GPS & GDPR 2026: What Business Owners Must Know Before Choosing Software

Mike Petraroli

Reading time: 4 min

Choosing GPS software for your business is not just a matter of features. In 2026, with updated guidelines from Italy’s Privacy Authority and GDPR fully enforced, the wrong choice can turn into a fine. This article covers the questions every business owner should ask before signing a contract with a GPS employee tracking provider.

This is not bureaucracy. It is about knowing whether what you install protects you or exposes you. In practice, the difference is worth thousands of euros.


What GDPR says about employee GPS tracking in 2026

GDPR does not prohibit GPS on employees — it regulates it. Three things are required: a valid legal basis (contract performance or documented legitimate interest), an updated privacy notice that explicitly mentions GPS, and a data retention policy proportionate to the purpose. If your current software does not help you comply with these three points, it is not compliant.

The Italian Privacy Authority has sanctioned companies that tracked employees continuously, retained data too long, or failed to properly inform workers. Administrative fines can reach 4% of global annual turnover. For a business with €2 million in revenue, that means €80,000.


The 5 questions to ask your provider before choosing

First: does GPS activate only during the shift or does it record continuously? A system that tracks breaks, home-to-work commutes or weekends is already non-compliant. Second: how long is location data retained and what automatic deletion policies apply? Third: does the app generate GDPR-ready documentation — privacy notices, processing records, DPA — or does it leave you to handle that alone?

Fourth: is the report the software produces independently verifiable by third parties, or can it be modified after closure? Fifth: does the provider have a named DPO or privacy consultant you can refer to, or does it pass all responsibility to the client? If you do not have an answer to one of these five questions, you do not have enough information to choose.

Figure: GDPR checklist for choosing employee GPS tracking software

The “we have consent” trap

The most common answer we hear from business owners is: “employees signed consent in their employment contract”. In 2026 this answer no longer holds up before the Privacy Authority. In an employment relationship, consent is not considered freely given — the worker signs because they need the job, not because they genuinely chose to. The Authority knows this and does not accept it as a sufficient legal basis for tracking.

The correct legal basis is contract performance (Art. 6(1)(b) GDPR) — but only if GPS is strictly necessary to perform the work. If you use GPS to verify where your technicians are between jobs, that purpose must be formally documented, not simply stated in a standard contractual clause.


Remote monitoring vs. service certification: why the distinction is legally relevant

Article 4 of the Italian Workers’ Statute distinguishes between remote monitoring tools (which require a union agreement or Labour Inspectorate authorisation) and tools necessary to perform the work (which do not). A GPS that documents job completion at a client site falls into the second category — but only if the primary purpose is certifying the work done, not surveilling the employee.

This distinction directly affects the type of software you choose. A system designed for job certification activates GPS only when a job is opened and produces a sealed report with location, timestamp and photos. It does not track between jobs, does not record routes and does not monitor breaks. From the Privacy Authority’s perspective, this is a different category entirely.


What to check in the provider’s documentation

Ask the provider for a Data Processing Agreement (DPA) — if they do not have one ready, stop. The DPA is legally required whenever a third party processes personal data on your behalf. Verify it includes: the list of sub-processors (servers, storage, analytics), the retention periods applied, the security measures and the channels for reporting a breach.

Also verify that the provider can supply you with the complete list of processing activities performed on your employees’ data — this is your right of access as the data controller. If the provider cannot or will not provide this transparency, you are transferring data to a party you cannot control.


What to do now

If you already have GPS software active, check immediately: does GPS track only during working hours? Were employees specifically informed? Do you have a signed DPA with the provider? If any of these answers is “no” or “I don’t know”, you have a compliance gap worth closing before an inspection arrives.

The good news is that becoming compliant is not complicated — it requires software designed with compliance built in, not added later. GeoTapp activates GPS only when a job is opened and closes it with the job, produces sealed tamper-proof reports, includes all GDPR documentation and signs the DPA as data processor. If you want to see how it works in detail, the full flow is here — no commitment.

Written by

Mike Petraroli

Founder of GeoTapp, passionate about technology and operations management for field service businesses.
