
GPS Employee Monitoring: Violation of the Right to Personal Data Protection and Privacy

31 Jul 2025

Modern technologies have significantly transformed the organization of work, especially in the context of remote work.

Accordingly, it is necessary to align the use of digital tools for managing working hours and monitoring employees with the rules on personal data protection.

This article analyses the decision of the Italian Data Protection Authority (“Garante”), No. 10128005 dated March 13, 2025 (“Decision”), which found multiple violations of the provisions of the General Data Protection Regulation (“GDPR”) and relevant Italian legislation due to the manner in which the Employer conducted GPS tracking of employees during remote work.

The Decision is significant as it establishes limits on the lawfulness of employee monitoring and the obligations of employers concerning the protection of employees’ personal data and privacy.

Facts of the Case

The Regional Agency for Agricultural Development of Calabria (“Employer” or “Controller”) introduced a remote work regime requiring employees to use an application daily to track working hours.

Specifically, employees were obliged to enable geolocation on their devices (computer or phone), and the application collected their geographical coordinates when logging in and out.

The Employer used this data to verify whether employees performed work from the locations specified in their individual employment agreements.

In addition to this tracking, the Employer conducted targeted checks by calling employees during working hours and requiring them to perform a double check-in/check-out via the application. Employees were also required to send an email indicating the exact address where they were, which the Employer then cross-checked against the app data.

In one case, based on such targeted control, the Employer initiated disciplinary proceedings against an employee due to a discrepancy between the reported work location and the geolocation data established by the Employer during the check.

The employee filed a complaint with Garante, alleging that his rights to personal data protection were violated.

During the proceedings before Garante, the Employer argued that this practice served organizational needs, aims related to employee safety and health protection, and legitimate interests of the employer, and that employees had given consent to such data processing.

Decision

Garante found that the Employer violated the GDPR and Italian labor and data protection laws and imposed a monetary fine.

Reasoning

Italian labor law prohibits direct and continuous tracking of employees at work through geolocation or other technological means. Such monitoring is permitted only exceptionally for purposes like organizational needs, health and safety at work, or property protection. In this case, the monitoring, as assessed by the Authority, did not meet such criteria.

For the processing to be lawful, it must not be mass or indiscriminate; it must be applied specifically, in a non-invasive manner, proportionately to the purpose, and only after less restrictive measures have been exhausted.

Given the systematic collection of precise location data, Garante considered that such processing exceeded what was necessary for managing remote work and violated the data minimization principle under Article 5(1)(c) GDPR.

Furthermore, this processing infringed European standards on workplace privacy protection, as it interfered with employees’ private lives, breaching the right to privacy guaranteed by Article 8 of the European Convention on Human Rights, as confirmed by the European Court of Human Rights’ case law.

Although the Employer claimed the processing was based on employee consent, Garante rejected this claim.

Primarily, Garante found that the Employer failed to comply with Article 13 GDPR requirements because employees were not adequately informed about the processing; the information notice lacked all mandatory elements, meaning employees were not made clearly, transparently, and fully aware of the specific processing of their personal data.

Moreover, as confirmed by the European Data Protection Board (“EDPB”) guidelines and prior national cases, consent given in an employment context cannot be considered freely given (Article 4(11) GDPR) due to the imbalance of power between employer and employee, making employees vulnerable to pressure or fear regarding their employment status or working conditions.

In these circumstances, Garante concluded that the processing was not lawful, fair, and transparent in relation to the data subject (principle of lawfulness, fairness, and transparency under Article 5(1)(a) and Article 6 GDPR), that the data was not collected for specified, explicit, and legitimate purposes (purpose limitation principle under Article 5(1)(b) GDPR), and that the processing did not comply with Italian labor and data protection laws (Article 88 GDPR).

Garante also found that the Employer did not implement technical and organizational measures to limit data processing to the minimum necessary personal data (data protection by design and by default, Article 25 GDPR).

Since data collection was unlawful, its further use in disciplinary proceedings was also unlawful.

Finally, Garante emphasized the Employer’s obligation to conduct a Data Protection Impact Assessment (“DPIA”) pursuant to Article 35 GDPR, which was neglected. Given the high risk that geolocation tracking poses to employees’ rights and freedoms — especially considering their vulnerability in the workplace and the systematic nature of monitoring, as foreseen by EDPB guidelines — this was a significant oversight. 

Conclusion

The Garante’s decision confirms that GPS employee monitoring must be carefully planned, proportionate, and lawful, respecting GDPR principles — especially lawfulness, transparency, minimization, purpose limitation, and data protection by design/default. 

The reasoning of Garante is fully applicable domestically, considering Serbia’s Personal Data Protection Law follows GDPR logic and legal solutions, and the national Commissioner for Information of Public Importance and Personal Data Protection bases its practice on European data protection authorities’ precedents.

It is particularly important to highlight that employee consent for this kind of data processing cannot be regarded as freely given, and controllers must therefore identify an alternative appropriate legal basis for processing.

Failure to conduct a DPIA in cases involving systematic, high-risk monitoring such as GPS tracking in the workplace constitutes a serious violation.

Thus, employee monitoring must rest on lawful grounds and be conducted respecting privacy principles and the dignity of employees at work.

Author:

Borinka Dobrnjac, Senior Associate
Email(s): borinka.dobrnjac@prlegal.rs; legal@prlegal.rs;