What employers must observe in terms of data protection law when using digital time recording

In many workplaces, working hours are now recorded digitally. While this usually provides more transparency and saves time and effort, it also means that employers have to deal with how to handle their employees' data.

The problem

For the employer, the advantages of digital time recording are obvious: accurate and traceable documentation of working time with relatively little effort and almost no loss of time.

However, the data collected by chip cards, transponders or apps on cell phones can also be used to track employees' work behavior and movement profiles very precisely. These risks already exist inside the company. In addition, like all other data the company stores, the data could be exposed by a hacker attack from outside or a similar incident. If biometric data of employees used for time recording is also affected, access by unauthorized persons can have even more far-reaching consequences.

The company faces the challenge of maintaining employee data protection and privacy when it comes to digital time recording.

This should be noted

In most cases, data processing for time recording can be justified on the ground that it serves to implement the employment relationship (Section 26 I BDSG). Working hours can thus be accounted for accurately and fairly. This is also in the legitimate interest of the employer (§ 326 I BDSG, Art. 88 I DSGVO).

However, if time recording is done digitally, the data is exposed to a higher risk than with analog solutions. Particular attention must be paid here to purpose limitation (Art. 5 I lit. b DSGVO). If the employer collects the data for time recording, it may only use it for this purpose and may not, for example, create a movement profile of the employee. The employer may record when the employee is present or absent (especially in the case of flexible working hours), but may not record the specific reason for the absence (e.g., "absence due to illness" may be recorded, but not the specific illness). Recording the specific reason would exceed the legitimate interest and violate data protection.

Special features of biometric time recording

If the employer scans the employee's fingerprint or iris during time recording, the employee can be identified quite clearly and matched to the data. On the other hand, this means that data of the special category (Art. 9 I DSGVO) are processed, which are particularly worthy of protection.

  • Section 26 III BDSG permits the processing of such data if it is necessary for the exercise or fulfillment of rights and obligations within an employment relationship. To determine whether this is the case in a specific company, the protection of the special category of personal data must be weighed against the level of security required in the company (sensitivity of the data, etc.). The greater the need to protect and secure the information and data found at the workplace, the more likely it is that biometric access control (with time recording) is permissible.

Here, too, a transparent procedure is always crucial for the employer. In any case, expert advice should be sought regarding the question of which methods are most suitable in one's own company and how they can be implemented.
