DPDP Compliance · Location Data · India Field, Logistics & Remote Teams

Is Employee GPS Tracking Legal in India Under DPDP?

Is employee GPS tracking legal in India under the DPDP Act? Yes, GPS tracking of employees is not banned in India, but the Digital Personal Data Protection Act 2023 makes it lawful only when it is genuinely necessary, proportionate and transparent. Location is personal data, so employers must give clear notice before tracking begins (Sections 5–6), tie the tracking to a defensible employment purpose such as field-service routing or vehicle safety (Section 8), limit capture to work assets during working hours, and set a defined retention period. Continuous or off-duty tracking, tracking of personal phones, and covert tracking are the configurations most likely to fail a proportionality test and draw penalties prescribed in the Act’s Schedule. For desk and remote knowledge work there is rarely a lawful case for location tracking at all. This is general information, not legal advice — verify with counsel.

GPS tracking is everywhere — delivery fleets, field-sales apps, even “always-on” phone location for remote staff. India’s DPDP Act 2023 does not outlaw it, but it draws a hard line between proportionate work tracking and surveillance of someone’s private life. This guide walks the legal test, the riskiest configurations, and a safer way to answer the productivity question without a location archive. Verify with counsel.

By Ashok Sachdev, Founder gStride AI Published 15 June 2026 11 min read

The short answer: legal, but conditional

There is no Indian law that bans employers from using GPS to track employees. But location is personal data under the Digital Personal Data Protection Act 2023, so the moment you record where an employee is, you are processing personal data and the obligations of the Act attach. Legality therefore is not a yes/no question about GPS — it is a question about how you track, why, and how much.

The practical test has four parts: is the tracking genuinely necessary for a stated work purpose, is it proportionate to that purpose, did the employee receive clear notice before it started, and is the data retained only as long as needed. A field-engineer routing app that logs location during a job passes that test far more easily than always-on tracking of a personal phone after hours. Verify with counsel.

What the DPDP Act 2023 actually requires

Three obligations do most of the work for location data. Notice (Sections 5–6): employees must be told, before tracking begins, what is collected, why, and for how long — a buried clause in a contract signed years ago is weak. Purpose limitation (Section 8): the location data can be used only for the stated purpose; repurposing a delivery-route log into a disciplinary attendance tool is a fresh purpose that needs its own basis. Data-principal rights (Sections 11–13): employees can ask what location data you hold, request correction, and in defined cases erasure.

For the file: the DPDP Act 2023 sets financial penalties for serious breaches in its Schedule, with the figure assessed case-by-case by the Data Protection Board — treat any single number you see online as indicative, not fixed. Separately, if movement data feeds an AI system that evaluates workers and you serve EU customers, the Annex III workplace provisions of the EU AI Act may apply. Both regimes are fact-specific — verify with counsel.

When is GPS tracking high-risk versus defensible?

The same technology can be perfectly defensible or a clear liability depending on configuration. The table below maps common setups to their DPDP risk posture. It is a planning aid, not a legal ruling on your specific facts.

ConfigurationTypical purposeDPDP riskWhy
Company vehicle, tracked during shiftsFleet safety, routingLowerWork asset, work hours, clear purpose
Field-app location while clocked in to a jobService dispatch, proof of visitLower–moderateProportionate if scoped to the task and notified
Company phone, location on during working hoursField-staff coordinationModerateNeeds tight retention and on/off boundary
Personal phone, location on during work hoursCost savingHighHard to scope; sweeps in private context
Any device, 24/7 or off-duty tracking“Visibility”Very highCaptures personal life; fails proportionality
Covert or undisclosed trackingSuspicion-basedVery highNo notice; breaches a core DPDP duty

Risk ratings are general guidance based on the framework of the DPDP Act 2023 and may differ on your facts — verify with counsel.

Do you actually need location data at all?

Many GPS deployments are answering the wrong question. The real ask is usually “is work getting done?” — and for desk-based and remote knowledge teams, location tells you almost nothing about that. An employee can be at their desk all day and shipping nothing, or working productively from a café. Tracking the dot on a map imports the heaviest possible personal-data category to answer a question the dot cannot answer.

For genuine field work — logistics, field service, safety-critical driving — scoped location tracking has a real purpose and can be done lawfully. For everyone else, the privacy-first move is to drop location entirely and measure outcomes: tasks completed, tickets closed, code merged, focus time. That is the design gStride uses, and it keeps the location-data category off your compliance surface completely.

A safer GPS-tracking checklist for India teams

  1. Justify the purpose in writing. Name the specific work reason; if you cannot, do not track.
  2. Track the work asset, not the person. Prefer company vehicles or devices over personal phones.
  3. Bound it to working hours. Location capture switches off outside the shift or assigned task.
  4. Give notice first. Tell employees what is captured, why, and the retention period — before go-live.
  5. Set retention and access limits. Short retention; only roles with a need can see the trail.
  6. Run a DPIA for anything broad. Continuous or fleet-wide tracking warrants a documented impact assessment and counsel sign-off.

Planning a monitoring or tracking rollout? Score it against the DPDP framework before you sign anything. The free DPDP Vendor Risk Assessment screens any tool against the core duties of the Act, and the DPDP Penalty Exposure Calculator models indicative exposure — both fact-specific, verify with counsel.

Measure output, not location

If your goal is knowing whether remote and hybrid work is moving, gStride scores outcome signals — no GPS, no location archive to defend under DPDP. See it on your own team in 15 minutes.

Book a 15-min demo → Open the DPDP Vendor Risk Assessment

Frequently asked questions

Is employee GPS tracking legal in India under the DPDP Act?

Employee GPS tracking is not prohibited in India, but it is lawful only when DPDP Act 2023 conditions are met: clear notice before tracking begins, a genuine and proportionate employment purpose, location capture limited to working hours and work assets, and defined retention. Continuous or off-duty tracking of personal devices is the highest-risk configuration. Verify with counsel.

Do I need employee consent to use GPS tracking at work?

Under DPDP you need a lawful basis and notice; for location data a documented employment purpose plus clear notice is generally the practical route, with consent treated as a supporting record rather than a blanket waiver. Consent forced as a condition of employment is weak. The safer posture is to track only the work asset, only during work hours, and to tell employees exactly what is captured. Verify with counsel.

Can an employer track a personal phone for work?

Tracking a personal phone is very hard to justify under DPDP because it sweeps in private, off-duty location data that has no employment purpose. If field work genuinely requires location, the defensible approach is a company-owned device or a work app that records location only while the worker is clocked in for a route or job. Personal-device, always-on tracking invites a proportionality challenge. Verify with counsel.

Is 24/7 or off-duty GPS tracking allowed?

Around-the-clock location tracking, including evenings and weekends, is the configuration most likely to fail the DPDP purpose-limitation and proportionality tests, because it captures personal-life data unrelated to work. Tracking should switch off outside working hours and outside the assigned task. Document the on/off boundary in your notice. Verify with counsel.

What are the penalties for unlawful GPS tracking under DPDP?

The DPDP Act 2023 sets out financial penalties for serious breaches in its Schedule, and the exact figure depends on the nature and gravity of the violation as assessed by the Data Protection Board. Penalty exposure is fact-specific and not a fixed number per incident. Treat any number you read as indicative only and verify your exposure with counsel.

How is gStride different from GPS tracking tools?

gStride does not track employee location. It measures whether knowledge work is moving using outcome signals such as calendar, repository, ticket and focus artefacts, so there is no continuous location record to defend under DPDP. For desk and remote knowledge teams this removes the location-data category from your compliance surface entirely.

Does GPS tracking trigger the EU AI Act for India exporters?

If location or movement data feeds an AI system that evaluates or monitors workers and you serve EU customers, the EU AI Act may classify that system as high-risk under its Annex III workplace provisions, adding transparency and human-oversight duties. Pure GPS logging without automated worker evaluation is a different question. Verify classification with counsel.

Related reading

Disclaimer: This article is general information, not legal advice. The DPDP Act 2023 and EU AI Act obligations are fact-specific, and penalty figures are assessed case-by-case by the relevant authority. Verify classification, lawful basis, retention and penalty exposure with qualified counsel before deploying any employee tracking. Verify with counsel.