Monday morning, 7:45. One of your engineers calls from the site: he has heard the app records his location, and he wants to know if that is even allowed. You know it is, but you have nothing in writing to prove it. And right there, what was a sensible piece of tech turns into a legal headache.
A privacy notice for employee location tracking is not a nice-to-have. It is an obligation set out in the UK GDPR, articles 13 and 14, and reinforced by the Data Protection Act 2018. If you run an app with GPS for clock-ins, job management or attendance, you owe every worker a written notice. Before the system goes live, not after someone complains.
What the ICO says about tracking workers by GPS
The Information Commissioner’s Office has been clear on monitoring staff through their phones, and the thread running through its guidance is proportionality. An employer can collect location data, but only when it is necessary, transparent and kept to the least you actually need. In practice that means three things. First, no rolling surveillance: the position is captured at the start and the end of the shift, not every five minutes while someone drives a van. Second, the worker has to know exactly what is collected, why, for how long and who sees it. Third, the data cannot quietly be reused for something you never told anyone about.
If a PDF template is just paper waiting to go stale, spend fourteen days with the notice generated and signed for you.
No credit card, ready in 2 minutes.
All of this has to be written down. The privacy notice is the document that makes it official. Without one, even a perfectly lawful system becomes something a worker, or a tribunal, can pick apart. And if a complaint reaches the ICO or an employment tribunal, the first document anyone asks for is that notice.
The 7 things a GPS privacy notice has to spell out
The UK GDPR leaves you no room to improvise on what the notice must contain. Article 13 lists the information the controller is bound to give, and for location tracking that turns into seven concrete points. First, the identity of the controller, which is you as the business, with full contact details. Second, the contact details of the Data Protection Officer if you have appointed one. Third, the specific purposes: why you collect the position at all, and “for business reasons” will not do, so you name it, attendance at the start and end of a shift, checking work at a client site, running jobs in the field. Fourth, the lawful basis, which for most small firms is legitimate interest, and it has to be reasoned rather than just asserted. Fifth, who receives the data, including any cloud provider. Sixth, how long you keep it. Seventh, the worker’s rights: access, rectification, erasure, restriction, objection, portability, and the right to complain to the ICO.
It reads long. In reality, with a well-built template, it is a two-page document. Here is one you can use.
GPS employee privacy notice, 2026 template
What follows is a complete model, written around ICO guidance and the UK GDPR. Make it yours by filling in the fields in square brackets.
PRIVACY NOTICE ON THE PROCESSING OF PERSONAL DATA
Location tracking through a company mobile device
under articles 13-14 of the UK GDPR and the Data Protection Act 2018
Data controller: [Company name], registered at [address], company registration number [number], acting through its legal representative [full name]. Contact: [email/phone].
Data Protection Officer (DPO): [Full name / external firm], reachable at [DPO email]. (State “not appointed” where your size does not require one.)
Purposes of processing: Location data is collected solely to: (a) record attendance on entering and leaving work sites, (b) confirm that work has been carried out at client premises, (c) manage jobs and field assignments day to day. Position is captured only at the moment of clocking in and out (start and end of a shift or job), never continuously.
Lawful basis: The processing rests on the legitimate interest of the controller (article 6(1)(f) UK GDPR) in running the work properly and protecting company assets, and on the performance of the employment contract (article 6(1)(b) UK GDPR). The balancing of interests has been carried out in line with ICO guidance on monitoring workers.
Data processed: GPS coordinates (latitude, longitude) at the moment of clocking, date and time, device identifier, operator identifier.






