many contexts the correct legal basis is not consent, but the execution of the contract or legitimate interest – documented

and proportionate.

The most common mistakes (and those that cost the most)

1. Absent or generic information It is
not enough to write ‘we use GPS’ in the contract. The information must specify the purpose, legal basis, storage times, rights of the interested party.

2. Continuous tracking even after hours
The system that records the position 24 hours a day, including free time, is illegitimate. Tracking must be limited to working hours and, where possible, can be deactivated by the off-duty employee

3. Failure to communicate to the RSA or the Inspectorate
In many cases, the introduction of remote control systems requires trade union agreement or authorization from the Labor Inspectorate (art. 4 Workers’ Statute). Skipping this step exposes you to criminal penalties, not just

administrative ones.

4. Data used for undeclared disciplinary control
If you use GPS data to contest delays or absences without having stated it in the information, you are processing the data for a purpose other than the one communicated. Direct violation of the GDPR.

5. Unlimited data storage Position
data must be deleted according to a defined retention policy. “We keep it as long as it is needed” is not an acceptable response during monitoring

Are you using a geolocation system for your field operators?

GeotApp has been designed to comply with GDPR by design: it tracks only during working hours, generates non-alterable reports and does not collect unnecessary data.

See how it works →

The real problem is not tracing, but proving it

Many companies think that installing a GPS app will solve everything. It’s not like that.

The GPS tells you where an employee was. He doesn’t tell you what he did. It doesn’t give you proof that stands up to a dispute — from the customer, the employee, or a supervisory body.

Think about these concrete scenarios:

A customer says the service didn’t run. You have the GPS showing that the operator was there. He says he was standing in the car. How do you prove it?
An employee disputes a disciplinary recall. He claims that he was there and was working. You only have one GPS coordinate. That’s not enough.
The Labor Inspectorate asks for documentation on attendance for the last six months. Your data is in a consumer app with no structured export. How do you respond?

Geolocation as an end in itself is a fact. A verifiable test is something different: it combines GPS position, time stamp, georeferenced photos, digital signature of the report, all in a system that

you cannot alter after the fact.

The difference between ‘I’ve traced it’ and ‘I can prove it’ is what counts when something goes wrong.

GeotApp is not a substitute for a GPS app. It introduces a higher level: the certification of the work performed. Every intervention leaves a trail that includes where, when, who, and what — verifiable, exportable, defensible.

What to do now to be in good standing

Operational list, not theoretical:

Check your privacy policy — does it include geolocation among the processing purposes? Does it have an explicit legal basis

Check if a union agreement is needed — if you use GPS for remote control, art. 4 Workers’ Statute applies
Define a retention policy — how long do you keep location data? Is it written somewhere?
Make sure that the system shuts down after hours — or that at least it’s documented why it doesn’t do it
Prepare a record of treatments — mandatory for companies with systematic processing of employee data

Frequently Asked Questions

Is it legal to track employees with GPS?

Yes, provided that there is a valid legal basis, that the employee is informed through appropriate information pursuant to art. 13 GDPR, and that tracking is limited to working hours and to the stated purposes. It’s not automatically legal just because it’s written in the contract.

It depends. In many work contexts, consent is not the correct legal basis, because the relationship of subordination makes it not free. The most appropriate legal basis is often the execution of the contract or the legitimate interest of the company, documented and proportionate

What happens if the Labor Inspectorate checks?

It must include: updated information, documented legal basis, possible trade union agreement or authorization (if the system is considered remote control), defined retention policy, updated record of treatments. In the absence of any of these elements, the penalties range from formal warnings to a fine of up to 20 million euros

Does GPS count as “remote control” under art. 4 Workers’ Statute?

It depends on the usage. If the system is also used to verify the fulfillment of work performance – and not only for organizational or security purposes – the Guarantor and the law tend to consider it a remote control system. In that case, you need an agreement with the RSA or authorization from the Inspectorate

Can I use GPS data to challenge an employee in a disciplinary way?

Only if this purpose is explicitly stated in the system information and documentation. Using data for a purpose other than the one communicated is a direct violation of the GDPR.

Do you want a system that complies with the GDPR and generates verifiable evidence of the work performed?

GeoTapp is used by cleaning, maintenance and logistics companies to certify every intervention in the field — in a legally defensible way.

See how GeoTapp works →

How to Communicate Geolocation to the Team Without Creating Resistance

The norm is one thing; company culture is another. Even with a perfectly compliant GDPR policy, the introduction of geolocation can generate resistance if it is not communicated in the right way. Employees who fear surveillance aren’t irrational — they’re right to wonder how their data will be used. The way you present the system determines whether it is peacefully accepted or experienced as an oppressive control

The most effective message is the one that puts the benefits for the employees themselves first. GPS stamping certifies their hours objectively — no one can accuse them of non-existent delays or of leaving earlier than they should have. The photo report documents their work and protects them from customers who might dispute the services actually provided. Privacy is guaranteed: the system records the position only when stamping, it does not monitor movements between one construction site

and another.

Having a correct geolocation policy is not enough — you must also be able to prove it in the event of a check by the Privacy Guarantor or an employee’s appeal. With GeoTapp, the necessary documentation is already integrated into the system. The informational consent is digitally signed upon employee onboarding and automatically archived. The treatment register is updated automatically. Geolocation data is kept for the retention periods required by law and automatically deleted

when they expire.

You don’t have to have a dedicated DPO to manage all of this — GeotApp was designed for SMEs that don’t have an internal legal department. The default settings already comply with the Italian GDPR, and the system automatically produces the documentation you need to demonstrate that compliance. It’s the difference between being compliant ‘on paper’ and being able to prove it in ten minutes if someone asks you

to.

Keep reading