Continue reading on DataGuidance with:
Free Member
Limited ArticlesCreate an account to continue accessing select articles, resources, and guidance notes.
Already have an account? Log in
Denmark: New rules on working time registration
In May 2019, the Court of Justice of the European Union (CJEU) delivered a judgment1 on the understanding of specific requirements under the EU Working Time Directive. More specifically, the CJEU ruled that an employer is required to have a system in place that allows registration of the employees' daily working time to ensure that all the requirements of the EU Working Time Directive are complied with. As a consequence of this judgment, the Danish Ministry of Employment presented an amendment to the Danish Working Time Act. Anna de Vos- Zehngraff, Mille Selbach Rasmussen, and Rasmus Martens, from Bruun & Hjejle Advokatpartnerselskab, take a look at this amendment and the implications of this on data protection.
Amendment to Danish legislation on working time
On January 23, 2024, new rules on the registration of employees' daily working time were adopted by the Danish Parliament. These new rules in the Danish Working Time Act will require employers to implement a system that can register employees' daily working time. Such a system must be implemented no later than July 1, 2024. In addition, the system must comply with the following general requirements:
- the system must be able to register the daily working time of each employee;
- the system must be objective – not arbitrary;
- the system must be reliable – ensuring control and data quality; and
- the system must be accessible – employees must have access to their own working time data in the system.
The requirement that employers must register their employee's daily working time will, however, not apply to all employees. Firstly, employees who have the possibility to plan (all) their daily working time and fulfill management functions or may make independent decisions are not covered. Secondly, employees whose working time – due to special characteristics of the work performed – cannot (as a whole) be measured or determined in advance are also not covered. Regardless of these exceptions, employers are allowed to register the daily working time of their employees even though the employees are not covered by the new requirements.
Data protection implications
The new requirements for daily working time registration are not only interesting from an employment law perspective. The processing of personal data in connection with time registration will be covered by the General Data Protection Regulation (GDPR). Therefore, employers must also be aware of and comply with the various requirements laid down in the GDPR when implementing or updating a system for employee working time registration. In the following section, we outline some of the important GDPR compliance requirements that employers must comply with in relation to working time registration systems.
Appropriate legal bases for the processing of personal data must be established
Any processing of personal data must have a legal basis, which may be found in the GDPR or the supplementary Danish Data Protection Act (DDPA).
As information about an employee's daily working time registrations will not be considered so-called 'sensitive personal data,' the relevant legal bases to be established for such data processing activities must be found in Article 6 of the GDPR and Section 6 and/or Section 12 of the DDPA.
The legal basis will vary from case to case depending on whether the registration of the daily working time takes place due to requirements laid down in the Danish Working Time Act or due to specific interests of the employer, such as logistic optimization, control measures, etc.
If the registration of daily working time is done in order to comply with the legal obligation set out in the Danish Working Time Act, the appropriate legal bases for such processing of personal data will be Article 6(1)(c) of the GDPR and the special Danish rule on processing of personal data in employment relationships inSection 12(1) of the DDPA.
In situations where the employer is not required under the Danish Working Time Act to register certain employees' daily working time, the employer may still have working time registered if the employer can demonstrate an appropriate necessary legitimate interest in doing so. In that case, the legal bases for the processing of personal data will be Article 6(1)(f) of the GDPR and Section 12(2) of the DDPA.
Working time registration must be retained for five years after the end of a four-month period
According to the GDPR, personal data must not be kept in a form that permits identification of data subjects for longer than is necessary for the purposes for which the personal data is processed (see Article 5(1)(e) of the GDPR). Consequently, information on employees' daily working time must be deleted or anonymized when the information is no longer necessary for the purposes pursued.
The new Danish Working Time Act will require employers to store information about the daily working time for five years after the end of the four-month period from which the average working time is calculated. This means that employers must store personal data for five years and four months.
Employers – who are not required to register daily working time under the Danish Working Time Act but do for other (legitimate) reasons – cannot rely on the purposed storage period in the Danish Working Time Act. Instead, these employers must determine the necessary storage period in accordance with Article 5 (1)(e) of the GDPR. In this respect, employers must assess how long it will be necessary to store the registration of daily working time for the (legitimate) purposes and reasons for which the information is initially registered, and must not retain the information for longer than this necessary period.
Employees must be informed about the working time registrations
To comply with Articles 13 and 14 of the GDPR, employers must ensure that employees are sufficiently informed about the collection and processing of their working time registrations. Thus, employees must, for instance, be informed about the purpose, the legal basis, any data recipients, and the storage period in relation to the processing of the working time registrations.
The information should generally be provided to employees before the registration of daily working time is initiated and no later than at the time of the first registration.
However, the obligation to provide certain information to employees when processing their personal data also applies to employers who, to some extent (and in some way), already register their employees' working time. If the processing activities in this regard change (e.g., due to new requirements laid down in the Danish Working Time Act) employers will – as a main rule – be required to fulfill the information obligation again towards their employees about the specific changes of such processing activities.
Furthermore, if an employer intends to use the information on daily working time for controlling measures (e.g., to check employees' 'coming-and-going time' within agreed time frames), the employer must – in addition to ensuring sufficient legal bases for this – explicitly in advance inform the employees of this purpose as well. Please note that specific requirements may apply to the initiation of controlling measures in employment relationships.
Records of data processing activities must be updated
According to Article 30 of the GDPR, the data controller is required to prepare and maintain a record of the data processing activities for which the data controller is responsible. The employer must revisit and update these records to ensure a sufficient description of the processing of personal data in relation to working time registration. The parts of the records that are most likely to be affected by the initiation of any new working time registration will be those concerning the purposes for processing, the categories of personal data, and the time limits for the erasure of personal data.
Risk assessments must be conducted
Moreover, Article 32 of the GDPR requires the data controller to conduct risk assessments of all data processing activities. Consequently, the employer must ensure that a sufficient risk assessment is prepared and documented in relation to the registration of the employees' daily working time and that necessary security measures have been implemented to mitigate any unacceptable risk before initiating such registration. If a risk assessment of the data processing activities relating to registration of daily working time has previously been carried out, the employer must revisit the assessment and update it, if necessary.
Data processing agreement must be concluded, if relevant
It is not a requirement that working time is registered in an electronic system, but many employers will most likely choose to use some kind of system.
As the supplier of such a system will be processing personal data on behalf of the employer, the employer must ensure that the processing is governed by a data processing agreement in accordance with the requirements laid down in Article 28 of the GDPR for such agreements.
If an employer already uses a system that can also be used for time registration, the employer must assess and ensure that a data processing agreement covers all data processing activities in relation to the registration of the daily working time (see Article 28 of the GDPR).
Anna de Vos-Zehngraff Associate Partner
[email protected]
Mille Selbach Rasmussen Attorney
[email protected]
Rasmus Martens Assistant Attorney
[email protected]
Bruun & Hjejle Advokatpartnerselskab, Copenhagen
1. See: Case C-55/18, Federación de Servicios de Comisiones Obreras (CCOO) v Deutsche Bank SAE