On March 23, 2026, the Council of State issued its opinion on the draft Royal Decree that aims to make digital time tracking mandatory in Spain. The conclusion was blunt: "It is not appropriate to approve the projected royal decree." The country's oldest advisory body pointed out serious deficiencies in the economic report, in the protection of workers' data, in the lack of sectoral adaptation, and in the legislative path itself chosen by the Ministry of Labor. However, the Council of State's opinion is not binding, and Minister Yolanda Díaz has announced that she will move forward with the project. This leaves 1.35 million companies and 15.6 million workers in a regulatory limbo that demands preparation, not paralysis. Royal Decree-Law 8/2019 (Official State Gazette no. 61, March 12, 2019) has required tracking working hours for seven years, but allows it to be done on paper. The new decree will eliminate that option: only digital, unalterable, traceable systems that are remotely accessible by the Labor Inspectorate will be valid. This article details the legislative chronology, the upcoming technical requirements, the economic impact quantified by the Council of State itself, the three possible scenarios following the opinion, and the concrete actions every company should start today.
Complete chronology: from RDL 8/2019 to the Council of State's opinion
The obligation to track working hours was born with Royal Decree-Law 8/2019, of March 8, which added section 9 to article 34 of the Workers' Statute (BOE-A-2019-3481). It entered into force on May 12, 2019, after a two-month adaptation period. Its mandate was simple: every company must daily record the specific start and end time of each worker's shift, keep the records for four years, and have them available for the ITSS, employees, and their representatives. What the law did not do was impose a format: paper, Excel, or software were equally valid. Seven years later, the Government decided to close that gap. On September 30, 2025, the Council of Ministers approved the urgent processing of a new Royal Decree that would require mandatory digital tracking. Between October 10 and October 20, 2025, the public hearing and information phase for the draft was opened, receiving allegations from employers' associations (CEOE, CEPYME), unions (UGT, CCOO), professional associations, and technology companies in the sector. In parallel, the draft Ministerial Order on technical requirements for tracking systems was published, with its public consultation extending until March 21, 2026. The text of the Royal Decree was sent to the Council of State, which issued its opinion on March 23, 2026, rejecting its approval. It is important to note that this rejection occurred just ten days after the Congress of Deputies rejected, on September 10, 2025, the processing of the Draft Law on reducing the workweek to 37.5 hours, which included supplementary provisions on digital tracking. The Government has run out of its two preferred legislative paths, but has not abandoned either.
What the Council of State said exactly
The opinion of March 23, 2026, identified five main deficiencies. First: the project's economic report is insufficient. The Council itself calculated that the implementation of mandatory digital tracking would cost the Spanish business fabric 867 million euros, which is equivalent to 55.40 euros per worker per year. The Ministry of Labor had stated that the measures "would not impose a significant burden," an assessment that the Council described as "unrealistic." Second: the project does not consider sectoral peculiarities. The same digital tracking model cannot be applied equally to a financial services office, a restaurant with split shifts, railway personnel with irregular schedules, or building doormen with permanent availability. Third: data protection guarantees are insufficient. The Council warned that "it is not enough to say that unauthorized persons will not access the data" and noted that remote access by the Inspectorate poses privacy risks that the text does not adequately resolve, in line with what was already pointed out by the AEPD in its Guide on biometric systems of November 2023. Fourth: the legislative path chosen is incorrect. An obligation of this magnitude should be processed as an ordinary law in Parliament, not as a Royal Decree approved directly by the Council of Ministers. And fifth: the adaptation period of only 20 days from publication in the BOE is manifestly insufficient for 1.35 million companies to deploy software, train their staff, and adapt their processes. The Ministry of Economy, for its part, had also issued unfavorable reports requesting longer transition periods and specific support tools for SMEs.
The eight technical requirements that the decree will impose
Despite the negative opinion, the draft's technical requirements are clear because they were subject to public consultation. The decree will modify articles 34.9, 12.4.c, and 35.5 of the Workers' Statute, as well as article 7.5 of the LISOS. These are the eight requirements that tracking systems must meet: 1) Complete digitization: tracking must be done exclusively through electronic systems (app, web, terminal, QR, NFC). Paper and spreadsheets are expressly prohibited as a permanent method of compliance. 2) Detailed minute-by-minute tracking: it will not be enough to note entry and exit. The system must record the start of the shift, end of the shift, breaks, overtime worked, and its compensation, all with minute-level granularity. 3) Individual worker identification: each clock-in must be linked to the employee's identity via PIN, personal QR, username and password, or another non-biometric high-risk mechanism. 4) Immutability and traceability: records cannot be modified without automatically generating an audit log that documents who changed what, when, and why. Any alteration without a technical trail will constitute an infraction. 5) Remote access for the ITSS: the Labor Inspectorate will be able to consult records in real time without traveling to the workplace or relying on the company's active collaboration. 6) Access for legal representatives: company committees and staff delegates will have direct access to the system under the terms of article 64 of the Workers' Statute. 7) Minimum four-year custody: data must be kept with agile retrieval, backup, and redundancy mechanisms throughout the entire legal period. 8) Export in standard formats: the system must generate exports in readable and standardized formats (CSV and XML with a defined schema are being considered) to facilitate automated processing by the ITSS.
The sanctioning regime: from €751 to €225,018 and application per worker
The current sanctioning framework, regulated by the Law on Infractions and Sanctions in the Social Order (LISOS, Royal Legislative Decree 5/2000), already punishes non-compliance with time tracking. Article 7.5 of the LISOS classifies the violation of rules on time tracking as a serious infraction, with fines ranging between 751 euros (minimum degree) and 7,500 euros (maximum degree) according to article 40.1.b. When the Inspectorate detects systemic fraud—repeated undeclared overtime, for example—the infraction can be reclassified as very serious, with fines of up to 225,018 euros in accordance with article 40.1.c. What the new decree intends to add is blunt: on one hand, raising the ceiling for serious infractions to 10,000 euros at the maximum degree; on the other, and this is the most relevant part, the application will be calculated per affected worker, not per company. This means that if the Inspectorate detects that 50 employees lack compliant digital tracking, it can impose 50 independent sanctions. For a medium-sized company with 200 workers without a digital system, the theoretical exposure at the maximum degree could reach 2,000,000 euros. To this must be added individual worker claims for unpaid overtime and Social Security contribution settlements for unpaid contributions. The ITSS Strategic Plan 2025-2027 (Resolution of September 8, 2025, BOE-A-2025-18078, published in the BOE on September 12, 2025), already establishes the use of artificial intelligence to cross-reference time tracking records with contribution data, activity on digital platforms, and tax returns, which allows for detecting inconsistencies in an automated way without any inspector setting foot in the company.
Three possible scenarios following the negative opinion
The Council of State's opinion is not binding, which opens three scenarios for the coming months. Scenario 1: approval with modifications (the most likely). The Government partially incorporates the Council's observations—especially the extension of the adaptation period and some reference to sectoral modulation—approves the Royal Decree in the Council of Ministers, and publishes it in the BOE between May and July 2026. This is the path that Minister Díaz has publicly indicated. The effective entry into force would depend on the revised adaptation period, which could be extended from the initial 20 days to 6-12 months, placing mandatory compliance between late 2026 and mid-2027. Scenario 2: resubmission and parliamentary processing. The Government accepts the objection regarding the legislative path and chooses to process the digital obligation as part of an ordinary law in Congress. This would significantly lengthen the deadlines: parliamentary processing, amendments, voting, and publication could push the text to 2027 or even 2028. However, it would give it greater legal solidity and avoid possible challenges before the Constitutional Court. Scenario 3: indefinite postponement. Tensions within the governing coalition and the lack of parliamentary support—remember that the reduction of the workweek was rejected by Congress in September 2025—mean the project remains on the back burner, similar to what happened with the mandatory electronic invoice (Verifactu), which has suffered multiple delays. In this scenario, the tracking obligation would continue to be governed by RDL 8/2019 without a digital requirement. Whatever the scenario, the trend is unequivocal: digital tracking will be mandatory, the only unknown is when.
The real cost of inaction: 867 million euros and 35% of SMEs undigitized
The figure of 867 million euros calculated by the Council of State deserves careful analysis. According to its estimates, 1.35 million companies will have to implement or adapt digital tracking systems, affecting 15.6 million workers. The average cost per worker is 55.40 euros per year, which includes software licensing, implementation, and technical support, but not training or internal process adaptation, which the Council considered undervalued. Sectoral data reveal that approximately 35% of SMEs and self-employed workers with employees still use paper or Excel as their main method of time tracking, according to the TeamSystem Spain Observatory (Ipsos study, December 2025). For these companies, the transition is not a simple change of tool: it implies digitizing a complete process, training staff, defining incident protocols, and configuring a system that complies with the decree's eight technical requirements. However, the cost of inaction far exceeds that of adaptation. A single serious sanction at the maximum degree (7,500 euros with the current LISOS, up to 10,000 with the reform) applied to ten workers would amount to between 75,000 and 100,000 euros, a figure that would make the annual cost of any SaaS solution on the market pale in comparison. Added to this are reputational risks, labor claims for unpaid overtime, and loss of competitiveness against companies that already operate with integrated digital systems.
Data protection and biometrics: the AEPD draws the red line
One of the most sensitive points of the debate is the intersection between time tracking and personal data protection. The Spanish Data Protection Agency published in November 2023 its "Guide on attendance control processing using biometric systems," establishing that fingerprints and facial recognition are special category data according to article 9 of the GDPR. Their use for clock