What employers must observe in terms of data protection law when using digital time recording

In many workplaces, working hours are now recorded digitally. While this usually provides more transparency and saves time and effort, it also means that employers have to deal with how to handle their employees' data.

The problem

For the employer, the advantages of digital time recording are obvious: accurate and traceable documentation of working time with relatively little effort and almost no loss of time.

With the data generated by chip cards, Transponders or apps can be recorded on the cell phone, work behavior and movement profiles of employees can also be tracked very precisely. These risks are already present within the company. However, the data could also fall victim to an external hacker attack or similar, just like all other data stored by the company. If biometric Data from employees In the case of the data collection systems used for time recording, access by unauthorized persons can have even more far-reaching consequences.

The company is facing the challenge of digital time recording, Data protection and privacy of the employees.

This should be noted

In most cases, data processing for time recording can be justified by the fact that it serves the performance of the employment relationship (Section 26 I BDSG). Working hours can thus be accounted for accurately and fairly. This is also in the legitimate interest of the employer (Section 326 I BDSG, Art. 88 I GDPR).

However, if time recording is done digitally, the data is exposed to a higher risk than with analog solutions. Particular attention must be paid here to the purpose limitation (Art. 5 I lit. b GDPR). If the employer collects the data for time recording, it may only use it for this purpose and may not, for example, create a movement profile of the employee. On the other hand, the employer may record when the employee is present or absent (especially in the case of flexible working hours), but not specifically record why they are absent (e.g. "absence due to illness" may be recorded, but not the specific illness). This would legitimate interest and violate the protection of data.

Special features of biometric time recording

If the employer captures the employee's fingerprint or iris by means of a scan during time recording, the employee can be identified quite clearly and assigned to the data, but on the other hand, data of the special category (Art. 9 I DSGVO) are processed, which are particularly worthy of protection.

• Section 26 III BDSG permits the processing of such data if it is necessary for the exercise or fulfillment of rights and obligations within an employment relationship. In order to determine whether this is the case in a specific company, the protection of the special category of personal data with the level of security required in the company (sensitivity of the data, etc.). The more sensitive the information and data that can be found in the workplace, the more permissible biometric access control (with time recording) is.

Here, too, a transparent procedure is always crucial for the employer. In any case, expert advice should be sought regarding the question of which methods are most suitable in one's own company and how they can be implemented.