The mandatory digital working time record is the unfinished business of Spanish labour regulation. Since the reform of Article 34.9 of the Workers' Statute (ET) established in 2019 the obligation to record each employee's start and end time, companies have been complying — with varying degrees of rigour — using paper sheets, spreadsheets, or loosely controlled applications. That model is living on borrowed time: the draft new working time recording regulation, presented by the Ministry of Labour at the end of 2024 and under consideration throughout 2025, will impose specific technical conditions that many current systems do not meet. This article answers the questions we most often receive from HR directors and SME managers: when does it come into force, what must the recording system do, and what risk does anyone who fails to adapt in time take on?
Current regulatory situation: what Article 34.9 of the ET already requires
Article 34.9 of the Workers' Statute, in force since 12 May 2019 (Royal Decree-Law 8/2019), requires all companies, regardless of size or sector, to record each employee's working day on a daily basis, specifying the exact start and end times. Data must be retained for at least four years and must be available to the Labour Inspectorate, employees' legal representatives, and the employees themselves.
The 2019 rule did not specify the medium: paper, spreadsheet, or software were all equally valid. This created a huge gap between companies that digitalised their time tracking and those that still use paper sheets that nobody archives reliably. The Labour Inspectorate has issued fines for the absence of records, but also for «fictitious» records showing uniform hours with no real reflection of the working day.
The new working time recording regulation: timeline and legislative progress
The Ministry of Labour and Social Economy published in November 2024 the preliminary draft of the Royal Decree on working time recording, which develops the technical framework for working time recording in line with the proposed Law on the Use of Time and Law 10/2021 on distance working, covering the gap that the ET left blank. The process has followed these milestones:
| Date | Milestone | Status |
|---|---|---|
| November 2024 | Preliminary draft published for public consultation | Completed |
| January–March 2025 | Public hearing and information process; report from the Economic and Social Council | Completed |
| Q2 2025 | Opinion of the Council of State; social dialogue table (CCOO, UGT, CEOE, CEPYME) | Completed |
| Q4 2025 | Approval by the Council of Ministers and publication in the BOE | Expected / pending confirmation |
| 6–12 months after BOE publication | Transitional period for technical adaptation | Pending |
At the time of writing (first quarter of 2026), the regulation is in the final stretch of its legislative journey. The major trade unions and employers' organisations have reached a framework agreement on the most sensitive points — remote work, domestic workers, output-based work — although the final wording of the technical provisions may still change before publication in the BOE. What is already certain is that the current recording model will change, and the transitional period will not be open-ended.
What technical requirements the new recording system will demand
The preliminary draft establishes that the working time recording system must meet, at a minimum, the following technical characteristics. These are the ones that account for most of the adaptation work for companies:
1. Real-time recording and data immutability
The time stamp must be recorded at the exact moment of the start and end of the working day, with no possibility of subsequent editing by the employer without leaving a traceable record of who changed what and when. Open spreadsheets without cell protection or a change log do not meet this requirement. Nor do paper records transcribed after the fact. The system must guarantee the integrity of the original data.
2. Verifiable timestamp
Each record must include a timestamp that makes it possible to certify the exact moment of the time-stamp event. It is not sufficient to enter «arrival 09:00»: the system must record the time to the nearest second and link it to a reliable time source (NTP server or equivalent). Records must be exportable in a format readable by the Labour Inspectorate.
3. Employee access to their own record
The employee must be able to consult their own working time history at any time, without needing to request it from the employer. This means the system must provide the employee with an interface — web or mobile app — from which they can download their records in a standard format (PDF, CSV, or equivalent).
4. Four-year retention and immediate availability
The obligation to retain records for four years has been in force since 2019, but the new regulation adds the requirement of immediate availability: in response to a request from the Labour Inspectorate, the company must be able to present the records in digital format on the spot during the inspection visit, not within a period of days. Paper-based systems or data scattered across emails will find it very hard to meet this standard.
5. Specific requirements for remote and teleworking
The regulation devotes a separate chapter to remote work, given that Law 10/2021 on distance working acknowledged the need to adapt time tracking to the reality of the remote employee. The system must allow time stamps from any location — home, coworking space, client site — without requiring the employee's physical presence at company premises. Solutions based exclusively on biometric readers or RFID cards fixed at the office will not be sufficient for remote workers.
6. Data protection (GDPR)
Time-stamp data is personal data that can reveal lifestyle patterns, movements, or health status (if absences due to illness are recorded). The system must comply with the General Data Protection Regulation (GDPR) and the LOPDGDD: a clear legal basis, information provided to the employee, limitation of the purpose of processing, and, if geolocation is used for time-stamping on the move, documented informed consent or a contractual basis. GDPR compliance for the recording system is not optional: the AEPD has already sanctioned companies for collecting geolocation data from their employees without an adequate legal basis.
Which recording systems will not comply with the new regulation
Before assessing what your company needs to implement, it is worth identifying which technologies will fall outside the scope of compliance:
- Signed paper sheets: they do not generate a verifiable timestamp, they can be altered without a traceable record, and they do not allow the employee immediate digital access.
- Unprotected Excel or Google Sheets: they allow retroactive editing without a change log. They would only be valid with advanced electronic signatures or with cell locking and auditing enabled, making them technically complex to maintain.
- Employee self-confirmation emails: they do not guarantee integrity or a verifiable timestamp (the mail server may have a time offset).
- ERP records without a dedicated time-tracking module: this depends on the ERP, but many generic attendance records do not meet the integrity and employee-access requirements.
Which technologies do meet the requirements
Solutions that are likely to pass the technical scrutiny of the new regulation are those that combine the following elements:
- Web or mobile app with employee authentication (username + password, PIN, or the employee's own device biometrics).
- Timestamp recorded on the server, not on the user's device (to prevent clock manipulation).
- Immutable audit log: any subsequent correction is recorded with the user who made it, the time, and the reason.
- Employee portal for viewing and downloading their history.
- Export to standard formats (CSV, PDF) to facilitate inspections.
- Hosting in the EU or adequate international transfer guarantees in line with the GDPR.
The Spanish market offers dedicated time-tracking solutions (SaaS time-stamping software such as Factorial, Sesame HR, Bizneo, and similar products) and HR modules integrated into ERPs (Odoo, Sage, SAP) that already incorporate most of these requirements. The choice between a standalone solution and an integrated module depends on the company's technology ecosystem, the number of employees, and whether remote workers need to be managed.
When does it come into force: the real date and the transitional period
This is the question that causes the most confusion. The honest answer at this point in time is: no definitive date has been published in the BOE, but all indicators suggest the regulation will be approved during 2026, with a transitional period of six to twelve months for the technical adaptation of systems. That would place the effective mandatory date for the digital system between the end of 2026 and mid-2027, depending on when publication takes place.
What has no transitional period is the working time recording obligation itself, which has been in force since May 2019. The Labour Inspectorate is already acting under the current rules: issuing fines for the absence of records or for manifestly false records. Penalties for a serious infringement in labour relations matters range from 751 to 7,500 euros per inspection report (Article 40.1.b of the LISOS), and can reach 225,018 euros in the case of a very serious infringement affecting a large number of workers.
Adaptation plan for an SME: concrete steps
If your company has between 10 and 250 employees, this is the recommended roadmap for achieving compliance without last-minute pressure:
- Audit your current system: document how working time is recorded today, where the data is stored, who can edit it, and whether an employee portal exists.
- Identify gaps: compare your system against the technical requirements in the draft regulation. Pay particular attention to record immutability and employee access.
- Evaluate solutions: assess whether it is better to adapt your current system (adding a time-tracking module to your ERP) or to implement a dedicated SaaS solution. Key factors: licence cost, integration with payroll, capacity for remote workers, provider's GDPR compliance.
- GDPR adaptation of the new system: update the Record of Processing Activities, review the information given to employees (information clause), and, if you use geolocation, document the legal basis. Our working time recording consultancy team accompanies this process from start to finish.
- Training and internal communication: employees must know how to clock in, what data is collected, and how to access their history. A technically perfect implementation that employees do not use correctly will generate invalid records.
- Piloting and adjustment: run the new system in parallel with the old one for at least one month before the final switchover.
Frequently asked questions
Do micro-enterprises with fewer than 10 employees also have to implement the digital system?
The working time recording obligation under Article 34.9 ET makes no distinction by size: it applies to all companies with employed workers, including those with one or two employees. The new regulation will also apply generally, although it is possible that the final rule will provide some flexibility in format for micro-enterprises. As things stand, the prudent approach is to prepare for the same requirements as everyone else.
Can I use the time-tracking app on my personal phone to comply with the regulation?
It depends on the solution. An app installed on the employee's phone can meet the requirements if the timestamp is generated and stored on the company's server (not on the device), if authentication is robust, and if the worker cannot edit their own past records without a traceable record. What does not comply is an app that stores data locally only or that allows employees to modify past entries without an audit trail. Ask your provider whether their solution generates server-side audit logs.
Is biometric time-stamping (fingerprint, facial recognition) mandatory under the new regulation?
No. The regulation does not mandate any biometric technology. Biometric time-stamping may be an option, but its use is subject to very strict GDPR restrictions, as biometric data is a special category of data (Article 9 GDPR) that requires explicit consent or a specific legal authorisation. The AEPD has issued sanctioning resolutions against the use of fingerprints for attendance control without proper legal backing. There are equally valid and less intrusive alternatives: PIN, RFID card, mobile app with user credentials.
What happens if I have workers at several sites or constantly on the move?
The regulation specifically addresses these situations. For workers on the move — sales representatives, field technicians, transport workers — the system must allow remote time-stamping from a mobile device. If geolocation is used to verify where the employee is clocking in, this feature must be documented, disclosed to the employee, and justified by the necessity of the processing. For companies with multiple sites, a cloud-based centralised system is the most efficient solution: all sites record in the same platform and the data is available to the Inspectorate from a single point.
If your company needs a review of its current time-tracking system or guidance on implementing the new model, the Summum Consultoría team has been helping SMEs meet their labour and data protection obligations with technical expertise and without bureaucratic overload since 2007. Five offices in Valladolid, Burgos, Palencia, Aranda de Duero, and Las Palmas.