GPS and worker monitoring in Alemanha: what you need to stay compliant

What you need

For each obligation we tell you whether it applies in this country: Yes means required, It depends means only in certain cases, No means not required.

• Agreement with the works council (Betriebsvereinbarung) before installation, under section 87 BetrVG

  It dependsonly in certain cases

  In Germany the co-determination of the Betriebsrat is mandatory for technical systems capable of monitoring the conduct or performance of workers (section 87(1) no. 6 BetrVG): without an agreement with the works council the system cannot be activated. But this applies ONLY where a Betriebsrat exists; many SMEs do not have one, and then this step does not apply (the entire GDPR still applies). What matters is the objective capability to monitor, not the employer's intention.

  Betriebsverfassungsgesetz, § 87 (cogestione del consiglio aziendale)

• Authorization from a labour authority before installation

  Nonot required

  Germany does not require prior authorization from a labour authority (there is no equivalent of the Italian Labour Inspectorate). The filter is the agreement with the works council; the data protection authority acts only as a supervisory body, and is consulted in advance only in the case of Article 36 GDPR (high residual risk that cannot be mitigated, identified by the DPIA).

  Betriebsverfassungsgesetz, § 87 (cogestione del consiglio aziendale)

• Valid legal basis for the processing (Article 6 GDPR)

  Yesrequired

  A legal basis is required. Note: after the CJEU judgment C-34/21 of 30 March 2023, section 26 BDSG is no longer sufficient on its own as a standalone basis; the processing must be grounded directly on Article 6 GDPR (e.g. performance of the contract, legal obligation, legitimate interest with a balancing test). A possible dedicated law (Beschäftigtendatengesetz) is under discussion but does NOT appear to be in force.

  Garante del Baden-Württemberg, FAQ sulle basi giuridiche dei dati dei dipendenti (sentenza CGUE C-34/21)

• Privacy notice to workers (Article 13 GDPR)

  Yesrequired

  Workers must be clearly informed about which location data is collected, how, when and why.

  Regolamento UE 2016/679 (GDPR)

• Prohibition of continuous tracking (data minimisation, Article 5 GDPR)

  Yesrequired

  The German authority is clear: systems that allow permanent monitoring of employees are in principle unlawful, and workers must not be exposed to constant monitoring pressure. Location is collected only when it serves a legitimate purpose (e.g. safety of a lone worker, protection of the cargo), not continuously.

  Garante della Renania-Palatinato, guida sulla localizzazione GPS dei dipendenti

• Data protection impact assessment (DPIA) for the geolocation of employees

  Yesrequired

  The geolocation of employees is expressly on the DSK list of processing operations that require a data protection impact assessment (Article 35 GDPR). It must be carried out before activating the system.

  Lista DSK dei trattamenti che richiedono una valutazione d'impatto (settore privato)

The procedure, step by step

1. 1

   If a Betriebsrat exists, negotiate and sign the Betriebsvereinbarung before activating (section 87 BetrVG).

2. 2

   Identify a valid legal basis under Article 6 GDPR (no longer section 26 BDSG alone, after the C-34/21 judgment).

3. 3

   Carry out the data protection impact assessment (DPIA): it is required for the geolocation of employees.

4. 4

   Provide the privacy notice to the workers (Article 13 GDPR).

5. 5

   Configure the system with data minimisation: no continuous tracking, location only when needed.

6. 6

   If the DPIA reveals a high residual risk that cannot be mitigated, consult the data protection authority of your Land in advance (Article 36 GDPR).

7. 7

   If you switch systems: when you change your monitoring system or software, update and re-issue the privacy notice, and check whether the national agreement or authorisation for remote monitoring needs renewing. The provider (data processor), the data collected and the methods often change: the one provided earlier is not enough.

Who to contact

What you risk

Sources

• Betriebsverfassungsgesetz, § 87 (cogestione del consiglio aziendale)
• Bundesdatenschutzgesetz, § 26 (dati dei lavoratori)
• Garante del Baden-Württemberg, FAQ sulle basi giuridiche dei dati dei dipendenti (sentenza CGUE C-34/21)
• Regolamento UE 2016/679 (GDPR)
• Garante della Renania-Palatinato, guida sulla localizzazione GPS dei dipendenti
• Lista DSK dei trattamenti che richiedono una valutazione d'impatto (settore privato)
• BfDI, elenco delle autorita garanti per la protezione dei dati dei Land
• Garante di Amburgo, comunicato del 1 ottobre 2020 (sanzione H&M)
• BayLDA, autorita garante della Baviera
• BlnBDI, autorita garante di Berlino