Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
Italy’s Data Protection Authority (Garante per la protezione dei dati personali) has imposed a €50,000 fine on a public entity for geolocating employees during remote working days using an app installed on company devices. Provision No. 135, issued on March 13, 2025, marks a pivotal moment in the protection of privacy within flexible work arrangements.
his measure follows the previous Provision No. 7 issued on January 16, 2025, by the Privacy Authority.
Geolocation and remote monitoring: a clear legal boundary
According to the Authority, using geolocation tools to track the physical location of remote employees violates Article 4 of the Workers’ Statute (Law 300/1970), as it constitutes remote monitoring not justified by lawful purposes such as workplace safety or asset protection.
Simply verifying whether the employee is working from one of the locations specified in their individual smart working agreement is not a legitimate purpose under the law. Even on remote working days, the use of electronic tools capable of monitoring employee activity requires specific, well-defined legal justifications.
Smart working is about flexibility—and personal freedom
Systematically geolocating employees working remotely was deemed particularly invasive, as it interferes with their private life—an aspect that remote work is supposed to safeguard. One of the primary objectives of smart working is to promote a better work-life balance, not increased surveillance.
The Authority emphasized that the use of the app “Time Relax,” which required GPS activation during clock-in and clock-out, was disproportionate and lacked a valid legal basis under data protection law.
Consent is not sufficient, and union agreements are not decisive
It was clarified that employee consent to GPS tracking does not constitute a valid legal basis for data processing, especially in an employment relationship characterized by a clear imbalance of power between employer and employee.
Similarly, any agreements made with trade unions do not legitimize data processing activities that violate the core principles of the GDPR (EU Regulation 2016/679), including lawfulness, purpose limitation, and data minimization.
Selective checks and disciplinary actions triggered the investigation
The case originated from a complaint filed by an employee who had been subjected to an internal inspection. The app required her to clock in with geolocation enabled and then send an email stating her exact location. When discrepancies were found between the recorded location and the one declared in her smart working agreement, disciplinary procedures were initiated—just as they were for other workers in the same situation.
The Authority determined that such checks were conducted on a sample of approximately 100 employees, involving the systematic collection of highly sensitive data, in clear violation of their fundamental rights.
Conclusion: protecting privacy in remote work is essential
This decision reaffirms that remote work must not become a covert form of surveillance. Any processing of employees’ personal data must adhere strictly to the principles of transparency, proportionality, and legitimate purpose.
Companies and public institutions must reevaluate their monitoring practices, avoiding invasive technologies and instead adopting less intrusive alternatives—such as performance reviews, goal tracking, or periodic activity reports.
