Introduction: GDPR and Mandatory Working Time Recording in the Business Context
Companies in Germany are increasingly faced with the dual challenge of complying with legal requirements for recording and documenting working hours on the one hand, and meeting the obligations set forth by the General Data Protection Regulation (GDPR) on the other. While the legal duties regarding time tracking have been further clarified through European and national legislation—most recently reinforced by the jurisprudence of the European Court of Justice (ECJ) and updates to German labor time regulations—the collection, storage, and processing of personal working time data must adhere strictly to extensive data protection requirements.
Legal Basis for Working Time Recording
European and National Frameworks
The ECJ ruling of May 14, 2019 (C-55/18) made it clear that employers are required to implement an objective, reliable, and accessible system for measuring daily working time. In line with this requirement, § 16(2) of the German Working Time Act (ArbZG), in its revised form, sets out clear documentation obligations. The practical implementation remains the responsibility of the employer, although all recorded working hours regularly constitute personal data within the meaning of the GDPR.
Scope of the Recording Obligation
The obligation to record working time applies not only to overtime or Sunday work but, going forward, to all working hours of employees. This significantly increases the data protection relevance of such processing activities in the daily operations of companies across all sizes and industries.
Data Protection Requirements for Time Recording
Processing of Personal Data and Legal Grounds
Working time data relates directly to identifiable natural persons and thus constitutes personal data. Any form of collection, storage, use, or transfer of this data falls under the rules of the GDPR, particularly the principle of lawfulness as defined in Article 6 GDPR. Processing is typically based on Article 6(1)(c) GDPR, since employers are legally obligated to record working time. Consent from employees is therefore usually not required, although it may be relevant in specific cases.
GDPR Principles in Time Tracking
Companies must strictly observe the principles of data minimization (Art. 5(1)(c) GDPR), purpose limitation (Art. 5(1)(b) GDPR), and transparency (Art. 5(1)(a) GDPR). The collected data may only be stored and processed for the purpose for which it was originally gathered—namely, to fulfill timekeeping obligations and, where applicable, for payroll and compliance with labor time laws.
Furthermore, the time tracking system used must incorporate appropriate technical and organizational measures to protect data from unauthorized access, loss, or manipulation (Art. 32 GDPR). This applies to both digital systems and traditional methods such as paper timesheets.
Special Categories of Personal Data
While working time data generally does not fall under the special categories of personal data as defined by Art. 9 GDPR, additional requirements may arise in specific cases—such as when data about sick leave or incapacity for work is included or inferred in the time tracking process. The processing of such information is subject to stricter protection requirements and must be based on a more specific legal basis.
Employees’ Rights
Right to Information and Access
Employees have the right to receive comprehensive information from their employer about which personal (working time) data is being processed and in what form (Art. 13, 14 GDPR). They also have the right to access their data under Art. 15 GDPR and may request rectification, deletion, or restriction of processing where applicable.
Limits of Data Processing and Retention Periods
Data may only be stored for as long as necessary to meet legal requirements. In the case of working time records, § 16(2) ArbZG generally mandates a retention period of two years. After this period, data must be deleted—subject to any additional tax or commercial law retention obligations.
Technical and Organizational Implementation in Companies
Choosing a Time Tracking System
When introducing and designing working time recording systems, technical functionality is not the only consideration. Key factors include compliance with data protection requirements in line with the principles of “Privacy by Design” and “Privacy by Default” (Art. 25 GDPR). Access to working time data must be restricted to authorized personnel. If third parties—such as external payroll service providers—are involved, the provisions of Art. 28 GDPR must be observed.
Data Protection Impact Assessment
Whether a Data Protection Impact Assessment (DPIA) is required under Art. 35 GDPR depends on the specific case. In standard scenarios, where only the start, end, and duration of working time are recorded, a DPIA is generally not mandatory. However, more complex systems that collect location data, biometric data, or movement profiles increase the risk and may require such an assessment.
Current Developments and Legal Situation
Trends in Case Law and Legislation
Both legislative developments and court decisions are continually refining the requirements for working time recording and data protection. The Federal Labor Court (BAG) ruled on September 13, 2022 (1 ABR 22/21) that the obligation to record working time exists regardless of whether a specific law has been enacted. Detailed questions regarding practical implementation and data protection compliance are subject to ongoing developments and remain partially unresolved.
Some proceedings on related issues are still pending (as of June 2024). The presumption of innocence applies, and it cannot be ruled out that future high court rulings or amendments to the Working Time Act may change the legal situation.
Conclusion and Outlook
Recording and processing working time data in companies lies at the intersection of legal obligations and comprehensive data protection requirements. Companies must operate a time tracking system that complies with statutory regulations while also fully adhering to the principles of the GDPR. The dynamic legal landscape and the complexity of the requirements make data protection-compliant implementation and ongoing review of time tracking systems a continuous task.
For companies, investors, and high-net-worth individuals facing uncertainty or seeking clarity on compliance, an individual legal assessment is recommended. For questions regarding the interpretation or practical application of data protection law in the context of working time tracking, MTR Legal Rechtsanwälte offers specialized support. Further information can be found under legal advice in data protection.
