GDPR & Time Tracking

GDPR & Employee Time Tracking:
What's Legal for SMEs?

GPS clock-in, QR code attendance, and digital timesheets — all legal under GDPR when done right. Here's exactly what the regulation requires and how to stay compliant.

Quick answer: Employee time tracking is legal under GDPR provided you have a lawful basis (typically a legal obligation or legitimate interest), inform employees about data collection, store data securely on EU servers, and retain records only as long as legally required. GPS and QR code attendance systems like NoBadge are fully compliant when configured correctly.

No credit card · No contract · Setup in 2 minutes

  • 100% EU-hosted infrastructure
  • €0 hardware required
  • 2 min setup time
  • 15-day free trial, no card

The Regulation

What Does GDPR Actually Say About Time Tracking?

The General Data Protection Regulation (GDPR), in force across the EU and EEA since May 2018, governs how organisations collect, store, and process personal data — including employee attendance records. Time tracking data (clock-in/out timestamps, GPS coordinates, worked hours) is personal data under Article 4 GDPR and must be handled accordingly.

The good news: employee time tracking is explicitly recognised as lawful under GDPR. Article 6 provides three legal bases that apply to most SMEs:

  • Article 6(1)(c) — Legal obligation: In many EU countries (Germany, Spain, France, Romania), employers are legally required by labour law to record working hours. GDPR processing is lawful when it fulfils a legal obligation.
  • Article 6(1)(b) — Contract performance: Processing attendance data to calculate pay and manage employment contracts is inherently necessary for the employment relationship.
  • Article 6(1)(f) — Legitimate interests: Preventing time fraud and managing workforce operations constitutes a legitimate interest, provided it is proportionate and does not override employee rights.

"NoBadge processes attendance data exclusively on EU-hosted servers, retains only what is legally required, and gives employees full transparency — making GDPR compliance a built-in feature, not an afterthought."

Pain Points

The 3 GDPR Mistakes SMEs Make With Time Tracking

Most compliance failures come down to the same avoidable errors. Here's what to watch out for.

Data stored outside the EU

Using US-based SaaS tools (spreadsheets synced to US clouds, apps with servers in non-adequate countries) creates immediate GDPR exposure. Transferring employee data outside the EEA without Standard Contractual Clauses is a violation.

No transparency with employees

GDPR Article 13 requires you to inform employees — before processing begins — about what data is collected, why, for how long, and who has access. Surprise GPS tracking or covert monitoring is unlawful regardless of business need.

Retaining data longer than necessary

The data minimisation and storage limitation principles (Articles 5(1)(c) and (e)) require you to delete attendance records once they are no longer needed. Many SMEs keep years of unnecessary data in spreadsheets — a liability waiting to happen.

GPS Tracking

Is GPS Time Tracking Legal Under GDPR?

GPS clock-in is lawful — but the scope and transparency of tracking matter enormously. Here's the clear line.

[Image: GPS time tracking, GDPR-compliant — employee clocks in via smartphone at a construction site]

✅ What is GDPR-compliant GPS time tracking

  • Recording GPS location only at the moment of clock-in and clock-out — a single coordinate pair per shift
  • Informing employees in writing (privacy notice) that location is captured at timekeeping events
  • Using location data solely to verify attendance at the registered work site — not for behavioural surveillance
  • Storing coordinates on EU-hosted servers with access restricted to authorised managers
  • Applying a configurable geofence radius so minor GPS drift does not penalise employees

❌ What is NOT compliant

  • Continuous real-time GPS tracking throughout the working day without a specific, documented purpose
  • Tracking employees outside working hours or during breaks
  • Using location data for disciplinary purposes beyond attendance verification without additional legal basis

NoBadge's GPS time tracking feature captures a single location stamp at clock-in/out. No continuous tracking. No background location access outside the clock-in action itself.

QR Code Attendance

Is QR Code Attendance GDPR Compliant?

QR code clock-in is one of the most privacy-friendly attendance methods available. Here's why.

Unlike biometric systems (fingerprint scanners, facial recognition) which process special category data under Article 9 GDPR and require explicit consent or a specific legal basis, QR code attendance collects only:

  • Employee identifier (account ID — not biometric)
  • Timestamp of scan
  • Work location (via the QR code's registered site)

This is standard personal data — processed under Article 6(1)(b) or (c) — with no special category complications. NoBadge's dynamic QR code regenerates every second, preventing screenshot fraud without any biometric collection.

Key GDPR advantage: QR code systems eliminate the need for fingerprint or facial recognition entirely — removing the highest-risk category of employee monitoring data from your processing activities.

[Image: QR code time tracking, GDPR-compliant — dynamic QR code at the office entrance eliminates physical badges]

Compliance Checklist

GDPR Time Tracking Compliance: 6-Step Checklist for SMEs

Follow these steps to make your employee time tracking fully compliant with GDPR — regardless of which tool you use.

1. Establish a lawful basis before you start

Document which Article 6 basis applies: legal obligation (most common for EU employers under labour law), contract performance, or legitimate interest. Record this in your Records of Processing Activities (RoPA) under Article 30.

2. Issue a clear privacy notice to all employees

Before any tracking begins, provide employees with an Article 13 notice covering: what data is collected, why, how long it's kept, who can access it, and their rights (access, correction, deletion). Written, dated, and signed confirmation is best practice.

3. Choose EU-hosted software

Ensure your time tracking software processes and stores data exclusively on servers within the EU/EEA. If data is transferred to third countries (e.g. US), Standard Contractual Clauses or an adequacy decision must be in place. NoBadge is 100% EU-hosted.

4. Apply data minimisation

Collect only what you actually need. Clock-in/out timestamps and work location are sufficient for most SMEs. Avoid collecting real-time location throughout the day, personal device data, or behavioural metrics unless you have a specific, documented purpose.

5. Set clear data retention periods

Most EU labour laws require attendance records to be kept for 2–5 years (varies by country). Delete or anonymise records after the retention period expires. Document your retention schedule in your RoPA. Automated deletion or archiving is strongly recommended.

6. Sign a Data Processing Agreement (DPA) with your software provider

Under Article 28 GDPR, if a third party processes personal data on your behalf (as any SaaS attendance tool does), you must have a signed DPA in place. This document defines the processor's obligations and is mandatory — not optional.

Country-Specific Rules

GDPR + Local Labour Law: What Changes by Country

GDPR sets the baseline. National labour laws add specific requirements on top — and some are mandatory regardless of company size.

🇩🇪 Germany — ArbZG + ECJ C-55/18

Since the 2019 ECJ ruling, German employers must systematically record all working hours. The Arbeitszeitgesetz (ArbZG) requires records to be kept for at least 2 years. The DSGVO (the German name for the GDPR) applies in full. Works councils (Betriebsrat) have co-determination rights over time tracking systems.

Legal obligation basis confirmed

🇪🇸 Spain — Real Decreto-Ley 8/2019

Since May 2019, all Spanish employers must record daily start and end times for every employee. Records must be kept for 4 years and made available to the Inspección de Trabajo. Non-compliance fines reach €6,250. LOPDGDD governs data protection. This makes time tracking both legally mandatory and GDPR-regulated.

Fines up to €6,250 for non-compliance

🇫🇷 France — Code du travail + CNIL

French labour law requires tracking of heures supplémentaires, RTT, and congés payés. The CNIL (French DPA) has issued specific guidance on employee monitoring: covert or disproportionate tracking is prohibited. Employees must be informed via the company's règlement intérieur or individual notice before any tracking system is deployed.

CNIL prior notice required

🇷🇴 Romania — Codul Muncii + REVISAL

Romanian law (Legea 53/2003) requires employers to maintain a foaie de pontaj (timesheet) for all employees. REVISAL (HG 905/2017) mandates electronic reporting to the Labour Inspectorate. Legea 190/2018 implements GDPR locally. The Inspecția Muncii actively audits compliance — attendance records must be accurate and available on request.

REVISAL integration required

🇬🇧 United Kingdom — UK GDPR + Working Time Regulations 1998

Post-Brexit, the UK retained GDPR in domestic law as UK GDPR (Data Protection Act 2018). The ICO (Information Commissioner's Office) enforces it. The Working Time Regulations 1998 require employers to keep adequate records to demonstrate compliance with the 48-hour weekly limit and rest requirements. Records must be kept for 2 years. The ICO's Employment Practices Code provides detailed guidance on monitoring at work — transparency and proportionality are the key tests.

UK GDPR applies · ICO Employment Practices Code · 2-year record retention

How NoBadge Helps

How NoBadge Makes GDPR Compliance Built-In

Compliance shouldn't require a legal team. NoBadge is designed so that doing things the right way is also the easiest way.

100% EU-hosted infrastructure

All attendance data is stored and processed exclusively on EU servers. No transfers to the US or third countries. Full adequacy from day one.

Point-in-time GPS only

Location is captured only at the moment of clock-in or clock-out — never continuously. No background tracking. No movement data. Proportionate by design.

No biometric data collected

QR code attendance collects zero biometric data — no fingerprints, no facial recognition. This eliminates the highest-risk category of employee data processing entirely.

Role-based access control

Admin, Manager, and Employee roles ensure each person sees only the data they need. Access logs maintained. Principle of least privilege enforced at the platform level.

Article 28 DPA available

NoBadge provides a Data Processing Agreement to all customers — mandatory under GDPR when a SaaS provider processes personal data on your behalf. Available on request from day one of your trial.

Export-ready audit records

One-click Excel export of complete attendance records — ready for labour inspections, payroll auditors, or subject access requests. 70% less admin time compared to manual spreadsheets.

Learn more about our full feature set, including leave management and GPS attendance tracking — all GDPR-compliant by design.

Social Proof

SMEs Already Tracking Time Compliantly

"We simplified attendance management for teachers, tutors, and admin staff across multiple sites. We save hours every week compared to the old Excel sheets — and we know the data is handled correctly."

Claudio Querelante, Director, Accademie AIEM

"On construction sites nobody has time for complications. Our workers clock in from their phones and we monitor everything in real time. No badges, no hardware, no compliance headaches."

Silviu Lascu, Owner, Sistad Italia

"We used to manage attendance via WhatsApp and paper. Now everything is centralised in NoBadge and the GPS clock-in also helps with operational oversight. Much cleaner for audits."

Giovanni Fala, Founder, Fala Noleggi

The Numbers

The Cost of Getting Time Tracking Wrong

Non-compliance has a price — both financial and operational. These numbers apply to SMEs with 20–30 employees.

  • €6,250 — maximum fine per violation in Spain under RDL 8/2019
  • €14k — annual cost of manual attendance management for a 20–30 person SME
  • 70% — reduction in admin time when switching from spreadsheets to NoBadge
  • <30 days — typical ROI payback period for a 30-person team

FAQ

GDPR Time Tracking — Frequently Asked Questions

Answers to the questions SME owners and HR managers ask most about GDPR and employee time tracking.

Is employee time tracking legal under GDPR?

Yes. Recording employee working hours is lawful under GDPR when you have a valid legal basis — typically a legal obligation (Article 6(1)(c)) or contract performance (Article 6(1)(b)). In Germany, Spain, France, and Romania, tracking working hours is actually mandated by national labour law. You must inform employees in advance and process only the data you genuinely need.

Is GPS tracking of employees allowed under GDPR?

GPS tracking is lawful under GDPR when it is proportionate and transparent. Capturing a single GPS coordinate at clock-in and clock-out — to verify the employee is at the registered work location — is considered proportionate for most businesses. Continuous real-time tracking throughout the working day requires a stronger justification and is more likely to be challenged by data protection authorities. Always inform employees in writing before deploying any GPS-based system.

Do I need employee consent to track working hours?

In most cases, no. Consent (Article 6(1)(a)) is rarely the appropriate basis for employment data because of the power imbalance — employees cannot freely refuse. Instead, rely on legal obligation (where national law mandates time tracking) or contract performance (necessary to calculate pay). You do need to inform employees via a privacy notice, but that is different from requesting consent.

How long can attendance records be kept?

Retention periods vary by country: Germany requires at least 2 years under ArbZG; Spain requires 4 years under RDL 8/2019; the UK Working Time Regulations require 2 years. GDPR's storage limitation principle (Article 5(1)(e)) requires deletion once the legal retention period expires. Document your retention schedule in your Records of Processing Activities and automate deletion where possible.

Can fingerprint or facial recognition be used for time tracking?

Biometric data is "special category" data under Article 9 GDPR and requires an explicit legal basis beyond Article 6 — typically explicit consent or a specific national law authorisation. Several EU data protection authorities (including Italy's Garante and France's CNIL) have ruled against the use of fingerprint scanners for routine time tracking, finding it disproportionate. QR code and GPS systems avoid this issue entirely by collecting no biometric data.

Do I need a Data Processing Agreement with my time tracking provider?

Yes — a Data Processing Agreement (DPA) is mandatory under Article 28 GDPR whenever a third-party processor handles personal data on your behalf. Your time tracking software provider processes employee attendance data on your behalf, making them a data processor. The DPA must specify the nature of processing, data types, retention periods, security measures, and sub-processor arrangements. NoBadge provides a DPA to all customers on request.

GDPR-Compliant Time Tracking

Track Time Legally.
Start in 2 Minutes.

NoBadge is 100% EU-hosted, collects no biometric data, and gives you a Data Processing Agreement from day one. 15 days free — no credit card, no contract.

No credit card · No contract · Cancel anytime · EU-hosted · GDPR compliant

This article is for informational purposes only and does not constitute legal advice. Consult a qualified data protection advisor or employment lawyer for guidance specific to your organisation and jurisdiction.