Employee GPS Tracking under the GDPR 2026: how to avoid penalties from the Data Protection Authority
Field Service

Employee GPS Tracking under the GDPR 2026: how to avoid penalties from the Data Protection Authority

May 14, 2026 · 6 min

It is 9.14 am on a Wednesday morning. You open your post and find a registered letter from the Italian Data Protection Authority. Subject: GPS tracking of your field technicians. Three employees have lodged a complaint; they were unaware that the app installed on their company car was continuously recording their location, even during their lunch break, even after working hours, and when they were using the vehicle for private errands.

The Data Protection Authority’s fines for GDPR breaches relating to the monitoring of workers have risen significantly over the last two years. In 2024, the Authority issued over 30 injunctions for sums ranging from €20,000 to €50,000 against companies in the facilities management and cleaning sectors. The recurring reason: a lack of specific information and the absence of a trade union agreement or prior authorisation.

The problem is rarely a technical one. It is organisational: the device is handed over, an app is installed, and no one explains to the employee exactly what is being recorded, when, why, for how long the data is stored and who can access it. This is precisely where the Data Protection Authority is raising the bar, and this is where the fines arise.

GDPR-compliant employee GPS tracking without the hassle

GeoTapp Flow provides pre-configured GDPR privacy notice templates, granular control over tracking times and audit logs that stand up to any inspection by the Data Protection Authority.

14-day free trial, no credit card required

The GDPR does not permit the tracking of workers in a general sense. It requires a specific legal basis in accordance with Article 6 of the GDPR, supplemented by Article 88 of the GDPR and the Workers’ Statute (Law 300/1970, Article 4, as amended by the Jobs Act). In practice, there are three possible approaches:

Legitimate interest (Article 6(f) of the GDPR): the employer must demonstrate specifically why tracking is necessary, such as managing operations, optimising routes or verifying performance. General references to ‘safety’ or ‘efficiency’ are not sufficient. The balancing of these interests against the employee’s rights must be set out in writing.

Trade union agreement or authorisation from the Territorial Labour Inspectorate (Workers’ Statute, Article 4(1)): if the tracking tools may also involve monitoring of workers’ activities, this is mandatory. Without an agreement (or authorisation from the Territorial Labour Inspectorate), the system is arbitrarily unlawful, and penalties are cumulative: GDPR + Workers’ Statute + any offences of unlawful interference.

Consent (Article 7 of the GDPR): this is problematic in an employment relationship, as the freedom to give consent is questionable. It is valid only if the employee can effectively refuse without suffering any repercussions. In practice, it can only be used as a supplementary measure, never as the sole basis.

Data minimisation: record only what you need

Article 5(1)(c) of the GDPR requires data minimisation. In other words: GPS location data should only be collected during agreed working hours, not during breaks, not after the end of a shift, and not whilst on holiday. Anyone who tracks employees continuously, or monitors them in their private lives, has already lost the argument, even before the first inspection.

Technically, this means: the app must have a scheduled timetable. It activates when the employee clocks in, stops when they clock in for a break, and pauses during authorised leave. Geofences around private homes must be excluded in the settings. Data retention: for no longer than is necessary for the stated purpose, typically 30–90 days, followed by automatic deletion.

Technical and organisational measures (TOM)

Article 32 of the GDPR requires appropriate security measures. In practical terms: encryption of GPS data in transit and at rest, restricted access in accordance with the ‘need-to-know’ principle, periodic review of authorisations, and comprehensive audit logs. In the event of an inspection, the Data Protection Authority wishes to see who has accessed which location and when.

Try GeoTapp free for 14 days

No credit card required. Get started in 2 minutes.

Start free trial

An often-overlooked detail: the relationship with the app provider must also be governed by a contract. Article 28 of the GDPR requires a written Data Processing Agreement (DPA). If this is missing, the breach is a formal one and subject to penalties, regardless of whether everything runs smoothly in practice.

Common mistakes leading to penalties

1. Absent or incomplete information provided to employees. Article 13 of the GDPR requires full information on data collection: purposes, legal basis, retention period, recipients and the data subject’s rights. A vague clause in the contract is not sufficient. A dedicated document is required.

2. Tracking outside working hours. A classic example. Anyone who tracks employees during their lunch break or at weekends is collecting data without a legal basis. This results in a GDPR fine plus potential individual claims for compensation.

3. Lack of a trade union agreement. Article 4 of the Workers’ Statute is mandatory. Without an agreement (or authorisation from the Regional Labour Directorate), company policies based on tracking are unenforceable against the employee, and the penalties multiply.

4. Excessive data retention. Anyone who keeps GPS data ‘on file’ for years is in breach of the data retention limitation principle (Article 5 of the GDPR).

Verifiability: the underestimated competitive advantage

A modern tracking solution must do more than simply comply with the GDPR. It must actively prove that the data collected is intact. Reports cryptographically sealed with an ECDSA signature can be independently verified even months later, by the client, an auditor or the Data Protection Authority. It is not just about compliance. It is about building trust.

Anyone still working with unencrypted Excel logs or unverified app data in 2026 risks not only fines but also losing any dispute with customers who demand proof of attendance.

What to do now

Set aside three hours in your diary today for an internal audit: what tracking technology do you use? Where are the legal bases documented? Are your employees actively informed? Is there a DPA in place with the supplier? Who has access, and is this logged? Is there a trade union agreement or authorisation from the DTL?

If even one of these points is unclear, take action now, before the Data Protection Authority forces you to.

Imagine the Data Protection Authority’s next inspection with the DPIA, signed privacy notice and access logs all ready to go, without a single piece of paper to hunt down.

Set up a GDPR-ready GPS system from the very first shift. Fourteen days, paper-free.

No credit card required; up and running in 2 minutes.

Start your trial

Get articles like this in your inbox

Practical insights on GPS tracking, field operations and GDPR. No spam, just useful content.

Comments

No comments yet. Be the first.

Leave a comment

Try GeoTapp free for 14 days

No credit card required. Get started in 2 minutes.

Start now

© 2026 GeoTapp — original content. You may quote it and reuse parts with a link to this page. Full republication or commercial use only with our permission.