Irish Data Protection Act 2018 and GDPR: GPS employee surveillance lawfully
June 30, 2026 ยท 5 min
Your operations manager wants GPS rolled out across the Limerick and Galway field teams next week. Two engineers send a polite email objecting on privacy grounds. By Friday the union representative is involved. The rollout is paused, the customer quietly moves the contract elsewhere, and you spend a fortnight unpicking a data protection impact assessment that should have been done before the first engineer was ever told. The Data Protection Commission has firm views on deployments like this one, and a fortnight of unpicking is the gentle version of what those views can cost.
The mistake here was not the GPS. It was the order of operations. Workforce monitoring done in the right sequence is lawful and uncontroversial. Done in the wrong sequence, it becomes a privacy problem, an industrial-relations problem and a lost contract, all at once.
How the two laws fit together
The GDPR applies directly in Ireland, and the Data Protection Act 2018 implements the national derogations, names the Data Protection Commission as the supervisory authority, and creates the offences for serious breaches. Between them they govern every workforce-monitoring deployment in the country, and the Commission is one of the more active supervisory authorities in Europe on exactly this question.
For GPS workforce tracking the provisions that matter are a short list. The principles of lawfulness, purpose limitation, data minimisation and storage limitation. The lawful basis, which for ongoing workforce monitoring is almost always legitimate interests rather than consent. The duty to inform the worker, clearly and in advance, of what is collected and why. And the requirement for a data protection impact assessment where the processing is high-risk, which the Commission has confirmed includes the systematic monitoring of employees. Get those four right and the deployment is sound. Skip any one of them and the deployment is exposed, regardless of how carefully the rest was handled.
Try GeoTapp free for 14 days
No credit card required. Get started in 2 minutes.
Legitimate interests, and the assessment behind it
Consent is the wrong lawful basis for ongoing workforce monitoring, and it is worth being clear why. Both the Commission and the European Data Protection Board have said plainly that consent in an employment context is rarely freely given, because the worker cannot realistically refuse without consequence. The durable basis is legitimate interests, and it has to be documented in a legitimate interests assessment that works through three steps: what the legitimate interest actually is, whether the processing is genuinely necessary to it, and how it balances against the rights and freedoms of the worker.
A workable assessment for GPS tracking names the concrete operational interest, timekeeping for payroll, lone-worker safety, contract-specific proof of attendance. It establishes that a less intrusive method would not meet that interest. And it records the safeguards: collection at clock-in and clock-out only, no off-duty tracking, defined retention windows, the worker’s access rights, and a clear route to lodge a complaint. That document is the first thing the Commission asks to see. Without it, there is no lawful basis to point to.
The impact assessment is not optional
The GDPR makes a data protection impact assessment mandatory where processing is likely to result in a high risk to people’s rights and freedoms, and the Commission’s published list of such processing includes the systematic monitoring of employees. On the Commission’s reading, a workforce GPS deployment with no impact assessment is a breach in its own right, independent of whether any worker was ever actually harmed. The absence is the breach.
The assessment the Commission expects runs to a few pages, signed by the data protection officer or the designated responsible person, and it documents the purposes, the categories of data, the lawful basis, the proportionality analysis, the retention period, the security measures, the worker’s rights and the residual risks. It is completed before the system goes live, reviewed each year, and revisited after any material change. Done at the start, it is the strongest defence the Commission is ever shown. Done after a complaint, it is an admission that it was late.
Subject access requests, and the operational reality
A worker is entitled to a copy of all the personal data the employer holds about them, within one month. The Commission regularly fields complaints about access requests in the GPS context that came back late or incomplete, and the cause is almost always the same: the employer could not easily export the worker’s data from the platform, or the export quietly omitted the location and time history.
The platform that supports an access-request export by default, in machine-readable form, with the location history, the time history, the schedule history and the supervisor notes all included, removes that backlog before it forms. GeoTapp’s worker-data export is built for the one-month timeline, so an Irish employer answers an access request in a handful of working days rather than scrambling at the edge of the deadline. Start a free fourteen-day trial, with no card, and roll out monitoring in the order the law actually expects.
Have you had a workforce-monitoring rollout meet resistance, or an access request you struggled to answer in time? Tell us in the comments below. The sequence, assessment first and rollout second, is the part most deployments get backwards, and what you write helps other employers get it the right way round.
Get articles like this in your inbox
Practical insights on GPS tracking, field operations and GDPR. No spam, just useful content.