Under Article 5(c) of the GDPR, any personal data processed by a Controller must be adequate, relevant and limited to what is necessary in relation to the purposes for which the data was gathered. This is the principle of data minimisation.
A recent ruling from the European Court of Justice (ECJ) raises the importance of addressing this principle correctly, especially with respect to HR data and specifically to the number of hours worked by employees. This requirement is covered by the EU Working Time Directive which was passed into Irish law the through the Organisation of Working Time Act 1997 (as amended) and the Organisation of Working Time (Records) (Prescribed Form and Exemptions) Regulations, 2001.
The responsibility of accurately collecting adequate personal data required to meet these obligations and the means of doing so as addressed by the ECJ ruling are of importance to all employers in both the public and private sectors.
The European Court of Justice (ECJ) ruling (issued 14 May 2019) stems from a case (Case C‑55/18) passed to it by the Spanish High Court. The court was seeking clarification of an issue raised by a trade union (Federación de Servicios de Comisiones Obreras (CCOO)) regarding whether a bank (Deutsche Bank) was required to keep more detailed records of the actual number of hours worked by the staff it employed.
The case arose because the bank had implemented a system that Deutsche Bank management deemed complied with a Spanish law written to implement the EU Directive on Working Time. The bank’s system only enabled employees to record absences for full working days such as for annual leave, sick leave, etc. Critically, it did not record the actual working hours of an employee on any particular day. In other words, the CCOO claimed Deutsche Bank was collecting too little personal information to meet the requirements of the EU Directive which likely formed the lawful basis for such processing.
The ECJ stated that as the EU Directive was issued to “guarantee better protection of the safety and health of workers” by means of the provision of adequate beaks and by the imposition of a ‘ceiling’ where the total number of hours worked per week could not be exceeded. Member States are required to ensure that the effectiveness of these rights is guaranteed in full and employers must respect the national measures in line with the requirement of the Directive. In order to protect these key rights, the ECJ ruled:
The onus is on the employer and not the employee to record the daily and weekly hours worked because it would be “excessively difficult, if not impossible” for employee to ensure compliance.
To achieve this, the ECJ ruled that a system which is “objective, reliable and accessible” must be implemented which would record the time worked by each worker on each day. There were submissions regarding the cost of implementing such a system being potentially unreasonable, but the Court made very clear that economic considerations cannot undermine the “effective protection of the safety and health of workers”.
The Irish law
Although the ruling made it clear employers must set up this objective, reliable and accessible system, the ECJ leaves it up to the Member States to determine the national specific measures for implementing this time-recording system. Currently Ireland has passed the EU Working Time Directive Organisation of Working Time Act 1997 (as amended) and the Organisation of Working Time (Records) (Prescribed Form and Exemptions) Regulations, 2001. These place an obligation on employers to gather the type of data raised in the ECJ case and inspections are carried out by Workplace Relations Committee, with the power to fine of up to €1,900.
Specifically, Irish employers are required to record (under OWT 2001 section 3(c)):
- the days and total hours worked in each week by each employee concerned,
- any days and hours of leave in each week granted by way of annual leave or in respect of a public holiday to each employee concerned and the payment made to each employee in respect of that leave,
- any additional day’s pay referred to in section 21(1)(d) provided in each week to each employee concerned, and
While the Irish law sets out the requirement to record the type and granularity of data highlighted by the ECJ, many organisations currently do not have as formalised a system in place as might be expected, even a paper one. Often organisations are rightly concerned about collecting/retaining too much data but can lose sight of the equally important requirement to make sure they process sufficient/adequate amounts of personal data to achieve their declared purposes of processing. In other words, in relation to timekeeping data, employers should be asking themselves:
- Have we an ‘objective, reliable and accessible’ system in place to record the hours worked by our employees?
- Do we capture enough information needed to meet our obligations while avoiding excessive data capture or intrusion into an employee’s privacy?
- Are we sure we retain this personal data only for as long as it is required to meet the declared purpose(s) or as mandated by legislation?
Currently, the Irish law says a basic template form may be used when a coking-in system has not been implemented. Given the progress in the technology and reduction in its cost since 2001, such a paper form may no longer meet the ECJ’s requirement for an ‘objective, reliable and accessible’ system.
Employers are recommended to undertake a Data Privacy Impact Assessment to assess the whether their time recording system is meeting their obligations under the EU ruling and Irish law while simultaneously protecting the rights and freedoms of their employees. Where considering installing a new system, it is advised to avoid biometric systems, given the Special Category data involved. Such systems should only be considered in situations where their use could be fully justified. (See our previous article, Biometrics in the workplace: The French perspective). Our advisors can assist your organisation in meeting assessing existing or future systems including completing a full DPIA.
For more information please refer to our service pages, or contact our Data Governance team.