“Employers may not geolocate employees working remotely.” This was the position expressed by the Italian Data Protection Authority (i.e. “Garante per la protezione dei dati personali”), which imposed a €50,000 fine on a company that tracked the geographic location of randomly selected employees on days they were performing their duties remotely.
The case
The Authority’s investigation revealed that the company regularly carried out checks aimed at determining the exact location of employees connected from remote locations.
Specifically, a randomly selected employee would be contacted by a colleague tasked with conducting such checks, within the employee’s availability window. The employee was asked to perform a double clock-in using the company’s software application (which had been subject to negotiation with trade union representatives). Immediately following the call, the employee was instructed to declare their precise location via email to the designated “controller.” The latter would then verify the consistency between the locations declared by the employee via email, those indicated in the individual remote work agreement, and those recorded by the company’s system.
The Authority further observed that:
- While the employer’s interest in monitoring compliance with the employee’s duty of diligence – legitimately pursued either directly or through the employer’s organizational hierarchy (Articles 2086 and 2104 of the Italian Civil Code) – falls within management prerogatives, such objectives may not be pursued through remote technological tools that, by mechanically and inflexibly reducing personal freedom and dignity, result in direct surveillance of the employee’s work activities. Such monitoring is not permitted under the applicable legal framework or the constitutional system, as it does not fall within any of the limited purposes expressly allowed by law – namely, organizational and production-related needs, workplace safety, or protection of corporate assets (Article 4 of the Italian Workers’ Statute).
- As a result, pursuing a purpose of direct control through such means is not admissible under Italian law – even where a collective agreement with the company’s trade union representatives or works council exists – since such a purpose lies outside the scope of the statutory protections established in this area.
The existence of a union agreement is, in fact, a necessary but not sufficient condition for the overall lawfulness of the data processing and compliance with personal data protection principles.
Remote work and geolocation: best practices
✓ Remote work arrangements, unlike on-site work at the employer’s premises, are typically characterized by flexibility, both in terms of time and place—subject, where applicable, to agreed periods of availability.
✓ Any monitoring of remote work performance may appropriately consist of:
• periodic reports or summary documentation prepared by the employee on the activities performed;
• discussions held during on-site workdays to evaluate progress toward assigned objectives.
✓ The use of technological tools that may enable remote surveillance of employee activities is permitted only when strictly aimed at one of the statutory purposes (“organizational and production-related needs,” “workplace safety,” or “protection of corporate assets”), and only in full compliance with the procedural safeguards provided under applicable law.
Other related insights:
