GPS and GDPR 2026: tracking employees without incurring penalties

Tracking employees via GPS is legal — but only if you strictly adhere to the rules set out by the GDPR in 2026. Those who fail to comply face fines starting at €10,000. This guide explains what you can and cannot do, and how to choose a GDPR-compliant employee GPS system without taking any risks.

Who this article is for: owners, operations managers and administrative managers of field service companies.

Objective: to reduce disputes, recover billable hours and improve operational control without complicating field work.

Set up GPS tracking with privacy notice, DPIA and union agreement ready on day one, instead of drafting them after an inspection.

Open your trial →

→ Book a GeoTapp demo

Is GPS tracking of employees legal? Yes — but only if you know exactly what you’re doing.

Every week, a field service business owner asks me: “Can I use GPS to track where my technicians are without getting into trouble with the GDPR?”

The answer is yes. But there are specific conditions that many companies fail to meet — often out of ignorance, not malice.

---

The legal framework: what the GDPR actually says about workplace GPS

The GDPR (EU Reg. 2016/679) does not prohibit GPS tracking of employees. It regulates it. The applicable legal basis in the workplace is the employer’s legitimate interest (Art. 6(1)(f)), subject to a documented balancing of interests.

Three conditions must be met:

1. Legitimate and proportionate purpose: tracking serves to document work, not to monitor private life
2. Adequate information: the employee knows that they are being tracked, how, for how long and why
3. Limitation of processing: GPS is active only during working hours

If even one of these conditions is missing, the company is liable to penalties.

---

The 5 most common GDPR violations in field service

Breach	Typical scenario	Potential penalty
24/7 tracking	GPS app always active, even outside working hours	Up to €20 million or 4% of turnover
Failure to provide information	“Everyone knows” without a documented signature	€10M or 2% of turnover
Unlimited retention	GPS data retained for years without a policy	€10M or 2% of turnover
Unauthorised access	Anyone in the company can view the GPS data	Variable
Transfer outside the EU	Data on US servers without safeguards	Significant

The Italian Data Protection Authority has stepped up checks in the field service sector since 2024. It is no longer a theoretical risk.

---

How GeoTapp manages GDPR compliance automatically

GeoTapp was designed with GDPR compliance as a non-negotiable requirement:

1. Tracking only during working hours
GPS is activated when the technician starts a shift and deactivated when they finish it. Outside of declared working hours, no location data is collected.

2. Privacy notice integrated into onboarding
Upon first login, every worker reads and digitally signs the privacy policy regarding the processing of GPS data. The signature is recorded with a timestamp and retained.

3. Configurable
retention The administrator sets the data retention period (e.g. 24 months). Upon expiry, data is automatically deleted.

4. Access to personal data
Each worker can view their own GPS data via the app. Portability and transparency guaranteed.

5. EU servers
All data is stored on European infrastructure (GDPR Articles 44–49 compliant).

“The Data Protection Authority contacted us for an inspection following a complaint from a former employee. We showed them GeoTapp’s GDPR dashboard in 20 minutes: signed consent form, data limited to working hours, retention policy, access logs. The inspection concluded without any issues.”
— HR Manager, industrial cleaning company, 48 employees

---

What you need to do BEFORE activating GPS tracking for employees

Pre-activation checklist:

• [ ] Data Protection Impact Assessment (DPIA): mandatory if tracking involves more than 10 people on a systematic basis
• [ ] Specific GPS privacy notice: a generic one is not enough; a dedicated document is required
• [ ] Trade union notification (if applicable): in some sectors, a trade union agreement is required for monitoring systems
• [ ] Data processing register: update the data controller’s register with the new GPS processing
• [ ] Appointment of DPO (if necessary): if processing special categories of data on a large scale

GeoTapp provides document templates for all these requirements in the Compliance section of the admin panel.

→ Download the GDPR+GPS compliance kit for field service — free of charge

---

The case of collective agreements: what Italian labour law adds

In addition to the GDPR, GPS tracking of employees is regulated by Article 4 of the Workers’ Statute (Law 300/1970, amended by Legislative Decree 151/2015).

The regulation distinguishes between:

Work tools (company smartphone used for clocking in): these do not require trade union agreement or INL authorisation, but do require a privacy notice.

Monitoring tools (GPS installed solely for surveillance purposes): these require trade union agreement OR authorisation from the Labour Inspectorate.

GeoTapp falls into the first category: it is a work tool that also generates location data as an ancillary function to attendance tracking. This is the most favourable scenario for companies.

---

FAQ: the questions we’re asked every week

“Can I see where my technicians are in real time?”
Yes, if this is specified in the privacy notice and is necessary for coordinating work. GeoTapp has an optional live map that you can enable or disable.

“Can technicians turn off the GPS?”
Yes, outside working hours. During their shift, location data is required for the main function (site-based clocking in).

“How long can I keep the data?”
The GDPR requires the principle of data minimisation. GeoTapp recommends 24 months for field service; beyond that, documented justification is required.

“What happens if a technician refuses?”
Informed refusal is a worker’s right. But if GPS is an integral part of the company’s work tool, refusal amounts to refusing to use the work tool — a contractual matter, not a GDPR issue.

---

Conclusion: compliance is not bureaucracy, it is mutual protection

A GDPR-compliant GPS system protects the company from penalties, but it also protects employees: their data is secure, used only for the stated purposes, and deleted when no longer needed.

Compliance isn’t an obstacle. With GeoTapp, it’s automatic.

The Line Between Lawful Monitoring and Illegal Surveillance

The difference between a lawful geolocation system and an unlawful one does not lie in the technology — it lies in consent and purpose. The Data Protection Authority has clarified in several rulings that the geolocation of employees is lawful if it serves a legitimate business purpose (coordination of worksites, attendance checks, operator safety), if it is proportionate to the purpose, and if employees have been clearly informed and have given their consent.

Continuous monitoring of an employee’s movements throughout the entire working day — knowing their location every five minutes, even between construction sites — is almost always disproportionate to any reasonable business purpose. GeoTapp has been designed to stay on the other side of this line: it records location only at clock-in times, does not monitor continuously, and the data is used exclusively for the purposes stated in the policy.

How to Structure GDPR Documentation for Geolocation

GDPR compliance for employee geolocation requires specific documentation that many SMEs have not yet put in place. A specific privacy notice for employees is needed, describing what data is collected, for how long, for what purpose, and who has access to it. An appropriate legal basis is required — typically the company’s legitimate interest for coordination purposes, supplemented by explicit consent for geolocation data. A risk assessment is required if the processing involves high-risk activities.

GeoTapp provides ready-to-use templates for all this documentation, adapted to Italian legislation and already validated in practice. You don’t have to start from scratch, and you don’t have to pay a legal consultant to draft the policy from scratch. The system guides you through a configuration that automatically complies with the data minimisation thresholds and retention periods required by law.