Utilizziamo cookie tecnici per personalizzare il sito web e offrire all’utente un servizio di maggior valore. Chiudendo il banner e continuando con la navigazione verranno installati nel Suo dispositivo i cookie tecnici necessari ai fini della navigazione nel Sito. L’installazione dei cookie tecnici non richiede alcun consenso da parte Sua. Ulteriori informazioni sono contenute nella nostra Cookie Policy.



New legal obligation of employers to control employees' working hours. The data protection implications

PrintMailRate-it

​On May 12th 2019, a new obligation came into force in Spain that requires all companies to establish a daily record of the working hours of their employees. When a system makes it possible to record the entry and exit times of a specific employee, these data clearly identify a specific person individually, which is why we are talking about a new processing of workers' personal data, which must comply with the regulations on the protection of personal data.

 

On May 12th 2019 came into force the new obligation for all companies to establish a daily record of the employees’ working hours, set out by Decree-Law 8/2019. As a result of this obligation, companies will have to implement a system that allows for the registration of the entry and exit of their workers. When a system allows the entry and exit times of a particular employee to be recorded, this data clearly identifies a specific person individually, and therefore this record implies a new processing of workers' personal data.


Regardless of whether the registration is carried out by including the name and surname of the worker or by identifying each worker with a number (for example, an employee code), since this number is unique for each employee- otherwise it would not be possible to correlate the hours of entry and exit with each specific employee- it also constitutes personal data within the meaning of article 4 paragraph 1) of the GDPR: "an identifiable natural person is any person whose identity can be established, directly or indirectly, in particular by reference to an identifier, such as (...) an identification number".


Furthermore, the recording system can range from a manual record to a biometric technological system. However, in this latter case, we are faced with the processing of an additional piece of data, e.g. the fingerprint, which belongs to the special categories of data of article 9 of the GDPR, the processing of which is prohibited, unless one of the exceptions set out by the Regulation applies.


All of this has rightly caused an avalanche of doubts and queries on the part of Spanish employers and companies regarding the alignment of this new obligation and the current regulations on data protection and the conditions under which this registration and control of employees’ working hours must be carried out.


The Spanish Supervisory Authority (“Agencia Española de Protección de Datos”; hereinafter, the “AEPD”) has already made a statement on this matter and has published three new questions and answers in its FAQs (vid. www.aepd.es) with the aim of helping companies in the implementation of such a recording in compliance with the new legal obligation, the main lines of which are set down below:


What kind of system can employers use for working hours’ control?

Initially companies can use any system to control the employees’ working hours. However, the AEPD highlights that the system must be "the least intrusive possible" for employees’ privacy, which suggests that manual systems are preferred to those involving biometric technologies.


Should workers' consent be sought for the implementation of these systems and should they be informed about the new control measure?

The recording of employees' working hours does not require their consent. This processing of employees’ personal data is lawful under Article 6.1 (c) of the GDPR; that is, the processing is necessary to comply with a legal obligation to which the employer is subject.


However, the existence of a legal basis for this processing does not exempt the obligation to inform the data subjects of such processing and the conditions under which the processing is carried out in accordance with Articles 12 et seq. of the GDPR. Consequently, all employers must inform their employees about this new control measure by putting at their disposal an information text containing all the points required by Article 13 of the GDPR.


What should I do if the system is managed by a provider who will have access to the data?

If the provider of the recording system has access to the data or provides data hosting services, such provider will be acting as a Data Processor on behalf of the company, which is the Data Controller. Therefore, and in compliance with article 28 of the GDPR, the company must sign with this provider the corresponding “data processing agreement” with the content prescribed in said article.

 

Contact

Contact Person Picture

Isabel Garcìa Garcìa

+34 91 5359977

Invia richiesta

 Rödl & Partner Spain


​Discover more about our offices in Spain. Read more »

 Data Protection Bites

Our newsletter aims at collecting updates, news and insights on data protection matters worldwide, with a special focus on the GDPR. Read all releases »
Deutschland Weltweit Search Menu