Italy fines public body over GPS tracking breach
The Italian Data Protection Authority (IDPA) has issued a US$58,613 fine for the unlawful tracking of employees’ GPS locations, as reported by Data Guidance on May 12, 2025.
The fine was levied against a regional public agency that utilized the Time Relax employee monitoring app to track the physical locations of employees while they worked remotely.
The core issue revolved around whether the agency had proper consent to use GPS location tracking to validate whether staff were working from their declared remote locations.
Whereas tracking employees’ location is a legal and accepted practice popular amongst employers that hire remote staff, in this instance, the IDPA found that proper consent procedures had not been followed, violating key areas of the General Data Protection Regulation (GDPR).
The employer claimed that written consent had been sought from employees, however, the IDPA ruled that this alone could not be relied upon.
GDPR and Consent – What Employers Should Know
Under GDPR, valid consent must be freely given, specific, informed, and easy to withdraw. Because of the inherent power imbalance in the employer-employee relationship, employers cannot rely on signed consent documents alone.
Employee data should only be stored where specific circumstances allow, including:
- It’s necessary to fulfil the employment contract, for example, using an employee’s location for billing purposes.
- There is a requirement to meet legal obligations, such as complying with local labor laws.
- There are justifiable, legitimate business interests, as long as those interests do not override the employee’s right to privacy.
What Can We Learn From the Ruling?
This ruling is a stark warning for organizations where GDPR applies. Any form of surveillance that lacks a solid legal basis or fails to meet data standards could lead to serious penalties or fines.
Employers must avoid assuming that employee consent alone can justify data recording and employee monitoring practices. In the eyes of the law, consent must be freely given, which is difficult to establish in hierarchical workplace environments.
Furthermore, the IDPA clarified that no collective labour agreement or internal company policy can override GDPR protections. Surveillance measures must always respect an employee’s fundamental rights.
The ruling aligns with broader European regulatory trends that stress digital privacy, including within hybrid and remote work settings. Regulators have repeatedly emphasized that digital tools used in managing remote employees must not infringe on personal boundaries.
Notably, the IDPA stated that all employees, regardless of whether they work onsite or remotely, are entitled to the same level of data protection.
The case has also sparked discussions on how remote monitoring tools should be designed to comply with both GDPR and national labor laws. Privacy must be an integral part of time tracking and attendance tools.
Can Employers Track Employees’ GPS Locations?
Yes, but only if done lawfully. GDPR does not prohibit GPS tracking altogether. It reinforces that employers must use such tools transparently, with a valid legal basis, and only when it’s necessary and proportionate.
Related Content:
Employee GPS Tracking: Is it Legal in the US?
You Need This in Your Next GPS Time Tracker
Automated Time Tracking: Geofencing for Seamless Clock-In and Out
Create an account and take the hassle out of time tracking - it's FREE forever for unlimited users!
