Work time registration and data protection

The Workday Register, also known as clocking in, is regulated in article 34.9 of the Workers’ Statute. It may seem like a labor obligation, but companies must take into account that it also has direct implications for Data Protection compliance.

The Working Time Record

Every company must implement in the workplace some mechanism for recording working hours that complies with the Workers’ Statute:

The format used must state the day, start and end time of the workday.

This information will be kept for 4 years.

The information must be available to workers, their representatives and labor authorities.

Once this obligation has been defined in the labor sphere, it is necessary to know what implications it has for the company:

1.- Define the method for recording working hours

2.- Comply with data protection regulations.

Modalities of the Working Time Record

When choosing which modality to use for the Workday Record, it is very important that you reflect on the risks involved in each of them, mainly in terms of security and data protection. We remind you that the compliance framework for companies, in terms of data protection, corresponds to the GDPR and the LOPD-GDD.

The most commonly used modalities for Workday Registration are:

Paper

This is the most popular option, as it is easy to implement, use and maintain at low cost.

It consists of recording the start and end of each employee’s working day, by means of a specific document designed by the company that must be completed and signed by the employees.

This type of record-keeping requires workers to take the initiative to record their working hours accurately and honestly, and also implies that someone in the company must file the records properly.

While paper records can be effective, they can also be prone to error and fraud, as it is easy for workers to make unauthorized adjustments to their records of hours worked.

In terms of data protection and based on the principle of data minimization, the personal data that may be contained in these documents (name, surname, ID card number, signature and the records of entries, exits, breaks, etc.) can only be accessed by authorized personnel.

Another problem with this modality is that documents can be lost with the consequent disruption and legal repercussions for both labor and data protection.

It can also be done using a time clock, in which case it is recommended that the card identify the employee by a code to prevent unauthorized access to his or her personal data.

Applications

This can be done by means of technological tools, such as specific computer applications for people management.

Recording working hours in an app is a more automated and operational process, as apps can be used from mobile devices and by personnel working outside the workplace.

For people working abroad, it is usually complemented with a geolocation register, to avoid labor fraud, but the company must take into account how to use geolocation at work.

The workday record of each worker is automatic and computerized, which makes it possible to run a historical analysis, or any other analysis needed, of the hours counted. As it is usually hosted on the servers of the technological provider that owns the app, it gives more peace of mind when it comes to guaranteeing its conservation.

The worker is the one who must mark the start and end of the working day in the application itself, after downloading it to his device (e.g. PC or smartphone) and registering to ensure that he is an authorized user, whose working day record can only be accessed by the worker and personnel authorized by the company.

On the other hand, this modality requires a secure internet network that prevents unauthorized access, the app must be kept updated to the latest version at all times, and the company must know the privacy policy of such providers in order to take appropriate security measures.

This can also be done via e-mail, although it only seems really useful if the person always works on the corporate premises.

Biometrics

Workday registration using biometric data readers consists of using devices known as readers of workers’ unique physical characteristics, such as fingerprints, facial recognition, iris or voice.

Once the person has been authenticated or identified, the reader registers the day and time of entry or exit from the work center and this data is transformed by a computer system such as the Workday Register, stored and subsequently processed in a similar way to the previous modality by means of computer applications.

It is therefore a very simple modality for the workers and very operative for the management of this obligation by the company. It also provides a high level of protection against fraud, since it is impossible to breach the system, for example, to impersonate another person.

These systems can also be used as access control systems, acting as an additional physical security system for corporate facilities. This modality can serve as a system that allows only authorized personnel to access restricted areas.

However, it is important to note that the use of biometric data may raise issues related to privacy and personal data protection.

Therefore, the company must take into account how to use biometric data in the workplace, because depending on the type of system used (e.g. authentication or identification) and the biometric data processed (fingerprint is not the same as facial recognition), we would be dealing with a special category of data processing, with the consequent requirements that this implies.

Cards and codes

In this system, the worker swipes the card through the corresponding readers located by the company at the access doors to the facilities, or enters a security code on a keypad, which is essential to enter or exit. This produces a record of when the worker enters and exits.

The data from the workday register are transformed by a computer system and therefore have an automatic and computerized operation, which allows a simple and safe collection and storage for the company.

Although they can be separate systems, combining the two (recommended) is very attractive for the physical security of facilities, providing a double security factor which, if complemented with a video surveillance system, can be said to cancel any case of labor fraud.

This modality also has the ability to be a security system for access to specific areas such as offices, rooms or areas.

It is therefore a very simple modality for employees and companies, without many complications with data protection.

Data protection in the Working Time Register

In general, you will not have to seek the consent of the workers to implement the work time registration, as it derives from a legal obligation and therefore it will be legitimate according to Article 6.1 c) of the GDPR.

However, the obligation of the company to have the Working Time Register does not legitimize other processing, such as the use of biometric data of workers. In these cases the company must have another legitimate basis, according to the assumptions established in Article 6.1 of the GDPR.

From a personal data protection perspective, regardless of the workday record you use, you must comply with the following:

1.- That it be as minimally invasive as possible for the worker.

2.- Gather all the necessary security measures to protect personal data.

3.- The right of workers to be informed of the registration method chosen by the company.

4.- Exercise of the rights of access, rectification, opposition and suppression.

5.- Conduct a Risk Analysis, including an Impact Assessment (EIPD), prior to processing.

6.- It shall be part of the Treatment Activities Register (RAT).

7.- The principle of data minimization shall apply.

It is important that you take into account all these points, since the company will be the Data Controller of the workers’ data, with all the obligations that this entails.

Failure to comply with the Data Protection Regulation may result in sanctions by the AEPD. One example is the sanction of 20,000 euros imposed on a company that used biometric data, as it was considered invasive and used too much data in relation to the purpose pursued (PS-00050-2021).

Business Adapter® at your service

With all of the above, you will surely understand the need for Data Protection Consultants to help you implement the best system according to your needs and above all, that the modality complies with the Data Protection Law, avoiding the dreaded penalties.

If you need help, contact us by email: info@businessadapter.es, you can also call 96 131 88 04, or leave your message in this form:

Contact us, we will be pleased to help you.