On 8 May 2025, the Italian Data Protection Authority (“IDPA”) published a significant ruling issued on 13 March concerning the unlawful geolocation of employees during remote working days by a regional public agency. The decision, which imposed a €50,000 administrative fine, emphasizes fundamental data protection principles and clarifies the limits of employee monitoring in the context of remote working.

At the heart of the case was the use of Time Relax, an attendance tracking application that registered employees’ GPS location at the moment of clock-in and clock-out. The employer used this tool during remote working days to verify whether employees were physically located in the areas specified in their individual remote working agreements. This data was also used in at least one instance as part of a disciplinary proceeding. The IDPA found this practice to be incompatible with both EU and national data protection law.

The IDPA held that the employer’s geolocation of employees constituted a disproportionate and intrusive form of data processing in violation of multiple provisions of the General Data Protection Regulation (GDPR), including the principles of lawfulness, transparency, purpose limitation, and data minimization. The employer failed to demonstrate a valid legal basis for the processing of location data. Notably, the employer had relied on the “consent” of the employee—an approach the IDPA deemed fundamentally flawed in the employment context, due to the power imbalance between employer and worker. Citing prior decisions and European guidance, the IDPA reiterated that consent in such settings is rarely considered freely given and thus cannot serve as a lawful basis for such processing.

The IDPA also found that the employer had not provided employees with adequate information under Article 13 of the GDPR, nor had it conducted the required Data Protection Impact Assessment (DPIA) despite the high-risk nature of the processing involved. The collection of sensitive geolocation data—especially when used to support disciplinary action—was considered particularly invasive. Moreover, the processing lacked the safeguards required by both the GDPR and Italian labour law, including Article 4 of the Workers’ Statute (Law 300/1970), which strictly regulates remote surveillance of employees. The IDPA also specified that the tools used did not fall within the definition of "instrument useful for performing work", and that there were no productive, organizational, or work safety needs that would justify (subject to union agreement or authorization from the labour inspectorate) the remote monitoring of workers.

One of the most significant findings was the IDPA’s rejection of the employer’s reliance on a collective labour agreement to legitimize the processing. The IDPA confirmed that no form of negotiated agreement can override the obligations set out by the GDPR, nor can such an agreement justify invasive monitoring practices that undermine an employee’s dignity and private life. Even where organizational or productivity goals are cited, employers must ensure that any monitoring is strictly necessary, proportionate, and respectful of the individual’s fundamental rights.

The ruling emphasized that no distinctions in the level of data protection can be drawn based on employment sector, geographic location, or method of work. Employees who work remotely are entitled to the same legal protections as those working on site. The decision also highlights that geolocation technologies, especially when implemented systematically, risk blurring the boundary between the professional and private spheres - something about which regulators across Europe are increasingly vigilant.

The IDPA concluded by stating that the employer's use of the employee’s geolocation data, acquired through the Time Relax application, to initiate disciplinary proceedings was not in compliance with the principles of lawfulness, fairness, and transparency, nor was it supported by an adequate legal basis.

The IDPA’s decision reinforces the principle that employers must integrate privacy into the design and implementation of remote working tools. Monitoring systems must be based on a clear legal basis, supported by risk assessments, limited in scope, and transparent to data subjects. The use of new technologies in managing the workplace cannot come at the cost of the fundamental rights to privacy and dignity.

For HR professionals, compliance officers, and legal counsel, this decision serves as a timely reminder that GDPR compliance in employment contexts requires more than policy documentation. It demands substantive and demonstrable adherence to privacy principles—particularly when technological tools risk enabling de facto surveillance.

The full text of the decision is available (in Italian) via the IDPA’s official website: Provvedimento n. 10128005 – Garante Privacy


