The reform of the Spanish Workers' Statute (“Estatuto de los Trabajadores”, ET) by Royal Decree-Law 8/2019, of March 8, introduced the obligation for ALL companies to adopt a system to record the working day of their employees on an individual basis. The working day record constitutes a specific processing of personal data because it identifies a specific employee during his or her work activity and, as such, must comply with the requirements established in the current personal data protection regulations.
It should be remembered that the ET does not establish which specific systems companies must choose to carry out this recording, nor the technical or organizational characteristics they must comply with. The only requirement is that they guarantee that each employee’s working day is recorded in such a way that it is duly documented and that the records are kept for 4 years. This freedom to choose the recording system is not absolute, however: although the right to data protection does not limit a company's options when choosing a time recording system, the system chosen may affect the rights and freedoms of workers in terms of the protection of their personal data and, therefore, generates important limits for the company.
This situation means that companies cannot take the choice of time recording system lightly, because an error in that choice or in the system's features can lead to a serious and continuous infringement of data protection regulations.
It is for this reason that the Spanish Data Protection Agency (the Agency) has recently included, in its new Guide on data protection in labor relations, a series of recommendations and indications expressly referring to the processing of data in the time recording system, with the aim of guiding companies in complying with data protection regulations.
As a fundamental principle, the Agency recommends in its Guide that companies adopt the least invasive system possible with respect to employee privacy and that, therefore, they comply with the principle of minimization of data processing in terms of recording the least amount of employee data, i.e. the essential data, and keeping it only for the time strictly necessary. Since the ET establishes the obligation to keep these records for 4 years, the recording system established by the company must guarantee that the records will not be kept for longer than this period, after which they must be deleted.
As the Agency points out, although the choice of recording system may require an agreement between the company and the employees' representatives, the basis that legitimizes the company to carry out this type of data processing is compliance with the obligation established in the ET. Consequently, keeping these records does not require the consent of the employees, although they do have the right to be informed and, where appropriate, to exercise the rights of access, rectification, objection and erasure, regardless of whether the recording system is more or less sophisticated.
In addition, the system chosen must guarantee the confidentiality of the records; therefore, the records must not be kept in a visible place where anyone can see them, even if they are manual systems. The company must therefore adopt the necessary security measures to guarantee the confidentiality of the records, preventing access by unauthorized persons, including the employees themselves if such access allows them to check the data of other colleagues. The company can only give access to these records to persons authorized by law (interested workers, their representatives and entities or authorities that need such data for the purposes of an investigation, such as the Labor and Social Security Inspection, or the Courts).
The Agency also points out that, as in any data processing, the legal basis only reaches what is necessary to fulfill the purposes for which the data are collected. The company therefore may not use the data of this record for purposes other than the control of the working day, such as checking the location of the employee. Many companies accustomed to the mobility of their employees or to teleworking have opted for time recording systems based on an App that employees download to their smartphone. These Apps can base their recording system on the geolocation of the device but, in these cases, this should be a purely technical requirement and not an end in itself for the company. In fact, this information should not even reach the company, because the only purpose of this record is to check when the working day begins and when it ends, not to verify where the employee is at any time. This limitation is therefore not incompatible with “remote” time recording for workers who do not physically go to the workplace (e.g., teleworking, salespeople, etc.) through remote access to a corporate intranet or App, even if such systems require the use of geolocation, provided that this geolocation is not used by the company to permanently locate its employees.
Special mention should also be made of “clocking-in” or time recording systems based on fingerprint or other biometric data, such as facial recognition. Depending on the system used for these types of records, we would be dealing with the processing of special categories of data, which could result in the obligation for the company to carry out a data protection impact assessment, as they are methods that may be particularly invasive of the employee’s privacy and, therefore, could affect his or her rights and freedoms.
To avoid this, a company that uses recording systems based on employees' biometric data (fingerprint or facial recognition, for example) should opt for a biometric verification or authentication system and not for a biometric identification system. In the first case, the employee’s fingerprint or face is recorded and then, each time there is a record, the system performs a one-to-one correspondence search. In the second case, biometric identification is a more complex process that compares the biometric data of the employee (acquired at the time of identification) with a series of biometric templates stored in a database; it is therefore a one-to-many matching process.
The AEPD has generally stated that biometric data will only be considered a special category of data when they are subject to technical processing aimed at biometric identification (one-to-many), and not in the case of biometric verification/authentication (one-to-one). Therefore, when choosing a biometric time recording system, it is advisable to use a verification or authentication system, as it is less invasive.
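The one-to-one versus one-to-many distinction described above, shown as an added example that is not part of the original article or of the Agency's Guide. The feature vectors, the threshold, the cosine matcher and the `CountingStore` helper are all constructed for illustration; the point is how many stored templates each mode has to touch for a single clock-in.

```python
import math

THRESHOLD = 0.98  # assumed decision threshold for this toy matcher

# Constructed enrolment data: employee ID -> toy feature vector ("template").
TEMPLATES = {
    "E001": [0.9, 0.1, 0.3],
    "E002": [0.2, 0.8, 0.5],
    "E003": [0.4, 0.4, 0.9],
}

class CountingStore:
    """Hypothetical template store that counts how many templates are read."""
    def __init__(self, templates):
        self._templates = dict(templates)
        self.reads = 0

    def get(self, employee_id):
        template = self._templates.get(employee_id)
        if template is not None:
            self.reads += 1
        return template

    def scan(self):
        for employee_id, template in self._templates.items():
            self.reads += 1
            yield employee_id, template

def similarity(a, b):
    """Cosine similarity, standing in for a real biometric matcher."""
    dot = sum(x * y for x, y in zip(a, b))
    return dot / (math.hypot(*a) * math.hypot(*b))

def verify(store, claimed_id, sample):
    """One-to-one: compare the sample only with the claimed employee's template."""
    template = store.get(claimed_id)
    return template is not None and similarity(sample, template) >= THRESHOLD

def identify(store, sample):
    """One-to-many: search every enrolled template for the best match."""
    best_id, best_score = None, THRESHOLD
    for employee_id, template in store.scan():
        score = similarity(sample, template)
        if score >= best_score:
            best_id, best_score = employee_id, score
    return best_id

SAMPLE = [0.88, 0.12, 0.31]  # constructed capture, close to E001's template
```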
Do not hesitate to consult us on any of these matters; we will be happy to help you ensure compliance with data protection regulations in your organization.