The new Royal Decree on urgent social protection measures and to combat precarious work in relation to working time has recently established the obligation for Spanish companies and entities to implement a system for recording working hours.

When introducing this system to record working hours, the new legislation can lead to substantial changes in defining the purposes and means that companies use to process employees’ data. Consequently, the information previously provided to employees may have become obsolete. In order to comply with the EU General Data Protection Regulation (GDPR) and the Law on Data Protection and the safeguard of digital rights (LOPD-gdd), entities must at least carry out the following:

1.- Perform an in-depth analysis of the new processing of data that they will carry out and, where necessary, carry out a data protection impact assessment about the impact that this new process will have on employees’ privacy. The following aspects, among others, must be addressed in particular during this analysis:

  • The type of data used. For example, the use of biometric data such as fingerprints;
  • The agreements executed with the suppliers of the timekeeping system;
  • The installation of applications to recording working hours on employees’ work devices, especially in relation to the policy on use of technology at each entity.

2.- Inform employees of this new timekeeping system as per the terms established in the privacy legislation. In the vast majority of cases, it will first be necessary to include the information obtained in the above analysis in the Record of Processing Activities.

3.- Obtain, if necessary, the consent of the employees.