“Employers may not geolocate employees working remotely.” This was the position expressed by the Italian Data Protection Authority (i.e. “Garante per la protezione dei dati personali”), which imposed a €50,000 fine on a company that tracked the geographic location of randomly selected employees on days they were performing their duties remotely. 

The case 

The Authority’s investigation revealed that the company regularly carried out checks aimed at determining the exact location of employees connected from remote locations. 

Specifically, a randomly selected employee would be contacted by a colleague tasked with conducting such checks, within the employee’s availability window. The employee was asked to perform a double clock-in using the company’s software application (which had been subject to negotiation with trade union representatives). Immediately following the call, the employee was instructed to declare their precise location via email to the designated “controller.” The latter would then verify the consistency between the locations declared by the employee via email, those indicated in the individual remote work agreement, and those recorded by the company’s system. 

The Authority further observed that: 

• While the employer’s interest in monitoring compliance with the employee’s duty of diligence – legitimately pursued either directly or through the employer’s organizational hierarchy (Articles 2086 and 2104 of the Italian Civil Code) – falls within management prerogatives, such objectives may not be pursued through remote technological tools that, by mechanically and inflexibly reducing personal freedom and dignity, result in direct surveillance of the employee’s work activities. Such monitoring is not permitted under the applicable legal framework or the constitutional system, as it does not fall within any of the limited purposes expressly allowed by law – namely, organizational and production-related needs, workplace safety, or protection of corporate assets (Article 4 of the Italian Workers’ Statute). 

• As a result, pursuing a purpose of direct control through such means is not admissible under Italian law – even where a collective agreement with the company’s trade union representatives or works council exists – since such a purpose lies outside the scope of the statutory protections established in this area. 

The existence of a union agreement is, in fact, a necessary but not sufficient condition for the overall lawfulness of the data processing and compliance with personal data protection principles. 

Remote work and geolocation: best practices 

✓ Remote work arrangements, unlike on-site work at the employer’s premises, are typically characterized by flexibility, both in terms of time and place—subject, where applicable, to agreed periods of availability. 

✓ Any monitoring of remote work performance may appropriately consist of: 

• periodic reports or summary documentation prepared by the employee on the activities performed; 

• discussions held during on-site workdays to evaluate progress toward assigned objectives. 

✓ The use of technological tools that may enable remote surveillance of employee activities is permitted only when strictly aimed at one of the statutory purposes (“organizational and production-related needs,” “workplace safety,” or “protection of corporate assets”), and only in full compliance with the procedural safeguards provided under applicable law. 

Other related insights:  

• DID YOU KNOW THAT… The INL has provided its operational guidelines for the issuance of authorisations under Article 4 of the Workers’ Charter?

The Personal Data Protection Authority issued Order no. 247/2017 in response to a request for preliminary verification, lodged by a company working in the field of refuse collection and concerning a system of geolocation installed on vehicles and mobile equipment used by employees. The aim of this system was to ensure a safer, more organised and productive working environment, in addition to ensuring the protection of company assets, and the company had acquired approval for their installation from the Territorial Labour Department. According to the Privacy Authority, it is forbidden to install a geolocation system which constantly monitors workers, even if the procedural guarantees under Art. 4 of the Workers’ Charter have been carried out. The Privacy Authority emphasised that control is lawful only in the case of predetermined events, about which the employees themselves must have been adequately informed. In addition, the Privacy Authority reasserted the fact that, with regard to the lawfully pursued aims, (i) only necessary, pertinent and non-excessive data can be processed and (ii) the period of storage of this data must be reasonable, except with regard to storage under any legal obligations relating to the Data Controller.