You come across the news one Tuesday morning in November, whilst having a coffee in the office, in a business newspaper that’s been sitting on your desk for weeks without you having opened it. Headline: “Data Protection Authority fines security firm for unlawful geolocation of employees, €75,000 fine”. You read it twice. The company had installed a GPS system on its vehicles and on the security guards’ devices, without a preliminary DPIA, without an adequate privacy notice, and without a trade union agreement pursuant to Article 4 of the Workers’ Statute. The ruling runs to forty pages and quotes every comma of the GDPR. You’ve had exactly the same problem for three months: you want to install GPS tracking on your company’s patrols because a corporate client explicitly requested it in the tender specifications, but your accountant told you, “Be careful – in the security sector, it’s a more sensitive issue than elsewhere.” You put down your cup. You switch on your computer. You start searching.
The real problem is that every article you find is written by a law firm trying to sell you consultancy services, by a software company trying to sell you a platform, or by a trade union explaining in twenty pages why you can’t track anyone. No one tells you in straightforward terms what you actually need to do if you run a private security firm with forty guards and want to install a GPS tracking system that will allow you to win the tender, comply with the GDPR, avoid a row with the trade union, stay off the Data Protection Authority’s radar and, above all, avoid the €75,000 fine you’ve just read about in the newspaper. It feels like walking through a minefield without a map. Yet your better-organised competitors are already doing it – evidently in compliance – because they’re winning the contracts you can’t even bid for.
This is the situation facing the vast majority of private security firm owners in Italy today. The security sector is one of the most closely scrutinised by the Data Protection Authority because it deals with particularly sensitive data: your employees work in locations and at times which, when combined with geolocation data, reveal much more than mere ‘presence at work’. It reveals where a VIP client lives, the routines of a bank, and where a magistrate under private protection sleeps. Getting your privacy framework wrong is not just an administrative risk: it is a reputational risk that can destroy a company.
If geolocating a security firm means handling data relating to VIP clients, a two-week trial will show where the loopholes lie.
No credit card required; up and running in 2 minutes.
View the sectorWhy security is the most sensitive sector for GPS tracking
Multi-site cleaning, construction, technical maintenance: all sectors in which GPS tracking of teams is used to know whether a person has arrived, how long they stayed, and where they went next. In security, the situation is fundamentally different. Security guards perform a public-private service regulated by the TULPS, operate under prefectural authorisation, and have quasi-public responsibilities (intervention, custody, cash-in-transit, armed surveillance). At the same time, they are employees protected by Article 4 of the Workers’ Statute – amended by the Jobs Act but still restrictive – and by the National Collective Labour Agreement for Private Security and Fiduciary Services. The Data Protection Authority considers the GPS tracking of security staff to be ‘high-risk’ processing within the meaning of Article 35 of the GDPR, because the combination of continuous geolocation, night-time working hours and travel frequency allows for detailed profiling of the employee’s working life and, at times, their personal life.
This does not mean you cannot track employees. It means you must do so in a structured manner. The Data Protection Authority’s case law over the last five years is clear: security firms that have implemented GPS in compliance with the combined provisions of the GDPR, Article 4 of the Workers’ Statute, the National Collective Labour Agreement and prefectural regulations have never been penalised. Those that have improvised – installing systems overnight, using generic privacy notices copied from the internet, without any trade union agreement, and retaining data indefinitely – have all come under scrutiny, some facing six-figure fines. The difference does not lie in the technology. It lies in the administrative process that precedes and accompanies the technical implementation.
The second sensitive issue is the end customer. When a patrol logs its arrival at a credit institution at 02:47, that geolocation data also contains information about the customer: the bank is under armed surveillance, valuables are stored on the premises, and there is a vulnerability. If the GPS system is not designed to segregate and protect this data, and it ends up being exfiltrated in a data breach, the reputational damage affects your institution twice over: as the data controller and as the security provider. The GDPR requires technical and organisational measures that are ‘appropriate to the risk’. In security, ‘appropriate’ means more than it does in other sectors.
The five pillars of a compliant GPS system for private security
The first pillar is the DPIA – Data Protection Impact Assessment. For the security sector, it is mandatory, not optional, as it falls under ‘high-risk’ processing as defined in the Data Protection Authority’s 2018 provision on mandatory DPIA. The DPIA is a 15–30-page document that describes the processing (what is tracked, why, how), assesses the risks to workers’ rights and freedoms, identifies mitigation measures and documents prior consultation with the in-house DPO and, if residual risks remain high, with the Data Protection Authority itself before the system is launched. Without a documented and dated DPIA prior to the system’s activation, a penalty is automatically imposed in the event of an inspection.
The second pillar is the trade union agreement pursuant to Article 4 of the SDL. The geolocation of patrols falls within the category of ‘tools which also enable the remote monitoring of workers’ activities’. The Jobs Act has allowed for some flexibility, but case law has now been established: an agreement with the RSA/RSU is required or, failing that, authorisation from the National Labour Inspectorate. The agreement must specify the purposes (security guard duties, customer service verification, emergency management), technical procedures (when the GPS is activated, when it is deactivated, and the level of accuracy), and, crucially, the explicit exclusion of the direct disciplinary use of geolocation data. The National Collective Labour Agreement for Private Security supports this approach.
The third pillar is data minimisation. The GDPR prohibits you from collecting ‘everything that technology allows you to collect’. You must collect only the minimum necessary for the stated purpose. For security services, this means: no continuous 24-hour tracking, but specific ‘pings’ triggered by relevant events (arrival at the client’s site, departure, alarm event, completion of a patrol). No permanent history: the precise location disappears as soon as the assignment is closed; only the times and site identifiers remain. No tracking during contractual breaks, journeys between home and work, or off-duty hours. A system that tracks a security guard’s location 24 hours a day is automatically non-compliant, even with a trade union agreement.
The fourth pillar is data retention. How long can you keep GPS logs? The principle is ‘for as long as is strictly necessary for the purposes’. For customer service evidence: 3–6 months, rarely longer, except in the case of ongoing disputes. For emergency management and the security guard’s safety: 1–3 months is already ample. For the purpose of preventing insurance fraud: up to 12 months if documented and proportionate. Beyond these limits, the data must be anonymised or deleted automatically and verifiably; it must not be left in the database ‘just in case’. A system that retains GPS logs indefinitely is another of the most frequently penalised infringements.







