Time tracking and data protection: Data protection-compliant solution explained

Time and attendance is an essential part of any business - but it also presents a challenge when it comes to data security and privacy. With the ever-evolving digital landscape, it is more important than ever that companies have secure systems in place to protect employee data. GDPR-compliant time recording is particularly important for employees, as it ensures that their personal data is protected. For those who are responsible for personnel in the company, it is important to address this issue in order to be legally compliant and to adequately protect employee data. This blog post is about the importance and interplay of time recording and data protection, the challenges of handling employee data responsibly and tips on how to ensure maximum security measures when processing employee data.

The challenge of time recording: data protection

As a HR manager, you play an important role in ensuring that time recording is secure and compliant with the GDPR. It is crucial that managers create a secure environment for handling employee data by ensuring that all employees are aware of their rights regarding the protection of their personal data. Time recording within a data protection law framework involves taking proactive steps to protect sensitive employee data to avoid external threats or internal abuse. By following such measures, you can not only create a secure environment, but also save time and financial resources through potential fines.

Why is working time personal data?

Working hours are personal data because they are directly related to a specific person. It contains information about the identity, place of work, hours and conditions of work, and possibly the nature of the work. This working time data may establish links with other personal data, such as location, contact details and income. Information about working hours can also allow conclusions to be drawn about a person's actual work performance, e.g. employers can use it to check whether the employee is working fast enough or producing fast enough. Therefore, it must be protected in accordance with the Data Protection Regulation (GDPR).

Is time recording relevant to data protection?

Yes, time recording is relevant to data protection because it contains personal data. As such, they are subject to the requirements of the GDPR and you as an employer must ensure that you set up time recording procedures that comply with data protection standards. This also includes the secure storage and transmission of the data as well as appropriate regulations for accessing and processing the data in order to protect the rights of employees. At the latest since the decision of the European Federal Labour Court that the recording of working time is compulsory, compliance with data protection guidelines in processing in this area takes on a special role. Read more about the obligation to record working time here When recording working time, personal data is processed, which is why, according to the Basic Data Protection Regulation, it may only be viewed by authorised persons. These include, for example, HR managers, finance departments or executives. Additionally, it is important that these authorised persons only use the information for the purposes initially specified (i.e. to document working time) and not to control the employee. These control measures - if they have to be carried out - must be based on other, less invasive measurements of the employee's work (purpose limitation principle from Art. 5(1)(b) GDPR). It is important that all employees who have access to time recording systems and thus to the time recording of individual employees are informed about the importance of data protection and understand how to handle the data responsibly.

Advantages and disadvantages of time recording on paper or Excel

It is not uncommon to use paper or Excel to record working time. This may seem easier and cheaper at first, but some aspects should be considered.

Advantages:

• Easy to use (however, with more than 10 employees it can quickly become difficult to keep track).
• Hardly any technical knowledge required
• No additional costs

Disadvantages:

• Less security for the data and thus risk of data leakage and data protection breaches.
• No automatic monitoring of time recording
• Access by unauthorised persons is more difficult to control

Above all, the risk of data leakage and data protection breaches is a starting point to look at other ways of time recording in the context of data protection under the GDPR. Security for personal data and automatic monitoring can be ensured through HR software, for example. More on the question of whether you should opt for the digital personnel file or the paper personnel file can be found here.

Advantages and disadvantages of using HR software

To ensure GDPR-compliant time recording, the use of HR software should therefore be considered. This is a secure, modern and efficient way to record working hours and leave days. Time recording with an HR software has the following advantages and disadvantages regarding data protection:

Advantages:

• Higher data security: HR software has built-in data protection and security features that ensure that data is protected according to legal requirements.
• Automatic monitoring of time recording: With HR software, many processes are automated, saving time and effort while minimising sources of error.
• Centralised storage: All working time data is stored in a central location for easy access.

Disadvantages:

• Additional costs: HR software does cost you additional money. However, the costs for such software are very low in relation to the costs that you will incur with a fine in the event of incorrect handling in accordance with the GDPR.

Where must the servers be located on which the data is stored?

The servers on which the time tracking is stored must be located in an EU country or a country that is recognised as offering the same level of data protection as the EU and must comply with the requirements of the GDPR. This also applies to companies that house their servers with an external service provider (some companies choose to keep the servers in their own building, while others keep the servers in an external data centre for more security and protection). It is important to ensure that the data on the servers is adequately protected and cannot be accessed without authorisation. It is also important to note that different legal requirements may apply to the location of the servers depending on the country, especially regarding data protection.

How long may data be stored?

A GDPR-compliant time recording is of great importance for every company, especially with regard to the storage of data. According to the requirements of the GDPR and labour law, data from the recording of working time must usually be stored for at least two to five years in order to be able to prove claims under labour law. However, it is important to note that certain laws, such as tax law, may require longer storage periods. It is therefore advisable to carefully review the applicable laws and ensure that timekeeping data is stored for data protection purposes in accordance with the applicable laws.

What do employers need to consider?

As an employer, you have a responsibility to protect personal data when recording time from your employees. There are a number of legal requirements and regulations to follow to ensure that time recording is GDPR compliant and legally permissible.

• Clear and unambiguous regulations: Working hours, jobs and working time models must be clearly and unambiguously specified in an employment contract.
• GDPR compliance: Time recording must be GDPR-compliant and legally permissible. All employees must be informed about the time recording. A procedure for processing personal data in connection with time recording must be in place.
• Data security: Data storage must be secure and protected to prevent unauthorised use or disclosure of the data. Data must not be stored for longer than is necessary for the management and monitoring of working time. The servers on which the data is stored must be located in a secure jurisdiction, according to the General Data Protection Regulation.

You need to ensure that you meet these data protection requirements for time recording to ensure legally secure and responsible management of working time and therefore personal data.

What do employees need to be aware of?

Time tracking is an important aspect of working life and can help to monitor working time and performance. It is therefore important that workers are aware of their rights and responsibilities in relation to timekeeping. These include:

• Right to information and transparency: every employee has the right to information and transparency regarding their working hours. Workers should ensure that they have access to their own working time data and are informed of any changes.
• Right to protection of personal data: Every employee has the right to the protection of their personal data. Workers should ensure that their working time data is kept safe and secure and that it is not shared without their consent.

It is important that workers understand their rights and responsibilities in relation to timekeeping to ensure that their personal data is protected.

Summary: Time Tracking - Data Protection

Time tracking and data protection are important issues for any business. It is essential that you as an employer comply with the applicable laws and regulations. A GDPR-compliant time recording protects both the company and the employees from data misuse and guarantees a lawful processing of personal data. The choice between paper or Excel time recording and HR software or time tracking app depends on the company's requirements, but the high level of data protection should always take precedence.

***

Lea Walden is Marketing and Business Development Associate at heyData, the compliance SaaS company for data protection and more. With her background in business psychology, she compiles content for interested parties around the topic of data protection in close consultation with heyData's legal team.