Monday morning, 7:45 AM. One of your field engineers calls from a job site: he’s heard the app records his location. He wants to know if that’s legal. You know it is, but you don’t have a document to prove it. And just like that, a sensible technology choice becomes a legal headache.
A privacy notice for GPS tracking of employees is not optional under UK GDPR. Articles 13 and 14 require you to provide a written document to every employee before you switch on any location-based system. Not after someone complains. Not when ICO comes knocking. Before.
What ICO says about employee location tracking
The Information Commissioner’s Office has been clear on workplace geolocation: employers may collect location data, but only when it is proportionate, transparent and limited to what is strictly necessary. In practice that means three things. First, no continuous tracking, record the position at clock-in and clock-out, not every five minutes. Second, the employee must know exactly what is collected, why, for how long and who will see it. Third, the data must not be repurposed beyond the stated objectives.
Pair the privacy notice template with a clock-in that records only at start and end, and test it before the next ICO query.
No credit card, up and running in 2 minutes.
Open your trialAll of this must be documented. The privacy notice is the document that formalises it. Without one, even a perfectly legitimate system becomes challengeable. And when an audit comes, whether from ICO or an employment tribunal, the first thing they ask for is that notice.
The 7 mandatory elements of a GPS privacy notice
UK GDPR leaves no room for interpretation on what a privacy notice must contain. Article 13 lists the information the data controller is obligated to communicate. For employee geolocation, these translate into seven concrete points.
First, the identity of the data controller, your company, with full contact details. Second, the DPO contact details if you have appointed one. Third, the specific purposes of processing: why you collect GPS data. “For business purposes” won’t cut it, you need to be precise. Attendance tracking, job verification, assignment management: each must be declared. Fourth, the legal basis, for most SMEs this is legitimate interest, but it must be justified with a documented balancing test. Fifth, the recipients, who has access, including any cloud providers. Sixth, the retention period: how long you keep GPS coordinates. ICO guidance suggests anything beyond 24 months requires strong justification. Seventh, the employee’s rights: access, rectification, erasure, portability, objection, and the right to complain to ICO.
It sounds like a lot. In reality, with a well-structured template, it’s a two-page document. Here is how to do it.
GPS employee privacy notice template, 2026
Below is a complete template, aligned with UK GDPR and ICO employment guidance. Replace the fields in square brackets with your company details.
EMPLOYEE PRIVACY NOTICE
GPS location tracking via company mobile device
Pursuant to Articles 13–14 of the UK General Data Protection Regulation
Data controller: [Company name], registered at [address], company number [number], represented by [full name]. Contact: [email/phone].
Data Protection Officer: [Name / external firm], contactable at [DPO email]. (State “not appointed” if not required for your organisation size.)
Purposes of processing: Geolocation data is collected exclusively for: (a) recording attendance at work sites, (b) verifying completion of client interventions, (c) operational management of assignments and field scheduling. Location data is captured only at clock-in and clock-out, not continuously.
Legal basis: Processing is based on the legitimate interests of the Controller (Article 6(1)(f) UK GDPR) in the proper organisational management of work and protection of business assets, as well as the performance of the employment contract (Article 6(1)(b) UK GDPR). A Legitimate Interest Assessment has been carried out in accordance with ICO guidance.
