Work time tracking

Time recording and data protection: what the GDPR says

GDPR and project time recording: how we protect your data. Find out how ZEP ensures secure and data protection-compliant project time recording and why IT security is crucial.

In an increasingly digital world, the question arises for employers and employees as to which rules and regulations must be observed with regard to project time recording. With the General Data Protection Regulation (GDPR), project time recording has also been viewed in a new light, as personal data is involved here that is subject to strict regulations. As a company, you are therefore obliged to ensure that the recording and storage of this data complies with the legal requirements. To ensure that you can record, store and process your project times in compliance with the law, we at ZEP focus on the security of your data!

The most important information at a glance:

  • General information on the GDPR
  • Time recording - what is permitted and what is important?
  • Permitted storage duration of recorded working times
  • The role of the works council
  • Can the employer monitor time recording?

General information on the GDPR

The GDPR is a regulation of the European Union which regulates the handling of personal data in public spaces. It was introduced on 25 May 2018 to harmonise data protection policies across the EU. The GDPR applies to groups, companies, authorities, practices and associations, both inside and outside the European Union. Outside the EU, the rules apply as soon as personal data of EU citizens are processed or the data controller has an establishment within the EU (Art. 3 GDPR).

What is personal data?

According to Article 4 of the GDPR, personal data is information that relates to identifiable natural persons. A person is identifiable if they can be identified or classified on the basis of certain criteria. This can be, for example, the name, the personnel number in companies, the appearance or even individual data for time recording. Yes, this data can also be used to recognise a person! For this reason, (project) time recording is also subject to the provisions of the GDPR.

Comply with data protection: What is important for time recording?

Digital time recording complies with data protection law, in particular with Section 26 (1) BDSG, as long as you comply with the principles of the GDPR such as lawfulness, purpose limitation, data minimisation and accuracy. However, as an employer, you must ensure that the data collected is used exclusively for work-related purposes.

Important: Make sure you comply with the data protection guidelines! This includes the recording and storage of working hours, even in the case of time recording in the home office.

Legal basis for the recording of working hours

Since the so-called time clock judgement of the Federal Labour Court of 13 September 2022, it is clear: employers must record all of their employees' working hours. This obligation arises from § 3 para. 2 no. 1 ArbSchG and § 16 (2) ArbZG. You must document not only the daily working hours over eight hours, but also the working hours of your employees on Sundays and public holidays.

In addition, you must keep the time sheets for at least two years and present them to the supervisory authority or send them for inspection upon request.

In April 2023, the Federal Ministry of Labour and Social Affairs prepared a draft bill to clarify the exact form of this recording obligation, which is currently still subject to internal government discussions and further elaboration.

Permitted storage duration of recorded working times

The data protection guidelines regarding the recording of working hours are similar to those for other personal data. As an employer, you are obliged to delete data that is not earmarked for a specific purpose, i.e. recorded working times may only be stored for as long as they are actually needed. In this way, you avoid data protection offences.

In contrast, overtime must be stored for two years in accordance with § 16 ArbZG. Payrolls must even be stored for six to ten years in accordance with tax regulations, such as § 147 para. 1 no. 2, para. 3 AO.

In order to meet the requirements of the GDPR and other labour law regulations, it is advisable to create a detailed deletion concept. It is particularly important to note that personal data must not be stored for longer than is absolutely necessary. Limiting data storage is intended to prevent data loss and unauthorised use of personal data, while at the same time guaranteeing the right to be forgotten for the data subjects.

IT security & digital time recording - an unbeatable team

In addition to the GDPR, IT security is of course also very important in project time tracking. If you store time recording data using software for project time recording, you must ensure that the data is treated confidentially. Ideally, the server for this is located in Germany to ensure compliance with the General Data Protection Regulation. Some project time tracking software providers - such as ZEP - host their software with ISO 27001 certified partners, which ensures compliance with information security guidelines.

The works council has a say

Does your company have a works council? Then you should note that, according to Section 87 (1) no. 6 of the Works Constitution Act (BetrVG), it has a right of co-determination in the introduction of a time recording system. However, the works council must also consider the GDPR-compliant aspects of (project) time recording. Agreements between works council and employer should include the following points on working time and project time recording:

  • Definition of the data collected and their purpose of collection
  • Access rights and evaluations within the scope of recording
  • Arrangements for GPS location transmission during recording

Typical pitfalls in data protection-compliant time recording

After careful review and selection, a tool for data protection-compliant and flexible working time recording is implemented in your day-to-day business. It is important that you pay particular attention to purpose limitation and data minimisation in accordance with the GDPR, because pitfalls lurk around every corner.

Who is authorised to view the working time account?

Apart from the works council (pursuant to Section 80 (1) No. 1 BetrVG), the individual employee and the employer, no one is authorised to access the working time recording data. Exception: The person concerned has given their express consent for another person outside the authorised persons mentioned to view the working time account.

Posted duty rosters and data protection

Employees have no automatic right to view the complete duty roster. Publication should only take place with the express consent of all employees in order to fulfil data protection guidelines. As an employer, you must obtain consent for publication and may not publish data against the will of individual employees. The internal provision of duty rosters and shift schedules can be authorised in accordance with § 26 BDSG if this is necessary for the employment relationship.

Monitoring in the workplace

As an employer, you are allowed to monitor the work performance of your employees, but you must comply with data protection guidelines and the general right to privacy under Art. 2 para. 1 GG. Permanent monitoring is inadmissible; however, random checks are permitted. Detailed insights into bookings via software must be regulated by a service agreement with your employees.

Time recording in compliance with the GDPR: ZEP helps...

... with order processing contracts:
We conclude an order processing agreement (AVV) in accordance with Article 28(3) GDPR with every customer who purchases a ZEP licence for time recording. This is crucial in order to clarify the legal aspects of data processing. The AVV defines data protection standards, specifies responsibilities and obligations and regulates liability issues in the event of data protection violations. It also serves as proof of compliance with data protection regulations and creates a transparent and legally binding basis for cooperation between the parties. After all, time recording involves sensitive data that must be protected to prevent unauthorised access.

... with high-security data centres:
The security of your data is our top priority. Our hosting partners are ISO/IEC 27001 certified and fulfil the highest security standards. We also attach great importance to physical security aspects when selecting our data centres, including fire protection measures and an uninterruptible power supply, to ensure that your data is protected at all times.

... with round-the-clock data access:
By permanently monitoring the availability and capacity of our servers, we guarantee you reliable 24/7 access to your data. This continuous monitoring ensures that you can access your data at any time and on any day, without interruptions or outages. We offer you secure and digital access that fully complies with the requirements of the General Data Protection Regulation (GDPR).

... with automated data backup:
Automated redundant data backup with encrypted storage takes place in our data centres. The backup intervals range from daily for the first 14 days to longer intervals of up to 133 days. This means that you can request a backup of your ZEP version at any time, ensuring both the security of your data and rapid recovery in the event of an emergency. In addition, we have implemented a disaster recovery concept to provide you with an additional layer of security in the unlikely event of a total system failure.

Conclusion: Rely on future-orientated time recording with ZEP

Digitalisation has long since found its way into all areas of our working lives and project time recording is no exception. Especially in times when data protection and data security are becoming increasingly important, it is essential that you adapt your time recording systems to the requirements of the GDPR.

With ZEP, we not only offer you a solution for mobile time recording but are also a reliable partner when it comes to data protection and IT security. We understand the sensitivity of your data and have therefore implemented the highest security standards.

At a time when the digital transformation is progressing inexorably and data protection is becoming a key issue, it is more important than ever to focus on future-oriented solutions.

Tanja Hartmann

Content Marketing Manager at ZEP
