Unauthorized employee tracking: Italian Data Protection Authority penalizes public institution for illegal geolocation practices
In a landmark decision published on May 8, 2025, the Italian Data Protection Authority (IDPA) addressed the unlawful geolocation of employees by a regional public agency during remote work. The ruling, available on the IDPA's official website (Provvedimento n. 10128005 - Garante Privacy), reinforces the importance of integrating privacy into the design and implementation of remote working tools.
The case centred on the use of the Time Relax attendance tracking application, which registered employees' GPS location at clock-in and clock-out during remote work. The employer used this tool to verify whether employees were physically located in the areas specified in their individual remote working agreements.
However, the IDPA found that the employer's geolocation of employees was incompatible with both EU and national data protection law. The employer failed to demonstrate a valid legal basis for the processing of location data, and the IDPA deemed the approach of seeking employee consent fundamentally flawed in the employment context.
The ruling emphasizes fundamental data protection principles and clarifies the limits of employee monitoring in the context of remote working. It underlines that employers must have a legitimate legal basis to track employee location and must clearly inform employees about the purpose, scope, and duration of the tracking. Geolocation data should only be collected for specific, explicit, and legitimate purposes, such as validating attendance, and not used for unrelated reasons.
Moreover, the decision highlights that only the minimum necessary location data should be collected, avoiding continuous or excessive tracking beyond what is needed for attendance verification. Appropriate technical and organisational measures must be in place to protect geolocation data from unauthorised access, breaches, or misuse.
Employees retain rights to access their data, challenge inaccurate information, and potentially restrict processing when it infringes on their rights, especially regarding privacy outside working hours. Tracking should be proportionate to the purpose and not overly intrusive, particularly respecting employee privacy in remote work contexts.
The IDPA's decision serves as a timely reminder that GDPR compliance in employment contexts requires substantive and demonstrable adherence to privacy principles. It is crucial for employers to understand that no distinctions in data protection can be drawn based on employment sector, geographic location, or method of work.
Regulators across Europe are increasingly vigilant about this issue. The use of new technologies in managing the workplace cannot come at the cost of the fundamental rights to privacy and dignity. The IDPA's decision emphasizes that no form of negotiated agreement can override the obligations set out by the GDPR, nor can such an agreement justify invasive monitoring practices that undermine an employee's dignity and private life.
In conclusion, the IDPA's ruling underscores the importance of balancing the needs of employers to monitor remote work attendance with the rights and privacy of employees. Employers must ensure they have a clear legal basis for tracking employee location, collect only the minimum necessary data, and implement robust security measures to protect this data.
The IDPA's ruling also stresses the need for employers to ensure they do not intrude on their employees' privacy while administering remote work, particularly when it comes to sports activities during non-work hours. Employers must avoid monitoring employee location beyond what is necessary for work-related purposes, and should not use location data collected for attendance verification to track sports activities or invade privacy outside working hours.