Canella Camaiora / Monitoring employees between geolocation and video surveillance: what is lawful and what is not?

Monitoring employees between geolocation and video surveillance: what is lawful and what is not?

Reading time: 5 minutes

Written by: Debora Teruggia Leggi la bio for Canella Camaiora Studio Legale

Controlli sui lavoratori tra geolocalizzazione e videosorveglianza_ cosa è lecito e cosa no

Abstract

Smartphones, tablets, laptops, and company vehicles: many work tools today include location and tracking features. In addition, there are remote clock-in apps, management software, and video surveillance systems – now common not only in company offices, but also in coworking spaces and shared environments.In a context where smart working, business travel, and off-site work are part of daily operations, it is fair to ask: how far can an employer go in monitoring employees?

Not everything that is technically possible is also lawful

Article 4 of the Workers’ Statute (Law 300/1970), as amended by the Jobs Act (Legislative Decree no. 151/2015), remains the essential reference: tools that may, even indirectly, result in remote monitoring of employee activity can be used only for organizational, production, safety, or asset protection purposes.

A practical example of an organizational need arises when a client company outsources deliveries to a third party and wishes to monitor its activity. As clarified by the National Labour Inspectorate (INL Note no. 9728/2019), it is lawful – under Article 4 of the Workers’ Statute – to install an app on company-provided smartphones used by drivers to coordinate deliveries, verify the execution of routes, and manage any logistical issues.

Similarly, it is a legitimate safety requirement – within the permitted limits – to install GPS systems on company vehicles in order to locate them in the event of accidents, theft, or anomalies. INL Note no. 2572/2023 clarified that, where these purposes apply, there is no need to list the vehicle license plates in the authorization, provided the system is proportionate and does not result in continuous or generalized surveillance of the employee.

In both scenarios, it remains mandatory to provide:

  • a written privacy notice to employees;
  • clear specification of the purposes of processing;
  • traceability of data access;
  • and retention limited to the strictly necessary period, in line with the requirements of EU Regulation 2016/679 (GDPR).

In addition to the written notice, there must be a collective agreement with employee representatives or an authorization request submitted to the National Labour Inspectorate.

Smart working and geolocation: the data protection authority’s intervention

In its decision of 13 March 2025, the Italian Data Protection Authority fined a company € 50,000 for monitoring the location of over 100 employees (out of 540) working remotely through a clock-in app. Sampled workers were invited to activate their device’s geolocation, clock in via the app, and declare their physical location by email.

In many cases, a comparison followed between the workplace(s) declared in the individual remote working agreement, the email declaration, and the location recorded by the app.

This could lead to disciplinary action for “failure to comply with the procedures set out in the Regulation on remote working” or “discrepancy between the declared location and the one verified by the Inspection Office during checks.

The company claimed that the system was for internal reporting purposes (i.e. clocking in) for smart working employees and had been ratified through a specific union agreement.

However, the Authority found several unlawful elements in the process:

  • Lack of a valid legal basis: the location data processing lacked a legitimate justification or freely given consent.
  • Inadequate privacy notice: employees were not properly informed of the nature and purposes of data processing.
  • Disproportionate control: the monitoring was direct, continuous, and pervasive – even if union-approved – thus violating the Workers’ Statute and constitutional principles.
  • Intrusion into private life: real-time geolocation infringed upon the employee’s freedom and dignity, undermining the autonomy that smart working is meant to ensure.

The outcome? A €50,000 fine, an obligation to delete all collected data, and a complete overhaul of company procedures.

GPS systems on company vehicles: when they are unlawful

Another example of unlawful data processing is described in Decision no. 7 of 16 January 2025, where a logistics company was fined for the improper use of GPS tracking systems on its fleet, despite having obtained prior authorization from the Labour Inspectorate.

Among the most serious breaches noted by the Authority were violations of the principles of data minimization and storage limitation, under Article 5(1)(c) and (e) of the GDPR. The GPS system used by the company tracked vehicles continuously, including during breaks, and stored the data for 180 days. These methods were deemed excessive and disproportionate to the stated purposes, which could have been achieved using less invasive means and less detailed data.

Furthermore, the processing was inconsistent with the conditions set out in the Labour Inspectorate’s authorization, which had expressly allowed non-continuous tracking and identification of the driver only when strictly necessary (e.g. in case of anomalies or accidents). In practice, the company was able to constantly associate each vehicle with the respective employee by cross-referencing IT systems and company data – thus circumventing the protections required by the authorization itself.

Video surveillance: safety tool or hidden control system?

Similar caution must be applied in the management of video surveillance systems. Article 4 of the Workers’ Statute fully applies in this area as well. The employer can install cameras only following a union agreement or authorization from the Labour Inspectorate, and never for the continuous monitoring of individual workers.

The purposes must be legitimate and well-documented: asset protection, theft prevention, and workplace safety.

It follows that:

  • cameras must not be pointed directly at desks or individual workstations;
  • they cannot be used to monitor breaks, colleague interactions, or internal movements;
  • they must be signposted with clear signage;
  • images must be stored for the minimum necessary time, typically no more than 24 – 48 hours.

Thus, managing video surveillance lawfully requires not only formal authorization, but also alignment between declared purposes and actual usage methods.

In our daily work, we frequently support companies in drafting internal policies for the lawful use of digital systems, and we represent employees who discover they have been monitored without proper notice or safeguards.

It’s not about demonizing technology, but about using it wisely and responsibly. Every digital tool introduced in the workplace – from GPS to video surveillance – requires informed decisions, accurate documentation, and transparent management.

© Canella Camaiora S.t.A. S.r.l. - All rights reserved.
Publication date: 18 July 2025

Textual reproduction of the article is permitted, even for commercial purposes, within the limit of 15% of its entirety, provided that the source is clearly indicated. In the case of online reproduction, a link to the original article must be included. Unauthorised reproduction or paraphrasing without indication of source will be prosecuted.

Debora Teruggia

Laureata presso l'Università degli Studi di Milano, praticante avvocato appassionato di Diritto del Lavoro e Diritto di Famiglia.

Leggi la bio
error: Content is protected !!