In an increasingly digital world, employers and employees are faced with the question of which rules and regulations must be observed with regard to project time recording. With the General Data Protection Regulation (GDPR), project time recording was also viewed in a new light, as this involves personal data that is subject to strict requirements. As a company, you are therefore obliged to ensure that the collection and storage of this data complies with legal requirements. So that you can record, store and process your project times in accordance with the law, we at ZEP focus on the security of your data!
General information about the GDPR
The GDPR is a regulation of the European Union that governs the handling of personal data in public spaces. It was introduced on May 25, 2018 to standardize data protection guidelines in the EU. The GDPR applies to corporations, companies, authorities, practices and associations, both within and outside the European Union. Outside the EU, the rules apply as soon as personal data is processed by EU citizens or the data processing body has a branch within the EU (Art. 3 GDPR).
What is personal data?
According to Article 4 of the GDPR, personal data is information that relates to identifiable natural persons. A person is identifiable when identification or classification is possible on the basis of certain criteria. This could be, for example, the name, the personnel number in a company, the appearance or even individual data for time recording. Yes, this data can also be used to recognize a person! For this reason, (project) time recording is also subject to the provisions of the GDPR.
Comply with data protection: What is important when recording time?
Digital time recording is in accordance with data protection law, in particular with Section 26 (1) BDSG, as long as you comply with the principles of the GDPR such as lawfulness, purpose limitation, data minimization and accuracy. However, as an employer, you must ensure that the data collected is used exclusively for work-related purposes.
Important: Be sure to comply with the privacy policy! This includes recording and saving working hours, including when recording time in the home office.
Legal basis for tracking working hours
Since the so-called time clock verdict of the Federal Labour Court of September 13, 2022, it is clear: Employers must record the entire working time of their employees. This obligation results from Section 3 Paragraph 2 No. 1 ArbSchG as well as Section 16 (2) ArbZG. You must document not only daily working time of over eight hours, but also the working time of your employees on Sundays and public holidays.
In addition, you must keep the time sheets for at least two years and submit them to the supervisory authority or send them for inspection upon request.
In order to clarify the exact structure of this recording requirement, the Federal Ministry of Labour and Social Affairs prepared a draft bill in April 2023, which is currently still subject to internal government discussions and further preparation.
Permissible storage period of tracked working hours
The data protection rules for working time records are similar to those for other personal data. As an employer, you are obliged to delete data that is no longer needed for its purpose, i.e. recorded working hours may only be stored for as long as they are really needed. This is how you avoid data breaches.
In contrast, overtime must be stored for two years in accordance with Section 16 ArbZG. Payroll records are even subject to tax regulations, such as Section 147 (1) No. 2, paragraph 3 AO, and must be stored for six to ten years.
In order to comply with the requirements of the GDPR and other employment regulations, it is advisable to create a detailed deletion concept. It is particularly important to note that personal data may not be stored longer than is absolutely necessary. Limiting data storage is intended to prevent data loss and unauthorized use of personal data, while at the same time ensuring the right to be forgotten for data subjects.
IT security & digital time recording — an unbeatable team
In addition to the GDPR, IT security is of course also of great importance when recording project time. When you store time tracking data using project time recording software, you must ensure that the data is kept confidential. Ideally, the server for this is located in Germany to ensure compliance with the General Data Protection Regulation. Some providers of project time recording software — such as ZEP — host their software with ISO 27001-certified partners, which ensures compliance with information security guidelines.
The works council has a say
Does your company have a works council? Then you should note that, in accordance with Section 87 (1) No. 6 of the Works Constitution Act (BetrVG), it has a right of participation in the introduction of a time recording system. However, the works council must also take into account the GDPR-compliant aspects of (project) time recording. Agreements between works council and employer should include the following points on working time and project time recording:
Typical pitfalls in data protection-compliant time recording
After careful review and selection of a tool for data protection-compliant and flexible working time recording, it is implemented in your day-to-day business. It is important that you pay particular attention to purpose limitation and data minimization in accordance with the GDPR, because pitfalls lurk around every corner.
Who can view the working time account?
Apart from the works council (in accordance with Section 80 Paragraph 1 No. 1 BetrVG), individual employees and the employer are not authorized to access working time recording data. Exception: The person concerned has given their express consent that another person outside the specified authority may also view the working time account.
Pending rosters and data protection
In principle, employees have no automatic right to view the complete work schedule. The publication should only be made with the express consent of all employees in order to comply with data protection guidelines. As an employer, you must obtain consent to publish data and may not publish data against the will of individual employees. The internal provision of duty and shift schedules can take place in accordance with Section 26 BDSG if this is necessary for the employment relationship.
Workplace monitoring
As an employer, you may monitor the work performance of your employees, but in doing so you must comply with data protection guidelines and the general personal rights from Art. 2 para. 1 GG. Permanent monitoring is prohibited, but random sampling is permitted. You must regulate detailed insights into bookings via software through a service agreement with your employees.
Time tracking in line with the GDPR: ZEP helps...
With every customer who purchases a ZEP license for time recording, we conclude an order processing contract (AVV) in accordance with
The security of your data is our top priority. Our hosting partners are
By constantly monitoring the availability and capacities of our servers, we guarantee you reliable 24/7 access to your data. This continuous monitoring ensures that you can access your data anytime, any day, without interruptions or outages. In doing so, we offer you secure and digital access that fully meets the requirements of the General Data Protection Regulation (GDPR).
In our data centers, redundant data backup with encrypted storage takes place. Backup intervals range from daily for the first 14 days to longer intervals of up to 133 days. This allows you to request a backup of your ZEP version at any time, which enables both the security of your data and quick recovery in the event of an emergency. In addition, we have implemented a disaster recovery concept to provide you with an additional layer of security in the unlikely event of a total system failure.
Conclusion: Rely on future-oriented time recording with ZEP
Digitalization has long since found its way into all areas of our working life and project time recording is no exception. Especially in times when data protection and data security are becoming increasingly important, it is essential that you adapt your time recording systems to the requirements of the GDPR.
With ZEP, we not only offer you a solution for mobile time recording, but are also a reliable partner when it comes to data protection and IT security. We understand the sensitivity of your data and have therefore implemented the highest security standards.
At a time when digital transformation is advancing relentlessly and data protection is becoming a central issue, it is more important than ever to rely on future-oriented solutions.