The app that tracks work: a powerful tool with hidden risks
Over the last three years, the market for field service management apps has boomed. There are solutions for GPS clocking in, job management, monitoring attendance on site, and digital signing of reports. Affordable costs, intuitive interfaces, promises of simplification. Many SMEs have adopted them quickly, attracted by the operational benefits and the prospect of reducing disputes.
But there is a problem that many business owners did not consider at the time of adoption: these apps process employees’ personal data, including GPS locations, working hours, attendance records and, in some cases, biometric data. And this means they are fully subject to the GDPR. In 2026, with the Data Protection Authority stepping up its checks, businesses using non-compliant apps will find themselves exposed to a risk they had not factored in.
The GDPR and tracking apps: the critical issues
GDPR compliance for a work-tracking app is not simply a tick to be ticked at the bottom of the privacy notice. It involves architectural, contractual and operational decisions that must be made before the tool is adopted.
You are the data controller, not the app provider. Many SMEs believe that adopting an app from a major provider exempts them from liability. This is not the case. The company using the app is the data controller and is directly liable to the Data Protection Authority for any breach. The app provider is, at best, a data processor who must be contractually bound by a specific Data Processing Agreement (DPA).
The legal basis must be identified and documented. GPS tracking of employees cannot be based on consent, as an employee’s consent to their employer is never truly freely given. The correct legal basis is legitimate interest or the performance of the employment contract, but this must be documented in the Data Protection Impact Assessment (DPIA), which is generally mandatory for employee tracking.
Data cannot be retained indefinitely. GPS data retention policies must be clearly defined: for how long are operators’ locations retained? Who has access to them? When are they deleted? If the app does not provide for configurable automatic retention, the company must manage this manually, and often fails to do so.
Data transfers outside the EU are a hidden risk. Many field service apps are developed by non-EU suppliers or use cloud infrastructure with servers outside the European Union. This creates issues regarding international data transfers, which must be managed through specific contractual clauses or appropriate certifications. Ignoring this constitutes a breach.
The 2026 inspections: what’s happening
The Italian Data Protection Authority has included specific focus on remote worker monitoring systems in SMEs in its 2026 inspection plan. These are not large multinationals: they are businesses with 10, 20 or 50 employees that use clocking-in or tracking apps without having followed the correct regulatory procedure.







