Fingerprint time tracking: why it's no longer legal in 2026
Spain's AEPD considers biometric time tracking (fingerprint, iris, facial recognition) illegal for attendance control. Million-euro fines and legal alternatives.
If your company uses fingerprint, facial recognition, or iris scanning for time tracking, you have a problem. And it’s not a small one.
Spain’s Data Protection Agency (AEPD) has made it clear that these systems are illegal for recording working hours. In 2024, it fined dozens of companies with penalties exceeding €2 million in total.
Why is biometric time tracking illegal?
Article 9 of the GDPR classifies biometric data (fingerprint, iris, facial features) as special category data. Its processing is prohibited except for very specific exceptions.
The AEPD, in its Guide on presence control through biometric systems, establishes that:
- It’s disproportionate: Less invasive alternatives exist for clocking in
- Consent is not valid: In an employment relationship, the worker cannot give “free” consent (there’s a power imbalance)
- It doesn’t pass the necessity test: Time tracking can be done without collecting biometric data
In summary: just because you can do it doesn’t mean you should.
The fines are real
This isn’t theory. The AEPD is taking action:
- 2024: Fines exceeding €2 million to companies for improper biometric time tracking
- Obligation to cease: Sanctioned companies must delete collected biometric data
- No size exceptions: It doesn’t matter if you’re an SME or a large company
And with the new mandatory digital time tracking regulations in 2026, the Labour Inspectorate is paying more attention than ever to how companies track time, not just whether they do.
Which time tracking systems ARE legal?
The AEPD and labour regulations accept non-biometric systems:
- ✅ Mobile app with username and password
- ✅ Web with credentials
- ✅ Shared tablet/computer with personal PIN (kiosk mode)
- ✅ RFID card
- ✅ QR code
The key is that the system identifies the worker without collecting biometric data.
Kiosk mode: the alternative for shared devices
“Okay, but we had fingerprint because the device is shared. Not every employee has a company phone.”
We understand the problem. That’s why kiosk mode exists.
How does it work?
- You place a tablet, phone, or computer at an accessible point (entrance, reception, warehouse…)
- The employee approaches, enters their personal PIN, and clocks in
- The system records the time, the employee, and which workplace the clock-in was made at
Advantages over fingerprint
| Fingerprint | Kiosk mode with PIN |
|---|---|
| ❌ Illegal according to AEPD | ✅ 100% legal |
| ❌ Sensitive biometric data | ✅ Just a PIN (basic data) |
| ❌ Risk of sanction | ✅ GDPR compliant |
| ❌ Problems if the reader fails | ✅ Always works |
| ❌ Specific hardware cost | ✅ Any device works |
Multiple workplaces
If you have multiple locations (stores, warehouses, offices), you can have a kiosk mode device at each one. The system automatically records where each employee clocked in.
This is especially useful for:
- Store chains
- Companies with multiple warehouses
- Businesses with workers rotating between locations
What to do if you still use biometric time tracking?
- Stop now. Every day that passes is a risk
- Don’t wait for the fine. The AEPD can act on its own initiative
- Migrate to a legal system. The change is easier than it seems
- Delete the biometric data you’ve collected
Cleverfy: legal time tracking without complications
At Cleverfy, we don’t use biometrics. Period.
Our system allows:
- Mobile app for employees with smartphones
- Kiosk mode for shared devices (tablet, computer)
- Personal PIN for quick and secure identification
- Workplace-based tracking if you have multiple locations
- Full compliance with GDPR and 2026 Spanish labour regulations
Frequently asked questions
What if my employees already gave consent for fingerprint?
It doesn’t matter. The AEPD considers that consent in the workplace is not free due to the power imbalance between employer and employee. It’s not a valid legal basis.
Is facial recognition also prohibited?
Yes. Any biometric data (fingerprint, iris, face, voice) has the same restrictions. The AEPD doesn’t distinguish between them.
Can I use biometrics for access control to high-security areas?
Potentially yes, but with very strict conditions (impact assessment, demonstrated proportionality, etc.). For ordinary time tracking, it’s not justified.
How much does it cost to change systems?
Less than a fine costs. With Cleverfy, you can start for free and the change takes minutes, not weeks.
You might also like
Mandatory Digital Time Tracking 2026: How to Comply with the Law Step by Step
Practical guide to complying with mandatory digital time tracking in 2026. What the new regulation requires, how to implement it in your company, and the exact steps.
Time Tracking Royal Decree 2026: Complete Guide for SMEs
Everything you need to know about the new Royal Decree on digital time recording. What will change, expected requirements, and how to prepare your company.
Penalties for not having time tracking records: what the law says
Not keeping time records can cost you between €751 and €7,500 in fines. We explain the current penalties and how to avoid them.
Need time tracking?
Set up Cleverfy in less than 10 minutes and comply with regulations from today.
Start 14-day free trial →