The obligation to record employees’ working hours and the implementation of a data protection-compliant time recording system are key compliance issues for employers. The decision of the Federal Labour Court (BAG) of 13 September 2022 highlights the legal importance of seamless working time recording in the company, based on the provisions of the Working Hours Act (ArbZG). At the same time, the General Data Protection Regulation (GDPR) requires sensitive handling of the personal data generated by time recording. This article highlights the legal requirements, presents best practice recommendations and addresses specific issues relating to the data protection-compliant organisation of working time recording.
Scope of the obligation to record Working Hours: To whom does the obligation to record apply?
The decision of the Federal Labour Court obliges employers to record the working hours of all employees who are subject to the provisions of the ArbZG. This includes not only traditional employees, but also mobile employees and those who work from home or as part of trust-based working hours. Senior executives are exempt from this obligation, as they are not subject to the provisions of the Working Hours Act in accordance with Section 18 ArbZG. This distinction is essential for companies in order to implement the recording obligation in a targeted and legally compliant manner.
Co-determination rights of the Works Council in the Organisation of the Time Recording System
The works council has a right of co-determination with regard to the organisation of time recording in accordance with Section 87 (1) No. 7 BetrVG. Although the employer is legally obliged to introduce a time recording system, the works council has the right to have a say in the choice of means and procedures for recording. This includes the decision on the time recording system used, the control density and the type and manner of documentation. Co-determination extends exclusively to the ‘how’ and not to the ‘whether’ of time recording.
Data Protection Requirements for Working Time Recording
As working hours are considered personal data, they are subject to the strict requirements of the GDPR. Companies are obliged to set up a data protection-compliant system for processing this data that implements the following principles:
- Legal basis for recording: working time data is recorded on the basis of Art. 6 Para. 1 lit. c GDPR in conjunction with Section 3 Para. 2 No. 1 ArbSchG (obligation to introduce a working time recording system). Art. 6 para. 1 lit. f GDPR can justify legitimate interests of the employer, such as remuneration or obligations to provide evidence.
- Data minimisation and purpose limitation: The collection of data should be limited exclusively to the data absolutely necessary for compliance with working time regulations. Utilisation of working time data for other purposes, such as performance monitoring, is only permitted if there is a clear legal basis.
- Security measures: Companies must implement appropriate technical and organisational measures (TOMs) to ensure the security of the data collected. These include encryption, access restrictions and regular reviews of the security measures in place.
- Flexible recording methods: Time recording can be digital or analogue and, if necessary, delegated to employees, for example by recording it themselves. However, the employer remains responsible for correct and complete recording and should carry out regular plausibility checks.
- Employees’ rights and transparency: Employees have the right to inspect their recorded data and to request that it be corrected or deleted if this data is no longer required. Companies are obliged to inform employees transparently about the scope, purpose and duration of storage.
Use of biometric Data for Recording Working Hours
The use of biometric data (e.g. fingerprint or iris scans) for working time recording requires particular caution, as biometric data is considered particularly sensitive information and falls under the extended protection of the GDPR. The processing of biometric data is only permitted under very strict conditions and requires a high level of justification. Companies should favour alternative procedures if they can fulfil the same purposes.
Retention Periods and Deletion
Working time data must be stored for at least two years in accordance with legal requirements, e.g. Section 16 ArbZG, in order to fulfil obligations to provide evidence under labour law. Once this period has expired, the data should be deleted or anonymised immediately and securely. Companies must also ensure that longer retention periods are complied with as part of the minimum wage documentation obligation (e.g. in accordance with Section 17 MiLoG).
Clear processes for the deletion and anonymisation of data should be implemented to ensure that no data is stored for longer than necessary. Compliance with deletion periods should be checked through regular audits.
Industry- and law-specific recording obligations
In certain sectors, such as the offshore industry, the construction industry or the meat industry, documentation obligations apply that go beyond the ArbZG, for example to comply with occupational health and safety measures. These specific obligations exist in addition to the general recording obligation and must be taken into account when designing a time recording system.
Recommendations for Practice
- Data protection impact assessment (DPIA): Before introducing a time recording system, it should be checked whether a DPIA is required. This is particularly the case when using new technologies or biometric procedures.
- Company agreement: Conclude a company agreement with the works council that regulates the data protection-compliant use of the time recording system.
- Training: Regular training of employees on the data protection-compliant handling of personal data.
- Documentation: Keeping a record of processing activities in accordance with Art. 30 GDPR, in which the processing of working time data is documented.
- Flexible recording methods: Time recording can be done digitally or manually and delegated to employees, provided the employer carries out regular plausibility checks.
- Data protection concept: Companies should develop a comprehensive data protection concept for recording working hours and review compliance with and the effectiveness of the measures at regular intervals.
