Geofencing and GPS at work: the legal and ethical limits in the EU
Yes, you can use GPS to verify clock-in location. No, you can't track employees' phones all day. Here's the framework EU data protection authorities actually apply.
- hours24 team
GPS and geofencing are useful for workforce management - verifying a field worker is on-site when they clock in, attaching location to a photo of completed work, dispatching the nearest available person. But the line between 'workforce management' and 'employee surveillance' is real, and EU data protection authorities have drawn it carefully.
The legal frame: GDPR proportionality
Under GDPR Art. 5(1)(c), processing must be 'adequate, relevant, and limited to what is necessary'. Location data is sensitive enough that proportionality matters more here than in most cases. The European Data Protection Board has been consistent: collect location tied to work events, not continuous tracking.
What's clearly allowed
- GPS-stamping the clock-in moment to verify the employee is at the agreed site
- Geofencing - confirming inside or outside a defined area at the moment of an event
- Location-tagged photo proof of completed work
- Dispatching the nearest available technician (with employee awareness)
What's clearly not allowed
- Tracking employees' phones outside working hours
- Continuous, second-by-second location during the day with no purpose-tied use
- Sharing employee location with third parties (insurance, marketing) without separate consent
- Using location data for performance reviews or discipline without prior notice and proportionality assessment
The grey zone: 'reasonable monitoring'
Continuous tracking of a delivery vehicle (the asset) during the shift is generally OK if there's a clear business purpose (logistics, safety). Continuous tracking of the driver's personal phone is not. The same data sometimes - depends entirely on the device and the purpose. Always look at proportionality: could the same business outcome be reached with less data?
Practical deployment checklist
- Define the purpose in writing (clock-in verification, dispatch optimisation, photo proof, etc.)
- Configure the tool to collect ONLY what serves that purpose
- Switch off location capture outside shift hours
- Tell employees in their data protection notice: what, when, why, how long retained
- Provide a non-tracking alternative where feasible (kiosk clock-in, supervisor sign-in)
- Document your proportionality assessment - if regulators ask, you have the reasoning ready
hours24's GPS module is off by default and configurable per-employee - managers choose what to enable and the employee sees what's collected.
Source: EDPB Guidelines 3/2019 on processing personal data through video devices (applies similar logic)
Want to see what the AI assistant would do for your team?