

On 12 May 2019 [1], the obligation for employers to implement time recording came into force. Given its data protection implications, this post analyses the duties that must be met in order to avoid not only labour infringements but also infringements of the GDPR and the LOPDGDD.
Article 34, paragraph 9, of the Workers' Statute (hereinafter ET, by its acronym in Spanish)
The company shall guarantee the daily working day register, which shall include the specific start and end times of each worker's working day, without prejudice to the flexible working hours established in this article.
The legal basis for the processing of this data is the employment contract itself (art. 6.2.b) GDPR) in relation to the powers granted by article 20.4 ET, and therefore the consent of the employee is not required.
Duty to inform
Companies have a duty to inform employees about the processing that will be carried out on their personal data. Specifically, they must inform them about the aspects listed in Article 13 GDPR:
- The identity and contact details of the controller and, where applicable, his or her representative;
- The contact details of the data protection officer, if any;
- The purposes of the processing for which the personal data are intended and the legal basis for the processing;
- Where the processing is based on Article 6(1)(f), the legitimate interests of the controller or of a third party;
- The recipients or categories of recipients of the personal data, where applicable;
- Where applicable, the controller's intention to transfer personal data
Data retention
Article 34.9 ET establishes that the period of data retention is 4 years; however, internal policies must be implemented in the company to ensure that the records are not manipulated.
In order to decide which system to implement for time recording, a triple judgement must be made as to its suitability, necessity and proportionality in relation to the fundamental right to the protection of personal data (Article 5.1 c) GDPR).
Use of biometric systems
Biometric facial recognition systems and fingerprint readers are increasingly being used for time recording. The processing of personal data by means of these systems is considered a processing of special categories of personal data exempted from the general prohibition on the processing of such data (Article 9(2)(b) GDPR).
The AEPD clarifies that this processing will only be lawful if it is carried out through a system that associates the fingerprint with a numerical identifier for each worker so that the system does not store the fingerprint.
In this case, companies must carry out a Data Protection Impact Assessment (DPIA) prior to the start of this processing of personal data.
For more information, please consult the guide published by the AEPD 'Data protection and labour relations'.
Have a certified DPO
Certified Data Protection Officers (DPOs) have the necessary training and skills to ensure compliance with the principles relating to the processing of personal data; to keep evidence to comply with the principle of proactive responsibility in all these matters; and to inform and train the human resources department to comply at all times with data protection legislation in the control of time recording. The certified DPO can also advise you on Data Protection Impact Assessments (DPIAs) so that you can identify, assess and address the risks associated with your processing activities before you start them and ensure that the processing you are carrying out complies with the law from the outset.
Certification is the only way to objectively and impartially assess that the DPO has high levels of competence and professionalism for the exercise of the functions entrusted to this figure. ANF AC, as a Certification Entity recognised by ENAC, has the necessary technical competence for the certification of the DPO in accordance with the AEPD Scheme.
If you have successfully passed any of the courses given by the Training Entities recognised by any Certification Entity [2] and/or accredit sufficient professional experience [3] in functions related to those of the DPO, do not hesitate to take the last step and get certified.
[1] By virtue of the provisions of Royal Decree-Law 8/2019, of 8 March, on urgent measures for social protection and the fight against precariousness in the working day, which implemented the working day register (Sixth final provision).
[2] Consult here the training programmes recognised by ANF AC.
[3] For access to the experience-based assessment phase, please refer to section 7.3 on prerequisites, which lists the years of experience required and how to prove them.

