GPS and worker monitoring in Italy: what you need to stay compliant
Updated on 15 June 2026
What you need
For each obligation we tell you whether it applies in this country: Yes means required, It depends means only in certain cases, No means not required.
Trade union agreement (RSA/RSU) or authorisation from the Labour Inspectorate, before installing the system
YesrequiredGPS is a tool that can lead to remote monitoring of workers. Article 4 of the Workers' Statute allows it only after a trade union agreement with the RSA or RSU, or authorisation from the Territorial Labour Inspectorate. Installing it before this step, or using it differently from what was authorised, is the fastest route to a penalty.
Legge 20 maggio 1970, n. 300 (Statuto dei Lavoratori), art. 4
Written privacy notice to workers, complete and truthful (Article 13 GDPR)
YesrequiredThe worker must know clearly and truthfully that they are being geolocated, how, when and why (Article 13 GDPR). In the road haulage case the notice existed but was full of inconsistencies and typos: for the Garante that is the same as not having one.
Garante Privacy, Provvedimento del 16 gennaio 2025, n. 10112287
No continuous tracking: location collected only when needed (data minimisation)
YesrequiredFollowing the vehicle 24/7, breaks included, violates the data minimisation principle (Article 5 GDPR). Location is collected when it serves a legitimate purpose, not to always know where the person is. Continuous tracking is one of the reasons for the 50,000 EUR penalty against the road haulage company.
Garante Privacy, Provvedimento del 16 gennaio 2025, n. 10112287
Use of data only for the declared purpose, with no reuse for disciplinary sanctions
YesrequiredLocation data must be used only for the purpose for which it was collected. Reusing it for another purpose (for example data collected to verify the workplace and then used to start a disciplinary procedure) is a misuse of purpose, and the Garante always sanctions it. It is the mistake that cost the public body dearly in the ARSAC case.
Garante Privacy, Provvedimento del 13 marzo 2025, n. 10128005
Data Protection Impact Assessment (DPIA)
It dependsonly in certain casesFor processing of this kind a DPIA (Article 35 GDPR) is required when the risk is high. Omitting it, as in the public body case, is in itself a violation.
Garante Privacy, Provvedimento del 13 marzo 2025, n. 10128005
Data retention limited to the strictly necessary period
YesrequiredData is kept for the time necessary for the purpose, not "just in case" indefinitely. In the road haulage case, retention for 180 days contributed to the penalty.
Garante Privacy, Provvedimento del 16 gennaio 2025, n. 10112287
Legitimate and declared purpose (organisational, safety, protection of company assets)
YesrequiredOrganisational, safety or company asset protection needs are legitimate purposes. Never "checking what the employee does": that is exactly what Article 4 prohibits.
Legge 20 maggio 1970, n. 300 (Statuto dei Lavoratori), art. 4
The procedure, step by step
- 1
Complete the Article 4 procedure first, not later: an agreement with the trade union representatives (RSA or RSU) or authorisation from the Territorial Labour Inspectorate. Without it, you are out from the first minute.
- 2
Define a legitimate and declared purpose: organisational, safety or company asset protection needs. Never "checking what the employee does".
- 3
Prepare a complete and truthful privacy notice under Article 13 GDPR: no typos, no grey areas.
- 4
Apply data minimisation: collect only the data you need, only when you need it. No tracking during breaks, provide the ability to switch it off.
- 5
Limit retention: data is kept for the time necessary for the purpose, not indefinitely.
- 6
Carry out the impact assessment (DPIA) when the risk is high (Article 35 GDPR).
- 7
Keep a single purpose: data collected for one purpose is not reused to sanction. Ever.
- 8
If you switch systems: when you change your monitoring system or software, update and re-issue the privacy notice, and check whether the trade-union agreement (Art. 4) or the Labour Inspectorate authorisation needs renewing. The provider (data processor), the data collected and the methods often change: the one signed earlier is not enough.
Who to contact
Competent authority
The template to download
Scarica il fac-simile dell’informativa GPS, pronto da compilare
Modello di informativa privacy per la geolocalizzazione dei dipendenti, conforme all’art. 13 GDPR. Compila i campi tra parentesi e fallo verificare dal tuo consulente.
What you risk
EUR 120,000
Garante Privacy, newsletter of 29 January 2026: a company in the seed sector, 5 employees, devices on vehicles that monitored the workers' driving style.
Cite this page
You're free to cite it, as long as you credit the source with a link to this page.
GPS and worker monitoring in Italy: what you need to stay compliant — GeoTapp. https://geotapp.com/en-au/resources/gps-workers-eu/italy/Fonte: <a href="https://geotapp.com/en-au/resources/gps-workers-eu/italy/?utm_source=citazione&utm_medium=referral&utm_campaign=risorse">GPS and worker monitoring in Italy: what you need to stay compliant — GeoTapp</a>© 2026 GeoTapp. Data compiled and verified by GeoTapp. For full republication of the dataset or commercial use, get in touch.
Sources
- Garante Privacy, Provvedimento del 16 gennaio 2025, n. 10112287
- Garante Privacy, Provvedimento del 13 marzo 2025, n. 10128005
- Garante Privacy, newsletter del 29 gennaio 2026 (sanzione settore sementi)
- Legge 20 maggio 1970, n. 300 (Statuto dei Lavoratori), art. 4
- Regolamento UE 2016/679 (GDPR), artt. 5, 13, 25, 35, 88
This is an informational resource, not legal advice. Before activating a monitoring system, have your situation checked by a professional.
Want a system that is already compliant?
GeoTapp records the location only at clock-in, not continuously, and generates the notice for workers to sign. Try it for free.
Try GeoTapp for free