Since the entry into force of Royal Decree-Law 8/2019 of 8 March, daily working-time recording is a legal obligation for all Spanish companies, regardless of their size or sector. Article 34.9 of the Workers' Statute (ET) requires employers to ensure that the specific start and end times of each employee's working day are recorded. What many organisations have not analysed in sufficient depth is that such records — regardless of the technology used — constitute processing of personal data subject to Regulation (EU) 2016/679 (GDPR) and to Organic Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD — Ley Orgánica de Protección de Datos y Garantía de los Derechos Digitales).
In this article we explain what personal data is generated by time and attendance tracking, what legal basis supports that processing, how to apply the minimisation principle, when biometrics require a data protection impact assessment, and what retention periods must be observed. The aim is not to overwhelm with theory but to provide a practical roadmap so that companies can implement or review their GDPR-compliant time-clock system.
The legal obligation: article 34.9 of the Workers' Statute
Article 34.9 of the ET sets out three mandates that every company must fulfil:
- Record daily the specific start and end times of each worker's working day.
- Organise and document that record through collective bargaining, a company agreement or, failing that, a decision by the employer after consulting the workers' legal representatives.
- Retain the records for four years, keeping them available to the workers themselves, their legal representatives and the Labour and Social Security Inspectorate.
Failure to comply with this obligation constitutes a serious infringement in labour relations matters under article 7.5 of the Law on Infringements and Sanctions in the Social Order (LISOS — Ley sobre Infracciones y Sanciones en el Orden Social), with fines ranging from €751 to €7,500 per workplace. However, a company that does record working hours but does so without observing data protection rules may incur an additional infringement of a different nature.
What personal data does working-time recording generate?
The type and volume of personal data varies substantially depending on the system chosen. At a minimum, any time-and-attendance system generates at least the following data linked to each worker:
- Name or identifier of the worker.
- Exact clock-in and clock-out time each day.
- Recorded breaks (depending on the system's configuration).
- Workplace or location from which the worker clocks in.
Depending on the technology used, the record may also include geolocation data (mobile time-clock applications), biometric data (fingerprints, facial recognition) or behavioural patterns that allow sensitive information to be inferred. Each additional data layer increases the risk and requires more stringent protective measures.
Legal basis for processing: the legal obligation as the foundation
Article 6 of the GDPR lists the legal bases that legitimise the processing of personal data. For working-time recording considered through the lens of data protection, the main basis is article 6(1)(c): processing is necessary for compliance with a legal obligation to which the controller is subject. That legal obligation is precisely article 34.9 of the ET.
This has important practical consequences: the company does not need to obtain workers' consent to process their time-and-attendance data, because the legal basis is not consent but legal compliance. Nor can it waive the processing even if a worker requests it, because doing so would mean non-compliance with labour law. However, the fact that the basis is a legal obligation does not exempt the company from observing the other GDPR principles: minimisation, purpose limitation, accuracy, integrity and confidentiality.
The minimisation principle applied to time tracking
Article 5(1)(c) of the GDPR enshrines the principle of data minimisation: personal data must be «adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed». Applied to GDPR-compliant time clocking, this means that before implementing or renewing their system, companies must consider which data are genuinely necessary to demonstrate compliance with article 34.9 ET.
The answers to these questions guide system design:
- Is it necessary to record short breaks (coffee breaks) in addition to clock-in and clock-out? If the collective agreement does not require it, this could be excessive.
- Is it necessary to know exactly from which location a worker clocks in, or is it sufficient to confirm they are at the workplace?
- Is the biometric recognition system the only technically viable option, or does a less intrusive alternative exist (RFID card, PIN, password-authenticated app)?
The principle of data protection by design and by default (art. 25 GDPR) requires these considerations to be integrated at the system-selection stage, not as a post-hoc correction. Companies that work with Summum Consultoría on aligning their working-time recording systems receive a proportionality analysis before any technology is deployed.
Biometrics in time clocking: the special regime of article 9 of the GDPR
One of the most common mistakes among companies that install fingerprint or facial recognition terminals for time and attendance is failing to account for the fact that biometric data processed for the purpose of uniquely identifying a natural person constitute a special category of data under article 9(1) of the GDPR. Their processing is prohibited as a general rule, unless one of the exceptions in article 9(2) applies.
In the employment context, the applicable exception is usually article 9(2)(b) of the GDPR: processing is necessary for carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment law. However, the Spanish Data Protection Agency (AEPD — Agencia Española de Protección de Datos) has indicated in its guidance that this exception alone is not sufficient: the company must demonstrate that the use of biometrics is necessary and proportionate, meaning that no less intrusive alternative system exists that would equally verify the worker's attendance.
In other words: if an RFID card or a PIN-code application equally fulfils the function of evidencing a worker's arrival and departure to satisfy the obligation under article 34.9 ET, installing a fingerprint reader may not pass the proportionality test. Biometrics are only justified when there is a genuine need — for example, high-security environments where identity fraud poses a verifiable material risk.
When is a Data Protection Impact Assessment required?
Article 35 of the GDPR requires a Data Protection Impact Assessment (DPIA) to be carried out when processing is likely to result in a high risk to the rights and freedoms of natural persons. The large-scale processing of special categories of data is one of the scenarios that, according to the guidelines of the European Data Protection Board (EDPB), mandatorily requires a DPIA.
Therefore, any company that deploys a biometric-based time-and-attendance system must carry out a DPIA before putting the system into production. This assessment must document: a description of the processing and its purposes, an assessment of necessity and proportionality, the risks identified for workers' rights, and the measures envisaged to mitigate them. If a high residual risk remains after the DPIA, article 36 of the GDPR requires prior consultation with the supervisory authority (in Spain, the AEPD) before processing begins.
The data protection team at Summum Consultoría assists companies in preparing the documentation needed to implement a GDPR-compliant working-time recording system, including the DPIA where the chosen system requires it.
Geolocation as a method of time and attendance tracking
Another increasingly popular technology is clocking in via a mobile application with geolocation: the worker records their presence from a smartphone and the system validates that they are at the correct location. Article 90 of the LOPDGDD specifically regulates these systems in the employment context and requires the employer to inform workers and their representatives in advance of the system's existence and characteristics. The key proportionality distinction is between capturing coordinates at the moment of clocking in and out — sufficient to demonstrate compliance with article 34.9 ET — and continuous geolocation tracking throughout the working day, which exceeds that purpose and would require independent justification. A full analysis of workplace geolocation and video surveillance under the full regime of article 90 of the LOPDGDD is available in our companion article Time tracking, geolocation and workplace video surveillance: what the GDPR and LOPDGDD require.
Record retention periods
Article 34.9 of the ET sets a retention period of four years for working-time records. The GDPR, in turn, establishes in article 5(1)(e) the principle of storage limitation: data must not be kept for longer than is necessary for the purposes of processing. In this case, the four-year period under the ET constitutes the legally established maximum; once that period has elapsed, the company must proceed to delete or anonymise the data.
During that period, time-and-attendance data must be stored with adequate security measures, restricting access to those who genuinely need to consult them (HR managers, labour inspectors when required, and workers' representatives in the exercise of their legal functions). The access policy must be documented and reviewed regularly.
| System | Type of data | Special category (art. 9) | DPIA required | GDPR risk level |
|---|---|---|---|---|
| Paper signature book or register | Handwritten signature + hours | No | No | Low |
| Management software with PIN or password | Identifier + timestamp | No | No (except large scale) | Low-medium |
| RFID or NFC card | Card ID + timestamp | No | No | Low-medium |
| Mobile app with geolocation at clock-in/out | GPS coordinates + timestamp | No | Recommended | Medium |
| Mobile app with continuous geolocation | Real-time GPS trajectory | No | Yes | High |
| Fingerprint reader | Biometric data (fingerprint) | Yes | Yes (mandatory) | High |
| Facial recognition | Biometric data (facial geometry) | Yes | Yes (mandatory) | Very high |
Duty to inform workers
Articles 13 and 14 of the GDPR impose on the controller an obligation to inform data subjects — in this case, workers — about the essential characteristics of the processing of their data. This information must be provided at the latest at the time when the data are collected for the first time or, in the case of article 14, within one month of the controller obtaining the data from a source other than the data subject.
In the context of time and attendance tracking, the minimum information that each worker must receive includes:
- Identity and contact details of the controller (the company).
- Purpose of processing: compliance with the legal obligation of working-time recording (art. 34.9 ET).
- Legal basis: article 6(1)(c) of the GDPR (legal obligation).
- Retention period: four years (art. 34.9 ET).
- Recipients of the data: Labour and Social Security Inspectorate, workers' representatives (in the exercise of their functions), and processors where applicable (the time-clock software provider).
- Rights of the data subject: access, rectification, erasure, restriction of processing and objection (arts. 15–21 GDPR).
- Right to lodge a complaint with the AEPD.
This information can be incorporated into the employment contract, the employee welcome document, the corporate intranet or a specific data protection document provided at the start of the employment relationship. The key requirement is that it be accessible, intelligible and that the company can demonstrate that each worker has received it.
Convergence with the company's technology systems
Time and attendance tracking rarely lives in an isolated technology silo. In most companies, clocking data is integrated with the payroll system, the corporate ERP, the human resources management tool or, in companies with field workers, with route and task planning applications. Each integration is an additional data flow that must be documented in the Record of Processing Activities (RPA) required by article 30 of the GDPR and that entails verifying that the processors involved (software providers, integrators, cloud operators) have signed the data processing agreements required by article 28 of the GDPR.
Companies with an IT department or systems consultancy must coordinate the implementation or review of their GDPR time-and-attendance system with the data protection function from the outset — not only for the technical configuration of access controls and encryption, but to ensure that the system architecture respects the principle of data protection by design (art. 25 GDPR). At Summum Consultoría we work in a coordinated manner across our Consultancy and Systems divisions to support this process comprehensively.
The sanctions regime: what risk does the company assume?
Failure to comply with GDPR obligations in the context of time and attendance tracking can give rise to sanctions on two regulatory fronts:
- GDPR, article 83: infringements relating to the principles of processing (art. 5), the legal basis (art. 6), processing of special categories without a legal basis (art. 9) or failure to carry out a DPIA (art. 35) may result in fines of up to €20,000,000 or 4% of total worldwide annual turnover, whichever is higher. Less serious infringements — such as failures to comply with information obligations — fall in the tier of up to €10,000,000 or 2% of turnover.
- LOPDGDD, articles 72–74: Spanish law classifies infringements and sets out criteria for grading the sanction that the AEPD applies taking into account factors such as intent, duration, the nature of the data affected and measures taken to mitigate the harm.
It is worth emphasising that the AEPD does not only act on its own initiative: investigations are frequently triggered by complaints from workers or former employees. A company that has deployed a biometric time-clock system without a DPIA, without properly informing workers and without a data processing agreement with the terminal provider concentrates several simultaneous risk factors.
Frequently asked questions
Can an employer use the geolocation of a company mobile to monitor working hours?
Yes, provided the requirements of article 90 of the LOPDGDD are met: workers and their legal representatives must be informed in advance of the existence and characteristics of the geolocation system, with specific mention of their rights (arts. 15–22 GDPR). In addition, the use of geolocation must be proportionate to the purpose: if the sole objective is to record working hours, capturing coordinates at the moment of clocking in and out is sufficient; continuous tracking of position throughout the working day may not pass the proportionality test.
Does a fingerprint system always require a DPIA?
Yes. The processing of biometric data for the purpose of uniquely identifying natural persons constitutes a special category of data under article 9(1) of the GDPR, and the processing of special categories of data is explicitly listed among the scenarios that mandatorily require a DPIA according to the EDPB's guidelines. The DPIA must be carried out and documented before the system is deployed, not after. If the DPIA reveals a high residual risk that cannot be mitigated by technical or organisational measures, the company must consult the AEPD before proceeding.
How long must working-time records be retained?
Article 34.9 of the Workers' Statute sets a minimum retention period of four years. During that period, records must remain available to workers, their legal representatives and the Labour and Social Security Inspectorate. Once the four years have elapsed, the storage limitation principle of article 5(1)(e) of the GDPR requires deletion or anonymisation of the data, unless another legal obligation justifies longer retention (for example, an ongoing labour dispute requiring the data to be kept as evidence).
What information must workers be given about the time-and-attendance system?
At a minimum, the information set out in article 13 of the GDPR: identity of the controller, purpose and legal basis of processing, retention period, recipients of the data, and data subjects' rights with an indication of how to exercise them and of the right to complain to the AEPD. If the system involves biometrics or geolocation, the information must specifically mention these circumstances. Providing this information in writing at the start of the employment relationship and retaining an acknowledgement of receipt is the recommended practice for demonstrating compliance to the AEPD.