Working time records are mandatory in Spain, but they must be implemented in compliance with data protection law. Recording working hours does not authorise the employer to collect more information than necessary or to permanently monitor employees.

The usual legal basis for this processing is compliance with a legal obligation: Article 34.9 of the Spanish Workers’ Statute requires employers to record each employee’s working time. Therefore, in general terms, employee consent is not required to implement a time recording system.
In this article we will discuss...
What data the company may process
- Identification of the employee.
- Start and end time of the working day.
- Breaks or interruptions when needed to calculate working time.
- Technical records strictly necessary to evidence clocking in and resolve incidents.
The company must apply data minimisation: only the data needed for the working time record purpose should be collected, not additional information for convenience or general monitoring.
Data protection obligations
- Inform employees: explain who processes the data, the purpose, legal basis, retention periods, recipients and rights.
- Limit the purpose: time record data should not be reused for incompatible purposes.
- Control access: only authorised people should access the data when needed for their role.
- Retain data for the required period: and delete or block it when it is no longer necessary.
- Document the processing: include it in the records of processing activities and review risks if the system is intrusive.
Geolocation and clocking in from a mobile phone
If the system uses geolocation, the purpose must be clearly justified. The Spanish Data Protection Authority recalls that, if geolocation is used to record working time, it cannot become constant tracking of the employee’s location. Proportionality, transparency and purpose limitation must apply.
Forcing employees to use their personal phones can also create privacy and resource issues. Corporate devices or less intrusive alternatives are preferable where possible.
Biometrics in time recording
Biometric systems, such as fingerprint or facial recognition, process special categories of data. They therefore require a particularly strict assessment of necessity, proportionality, legal basis and less intrusive alternatives. They should not be implemented merely for convenience.
Checklist for implementing a time recording system
- Choose a tool proportionate to the size and activity of the company.
- Avoid collecting location, biometric or other data unless strictly necessary.
- Inform employees and, where applicable, employee representatives in writing.
- Configure access permissions and security measures.
- Define retention periods and an incident handling procedure.
- Review the contract with the provider if it accesses personal data.
Recommended official sources
- AEPD: consent and time recording.
- AEPD: working time records and data protection.
- AEPD: data protection in employment relationships guide.
Conclusion
Working time records must comply with labour obligations without becoming an excessive monitoring tool. The key is to inform properly, collect only necessary data, limit access and choose proportionate systems.