Most companies collect and process personal data of their employees as part of their employee attendance records. Let’s have a closer look at how these employee records should be properly handled in terms of the GDPR.
Do we need a specific employee consent to record their attendance?
No, you don’t.
The GDPR allows organisations to hold and process personal data without consent on the basis of a few lawful grounds. Two of them apply to employee attendance records:
- necessity for the performance of a contract;
There’s a need to process employees’ work hours and absences so that they can get their paychecks. This constitutes a necessity for the performance of a contract.
- compliance with a legal obligation;
Employers also have a legal obligation to keep records of employee working hours. This is how they are able to demonstrate their compliance with the state work attendance policy.
Do we need an audit trail of employee attendance data?
Yes, this one you do need for various reasons.
In most cases there’s at least one administrator in the company who handles employee attendance records. Administrators process personal data as part of their role. This is why they need to fully understand and follow the GDPR compliance programme.
The company should ensure that administrators’ roles and responsibilities are clearly defined, and that they only ever process personal data in line with those responsibilities. For example, if there are multiple teams and team administrators in your company, a team administrator should only access the data of their own team members and not the data of other teams, while the person responsible for preparing paychecks needs access to all the data. An audit trail provides documentation that those limitations and security controls are in place and functioning properly.
The data processors and controllers need to be able to show how and when the data was processed and be able to prove it. This can be achieved with an audit trail which traces the actions taken against data from the time of its creation to its erasure.
This audit trail must track the actions of employees as well as administrative users. In our online employee attendance solution, All Hours, the audit log is already part of the solution.
You also need to keep audit data for long enough to deal with potential incidents or inquiries. In case of a data breach or an accusation of misconduct, you need to ensure that the needed data remains available throughout the process, which can sometimes take very long. This is why the audit log data stored in All Hours has no limited retention period.
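As an added illustration (example code written for this article, not the All Hours implementation), the following Python sketch shows the two controls described above working together: a team administrator can only touch records of their own team while the payroll role can reach every record, and every attempt, allowed or denied, is appended to an audit log that is never truncated, so the history of a record survives its erasure. The team, admin and employee names are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class AuditEvent:
    """One immutable audit-trail entry: who did what to whose record, and whether it was allowed."""
    timestamp: str
    actor: str
    action: str   # "create", "read" or "erase"
    subject: str  # employee whose attendance record was touched
    outcome: str  # "allowed" or "denied"


class AttendanceStore:
    """Attendance records with per-team access limits and an append-only audit log."""

    def __init__(self, team_admins, payroll_users):
        self._records = {}                   # employee -> list of (date, hours)
        self._team_admins = team_admins      # admin -> set of employees in their team
        self._payroll = set(payroll_users)   # payroll role may access every record
        self.audit_log = []                  # append-only; entries are never removed

    def _authorised(self, actor, subject):
        return actor in self._payroll or subject in self._team_admins.get(actor, set())

    def _guard(self, actor, action, subject):
        # Log first, then enforce: denied attempts are evidence too.
        outcome = "allowed" if self._authorised(actor, subject) else "denied"
        self.audit_log.append(AuditEvent(
            datetime.now(timezone.utc).isoformat(), actor, action, subject, outcome))
        if outcome == "denied":
            raise PermissionError(f"{actor} may not {action} records of {subject}")

    def record_hours(self, actor, subject, day, hours):
        self._guard(actor, "create", subject)
        self._records.setdefault(subject, []).append((day, hours))

    def read_hours(self, actor, subject):
        self._guard(actor, "read", subject)
        return list(self._records.get(subject, []))

    def erase(self, actor, subject):
        """Erase the attendance data; the audit entry for the erasure itself is kept."""
        self._guard(actor, "erase", subject)
        self._records.pop(subject, None)

    def history(self, subject):
        """Every audited action on one employee's record, from creation to erasure."""
        return [e for e in self.audit_log if e.subject == subject]
```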
How does the GDPR affect US companies with employees in the EU?
Many US companies think the GDPR does not apply to them because they don’t have a physical presence in the EU. But the GDPR does apply to US (and multinational) companies that have any employees working in the EU. Remote employee records are also covered by the GDPR, as it applies to the processing of personal data of subjects who ‘are’ in the EU. There is no requirement that the employee is a citizen of the EU, just that the employee is physically in the EU.