GPS and GDPR 2026: tracking employees without incurring penalties
GDPR regulations, 14 April 2026

Mike Petraroli

Reading time: 7 min

Tracking employees via GPS is legal — but only if you strictly adhere to the rules set out by the GDPR in 2026. Those who fail to comply face fines starting at €10,000. This guide explains what you can and cannot do, and how to choose a GDPR-compliant employee GPS system without taking any risks.

Who this article is for: owners, operations managers and administrative managers of field service companies.

Objective: to reduce disputes, recover billable hours and improve operational control without complicating field work.

Every week, a field service business owner asks me: “Can I use GPS to track where my technicians are without getting into trouble with the GDPR?”

The answer is yes. But there are specific conditions that many companies fail to meet — often out of ignorance, not malice.


The GDPR (EU Reg. 2016/679) does not prohibit GPS tracking of employees. It regulates it. The applicable legal basis in the workplace is the employer’s legitimate interest (Art. 6(1)(f)), subject to a documented balancing of interests.

Three conditions must be met:

  1. Legitimate and proportionate purpose: tracking serves to document work, not to monitor private life
  2. Adequate information: the employee knows that they are being tracked, how, for how long and why
  3. Limitation of processing: GPS is active only during working hours

If even one of these conditions is missing, the company is liable to penalties.


The 5 most common GDPR violations in field service

| Breach | Typical scenario | Potential penalty |
|---|---|---|
| 24/7 tracking | GPS app always active, even outside working hours | Up to €20 million or 4% of turnover |
| Failure to provide information | “Everyone knows” without a documented signature | €10M or 2% of turnover |
| Unlimited retention | GPS data retained for years without a policy | €10M or 2% of turnover |
| Unauthorised access | Anyone in the company can view the GPS data | Variable |
| Transfer outside the EU | Data on US servers without safeguards | Significant |

The Italian Data Protection Authority has stepped up checks in the field service sector since 2024. It is no longer a theoretical risk.

How GeoTapp manages GDPR compliance automatically

GeoTapp was designed with GDPR compliance as a non-negotiable requirement:

1. Tracking only during working hours
GPS is activated when the technician starts a shift and deactivated when they finish it. Outside of declared working hours, no location data is collected.

2. Privacy notice integrated into onboarding
Upon first login, every worker reads and digitally signs the privacy policy regarding the processing of GPS data. The signature is recorded with a timestamp and retained.

3. Configurable retention
The administrator sets the data retention period (e.g. 24 months). Upon expiry, data is automatically deleted.

4. Access to personal data
Each worker can view their own GPS data via the app. Portability and transparency guaranteed.

5. EU servers
All data is stored on European infrastructure (GDPR Articles 44–49 compliant).
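
Controls 1 and 3 above (collection limited to declared shifts, deletion once the retention period expires) can be enforced where location fixes are ingested. The following is an added example, not GeoTapp's code: the record layout, function names and the 730-day value standing in for the 24-month example are assumptions, and the sample data is constructed.

```python
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=730)  # assumption: ~24 months, the article's example period

def in_declared_shift(ts, shifts, now):
    """True if ts falls inside any [start, end) shift; end=None means still open."""
    return any(start <= ts < (end or now) for start, end in shifts)

def minimise(fixes, shifts_by_worker, now, retention=RETENTION):
    """Split location fixes into (kept, out_of_shift, expired).

    Fixes outside a declared shift are never stored; fixes older than the
    retention period are due for deletion. A worker with no declared shift
    has every fix rejected (fail closed).
    """
    kept, out_of_shift, expired = [], [], []
    for fix in fixes:
        ts = fix["time"]
        if ts.tzinfo is None:
            raise ValueError("naive timestamp: shift boundaries need a timezone")
        if not in_declared_shift(ts, shifts_by_worker.get(fix["worker"], []), now):
            out_of_shift.append(fix)
        elif now - ts > retention:
            expired.append(fix)
        else:
            kept.append(fix)
    return kept, out_of_shift, expired

# Constructed sample data (hypothetical workers, times and coordinates).
UTC = timezone.utc
NOW = datetime(2026, 4, 14, 12, 0, tzinfo=UTC)
SHIFTS = {
    "tech-01": [
        (datetime(2026, 4, 14, 8, 0, tzinfo=UTC), None),  # shift still open
        (datetime(2024, 1, 10, 8, 0, tzinfo=UTC), datetime(2024, 1, 10, 17, 0, tzinfo=UTC)),
    ],
}
FIXES = [
    {"worker": "tech-01", "time": datetime(2026, 4, 14, 9, 30, tzinfo=UTC), "lat": 45.46, "lon": 9.19},
    {"worker": "tech-01", "time": datetime(2026, 4, 13, 21, 0, tzinfo=UTC), "lat": 45.47, "lon": 9.20},
    {"worker": "tech-01", "time": datetime(2024, 1, 10, 9, 0, tzinfo=UTC), "lat": 45.48, "lon": 9.21},
    {"worker": "tech-99", "time": datetime(2026, 4, 14, 9, 0, tzinfo=UTC), "lat": 45.49, "lon": 9.22},
]

if __name__ == "__main__":
    kept, dropped, expired = minimise(FIXES, SHIFTS, NOW)
    print(len(kept), "kept;", len(dropped), "outside shift;", len(expired), "past retention")
```

Running the filter before anything is written to storage means out-of-shift fixes never exist to be retained, accessed or transferred.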

“The Data Protection Authority contacted us for an inspection following a complaint from a former employee. We showed them GeoTapp’s GDPR dashboard in 20 minutes: signed consent form, data limited to working hours, retention policy, access logs. The inspection concluded without any issues.”
— HR Manager, industrial cleaning company, 48 employees


What you need to do BEFORE activating GPS tracking for employees

Pre-activation checklist:

  • [ ] Data Protection Impact Assessment (DPIA): mandatory if tracking involves more than 10 people on a systematic basis
  • [ ] Specific GPS privacy notice: a generic one is not enough; a dedicated document is required
  • [ ] Trade union notification (if applicable): in some sectors, a trade union agreement is required for monitoring systems
  • [ ] Data processing register: update the data controller’s register with the new GPS processing
  • [ ] Appointment of DPO (if necessary): if processing special categories of data on a large scale

GeoTapp provides document templates for all these requirements in the Compliance section of the admin panel.

The case of collective agreements: what Italian labour law adds

In addition to the GDPR, GPS tracking of employees is regulated by Article 4 of the Workers’ Statute (Law 300/1970, amended by Legislative Decree 151/2015).

The regulation distinguishes between:

Work tools (company smartphone used for clocking in): these do not require trade union agreement or INL authorisation, but do require a privacy notice.

Monitoring tools (GPS installed solely for surveillance purposes): these require trade union agreement OR authorisation from the Labour Inspectorate.

GeoTapp falls into the first category: it is a work tool that also generates location data as an ancillary function to attendance tracking. This is the most favourable scenario for companies.


FAQ: the questions we’re asked every week

“Can I see where my technicians are in real time?”
Yes, if this is specified in the privacy notice and is necessary for coordinating work. GeoTapp has an optional live map that you can enable or disable.

“Can technicians turn off the GPS?”
Yes, outside working hours. During their shift, location data is required for the main function (site-based clocking in).

“How long can I keep the data?”
The GDPR requires the principle of data minimisation. GeoTapp recommends 24 months for field service; beyond that, documented justification is required.

“What happens if a technician refuses?”
Informed refusal is a worker’s right. But if GPS is an integral part of the company’s work tool, refusal amounts to refusing to use the work tool — a contractual matter, not a GDPR issue.


Conclusion: compliance is not bureaucracy, it is mutual protection

A GDPR-compliant GPS system protects the company from penalties, but it also protects employees: their data is secure, used only for the stated purposes, and deleted when no longer needed.

Compliance isn’t an obstacle. With GeoTapp, it’s automatic.

The Line Between Lawful Monitoring and Illegal Surveillance

The difference between a lawful geolocation system and an unlawful one does not lie in the technology — it lies in consent and purpose. The Data Protection Authority has clarified in several rulings that the geolocation of employees is lawful if it serves a legitimate business purpose (coordination of worksites, attendance checks, operator safety), if it is proportionate to the purpose, and if employees have been clearly informed and have given their consent.

Continuous monitoring of an employee’s movements throughout the entire working day — knowing their location every five minutes, even between construction sites — is almost always disproportionate to any reasonable business purpose. GeoTapp has been designed to stay on the other side of this line: it records location only at clock-in times, does not monitor continuously, and the data is used exclusively for the purposes stated in the policy.

How to Structure GDPR Documentation for Geolocation

GDPR compliance for employee geolocation requires specific documentation that many SMEs have not yet put in place. A specific privacy notice for employees is needed, describing what data is collected, for how long, for what purpose, and who has access to it. An appropriate legal basis is required — typically the company’s legitimate interest for coordination purposes, supplemented by explicit consent for geolocation data. A risk assessment is required if the processing involves high-risk activities.

GeoTapp provides ready-to-use templates for all this documentation, adapted to Italian legislation and already validated in practice. You don’t have to start from scratch, and you don’t have to pay a legal consultant to draft the policy from scratch. The system guides you through a configuration that automatically complies with the data minimisation thresholds and retention periods required by law.

To learn more about the regulatory aspects of employee geolocation, read: Employee geolocation and the GDPR: a comprehensive guide.

Written by Mike Petraroli, founder of GeoTapp, passionate about technology and operations management for field service companies.
