Smart Working and Geolocation: The Recent Decision of the Italian Data Protection Authority


Authors: Giovanni Cortese, Laura Senatore, Lorenzo Covello

 

 

By a decision dated 13 March 2025[1] (the “Decision”), the Italian Data Protection Authority (the “Authority”) found that the processing of geolocation data by a regional company for agricultural development (the “Company”), in relation to its remote working employees, was unlawful.

The Decision stemmed from a complaint filed by an employee and a report submitted by the Public Function Inspectorate concerning the Company’s use of geolocation systems to verify the correspondence between the real-time geographic location of remote working employees and the locations declared in their individual smart working agreements with the Company.

Following an investigation, the Authority identified multiple violations of data protection legislation, particularly with respect to the principles of lawfulness, fairness, transparency, and purpose limitation, in the Company’s use of geolocation data. The Authority reached this finding even though the Company had concluded an agreement with trade union representatives under Article 4 of the Italian Workers’ Statute[2] and had obtained the employees’ consent to geolocation.

 

The Geolocation System

The Company used an application which recorded the real-time geographic location, together with the date and time of the start and end of the working activity of remote working staff when they clocked in and out, subject to their consent. The location data was then compared with that specified in the individual smart working agreements to verify that it matched.

 

The geolocation monitoring was also used for random checks: for example, selected employees were contacted during their on-call availability period and asked to clock in in real time. The recorded coordinates were also matched against the work locations that were formalized in the agreements with the Company. The outcomes of these checks were documented and forwarded to the Director General. In some instances, the checks led to disciplinary proceedings.

 

The Violations Identified

The Company relied on three main arguments to justify the lawfulness of such processing and in particular, the use of geolocation systems. According to the Company, the processing was grounded on a valid legal basis as:

  • A specific agreement had been signed with trade union representatives for the use of tools capable of remote employee monitoring, as envisaged by Article 4(1) of the Workers’ Statute;
  • The legal basis could be found in the Company’s Resolution which regulated smart working and provided for the use of geolocation systems; and
  • In any case, employees’ consent to geolocation had been obtained.

The Authority first clarified that signing an agreement with trade union representatives is insufficient to legitimize data processing that potentially entails remote monitoring of workers’ activity. Under Article 4(1) of the Workers’ Statute, such tools are permissible only when aimed at specific purposes, namely “for organisational and production needs”, “for workplace safety”, or “for the protection of company assets”. In this case, the Company failed to demonstrate that the geolocation system served any of these purposes. The tool was designed to verify employees’ presence at declared locations, resulting in a form of direct monitoring. In the Decision, the monitoring was found to be neither incidental, indirect, nor unintended, and its nature was pivotal to the Authority’s reasoning. Such direct monitoring is inherently inadmissible, as it is incompatible not only with labour law[3] but also with the Italian constitutional framework. This stance is well established in both the Authority’s precedents and the case law it references.[4]

The Authority further excluded the possibility of grounding the processing on the Company’s Resolution or its internal regulations on smart working. Regardless of whether such documents qualify as General Administrative Acts under Italian Law, the Authority reiterated that they cannot override or derogate from higher-ranking norms, such as the GDPR or the Italian Workers’ Statute. Such documents can only have supplementary effect and cannot independently legitimize the processing of personal data such as geolocation, which must be based on legal grounds defined by law and comply with the principles of proportionality, necessity, and existing constitutional protections.

Thirdly, the Authority dismissed the argument that the employee’s consent could serve as a valid legal basis for geolocation monitoring. The Authority reaffirmed its past interpretation[5] which stated that, in the context of an employment relationship, consent cannot be regarded as freely given and therefore does not constitute a valid legal basis under Article 6 of the GDPR.

In addition to violations of the principles of lawfulness, fairness, transparency, and purpose limitation, and the lack of a valid legal basis, the Authority noted further unlawful aspects of the processing. Specifically, the features of the geolocation application were deemed disproportionate to the stated purpose, resulting in systematic collection of unnecessary data, in violation of the principle of data minimisation (Article 5(1)(c) GDPR) and the prohibition on processing irrelevant data (Article 113 of the Italian Data Protection Code). The Authority also found the system lacked adequate measures to ensure data protection by design and by default (Article 25 GDPR), and that no data protection impact assessment (DPIA) had been conducted (Article 35 GDPR). Moreover, the privacy notice provided to employees was found to be inadequate, and the use of the collected data for initiating disciplinary procedures was unlawful, thereby violating the principles of lawfulness and purpose limitation (Articles 5 and 6 GDPR) and Article 2-decies of the Italian Data Protection Code, which prohibits such use.

On these grounds, the Authority imposed a fine of EUR 50,000 on the Company for violations of Articles 5, 6, 13, 25, 35, and 88 of the GDPR and Article 113 of the Italian Data Protection Code, and ordered publication of the Decision on the Authority’s website, pursuant to Article 154-bis(3) of the Italian Data Protection Code.

 

Conclusions

In addition to providing practical guidance for public and private employers using technological tools to monitor employee activity, particularly in the context of smart working, the Authority’s Decision reaffirms the limits and safeguards imposed by the Italian legal framework to protect employees’ personal sphere against undue intrusions.

The use of such technologies is permissible only when genuinely necessary to pursue legitimate and narrowly defined statutory purposes. Otherwise, there is a serious risk of undermining the legal protections safeguarding employees’ freedom and dignity.

The Decision reveals some key operational principles that employers must take into account:

  • Integrated assessment of lawfulness of processing: Employers must assess the lawfulness of processing employees’ personal data by jointly considering the GDPR principles, labour law provisions, and constitutional protections of workers’ freedom and dignity (Articles 2, 3, and 41 of the Constitution). Reference should be made to the extensive case law of the Authority and the Supreme Court, which provide tools for balancing organizational needs with fundamental workers’ rights.
  • Direct monitoring not permitted: Even where the safeguards under Article 4(2) of the Workers’ Statute (trade union agreement or Labour Inspectorate authorization) are met, technological tools may only be used for the statutorily defined purposes (production needs, safety, protection of assets), and the monitoring must be indirect, incidental, or unintended. Direct, systematic, or targeted monitoring of work activities remains inadmissible.
  • “Direct” monitoring and smart working: Tools that enable real-time tracking of an employee during working hours amount to direct monitoring of work activity. Such tools are not permitted even if envisaged in a trade union agreement, unless they serve the limited purposes set forth in Article 4 of the Workers’ Statute and are deployed in a way that only allows for indirect monitoring.
  • Invalid Consent: An employee’s consent to geolocation tracking, even if formally obtained, cannot be considered a valid legal basis in the context of an employment relationship due to the inherent power imbalance between the parties.
  • Internal resolutions insufficient: Company regulations, internal acts, or resolutions cannot derogate from higher-ranking legal norms. The introduction of monitoring tools must always comply with the constitutional framework safeguarding workers’ freedom and dignity and with the principles laid down by the GDPR and the Italian Data Protection Code, including the Workers’ Statute provisions referenced therein.
  • Mandatory DPIA and privacy by design/by default: Before implementing systems capable of even potentially monitoring employees, a data protection impact assessment (DPIA) must be conducted and the DPO consulted, pursuant to Article 35 GDPR. Adequate privacy by design and by default measures must also be adopted, under Article 25 GDPR.
  • Transparent privacy notice and limited data use: Employees must be properly informed about data processing, in accordance with Article 13 GDPR. In any event, processing must be proportionate, relevant, and strictly necessary.

 

 

 

 

[1] Italian Data Protection Authority, Decision No. 135 of 13 March 2025 (web doc. No. 10128005), https://www.gpdp.it/web/guest/home/docweb/-/docweb-display/docweb/10128005.

[2] Law No. 300 of 20 May 1970, as subsequently amended (Workers’ Statute).

[3] Pursuant to the referral contained in Article 114 of the Italian Data Protection Code (see also Article 88 of the GDPR), compliance with Articles 4 and 8 of the Workers’ Statute constitutes a condition for the lawfulness of processing.

[4] See para. 4.2 of the Decision, https://www.gpdp.it/web/guest/home/docweb/-/docweb-display/docweb/10128005.

[5] See, among others, Italian Data Protection Authority, Decision No. 16 of 14 January 2021 (web doc. No. 9542071), https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9542071.

ICTLC Italy
italy@ictlegalconsulting.com