Monday morning, 7:45 AM. One of your field engineers calls from a job site: he’s heard the app records his location. He wants to know if that’s legal. You know it is — but you don’t have a document to prove it. And just like that, a sensible technology choice becomes a legal headache.
A privacy notice for GPS tracking of employees is not optional under UK GDPR. Articles 13 and 14 require you to provide a written document to every employee before you switch on any location-based system. Not after someone complains. Not when ICO comes knocking. Before.
Contenuti
What ICO says about employee location tracking
The Information Commissioner’s Office has been clear on workplace geolocation: employers may collect location data, but only when it is proportionate, transparent and limited to what is strictly necessary. In practice that means three things. First, no continuous tracking — record the position at clock-in and clock-out, not every five minutes. Second, the employee must know exactly what is collected, why, for how long and who will see it. Third, the data must not be repurposed beyond the stated objectives.
All of this must be documented. The privacy notice is the document that formalises it. Without one, even a perfectly legitimate system becomes challengeable. And when an audit comes — whether from ICO or an employment tribunal — the first thing they ask for is that notice.
The 7 mandatory elements of a GPS privacy notice
UK GDPR leaves no room for interpretation on what a privacy notice must contain. Article 13 lists the information the data controller is obligated to communicate. For employee geolocation, these translate into seven concrete points.
First, the identity of the data controller — your company, with full contact details. Second, the DPO contact details if you have appointed one. Third, the specific purposes of processing: why you collect GPS data. “For business purposes” won’t cut it — you need to be precise. Attendance tracking, job verification, assignment management: each must be declared. Fourth, the legal basis — for most SMEs this is legitimate interest, but it must be justified with a documented balancing test. Fifth, the recipients — who has access, including any cloud providers. Sixth, the retention period: how long you keep GPS coordinates. ICO guidance suggests anything beyond 24 months requires strong justification. Seventh, the employee’s rights: access, rectification, erasure, portability, objection, and the right to complain to ICO.
It sounds like a lot. In reality, with a well-structured template, it’s a two-page document. Here is how to do it.
GPS employee privacy notice template — 2026
Below is a complete template, aligned with UK GDPR and ICO employment guidance. Replace the fields in square brackets with your company details.
EMPLOYEE PRIVACY NOTICE
GPS location tracking via company mobile device
Pursuant to Articles 13–14 of the UK General Data Protection Regulation
Data controller: [Company name], registered at [address], company number [number], represented by [full name]. Contact: [email/phone].
Data Protection Officer: [Name / external firm], contactable at [DPO email]. (State “not appointed” if not required for your organisation size.)
Purposes of processing: Geolocation data is collected exclusively for: (a) recording attendance at work sites, (b) verifying completion of client interventions, (c) operational management of assignments and field scheduling. Location data is captured only at clock-in and clock-out, not continuously.
Legal basis: Processing is based on the legitimate interests of the Controller (Article 6(1)(f) UK GDPR) in the proper organisational management of work and protection of business assets, as well as the performance of the employment contract (Article 6(1)(b) UK GDPR). A Legitimate Interest Assessment has been carried out in accordance with ICO guidance.
Data processed: GPS coordinates (latitude, longitude) at clock-in/out, date and time, device identifier, operator identifier.
Recipients: Data is accessible only to [authorised roles: e.g. managing director, operations manager]. Data is stored with [cloud provider name], based in [country]. No transfers to countries outside the UK adequacy framework.
Retention period: Geolocation data is retained for a maximum of [N] months from collection, after which it is irreversibly deleted. (ICO considers periods beyond 24 months to require strong justification.)
Employee rights: You have the right to: access your personal data, request rectification or erasure, restrict processing, object to processing, request data portability. To exercise these rights, contact the Controller at [email]. You also have the right to lodge a complaint with the Information Commissioner’s Office (ico.org.uk).
Consequences of refusal: Providing geolocation data is necessary for the operational requirements of your role. Refusal may result in the inability to assign you to duties requiring field attendance verification.
Date: ___/___/______
Employee signature (acknowledgement): ______________________________
How to use this template in practice
Print it, fill in the fields in square brackets, and have every employee sign it before activating your GPS system. Keep a signed copy — digital or paper, it doesn’t matter, as long as it’s retrievable during an audit. If you add new processing purposes (for example, you start using GPS data to calculate mileage reimbursements), you need to update the notice and collect a new signature.
A mistake I see often: the employer hands out the notice six months after activating the app. At that point, the previous six months are technically uncovered. ICO can challenge the processing for the entire period without a notice, even if the system itself is legitimate. The sequence is always: document first, activation second.
Has it happened to you — switching on a system and thinking about the paperwork later? It’s more common than you’d think, and the good news is it can be sorted in an afternoon.
If you’re looking for a solution that already includes compliant documentation — privacy notices, processing records, GDPR-ready configuration — see how GeoTapp works. The system records location only at clock-in/out, not continuously, and is designed to comply with ICO guidance from installation.
Keep reading
Construction Site Attendance Software: Guide for Building Companies 2026
21 April 2026
Cleaning Verification with GPS Photos: A Guide for Facility Managers
21 April 2026
No-Code Workflows in Field Service: How to Automate Without Adding Complexity
21 April 2026
Public Contracts 2026: New Field Reporting Requirements You Can’t Ignore
22 April 2026