Is time tracking possible in a GDPR-compliant manner at all?

Yes, time tracking is not only possible in a GDPR-compliant manner – it is even required by law. The GDPR does not prohibit the processing of personal data; it merely regulates how such processing must be carried out lawfully, transparently and securely. Working time tracking has a clear legal basis (statutory obligation under the AZG, performance of a contract) and is therefore permissible.

Do I need the consent of employees for time tracking?

No, consent is not required. Time tracking is based on the statutory obligation under the Working Time Act (Art. 6(1)(c) GDPR) and on the performance of a contract (Art. 6(1)(b) GDPR). However, you must inform your employees transparently about the processing of their data.

What is a Data Processing Agreement (DPA) and do I need one?

A DPA governs the relationship between you (the controller) and an external service provider (the processor) that processes personal data on your behalf. If you use a cloud-based time-tracking system, the provider is the processor and you are strictly required to have a DPA in place (Art. 28 GDPR). Reputable providers make this agreement available as standard.

Is GPS tracking in time tracking GDPR-compliant?

GPS tracking is permissible under certain conditions: only during working hours, only where there is a legitimate interest (e.g. proof of the place of work), with transparent information provided to employees, and in companies subject to co-determination requirements, with a works agreement in place. A data protection impact assessment pursuant to Art. 35 GDPR is advisable. Continuous monitoring during breaks or leisure time is not permitted.

How long may time-tracking data be stored?

At least 2 years (under the AZG), for overtime up to 3 years (limitation periods), and under tax law in some cases up to 7 years. Once the statutory retention obligation has expired, the data must be deleted (Art. 5(1)(e) GDPR). Good systems support automatic deletion schedules.

Does time-tracking data have to be hosted within the EU?

The GDPR does not categorically prohibit hosting outside the EU, but does require an adequate level of protection (Art. 44–49 GDPR). In practice, EU hosting (e.g. Germany, Austria) is the safest option, as no additional measures for third-country transfers are required. Make sure your provider offers EU hosting.

GDPR & Time Tracking: Data-Protection-Compliant Recording %%sep%% %%sitename%%

Why GDPR and Time Tracking Are Inseparably Linked

When recording working hours, sensitive personal data is processed: who worked when, where, and for how long? This information falls under the General Data Protection Regulation (GDPR) and is subject to strict rules.

Many companies underestimate the data-protection requirements associated with time tracking. Paper timesheets, Excel lists on shared drives, or WhatsApp messages are not only inefficient – they are often also problematic from a data-protection standpoint.

The GDPR applies to all processing of personal data – including the recording of working hours. Violations can be punished with fines of up to €20 million or 4% of global annual turnover.

Which Personal Data Is Generated During Time Tracking

Various categories of personal data are collected during working-time recording:

Basic Data

Employee name and personnel number
Start and end of working time
Duration of working time
Break times
Overtime and time credits

Extended Data (depending on the system)

Location data (with GPS tracking)
Project or client assignment
Absence reasons (holiday, illness)
IP addresses with digital recording
Device information (with app usage)

All of this data is personal and must be processed in accordance with GDPR principles: lawfully, transparently, purpose-limited, data-minimised, and securely.

The 6 GDPR Principles for Time Tracking

1. Lawfulness (Art. 6 GDPR)

Time tracking requires a legal basis. In most cases this is:

� Legal obligation – the Working Time Act (AZG) requires the recording
� Performance of a contract – for calculating wages and complying with the employment contract
� Legitimate interest – for managing and organising the business

Employee consent is not required, as the statutory obligation already constitutes a sufficient legal basis.

2. Transparency (Art. 5, 13, 14 GDPR)

Employees must be informed about:

Which data is collected
For what purpose the data is used
How long the data is stored
Who has access to the data
What rights they have (access, erasure, rectification)

This information is typically provided via a privacy notice for time tracking or an information sheet.

3. Purpose Limitation (Art. 5(1)(b) GDPR)

Time-tracking data may only be used for defined purposes:

� Payroll processing
� Compliance with the Working Time Act
� Workforce scheduling
� Project post-costing
❌ Not permitted: performance monitoring or behavioural surveillance without a separate legal basis

4. Data Minimisation (Art. 5(1)(c) GDPR)

Only the data that is actually necessary for the purpose may be collected. Examples:

� Start and end of working time – necessary
� Project assignment – necessary for project billing
⚠️ GPS location – only where there is a legitimate interest and it is proportionate
❌ Health data – only with a specific legal basis

5. Storage Limitation (Art. 5(1)(e) GDPR)

Time-tracking data must be deleted once the statutory retention periods have expired:

At least 2 years (pursuant to the AZG)
For overtime: up to 3 years (limitation periods)
For tax purposes: in some cases up to 7 years

Modern systems should support automatic deletion schedules.

6. Security (Art. 32 GDPR)

Time-tracking data must be protected against unauthorised access, loss, and manipulation by means of:

Encrypted transmission and storage
Role-based access rights
Regular backups
Logging of access and changes
Secure authentication (passwords, 2FA)

The Problem with Paper, Excel, and Manual Notes

In practice, time tracking in many businesses still looks like this:

📋 Paper timesheets are filled in and brought to the office at the end of the month
📱 Working hours are reported via WhatsApp or SMS
📊 Excel lists are maintained manually and passed around
✍️ Notes on slips of paper end up somewhere in a desk drawer

These methods share a common problem: They provide no legally compliant proof and are questionable from a data-protection perspective.

Why Paper Timesheets Are Problematic

Manual records meet the legal requirements only to a limited extent, because they are:

❌ Easily manipulated – subsequent changes cannot be detected
❌ Often illegible – especially with handwritten entries
❌ Error-prone – transcription errors, forgotten entries, incorrect calculations
❌ Difficult to archive – slips get lost, fade, or are damaged
❌ Not timely – hours are often entered from memory days later
❌ Hard to locate – folders have to be searched during audits
❌ No access control – anyone can see or copy the slip

Excel Is Better Than Paper – But Still Not Sufficient

Excel lists are a step in the right direction, but they also have weaknesses:

⚠️ Changes can be made without an audit trail
⚠️ Timestamps are often missing or can be manipulated
⚠️ No automatic synchronisation between employees and administration
⚠️ Files can be lost or overwritten
⚠️ No control over who changed what and when
⚠️ Access rights on network drives are often too broad

WhatsApp & Email: Unencrypted and Uncontrolled

Transmitting working hours via WhatsApp or unencrypted email is questionable from a data-protection standpoint:

❌ WhatsApp: data transfer to Meta (processing outside Europe)
❌ Unencrypted email: data can be intercepted
❌ No structured archiving
❌ Uncontrolled forwarding possible

GPS Tracking and GDPR: What Is Permitted?

GPS tracking in time recording is a particularly sensitive area. Location data is personal data and is subject to strict rules.

When Is GPS Tracking Permissible?

GPS recording is only data-protection-compliant under the following conditions:

� Only during working hours – no monitoring during breaks or after work
� Legitimate interest – e.g. proof of place of work for field staff
� Proportionality – GPS only where less invasive means are insufficient
� Transparent information – employees must know that GPS data is being collected
� Works agreement – required in co-determination-obligatory businesses under the ArbVG
� Purpose limitation – location data only for time tracking, not for behavioural monitoring

Data Protection Impact Assessment (Art. 35 GDPR)

Where GPS data is collected systematically, a Data Protection Impact Assessment (DPIA) is recommended. This assesses:

What risks arise for employees
What protective measures are taken
Whether the use is proportionate

How Digital Time-Tracking Systems Ensure GDPR Compliance

Modern digital time-tracking solutions meet all legal requirements from the ground up:

� Encrypted Data Transmission

All data is transmitted in encrypted form (SSL/TLS) – no interception by third parties is possible.

� European Hosting

Reputable providers host their data within the EU (often Germany or Austria) – no transfer to third countries.

� Role-Based Access Rights

Only authorised persons can view the data:

Employees see only their own hours
Team leaders see only their team
Admins have full access
Accountants receive only aggregated data

� Change Logs

Every change is documented: who changed what and when? This traceability is important both for GDPR purposes and for the Working Time Act.

� Automatic Deletion Schedules

Once the statutory retention obligation expires, data is automatically deleted – no unnecessary storage for years on end.

� Data Processing Agreement (DPA)

When you use an external system, the provider is a data processor. You require a DPA (Art. 28 GDPR) that governs:

Which data is processed
Which security measures apply
That the provider does not use data for its own purposes
That data is deleted upon request

Reputable providers supply a standardised DPA.

� Right of Access and Data Export

Employees have the right to access their stored data (Art. 15 GDPR). Good systems offer:

Self-service export of personal data
A clear overview of all stored information
Export formats such as PDF or CSV

Checklist: GDPR-Compliant Time Tracking

Check whether your time tracking meets these requirements:

Organisation & Documentation

☐ Privacy notice for time tracking created
☐ Employees informed about data processing
☐ Record of processing activities (RoPA) updated
☐ For GPS tracking: Data Protection Impact Assessment carried out
☐ For co-determination-obligatory businesses: works agreement in place
☐ Data Processing Agreement concluded with software provider

Technical Measures

☐ Encrypted data transmission (HTTPS/SSL)
☐ Encrypted data storage
☐ Role-based access rights implemented
☐ Secure authentication (strong passwords, optional 2FA)
☐ Regular backups with encryption
☐ Change logs activated
☐ Automatic deletion schedules configured

Hosting & Provider

☐ Data is hosted within the EU
☐ Provider is ISO 27001 or equivalently certified
☐ No transfer to third countries without an adequate level of protection
☐ Provider has appointed a Data Protection Officer

Employee Rights

☐ Employees can view their data (transparency)
☐ Access requests can be processed
☐ Rectifications are possible and are logged
☐ Erasure upon termination of the employment relationship is regulated

Typical GDPR Mistakes in Time Tracking

Mistake 1: No Notification of Employees

Many companies introduce new time-tracking systems without informing employees about the nature and extent of the data processing. This violates the transparency obligation.

Solution: Send an information sheet or email with all relevant details.

Mistake 2: Overly Broad Access Rights

Too often, too many people have access to sensitive time data – for example, the entire accounts department instead of only the responsible person.

Solution: Grant access rights on a need-to-know basis.

Mistake 3: Missing DPA with the Software Provider

With cloud solutions, the provider is a data processor – without a DPA, a GDPR violation exists.

Solution: Request a DPA from the provider and have it signed.

Mistake 4: Retention for Too Long

Time-tracking data is often retained for years even though the statutory period has long since expired.

Solution: Create a deletion concept and set up automatic deletion schedules.

Mistake 5: GPS Tracking Without a Legal Basis

Location data is collected without a legitimate interest having been demonstrated or employees having been informed.

Solution: Carry out a Data Protection Impact Assessment, conclude a works agreement, inform employees.

What to Do in the Event of GDPR Violations

If you find that your time tracking is not GDPR-compliant:

1. Assess the Risk

Which data is affected?
How many employees are affected?
Is there a high risk to the rights of those affected?

2. Remedy the Deficiencies Immediately

Restrict access rights
Submit missing agreements (DPA) retrospectively
Inform employees
Improve technical security measures

3. Document the Measures Taken

Record which problems were identified and which steps were taken. This documentation demonstrates your commitment to compliance.

4. Consult Experts

In complex cases, you should consult your Data Protection Officer or a data-protection specialist.

Practical Example: Inspection by an Authority

Imagine this: an authority announces an inspection and requests working-time records for the past 12 months for all employees.

Scenario 1: Paper Timesheets

You search for the folders (where was the March folder again?)
Some slips are illegible or missing
Hours were partly entered retrospectively
A complete evaluation takes days
The inspection uncovers gaps and inconsistencies

Result: Administrative penalties and a requirement for remediation.

Scenario 2: Digital Time Tracking

You open the system and generate a report for the required period
All data is complete, traceable, and sorted chronologically
The PDF export is ready in under 2 minutes
Changes are transparently documented
The inspection proceeds smoothly

Result: No objections, positive conclusion.

Conclusion: GDPR Compliance Is Achievable – with the Right Solution

The GDPR is not an obstacle to digital time tracking – quite the contrary: modern systems meet the requirements better than paper or Excel.

The most important success factors:

� Choose a provider with EU hosting and a DPA
� Implement role-based access rights
� Inform your employees transparently
� Use encrypted transmission and storage
� Set up automatic deletion schedules
� Document your measures

Anyone who follows these points can implement time tracking in a legally and data-protection-compliant manner – and simultaneously benefits from the advantages of digital processes: less effort, greater clarity, better traceability.

GDPR compliance is not a luxury – it is an obligation. But it is also an opportunity to set up processes correctly from the outset.