Time recording and data protection: current obligations and risks of using biometrics

Time recording continues to be one of the areas with the highest volume of inspections and labour disputes. The obligation affects all companies and must be applied to the entire workforce, regardless of size or sector. In recent years, the issue of data protection has also become particularly relevant, as some time recording systems incorporate biometric technologies such as fingerprint or facial recognition.

1. What the regulations currently require regarding time recording

Article 34.9 of the Workers' Statute establishes the obligation to ensure daily time recording, including the specific start and end times of each worker's working day. The system must be reliable, accessible and verifiable, and the records must be kept for four years.

The company must organise and document the recording system in accordance with the law and, where applicable, in accordance with collective bargaining or company agreements. In practice, the risk is not limited to the total absence of records; it also extends to purely formal records that do not reflect the actual working day or that allow modifications without traceability.

2. Common errors that lead to penalties and claims

  • Identical records every day or automatically generated records that do not correspond to the actual working day.
  • Failure to record incidents, corrections or anomalies, or lack of traceability of changes.
  • Teleworking or flexible working hours without real control of working time.
  • Failure to keep records for the required period or inability to provide them when requested by the Inspectorate.
  • Confusing working time records with attendance records, without reflecting the start and end of the actual working day.

3. Time recording and data protection: special attention to biometrics

The use of fingerprint or facial recognition for clocking in involves the processing of biometric data. When used to uniquely identify a person, this data is considered a special category of data under Article 9 of the General Data Protection Regulation. Therefore, its use requires reinforced justification and additional safeguards.

In the workplace, the general criterion is that the company must opt for proportionate and necessary measures. Given that there are less intrusive alternatives for time recording, such as cards, personal codes, clocking-in applications or username and password systems, the use of biometrics is often difficult to justify in most organisations.

Consequently, except in exceptional cases that are duly justified, documented and subject to enhanced compliance measures, it is not advisable to implement biometric systems for time recording. When biometrics are to be used, it is essential to analyse the legal basis, apply minimisation, assess risks and implement appropriate technical and organisational measures.

4. Reform in progress: strengthening time control and traceability

At the regulatory level, the Government has expressed its intention to strengthen the requirements for time control and traceability of records, within the framework of reducing working hours and modernising the control of working time. As of the date of this publication, certain measures are in the announcement and processing phase, so it is advisable for companies to anticipate them by reviewing their systems, internal policies and documentary evidence.

Applicable legislation and criteria

  • Royal Legislative Decree 2/2015, of 23 October, approving the revised text of the Workers' Statute Act, Article 34.9.
  • Royal Decree-Law 8/2019, of 8 March, on urgent measures for social protection and the fight against job insecurity in the working day.
  • Royal Legislative Decree 5/2000, of 4 August, approving the revised text of the Law on Infractions and Penalties in the Social Order (LISOS), in particular Article 7.5.
  • Regulation (EU) 2016/679 (GDPR), Article 9 (special categories of data), and principles of Article 5.
  • Organic Law 3/2018, of 5 December, on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD).

SFAbogados advises companies on the implementation and review of time recording systems, as well as on compliance with data protection in working time control systems and on defence against Labour Inspection requirements.
