Employee geolocation: the Italian Data Protection Authority reaffirms its enforcement approach

published on 22 April 2025 | reading time approx. 4 minutes


With its decision dated 16 January 2025, published in the newsletter of 21 March 2025, the Italian Data Protection Authority (“Garante” or “Authority”) imposed a fine of EUR 50,000 on a transport company (“Company” or “Employer”) for unlawfully processing personal data through the use of a geolocation system installed on corporate vehicles.

The sanction was triggered by a complaint filed by a former employee, who alleged that:
  • he had not received adequate information on the processing of his personal data via the geolocation system installed on the company vehicle used for daily work activities; 
  • the Company had breached the procedural safeguards set out in Article 4 of Italian Law No. 300/1970 (the “Workers’ Statute”).

During the investigation, it emerged that the geolocation system – provided by a third-party vendor – was used by the Company for safety and asset protection purposes, as well as for internal organisational reasons.

At the conclusion of the investigation, the Authority found that the privacy notice provided to employees was inadequate and unclear, containing errors, poorly defined roles, and references to unrelated third parties. Moreover, the system allowed for a more direct association between geolocation data and employee identity than the Company had declared. In fact, the system enabled continuous tracking of vehicle location, ignition status, telemetry, and indirectly, of the employee’s work activity – including their breaks.

The system also stored the collected data for 180 days, which the Authority deemed excessive and disproportionate under the principle of data minimisation as set out in Article 5(1)(c) of Regulation (EU) 2016/679 (“GDPR”). Furthermore, this retention period was inconsistent with the provisions authorised by the competent Territorial Labour Inspectorate.

In light of these findings, the Garante concluded that the Company had engaged in systematic and disproportionate monitoring of its employees through the geolocation system.

This decision serves as yet another reminder from the Authority that processing employees’ personal data – particularly when it involves forms of remote surveillance – must be properly regulated within the organisation. If not, such processing may trigger significant compliance risks and sanctions, particularly in light of both the GDPR and Italian labour law provisions, such as the Workers’ Statute.

To mitigate these risks, companies adopting geolocation systems on tools or vehicles used by employees to perform work duties should ensure the following:
  • a clear and updated privacy notice is in place, consistent with the declared purpose of geolocation. This should clearly explain how employee personal data is collected and processed through tracking systems;
  • the geolocation system should allow for technical configurations that limit direct identifiability of employees where not necessary. For instance, tracking should be disabled during breaks and anonymisation mechanisms should be implemented accordingly;
  • the company’s internal policy on the use of corporate tools – such as devices and IT applications – should be updated to transparently and comprehensively describe the operation of the geolocation system, including its ability to track employee movements for legitimate purposes (e.g. physical safety or asset protection);
  • the company should ensure compliance with the authorisation granted by the competent Italian Labour Inspectorate, or, where applicable, the agreement reached with trade union representatives. These measures are essential to balance the company’s legitimate interests with the rights of employees and to avoid unlawful remote surveillance;
  • the geolocation system should be configured to collect only the personal data strictly necessary for the declared purposes, in line with the accountability principle and data minimisation under the GDPR;
  • where technically feasible, companies should implement audit and logging functions to track access to geolocation data by authorised personnel;
  • a Data Protection Impact Assessment (DPIA) should be conducted under Article 35 GDPR, to reinforce the controller’s accountability and provide a solid justification for the geolocation processing;
  • when possible, the geolocation system should present a brief contextual privacy notice upon activation of the tracking function. This initial message should inform the employee about the purpose and method of data processing, with a link to the full privacy policy, ensuring the highest level of transparency.


author

Tommaso Mauri, Attorney (Avvocato), Associate

Martina Ortillo, Attorney (Avvocato), Manager

RÖDL & PARTNER ITALY