On 12 May 2019¹, the obligation for employers to implement time recording came into force. Given its data protection implications, in this post we analyse what duties must be complied with in order to avoid not only labour infringements but also those related to the GDPR and the LOPDGDD.
The legal basis for the processing of this data is the employment contract itself (art. 6.2.b) GDPR) in relation to the powers granted by article 20.4 ET, and therefore the consent of the employee is not required.
Companies have a duty to inform employees about the processing that will be carried out on their personal data. Specifically, they must inform them about the aspects listed in Article 13 GDPR:
Article 34.9 ET establishes that the period of data retention is 4 years; however, internal policies must be implemented in the company to ensure that the records are not manipulated.
In order to decide which system to implement for time recording, a triple judgement must be made as to its suitability, necessity and proportionality in relation to the fundamental right to the protection of personal data (Article 5.1 c) GDPR).
Biometric facial recognition systems and fingerprint readers are increasingly being used. The processing of personal data by means of these systems is considered processing of special categories of personal data, exempted from the general prohibition on the processing of such data (Article 9(2)(b) GDPR).
In this case, companies must carry out a Data Protection Impact Assessment (DPIA) prior to the start of this processing of personal data.
For more information, please consult the guide published by the AEPD 'Data protection and labour relations'.
Certified Data Protection Officers (DPOs) have the necessary training and skills to ensure compliance with the principles relating to the processing of personal data; to keep evidence to comply with the principle of proactive responsibility in all these matters; and to inform and train the human resources department to comply at all times with data protection legislation in the control of time recording. The certified DPO can also advise you on Data Protection Impact Assessments (DPIAs) so that you can identify, assess and address the risks associated with your processing activities before you start them and ensure that the processing you are carrying out complies with the law from the outset.
Certification is the only way to objectively and impartially assess that the DPO has high levels of competence and professionalism for the exercise of the functions entrusted to this figure. ANF AC, as a Certification Entity recognised by ENAC, has the necessary technical competence for the certification of the DPO in accordance with the AEPD Scheme.
If you have successfully passed any of the courses given by the Training Entities recognised by any Certification Entity² and/or accredit sufficient professional experience³ in functions related to those of the DPO, do not hesitate to take the last step and get certified.
1 By virtue of the provisions of Royal Decree-Law 8/2019, of 8 March, on urgent measures for social protection and the fight against precariousness in the working day, which implemented the working day register (Sixth final provision).
2 Consult here the training programmes recognised by ANF AC.
3 For access to the experience-based assessment phase, please refer to section 7.3 on prerequisites, which lists the years of experience required and how to prove them.