Time tracking and data protection: AEPD guide
Spain's AEPD clarifies time tracking and GDPR rules: no consent needed, but you must have a DPA, data minimisation and an information protocol.

On 17 February, Spain’s AEPD published a specific guide on working-time tracking and data protection. It was only a matter of time: with the new Royal Decree mandating digital time tracking and the explosion of clocking-in apps, privacy concerns had multiplied.
The guide clarifies points that were generating a lot of confusion. And it has direct implications for any company that uses (or plans to use) time-tracking software.
Do you need the employee’s consent to track their working hours?
No. And this is the first thing the AEPD makes absolutely clear.
The legal basis for time tracking is not the employee’s consent, but compliance with a legal obligation: Article 34.9 of the Workers’ Statute requires the company to guarantee daily working-time records. In GDPR terms, we are looking at Article 6.1.c: processing necessary to comply with a legal obligation.
What does this mean in practice? That you don’t need to ask your employees for permission to record their working time. There’s no consent form to sign, no checkbox to tick. Time tracking is mandatory for the company and the data processing is legitimised by law.
But not needing consent doesn’t mean you can do whatever you want.
What you DO need to do
The AEPD makes it clear that, even though you don’t need consent, there are several obligations to fulfil:
1. Inform the employee
It’s mandatory to inform each employee about:
- The fact that their working-time data is being recorded
- Who is the data controller
- The purpose of the data collection
- How long the data will be retained
- Their rights (access, rectification, erasure, etc.)
This can be done in the employment contract, in an internal privacy policy or in a specific information document. But it must be done. Failure to inform is one of the most common violations.
2. Minimise data collected
The GDPR’s data minimisation principle requires the tracking system to be the least intrusive possible. Only data strictly necessary for the purpose of time tracking should be collected.
What is “necessary”? Clock-in time, clock-out time. Perhaps the location at the moment of clocking in if there is justification (mobile workers, on-site work). But nothing more. A system that records audio, captures screenshots or tracks continuous movements goes far beyond what the law permits.
3. Retain data for 4 years (and then delete it)
The retention period is 4 years, as established by Article 34.9 of the Workers’ Statute. Once that period has elapsed, the data must be deleted or blocked.
Keeping records beyond 4 years without justification is a violation. Having records from 2018 still in the system is an unnecessary risk.
4. Include time tracking in your risk assessment
The company must incorporate the processing of time-tracking data into its risk assessment and, where applicable, into its data protection impact assessment (DPIA). This is especially relevant if geolocation or biometric data is used.
If you use external software: the DPA contract
This is where many companies fail without realising it.
When a company uses a third-party app or software for time tracking — any SaaS solution — the provider becomes a data processor under Article 28 of the GDPR. And that requires a formal contract: the DPA (Data Processing Agreement).
This contract must regulate, at a minimum:
- What data is processed and for what purpose
- The security measures applied by the provider
- What happens to the data when the relationship ends
- Confidentiality obligations
- The procedure in the event of a data breach
If your time-tracking software provider doesn’t offer you a DPA, you have a problem. The AEPD says it clearly: the company is responsible for verifying that the data processor complies.
Furthermore, if the software connects to the provider’s servers (as happens with any cloud solution), you must inform employees about this data transfer to a third party. Having a DPA contract is not enough; employees need to know that their clocking data is processed outside the company’s infrastructure.
Geolocation: the most sensitive point
The AEPD guide pays special attention to geolocation, and it’s no coincidence. It’s the area that generates the most doubts and where it’s easiest to cross the line.
The rule is clear: geolocation in time tracking is only lawful if it is necessary and proportionate. This means:
- Yes, it can be justified for employees who work outside the office (sales reps, field technicians, delivery drivers)
- No, it is not justified for employees who always clock in from the same office
- It can never involve continuous tracking of the employee’s location
Capturing coordinates at the exact moment of clocking in is one thing. Tracking where the employee is throughout the entire working day is something very different — and the latter is not covered by the legal basis for time tracking.
If you want to dig deeper into this topic, we have two specific guides: Is geolocation time tracking legal? and the complete guide to geolocation time tracking.
The most common mistakes
After analysing the AEPD guide, these are the failures we see most frequently:
1. Not informing employees. Implementing a time-tracking system without formally communicating to employees that their data is being collected, who processes it and for what purpose. It’s the most basic and most common violation.
2. Not having a DPA with the provider. Using time-tracking software without a data processing agreement. Many cheap or generic apps don’t offer a DPA. The problem lies with the company, not the provider.
3. Retaining data longer than necessary. Keeping time-tracking records from 6, 8 or 10 years ago “just in case”. The legal period is 4 years. Anything beyond that must be deleted.
4. Using geolocation without justification. Activating geolocation for all employees, including those who always clock in at the office. Or worse: allowing continuous location tracking outside the moment of clocking in.
5. Requesting consent as a legal basis. Some companies have employees sign a “consent for time tracking”. Not only is it unnecessary, it’s incorrect: consent in an employment relationship is not considered freely given (there’s a power imbalance), and besides, it’s not the applicable legal basis.
6. Not including time tracking in the risk assessment. Treating clocking data as if it weren’t personal data. It is, and it must be covered in the company’s data protection documentation.
How Cleverfy does it
At Cleverfy, we’ve designed the time-tracking system with data protection as a priority from day one, as part of the design rather than an afterthought.
- DPA included — Our data processing agreement is publicly available in our terms and conditions. No need to request it, negotiate it, or wait for legal to review it. It’s there from the moment you sign up.
- Data in Spain — All infrastructure is hosted on AWS Spain (within the European Economic Area). Your employees’ data doesn’t cross borders or get processed in jurisdictions with weaker protection.
- Full encryption — TLS in transit and encryption at rest. Data is protected both when travelling and when stored.
- Geolocation only at clock-in — We capture the location only at the exact moment of clocking in, if the company has it enabled. There’s no continuous tracking, no route monitoring, no tracking outside working hours.
- 4-year retention with blocking — We comply exactly with the legal period. Data is blocked after the retention period.
- Breach notification within 48 hours — If a security incident were to occur, our commitment is to notify within a shorter period than the GDPR requires (72 hours).
You can check out all the platform features and pricing if you’re evaluating options.
What’s coming: mandatory digital time tracking
It’s worth remembering that the new Royal Decree on time tracking will require records to be digital and accessible in real time by the Labour Inspectorate. This means that Excel spreadsheets, paper templates and manual systems have their days numbered.
When that record-keeping becomes mandatorily digital, the data protection implications multiply: more data in the cloud, more providers involved, greater need for rigorous DPAs and real security measures.
Preparing now isn’t just about complying with current law. It’s about getting ahead of what’s coming.
Frequently asked questions
Do I need the employee’s consent to track their working hours?
No. The legal basis for time tracking is compliance with a legal obligation (Art. 34.9 Workers’ Statute and Art. 6.1.c GDPR), not consent. That said, you must inform the employee that their data is being collected, for what purpose and for how long.
What is a DPA and do I need one with my time-tracking software?
A DPA (Data Processing Agreement) is the mandatory contract between your company and any external provider that processes your employees’ personal data. If you use cloud-based time-tracking software (SaaS), you need a DPA. If your provider doesn’t offer one, you have a compliance problem.
Can I use geolocation in time tracking?
Yes, but only if it is necessary and proportionate. The AEPD allows capturing the location at the moment of clocking in for employees who work outside the office. What is not permitted is continuous location tracking or geolocating employees who always clock in from the same place.
Legal notice: This article is for informational purposes only and does not constitute legal advice. For specific data protection matters, consult a data protection officer or specialised advisor.
Does your time-tracking system comply with the GDPR? Try Cleverfy for free and see how software designed with privacy as a priority can simplify compliance.
Sources: AEPD Laboratorio — El registro de jornada laboral y la protección de datos (17 February 2026), Workers’ Statute — Art. 34.9, General Data Protection Regulation (GDPR)