Time tracking and data protection: That's what the GDPR says

GDPR and project time recording: This is how we protect your data. Find out how ZEP ensures secure and data protection-compliant project time recording & why IT security is crucial.

Tanja Hartmann
Content Marketing Manager

In an increasingly digital world, employers and employees are faced with the question of which rules and regulations must be observed with regard to project time recording. With the General Data Protection Regulation (GDPR), project time recording was also viewed in a new light, as this involves personal data that is subject to strict requirements. As a company, you are therefore obliged to ensure that the collection and storage of this data complies with legal requirements. So that you can record, store and process your project times in accordance with the law, we at ZEP focus on the security of your data!

General information about the GDPR

The GDPR is a regulation of the European Union which regulates the handling of personal data in public spaces. It was introduced on May 25, 2018 to standardize data protection guidelines in the EU. The GDPR applies to corporations, companies, authorities, practices and associations, both within and outside the European Union. Outside the EU, the rules apply as soon as personal data is processed by EU citizens or the data processing body has a branch within the EU (Art. 3 GDPR).

What is personal data?

According to Article 4 of the GDPR, personal data is information that can be linked to identifiable natural persons. A person is identifiable when identification or classification is possible on the basis of certain criteria. This could be, for example, the name, the personnel number in a company, the appearance or even individual time recording data. Yes, this data can also be used to recognize a person! For this reason, (project) time recording is also subject to the provisions of the GDPR.

Comply with data protection: What is important when recording time?

Digital time recording is in accordance with data protection law, in particular with Section 26 (1) BDSG, as long as you comply with the principles of the GDPR such as lawfulness, purpose limitation, data minimization and accuracy. However, as an employer, you must ensure that the data collected is used exclusively for work-related purposes.

❗ Important ❗

Be sure to comply with the privacy policy! This includes tracking and saving working hours, also when working remotely.

Legal basis for tracking working hours

Since the so-called time tracking verdict of the Federal Labour Court of September 13, 2022, it is clear: Employers must record the entire working time of their employees. This obligation results from Section 3 Paragraph 2 No. 1 ArbSchG as well as Section 16 (2) ArbZG. You must not only document the daily working hours of over eight hours, but also the working time of your employees on Sundays and public holidays.

In addition, you must keep the time sheets for at least two years and submit them to the supervisory authority or send them for inspection upon request.

In order to clarify the exact structure of this recording requirement, the Federal Ministry of Labour and Social Affairs prepared a draft bill in April 2023, which is currently still subject to internal government discussions and further preparation.

Permissible storage period of tracked working hours

The privacy policies relating to working time recording are similar to other personal data. As an employer, you are obliged to delete data that is not intended for the purpose, i.e. recorded working hours may only be stored for as long as they are really needed. This is how you avoid data breaches.

In contrast, overtime must be stored for two years in accordance with Section 16 ArbZG. Payrolls are even subject to tax regulations, such as Section 147 (1) No. 2, paragraph 3 AO, and must be stored for six to ten years.

In order to comply with the requirements of the GDPR and other employment regulations, it is advisable to create a detailed deletion concept. It is particularly important to note that personal data may not be stored longer than is absolutely necessary. Limiting data storage is intended to prevent data loss and unauthorized use of personal data, while at the same time ensuring the right to be forgotten for data subjects.

IT security & digital time recording — an unbeatable team

In addition to the GDPR, IT security is of course also of great importance when recording project time. When you store time tracking data using project time recording software, you must ensure that the data is kept confidential. Ideally, the server for this is located in Germany to ensure compliance with the General Data Protection Regulation. Some providers of project time recording software — such as ZEP — host their software with ISO 27001-certified partners, which ensures compliance with information security guidelines.

The works council has a say

Does your company have a works council? Then you should note that, in accordance with Section 87 (1) No. 6 of the Works Constitution Act (BetrVG), it has a right of participation in the introduction of a time recording system. However, the works council must also take into account the GDPR-compliant aspects of (project) time recording. Agreements between works council and employer should include the following points on working time and project time recording:

  • Definition of the captured data and its purpose of collection
  • Access rights and evaluations within the scope of collection
  • Regulations for GPS location tracking during the collection

Typical pitfalls in data protection-compliant time recording

After careful review and selection of a tool for data protection-compliant and flexible working time tracking, it is implemented in your day-to-day business. It is important that you pay particular attention to purpose limitation and data minimization in accordance with the GDPR, because pitfalls lurk around every corner.

Who can view the working time account?

Apart from the works council (in accordance with Section 80 Paragraph 1 No. 1 BetrVG), individual employees and the employer are not authorized to access working time recording data. Exception: The person concerned has given their express consent that another person outside the specified authority may also view the working time account.

Pending rosters and data protection

In principle, employees have no automatic right to view the complete work schedule. The publication should only be made with the express consent of all employees in order to comply with data protection guidelines. As an employer, you must obtain consent to publish data and may not publish data against the will of individual employees. The internal provision of duty and shift schedules can take place in accordance with Section 26 BDSG if this is necessary for the employment relationship.

Workplace monitoring

As an employer, you may monitor the work performance of your employees, but in doing so you must comply with data protection guidelines and the general personal rights from Art. 2 para. 1 GG. Permanent monitoring is prohibited - but random sampling is permitted. You must regulate detailed insights into bookings via software through a service agreement with your employees.

Time tracking in line with the GDPR: ZEP helps...

… with Data Processing Agreements (DPA):

With every customer who acquires a ZEP license for time tracking, we enter into a Data Processing Agreement (DPA) in accordance with Article 28, Paragraph 3 of the GDPR. This is crucial to clarify the legal aspects of data processing. The DPA defines data protection standards, outlines responsibilities and obligations, and addresses liability issues in the event of data protection violations. It also serves as proof of compliance with data protection regulations and establishes a transparent and legally binding foundation for collaboration between the parties. Finally, time tracking involves sensitive data that must be protected to prevent unauthorized access.

… with High-Security Data Centers:

The security of your data is our top priority. Our hosting partners are ISO/IEC 27001 certified and meet the highest security standards. We also place great emphasis on physical security aspects when selecting our data centers, including fire protection measures and uninterrupted power supply to ensure that your data is always protected.

… with 24/7 Data Access:

Through continuous monitoring of availability and the capacity of our servers, we ensure reliable 24/7 access to your data. This constant monitoring ensures that you can access your data at any time, on any day, without interruptions or outages. We provide secure and digital access that fully complies with the requirements of the General Data Protection Regulation (GDPR).

… with Automated Data Backup:

Our data centers perform automated redundant data backups with encrypted storage. The backup intervals range from daily in the first 14 days to longer intervals of up to 133 days. This enables you to request a backup of your ZEP version at any time, ensuring the security of your data and quick recovery in case of an emergency. Additionally, we have implemented a disaster recovery plan to provide an extra layer of security in the unlikely event of a system failure.

Conclusion: Rely on future-oriented time recording with ZEP

Digitalization has long since found its way into all areas of our working life and project time recording is no exception. Especially in times when data protection and data security are becoming increasingly important, it is essential that you adapt your time recording systems to the requirements of the GDPR.

With ZEP, we not only offer you a solution for mobile time tracking, but are also a reliable partner when it comes to data protection and IT security. We understand the sensitivity of your data and have therefore implemented the highest security standards.

At a time when digital transformation is advancing relentlessly and data protection is becoming a central issue, it is more important than ever to rely on future-oriented solutions.

FAQs

Do I, as an employer, need to digitally record my employees’ working hours?

Yes, following the “time clock ruling” by the German Federal Labor Court, employers are required to fully record the working hours of their employees. This includes daily working hours, overtime, as well as time worked on weekends and public holidays, in accordance with the Working Hours Act and the GDPR regulations.

How long can I store time tracking data?

The storage duration for time tracking data must comply with data protection laws. Generally, working hours should only be stored as long as necessary for business purposes. However, overtime records must be kept for at least two years, while payroll records must be stored for up to ten years due to tax regulations.

How does ZEP ensure the security of my data in time tracking?

ZEP partners with ISO/IEC 27001 certified hosting providers and employs encrypted, automated backups to secure your data. Additionally, we provide 24/7 access to your data while implementing extensive security measures to protect against unauthorized access, ensuring maximum safety for your time tracking data.
