In 2026, working time tracking remains one of the most inspected labour obligations in Spain. Since Real Decreto-ley 8/2019 (Royal Decree-Law 8/2019) made daily working time registration mandatory, the Labour Inspectorate has intensified its activity and the number of penalties for non-compliance has continued to grow. But the regulatory landscape has not stood still: the Spanish Data Protection Agency (AEPD) has restricted the use of biometrics, the ITSS Strategic Plan 2025-2027 incorporates artificial intelligence to cross-reference data, and a draft regulation currently in progress will require digital records with full traceability. This article covers the current regulations point by point, without speculation.
The foundation: RDL 8/2019 and Article 34.9 of the Workers' Statute
Real Decreto-ley 8/2019, of 8 March (BOE no. 61, 12 March 2019), introduced Article 34.9 into the Estatuto de los Trabajadores (Workers' Statute). Its mandate is clear: "The company shall guarantee the daily recording of working hours, which must include the specific start and end times of each employee's working day, without prejudice to the flexible working arrangements established in this article." Records must be kept for four years and must be accessible to the Labour Inspectorate, employees, and their legal representatives. There are no exceptions based on company size, sector, or working arrangement.
What the law requires exactly
The regulations do not impose a specific format: paper, spreadsheet, or digital system are all valid provided the record is complete and preservable. What it does unequivocally require is that the data is captured at the moment it occurs — not reconstructed after the fact — and that it remains accessible. The ITSS Technical Criterion no. 101/2019, published on 10 June 2019, specifies how the inspectorate will operate: it will verify that records are consistent with the company's actual activity, cross-reference data with payroll and Social Security contributions, and require that any modification to a record is documented with an audit trail (who changed what, when and why). A system without an audit trail is indefensible in an inspection.
What is coming: the draft digital registration regulation
In active processing since autumn 2025, there is a draft Royal Decree that, when it comes into force, will raise the standard. The most relevant points: records must be digital and unalterable, with full traceability of any modification; they must be available remotely and immediately upon a request from the Inspectorate; and the system must be able to generate exports in a readable format. As of the publication date of this article, the text does not yet have a definitive publication date in the BOE. Emplyx already meets all these requirements today: its records are unalterable with a complete audit trail, inspector access can be activated in seconds, and exports are generated automatically. If the regulation is approved tomorrow, Emplyx clients will not need to change anything.
Biometrics: what the AEPD permits and what it prohibits
The Spanish Data Protection Agency (AEPD) published in November 2023 its "Guide on presence control processing using biometric systems". The message is unequivocal: fingerprints and facial recognition are special category data under the GDPR, which requires a reinforced legal basis and a prior Data Protection Impact Assessment (DPIA). For the vast majority of companies, using biometrics for time registration does not pass the necessity and proportionality test: there are less intrusive alternatives (mobile app, QR code, NFC) that fulfil the same obligation without processing high-risk data. Using biometrics without the appropriate legal basis exposes the company to penalties from both the ITSS and the AEPD.
Remote work: registration requirements also apply at a distance
Ley 10/2021, of 9 July, on remote work (BOE 10 July 2021) does not exempt companies from working time registration. On the contrary, Article 14 of this law establishes that the working time recording system must accurately reflect working time, including when working from home, without prejudice to agreed flexible working arrangements. The company remains responsible for ensuring that the record exists, is accessible, and meets the requirements of the Workers' Statute. Mobile applications with remote time registration, device validation, or optional geolocation are the most common solutions for this scenario.
The right to digital disconnection
Article 88 of Ley Orgánica 3/2018 (LOPDGDD) recognises employees' right to digital disconnection outside working hours, in order to guarantee respect for their rest periods, leave, and holidays. The company must draw up an internal policy defining how this right is exercised. Although not directly linked to working time registration, both are two sides of the same coin: a good time tracking system makes working time visible and, with it, also evidences whether disconnection is being respected. Inspectors take this into account.
Workers' representatives and access to records
Article 64 of the Workers' Statute guarantees the works council the right to receive information on working conditions, which includes working time monitoring and overtime. The applicable collective agreement may specify the frequency and format. In practice, companies with a works council must be able to generate working time reports by employee or by group to respond to such requests without difficulty. A digital system does this in seconds; a spreadsheet file can turn into days of work.
The Inspectorate also uses algorithms: ITSS Plan 2025-2027
The Strategic Plan of the Labour and Social Security Inspectorate 2025-2027 (published in the BOE in September 2025) expressly establishes the use of data analysis tools and artificial intelligence for the detection of labour fraud. The Inspectorate cross-references working time records with Social Security contribution data, activity on digital platforms, and tax declarations. A company with inconsistent records — declaring employees on part-time contracts with clearly full-time activity, for example — may trigger an automatic alert without any inspector having set foot on their premises. Data consistency is the best protection.
Penalties: how much does non-compliance cost
The Ley sobre Infracciones y Sanciones en el Orden Social (LISOS) classifies the absence of working time records or their manipulation as a serious infringement, with fines of between 751 and 7,500 euros at the maximum level. If the inspectorate detects systematic fraud — for example, repeatedly undeclared overtime — the infringement may be classified as very serious, with fines of up to 225,018 euros. On top of this, there may be employee claims for wage differences and Social Security contingencies arising from the situation. The cost of non-compliance far exceeds that of any working time tracking solution.
Why a digital system makes a difference
The regulations do not require digital, but practical reality does. A paper record cannot generate an audit trail. An Excel file cannot prove it was not modified. No manual solution can respond in minutes to a telematic request from the Inspectorate. Emplyx is designed to comply not only with the regulations currently in force, but also with the requirements that the draft digital registration regulation sets out: unalterable records, full traceability, remote access for the Inspectorate activatable instantly, multi-device recording and remote clock-in for remote workers without the need for biometrics. If the law changes tomorrow, Emplyx clients are already on the other side.