Spain :: Working time data and retention

Data Retention

Spanish data protection legislation does not provide for any specific employee data retention periods. However, these are regulated through other laws and are normally determined based on the relevant limitation periods for legal claims.

◉ Administration of wages (including tax-free reimbursements)

Ten years (minimum).

◉  Tax records 

Four years, which is the relevant period of limitation [General Taxation Law].

◉ Accounting and finance records (including books, correspondence and supporting documents) 

Six years [Code of Commerce].

◉  Payroll records including wages, tax and social security records, payslips etc

Four years (minimum) from the end of the employment relationship, which is the relevant period of limitation [Royal Decree 5/2000].

◉  Severance pay records

Four years (minimum) from the end of the employment relationship.

◉ Employment contracts and other relevant documents

Three years from the end of the employment relationship, which is the relevant period of limitation [Royal Decree 5/2000].

◉ Pension plans, social plans and other HR policies

Four years (minimum) from date of termination of the plan.

◉ Unsuccessful job applicant data

Three years (minimum).

◉Medical files, documents relating to health and safety

Five years (minimum), which is the relevant period of limitation [Royal Legislative Decree 5/2000].

Electronic Records

Companies have been actively handling HR data transmission in Spain for many years. It is subject to three principal laws

  • Spanish Law 39/2015 on Administrative Proceedings (Administrative Proceedings Act)
  • Spanish Law 59/2003 on Electronic Signature (E-Signature Act) which establishes the general regulatory scheme for electronic signatures in Spain and distinguishes between Qualified electronic signatures (QES) and non-qualified Basic or Advanced electronic signatures
  • Spanish Civil Code, Article 1278 which establishes the general principle of the freedom of forms for contracts meaning that no specific form is generally required in order for a contract to be valid.

There are also principally two relevant EU measures

  • European Union Regulation 910/2014 of July 23 2014  (eIDAS)
  • The General Data Protection Regulation (GDPR)

All data handled electronically must be subject to the GDPR. This may seem obvious, but privacy, security and data loss are the three biggest issues when it comes to litigation in this field.

The European Regulation 910/2014 puts in place an EU-wide framework for electronic transactions in the internal market. It defines three types of signatures of differing strength and validity.

  • Standard electronic signature (SES): This is the most basic type of eSignature. The signatory can type or draw their name, and there is no electronic form to validate the signature.
  • Advanced electronic signature (AES): An AES has more identifying marks that are unique to the signer. This type of signature is usually drawn using a pen or stylus, but there is no accompanying qualified certificate.
  • Qualified electronic signature (QES): A QES is considered the strongest type of electronic signature. The signer will draw their name on a secure signature creation device, and the contract comes with an electronic form to validate the document.

It is the QES that is necessary when it comes to employment contracts – as it is equivalent to a pen and ink signature.

For other documents employers should agree with employees, in advance, on their purpose, who is responsible for providing the data, how frequently it must be submitted, in what form, within what safeguards and how they may access it. In some cases, everyday data may be transmittable via the email system, but for many essential documents it will be necessary to use a Qualified Trust Service Providers (QTSPs) to handle the transmission. 

◉ Working Time Data

Work records ranging from daily hours to sick leave are subject to strict rules in Spain. This is sensitive in Spain because of a European Court of Justice case (14th May 2019) that arose from a referral by a Spanish Court. This was brought into Spanish law through section 34.9 of the Workers’ Statute (introduced by Royal Decree-Law 8/2019 of 8 March). All hours each day must be recorded in detail at source (for every employee) and it remains the responsibility of the employer to achieve this (that is why an employee time recording App may not be legally sufficient). The rules state that:

  • All companies must maintain an hourly record for each employee whatever work schedule they follow
  • The record must be kept for four years and must be accessible to the employee and their worker representatives
  • Employee have a right to know their detailed working time requirements, in advance, each day
  • Trade unions (where applicable) must be given a monthly report of all overtime hours, whether or not paid.

Due to company vulnerability in respect to the recording of working time we recommend that this data is handled separately (bearing in mind that it is personal data). It will require secure transmission of all employee data to its company destination for payroll purposes and yet availability on an individual basis for inspection by each employee and on an aggregate basis for their representatives and factory inspectors. This will thus go beyond the normal services of a QTSP.

DISCLAIMER: This document is for general guidance only. Its contents do not constitute legal advice and are not intended to be complete or exhaustive. Although we try to ensure the information is accurate and up-to-date, all users should seek legal advice before taking or refraining from taking any action and no liability is accepted for any loss which may arise from reliance on information contained in this document.