The Italian Data Protection Authority (Garante) recently issued a significant decision, imposing a fine of 50,000 euros on a company for unlawful employee monitoring through GPS tracking systems. The sanction followed an investigation into the company’s failure to comply with both national labour law and the EU General Data Protection Regulation (GDPR)—despite having received prior authorisation from the Ispettorato del Lavoro (Labour Inspectorate), which had provided clear guidance on how to carry out the processing lawfully.

The company had implemented a GPS-based vehicle tracking system for employees, obtaining the required authorisation from the Labour Inspectorate. However, this authorisation was conditional: it included specific technical and organisational safeguards to ensure compliance with data protection principles. The company failed to apply those safeguards in practice, leading to serious violations of employee rights and GDPR obligations.

The investigation revealed that the GPS system was configured in an intrusive and disproportionate way. It enabled continuous tracking of the vehicle’s position, even during employee breaks, and collected a detailed set of data that went well beyond location. Employees were not properly informed, and no feature was provided to restrict tracking outside of working hours. This resulted in unjustified, persistent surveillance.

Functioning of the GPS System and Monitoring Activity

The GPS tracking system processed a broad set of data types, including:

  • Real-time geolocation data;
  • Telemetry data such as speed, vehicle status, and kilometres travelled;
  • Chronotachograph (tachograph) data tied to the Driver Identification Number (DIN), i.e. the driver's identity together with driving times, speed, and rest periods.

These data were collected continuously, including during non-working periods such as breaks, and were retained for 180 days, well beyond what is necessary for the declared purposes of "fleet management and asset protection".

Though the system included a so-called “privacy button” (which would have allowed employees to disable tracking during personal use), the company chose not to activate it. As a result, workers had no way to control or limit tracking, even when the vehicle was not being used for professional purposes.

The Garante concluded that this mode of processing—continuous geolocation, the lack of an opt-out mechanism, and extended retention—was excessive and disproportionate to the purposes pursued, clearly breaching the principles of data minimisation and storage limitation under Article 5 GDPR.

Moreover, the company failed to implement the specific guarantees set out in the Labour Inspectorate’s authorisation. These included:

  • Ensuring non-continuous tracking of the vehicle;
  • Applying anonymisation techniques to reduce identifiability of individuals;
  • Implementing technical solutions to prevent the collection of unnecessary or excessive data.

Because these safeguards were not followed, the processing was not only disproportionate, but also unlawful.
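What those three safeguards (non-continuous tracking, pseudonymisation of the driver, a hard limit on what is collected), together with an honoured privacy button and a retention window, look like as an ingestion-side control. This is an added example written for this page, not code from the decision or from the company's system. The record layout, the working-hours window, the 15-minute sampling interval, the 30-day retention, the keyed-HMAC pseudonymisation and the sample feed are all assumptions made for the illustration.

```python
"""Ingestion-side safeguards for a vehicle GPS telemetry feed (added example).

Assumes a feed whose records carry the fields below and an in-vehicle
"privacy button" whose state reaches the backend as a boolean flag.
"""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class RawEvent:
    ts: datetime
    vehicle_id: str
    driver_din: str      # driver identification number read from the tachograph
    lat: float
    lon: float
    speed_kmh: float     # telemetry the stated purpose does not need
    odometer_km: float
    privacy_mode: bool   # True while the driver has the privacy button pressed


@dataclass(frozen=True)
class StoredEvent:
    """What actually reaches storage: position, vehicle, pseudonymised driver."""
    ts: datetime
    vehicle_id: str
    driver_ref: str      # keyed pseudonym, never the raw DIN
    lat: float
    lon: float


@dataclass(frozen=True)
class Policy:
    work_start: time = time(8, 0)                    # assumed contractual window
    work_end: time = time(18, 0)
    min_interval: timedelta = timedelta(minutes=15)  # non-continuous tracking
    retention: timedelta = timedelta(days=30)        # storage limitation


def pseudonymise(din: str, secret: bytes) -> str:
    # Keyed HMAC: fleet operators querying positions cannot reverse the
    # reference without the key, which stays with the controller (e.g. HR).
    return hmac.new(secret, din.encode(), hashlib.sha256).hexdigest()[:16]


def in_working_hours(ts: datetime, policy: Policy) -> bool:
    # Monday..Friday inside the window; weekend rule is an assumption.
    return ts.weekday() < 5 and policy.work_start <= ts.time() < policy.work_end


def minimise(events: Iterable[RawEvent], policy: Policy, secret: bytes) -> List[StoredEvent]:
    """Drop privacy-mode and off-hours events, thin the rest to one point per
    min_interval per vehicle, and keep only the fields the purpose needs."""
    last_kept: Dict[str, datetime] = {}
    kept: List[StoredEvent] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.privacy_mode or not in_working_hours(ev.ts, policy):
            continue
        prev = last_kept.get(ev.vehicle_id)
        if prev is not None and ev.ts - prev < policy.min_interval:
            continue
        last_kept[ev.vehicle_id] = ev.ts
        kept.append(StoredEvent(ev.ts, ev.vehicle_id,
                                pseudonymise(ev.driver_din, secret), ev.lat, ev.lon))
    return kept


def purge_expired(stored: Iterable[StoredEvent], now: datetime, policy: Policy) -> List[StoredEvent]:
    """Retention job: anything older than the policy window is deleted."""
    cutoff = now - policy.retention
    return [s for s in stored if s.ts >= cutoff]


# Constructed sample feed for one vehicle (not real telemetry).
SECRET = b"example-pseudonymisation-key"
SAMPLE = [
    RawEvent(datetime(2024, 1, 10, 10, 0), "V1", "DIN-001", 45.46, 9.19, 40.0, 1000.0, False),
    RawEvent(datetime(2024, 3, 4, 9, 0), "V1", "DIN-001", 45.47, 9.20, 30.0, 1200.0, False),
    RawEvent(datetime(2024, 3, 4, 9, 5), "V1", "DIN-001", 45.48, 9.21, 35.0, 1203.0, False),   # too soon
    RawEvent(datetime(2024, 3, 4, 9, 20), "V1", "DIN-001", 45.49, 9.22, 50.0, 1210.0, False),
    RawEvent(datetime(2024, 3, 4, 12, 30), "V1", "DIN-001", 45.50, 9.23, 0.0, 1230.0, True),   # privacy button
    RawEvent(datetime(2024, 3, 4, 19, 0), "V1", "DIN-001", 45.51, 9.24, 60.0, 1260.0, False),  # after hours
]


def run_sample() -> List[StoredEvent]:
    """Ingest the sample, then run the retention job as of 5 March 2024."""
    policy = Policy()
    return purge_expired(minimise(SAMPLE, policy, SECRET), datetime(2024, 3, 5), policy)
```

Of the six constructed records only two survive: the 09:05 point is thinned out by the sampling interval, the 12:30 point is discarded because the privacy button was active, the 19:00 point falls outside working hours, and the January point is removed by the retention job. One caveat a practitioner would add: a backend filter still means the tracker transmitted the excess data, so the sampling interval and the privacy-mode suppression belong in the device configuration first, with this server-side step as the second line of defence and the place where retention is enforced.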

 

Focus: Employee Monitoring in Italy under Article 4 of the Workers’ Statute

In Italy, remote employee monitoring is strictly regulated by Article 4 of the Workers’ Statute (Law No. 300/1970). Employers are not free to monitor employees at will — specific legal safeguards must be respected. Monitoring tools such as GPS systems, video surveillance, or other remote technologies may only be used when the following conditions are met:

Prior Authorisation: Monitoring systems must be authorised by a trade union agreement or, in the absence of such an agreement, by the Labour Inspectorate (Ispettorato Nazionale o Territoriale del Lavoro).

Legitimate Purpose: The monitoring must serve specific purposes such as organisational or production needs, workplace safety, or protection of company assets.

Employee Information: Employees must be clearly and transparently informed about how the monitoring tools work, what data is collected, and how it is used.

Data Protection Compliance: The processing must respect GDPR principles: necessity, proportionality, relevance, and data minimisation.

Even when authorisation is granted, failing to comply with the agreed safeguards exposes the employer to sanctions from the Garante.

 

Despite holding formal authorisation, the company significantly deviated from the required safeguards. These included limiting tracking, applying anonymisation, and introducing technical limitations to reduce the risk of excessive data collection—none of which were implemented.

As a result, the Garante not only imposed a monetary fine but also issued a corrective order, requiring the company to implement the same measures previously set out in the Labour Inspectorate’s authorisation.

GDPR Violations Identified by the Garante

Art. 5(1)(a) – Lawfulness, fairness, transparency: The system was implemented in a way that contradicted the authorisation, with inadequate employee information.

Art. 5(1)(c) – Data minimisation: The continuous and detailed tracking went beyond what was necessary.

Art. 5(1)(e) – Storage limitation: Retention of data for 180 days was unjustified.

Art. 25 – Data protection by design and by default: The company failed to enable privacy-preserving features such as the "privacy button".

Conclusion

This decision is a clear reminder that authorisation is not enough. Employers must also faithfully implement the safeguards required under both GDPR and national labour law. Excessive and continuous tracking—particularly without transparency or employee control—violates fundamental rights and can trigger serious legal and financial consequences.

The case also reinforces the importance of technological restraint, privacy-conscious system design, and above all, the role of internal awareness: organisations must ensure that both management and technical teams understand their data protection obligations. The guidance of a qualified privacy counsel or DPO is essential to prevent such violations from occurring in the first place.