Choosing a GPS software for your business is not just a matter of features. In 2026, with updated guidelines from Italy’s Privacy Authority and GDPR fully enforced, the wrong choice can turn into a fine. This article covers the questions every business owner should ask before signing a contract with a GPS employee tracking provider.
This is not bureaucracy. It is about knowing whether what you install protects you or exposes you. In practice, the difference is worth thousands of euros.
What GDPR says about employee GPS tracking in 2026
GDPR does not prohibit GPS on employees, it regulates it. Three things are required: a valid legal basis (contract performance or documented legitimate interest), an updated privacy notice that explicitly mentions GPS, and a data retention policy proportionate to the purpose. If your current software does not help you comply with these three points, it is not compliant.
Audit your current GPS software against the three GDPR questions on one site, and see which answers are missing before the next inspection.
No credit card, up and running in 2 minutes.
Open your trialThe Italian Privacy Authority has sanctioned companies that tracked employees continuously, retained data too long, or failed to properly inform workers. Administrative fines can reach 4% of global annual turnover. For a business with €2 million in revenue, that means €80,000.
The 5 questions to ask your provider before choosing
First: does GPS activate only during the shift or does it record continuously? A system that tracks breaks, home-to-work commutes or weekends is already non-compliant. Second: how long is location data retained and what automatic deletion policies apply? Third: does the app generate GDPR-ready documentation, privacy notices, processing records, DPA, or does it leave you to handle that alone?
Fourth: is the report produced independently verifiable by third parties, or can it be modified after closure? Fifth: does the provider have a referenced DPO or privacy consultant, or does it pass all responsibility to the client? If you do not have an answer to one of these five questions, you do not have enough information to choose.

The “we have consent” trap
The most common answer we hear from business owners is: “employees signed consent in their employment contract”. In 2026 this answer no longer holds up before the Privacy Authority. In an employment relationship, consent is not considered freely given, the worker signs because they need the job, not because they genuinely chose to. The Authority knows this and does not accept it as a sufficient legal basis for tracking.
The correct legal basis is contract performance (Art. 6(1)(b) GDPR), but only if GPS is strictly necessary to perform the work. If you use GPS to verify where your technicians are between jobs, that purpose must be formally documented, not simply stated in a standard contractual clause.
Remote monitoring vs. service certification: why the distinction is legally relevant
Article 4 of the Italian Workers’ Statute distinguishes between remote monitoring tools (which require a union agreement or Labour Inspectorate authorisation) and tools necessary to perform the work (which do not). A GPS that documents job completion at a client site falls into the second category, but only if the primary purpose is certifying the work done, not surveilling the employee.






