GPS tracking of security staff and the GDPR: how to implement it without risking penalties from the Data Protection Authority
Field Service

GPS tracking of security staff and the GDPR: how to implement it without risking penalties from the Data Protection Authority

May 20, 2026 · 13 min

You come across the news one Tuesday morning in November, whilst having a coffee in the office, in a business newspaper that’s been sitting on your desk for weeks without you having opened it. Headline: “Data Protection Authority fines security firm for unlawful geolocation of employees, €75,000 fine”. You read it twice. The company had installed a GPS system on its vehicles and on the security guards’ devices, without a preliminary DPIA, without an adequate privacy notice, and without a trade union agreement pursuant to Article 4 of the Workers’ Statute. The ruling runs to forty pages and quotes every comma of the GDPR. You’ve had exactly the same problem for three months: you want to install GPS tracking on your company’s patrols because a corporate client explicitly requested it in the tender specifications, but your accountant told you, “Be careful – in the security sector, it’s a more sensitive issue than elsewhere.” You put down your cup. You switch on your computer. You start searching.

The real problem is that every article you find is written by a law firm trying to sell you consultancy services, by a software company trying to sell you a platform, or by a trade union explaining in twenty pages why you can’t track anyone. No one tells you in straightforward terms what you actually need to do if you run a private security firm with forty guards and want to install a GPS tracking system that will allow you to win the tender, comply with the GDPR, avoid a row with the trade union, stay off the Data Protection Authority’s radar and, above all, avoid the €75,000 fine you’ve just read about in the newspaper. It feels like walking through a minefield without a map. Yet your better-organised competitors are already doing it – evidently in compliance – because they’re winning the contracts you can’t even bid for.

This is the situation facing the vast majority of private security firm owners in Italy today. The security sector is one of the most closely scrutinised by the Data Protection Authority because it deals with particularly sensitive data: your employees work in locations and at times which, when combined with geolocation data, reveal much more than mere ‘presence at work’. It reveals where a VIP client lives, the routines of a bank, and where a magistrate under private protection sleeps. Getting your privacy framework wrong is not just an administrative risk: it is a reputational risk that can destroy a company.

If geolocating a security firm means handling data relating to VIP clients, a two-week trial will show where the loopholes lie.

No credit card required; up and running in 2 minutes.

View the sector

Why security is the most sensitive sector for GPS tracking

Multi-site cleaning, construction, technical maintenance: all sectors in which GPS tracking of teams is used to know whether a person has arrived, how long they stayed, and where they went next. In security, the situation is fundamentally different. Security guards perform a public-private service regulated by the TULPS, operate under prefectural authorisation, and have quasi-public responsibilities (intervention, custody, cash-in-transit, armed surveillance). At the same time, they are employees protected by Article 4 of the Workers’ Statute – amended by the Jobs Act but still restrictive – and by the National Collective Labour Agreement for Private Security and Fiduciary Services. The Data Protection Authority considers the GPS tracking of security staff to be ‘high-risk’ processing within the meaning of Article 35 of the GDPR, because the combination of continuous geolocation, night-time working hours and travel frequency allows for detailed profiling of the employee’s working life and, at times, their personal life.

This does not mean you cannot track employees. It means you must do so in a structured manner. The Data Protection Authority’s case law over the last five years is clear: security firms that have implemented GPS in compliance with the combined provisions of the GDPR, Article 4 of the Workers’ Statute, the National Collective Labour Agreement and prefectural regulations have never been penalised. Those that have improvised – installing systems overnight, using generic privacy notices copied from the internet, without any trade union agreement, and retaining data indefinitely – have all come under scrutiny, some facing six-figure fines. The difference does not lie in the technology. It lies in the administrative process that precedes and accompanies the technical implementation.

The second sensitive issue is the end customer. When a patrol logs its arrival at a credit institution at 02:47, that geolocation data also contains information about the customer: the bank is under armed surveillance, valuables are stored on the premises, and there is a vulnerability. If the GPS system is not designed to segregate and protect this data, and it ends up being exfiltrated in a data breach, the reputational damage affects your institution twice over: as the data controller and as the security provider. The GDPR requires technical and organisational measures that are ‘appropriate to the risk’. In security, ‘appropriate’ means more than it does in other sectors.

The five pillars of a compliant GPS system for private security

The first pillar is the DPIA – Data Protection Impact Assessment. For the security sector, it is mandatory, not optional, as it falls under ‘high-risk’ processing as defined in the Data Protection Authority’s 2018 provision on mandatory DPIA. The DPIA is a 15–30-page document that describes the processing (what is tracked, why, how), assesses the risks to workers’ rights and freedoms, identifies mitigation measures and documents prior consultation with the in-house DPO and, if residual risks remain high, with the Data Protection Authority itself before the system is launched. Without a documented and dated DPIA prior to the system’s activation, a penalty is automatically imposed in the event of an inspection.

The second pillar is the trade union agreement pursuant to Article 4 of the SDL. The geolocation of patrols falls within the category of ‘tools which also enable the remote monitoring of workers’ activities’. The Jobs Act has allowed for some flexibility, but case law has now been established: an agreement with the RSA/RSU is required or, failing that, authorisation from the National Labour Inspectorate. The agreement must specify the purposes (security guard duties, customer service verification, emergency management), technical procedures (when the GPS is activated, when it is deactivated, and the level of accuracy), and, crucially, the explicit exclusion of the direct disciplinary use of geolocation data. The National Collective Labour Agreement for Private Security supports this approach.

The third pillar is data minimisation. The GDPR prohibits you from collecting ‘everything that technology allows you to collect’. You must collect only the minimum necessary for the stated purpose. For security services, this means: no continuous 24-hour tracking, but specific ‘pings’ triggered by relevant events (arrival at the client’s site, departure, alarm event, completion of a patrol). No permanent history: the precise location disappears as soon as the assignment is closed; only the times and site identifiers remain. No tracking during contractual breaks, journeys between home and work, or off-duty hours. A system that tracks a security guard’s location 24 hours a day is automatically non-compliant, even with a trade union agreement.

The fourth pillar is data retention. How long can you keep GPS logs? The principle is ‘for as long as is strictly necessary for the purposes’. For customer service evidence: 3–6 months, rarely longer, except in the case of ongoing disputes. For emergency management and the security guard’s safety: 1–3 months is already ample. For the purpose of preventing insurance fraud: up to 12 months if documented and proportionate. Beyond these limits, the data must be anonymised or deleted automatically and verifiably; it must not be left in the database ‘just in case’. A system that retains GPS logs indefinitely is another of the most frequently penalised infringements.

Try GeoTapp free for 14 days

No credit card required. Get started in 2 minutes.

Start free trial

The fifth pillar is transparency towards workers. A specific privacy notice for GPS processing – not a page tacked onto the end of a generic document, but a dedicated document which the security guard signs upon activation of the service, explicitly stating the data collected, the purposes, the legal basis (legitimate interest + contractual obligation), retention periods, rights of access and erasure, and the DPO’s contact details. Initial and annual staff training. An app with a visible icon showing when tracking is active and when it is deactivated, so that the security guard always knows the status of their device. Surveillance cannot be a ‘surprise’; it must be carried out with the individual’s knowledge.

The role of the Data Protection Authority: what it actually checks during an inspection

When the Data Protection Authority inspects a security firm – often following a complaint from an employee or a trade union representative – it requests three things within the first two hours: the DPIA, dated and signed before the system was activated; the trade union agreement or ITL authorisation; and the privacy notice signed by the workers. If these three documents are missing, the outcome is a written finding and the penalty is merely a matter of quantification. If they are present but flawed – a generic DPIA copied from other sectors, a trade union agreement that is years old and has not been updated to reflect the introduction of GPS, or a privacy notice that does not mention geolocation – the outcome is slightly better but a fine is still imposed.

The Data Protection Authority’s fines relating to the geolocation of employees over the last three years have ranged from €20,000 to €150,000 for SMEs, up to €800,000 for larger companies, in addition to the obligation to suspend processing and delete data collected unlawfully. Added to this are civil claims by individual employees for compensation for breach of privacy, the risk of dismissals being declared null and void because they are based on evidence obtained in breach of the GDPR, and, not least, automatic exclusion from public tenders requiring declarations of compliance with privacy regulations.


The future that awaits you if you give up tracking out of fear

You’ll be left behind. You’ll win fewer and fewer contracts from corporate clients who specify verifiable GPS in their tender specifications – banks, industrial groups and multinationals. The operations centre relies on radio calls and paper duty rosters, and any dispute over arrival times or the duration of patrols turns into a lengthy phone call in which you speak to the branch manager to piece together, after the event, who was where. The safety of your security guards in emergency situations – man down, armed attack, sudden illness at night – depends on their ability to call via radio, because nobody knows where they are in real time. Your professional liability insurance premiums are rising because you cannot provide evidence of a ‘tracked and certified’ service. Meanwhile, your better-organised competitors – who carried out their DPIA three years ago and have an up-to-date trade union agreement – are taking your contracts one by one.

The future that awaits you if, instead, you implement a compliant system

You win the tender with the regional bank because your tender specifications include “GDPR-compliant geolocation with reports exportable to the client in real time”. The DPIA document you drew up with the DPO two years ago is a commercial asset that you attach to your bids and which your competitors do not have. Your security guards are safer because, in the event of an emergency, the operations centre knows exactly where they are, can send targeted reinforcements, and can contact the emergency services (112) by providing precise coordinates; this safety aspect is explicitly cited in the DPIA as the primary purpose, which in turn strengthens the legal basis for the processing. Contract renewals with existing clients become less stressful because every assignment is documented in real time with a certified PDF, GPS data and photographs. Should the Data Protection Authority ever visit following a complaint, they will find three well-organised files – the DPIA, the trade union agreement and signed privacy notices – and will conclude the inspection with a positive outcome. Third-party liability insurance premiums fall at the first renewal because you can demonstrate structured digital tracking. And in public tenders, where a GDPR compliance declaration is an eligibility requirement, you will no longer be automatically excluded at the first technical assessment.

What it really takes to get there

You need a system designed from the outset with ‘privacy by design’ and ‘privacy by default’ in accordance with Article 25 of the GDPR – not a generic platform adapted for the security sector, but a tool where data minimisation, retention periods configurable by purpose, automatic deactivation outside working hours, and the segregation of client and security guard data are native features, rather than functions to be added retrospectively. You need a supplier who supports you with DPIA templates specific to private security, with privacy notice templates already aligned with the Data Protection Authority’s guidance, and with technical documentation that your DPO can attach to the processing register without having to rewrite anything.

GeoTapp was built precisely with this in mind, working alongside Italian security firms that needed to reconcile increasingly stringent corporate requirements regarding tracking and proof of service with the combined provisions of the GDPR, Article 4 of the SDL, the TULPS and the National Collective Labour Agreement for Private Security. Timely alerts for relevant events rather than continuous tracking; retention periods configurable by purpose; ready-to-use templates for employee privacy notices and DPIA; tamper-proof logs exportable as client-branded PDFs; and data segregation by site and role. See how it works and consider whether, the next time you read in the newspaper about a fine imposed by the Data Protection Authority on a security firm, you’ll be able to smile instead of breaking out in a cold sweat.

And what about you? How far have you got with implementing GPS tracking in your organisation: do you already have a DPIA and a trade union agreement, are you halfway through the process, or are you still putting it off for fear of making a mistake? Let us know in the comments – discussing things with those who’ve navigated the same regulatory maze is the quickest way to avoid making the most costly mistakes.

Think about the next fine the Data Protection Authority imposes on a security firm and being able to smile instead of breaking out in a cold sweat.

See the security sector compliant from day one. Fourteen days, paperless.

No credit card required; up and running in 2 minutes.

See the sector

Get articles like this in your inbox

Practical insights on GPS tracking, field operations and GDPR. No spam, just useful content.

Comments

No comments yet. Be the first.

Leave a comment

Related articles

Read also

Try GeoTapp free for 14 days

No credit card required. Get started in 2 minutes.

Start now

© 2026 GeoTapp — original content. You may quote it and reuse parts with a link to this page. Full republication or commercial use only with our permission.