On March 21, 2026, the Consejo de Estado (Council of State) issued its opinion on the draft Real Decreto (Royal Decree) that seeks to make digital time tracking mandatory in Spain. The conclusion was emphatic: 'The proposed Royal Decree should not be approved.' The country's oldest advisory body identified serious deficiencies in the economic impact assessment, in worker data protection, in the lack of sector-specific adaptation, and in the legislative pathway chosen by the Ministry of Labor. However, the Consejo de Estado's opinion is non-binding, and Minister Yolanda Díaz has announced she will press ahead with the project. This leaves 1.35 million businesses and 15.6 million workers in a regulatory limbo that demands preparation, not paralysis. Real Decreto-ley 8/2019 (Royal Decree-Law 8/2019, BOE No. 61, March 12, 2019) has required time tracking for seven years, but allows it on paper. The new decree will eliminate that option: only digital, tamper-proof, traceable systems with remote access for the Inspección de Trabajo (Labor Inspectorate) will be accepted. This article walks through the full legislative timeline, the upcoming technical requirements, the economic impact as quantified by the Consejo de Estado itself, the three possible scenarios following the opinion, and the concrete actions every company should begin today.
Full Timeline: From RDL 8/2019 to the Consejo de Estado Opinion
The obligation to track working hours was born with Real Decreto-ley 8/2019 of March 8, which added section 9 to article 34 of the Estatuto de los Trabajadores (Workers' Statute, BOE-A-2019-3481). It came into force on May 12, 2019 after a two-month adaptation period. Its mandate was simple: every company must record each worker's exact daily start and end times, retain the records for four years, and keep them available for the ITSS (Labor and Social Security Inspectorate), employees, and their representatives. What the law did not do was mandate a format: paper, spreadsheets, or software were equally valid. Seven years later, the Government decided to close that gap. On September 30, 2025, the Consejo de Ministros (Council of Ministers) fast-tracked a new Real Decreto requiring mandatory digital tracking. Between October 15 and 30, 2025, a public consultation period was held for the draft, receiving submissions from employer associations (CEOE, CEPYME), trade unions (UGT, CCOO), professional bodies, and technology companies in the sector. In parallel, the draft Orden Ministerial (Ministerial Order) on technical requirements for tracking systems was published, with its public consultation running until March 21, 2026. The Real Decreto text was then sent to the Consejo de Estado, which issued its rejection opinion on March 21, 2026. It is important to note that this rejection came just ten days after the Congreso de los Diputados (Congress of Deputies) rejected, on September 10, 2025, the preliminary bill to reduce the working week to 37.5 hours, which included complementary provisions on digital tracking. The Government has lost both of its preferred legislative routes, but has not abandoned either.
What the Consejo de Estado Actually Said
The opinion of March 21, 2026 identified five main deficiencies. First: the project's economic impact assessment is insufficient. The Consejo de Estado itself calculated that implementing mandatory digital time tracking would cost the Spanish business sector 867 million euros, equivalent to 55.40 euros per worker per year. The Ministry of Labor had claimed the measures 'would not impose a significant burden' — an assessment the Consejo called 'unrealistic.' Second: the project fails to account for sector-specific characteristics. A single digital tracking model cannot apply equally to a financial services office, a restaurant with split shifts, railway personnel with irregular schedules, or building concierges with permanent on-call duties. Third: data protection safeguards are insufficient. The Consejo warned that 'it is not enough to state that unauthorized persons will not access the data' and noted that remote access by the Inspectorate raises privacy risks that the text does not adequately address, in line with what the AEPD (Spanish Data Protection Agency) had already highlighted in its November 2023 Guide on biometric systems. Fourth: the chosen legislative pathway is incorrect. An obligation of this magnitude should be processed as ordinary legislation through Parliament, not as a Real Decreto approved directly by the Consejo de Ministros. Fifth: the adaptation period of just 20 days from publication in the BOE (Official State Gazette) is manifestly insufficient for 1.35 million businesses to deploy software, train their workforces, and adapt their processes. The Ministry of Economy, for its part, had also issued unfavorable reports requesting longer transition periods and specific support tools for SMEs.
The Eight Technical Requirements the Decree Will Impose
Despite the negative opinion, the draft's technical requirements are clear because they were subject to public consultation. The decree will amend articles 34.9, 12.4.c, and 35.5 of the Estatuto de los Trabajadores, as well as article 7.5 of the LISOS (Ley sobre Infracciones y Sanciones en el Orden Social — Law on Labor Offenses and Penalties). These are the eight requirements that tracking systems must meet: 1) Full digitization: tracking must be performed exclusively through electronic systems (app, web, terminal, QR, NFC). Paper and spreadsheets are expressly prohibited as a permanent compliance method. 2) Minute-level detailed tracking: recording entry and exit alone will not suffice. The system must record shift start, shift end, breaks, overtime hours worked, and their compensation, all with minute-level granularity. 3) Individual worker identification: each clock-in must be linked to the employee's identity via PIN, personal QR code, username and password, or another non-high-risk biometric mechanism. 4) Immutability and traceability: records cannot be modified without automatically generating an audit log documenting who changed what, when, and why. Any alteration without a technical trail will constitute a violation. 5) Remote access for the ITSS: the Labor Inspectorate will be able to consult records in real time without traveling to the workplace or depending on the company's active cooperation. 6) Access for legal representatives: works councils and staff delegates will have direct access to the system under the terms of article 64 of the Estatuto de los Trabajadores. 7) Minimum four-year retention: data must be preserved with agile recovery mechanisms, backups, and redundancy throughout the legal retention period. 8) Export in standard formats: the system must generate exports in readable, standardized formats (CSV and XML with a defined schema are being considered) to facilitate automated processing by the ITSS.
The Penalty Regime: From €751 to €225,018 — Applied per Worker
The current penalty framework, regulated by the LISOS (Real Decreto Legislativo 5/2000 — Royal Legislative Decree 5/2000), already punishes non-compliance with time tracking. Article 7.5 of the LISOS classifies breach of time-tracking rules as a serious offense, with fines ranging from 751 euros (minimum level) to 7,500 euros (maximum level) under article 40.1.b. When the Inspectorate detects systematic fraud — systematically undeclared overtime, for example — the offense can be reclassified as very serious, with fines of up to 225,018 euros under article 40.1.c. What the new decree intends to add is significant: on one hand, raising the ceiling for serious offenses to 10,000 euros at maximum level; on the other, and most critically, penalties will be calculated per affected worker, not per company. This means that if the Inspectorate finds 50 employees lacking compliant digital tracking, it can impose 50 independent penalties. For a mid-sized company with 200 workers without a digital system, the theoretical maximum exposure could reach 2,000,000 euros. Add to this individual worker claims for unpaid overtime and Social Security contribution assessments for unpaid dues. The ITSS Strategic Plan 2025–2027, published in the BOE in September 2025, already establishes the use of artificial intelligence to cross-reference time-tracking records with contribution data, digital platform activity, and tax filings, enabling automated detection of inconsistencies without an inspector setting foot in the company.
Three Possible Scenarios After the Negative Opinion
The Consejo de Estado's opinion is non-binding, which opens three scenarios for the coming months. Scenario 1: Approval with modifications (the most likely). The Government partially incorporates the Consejo's observations — especially extending the adaptation period and adding some reference to sector-specific modulation — approves the Real Decreto in the Consejo de Ministros, and publishes it in the BOE between May and July 2026. This is the path Minister Díaz has publicly indicated. The effective entry into force would depend on the revised adaptation period, which could be extended from the initial 20 days to 6–12 months, placing mandatory compliance between late 2026 and mid-2027. Scenario 2: Referral and parliamentary processing. The Government accepts the objection about the legislative pathway and opts to process the digital obligation as part of ordinary legislation in Congress. This would significantly extend timelines: parliamentary processing, amendments, voting, and publication could push the text to 2027 or even 2028. However, it would provide greater legal solidity and avoid potential challenges before the Tribunal Constitucional (Constitutional Court). Scenario 3: Indefinite postponement. Tensions within the governing coalition and the lack of parliamentary support — recall that the working-time reduction was rejected by Congress in September 2025 — cause the project to be shelved, similar to what happened with mandatory e-invoicing (Verifactu), which has suffered multiple delays. In this scenario, the tracking obligation would continue to be governed by RDL 8/2019 with no digital requirement. Regardless of the scenario, the trend is unequivocal: digital time tracking will become mandatory — the only question is when.
The Real Cost of Inaction: 867 Million Euros and 35% of SMEs Still Not Digitized
The 867-million-euro figure calculated by the Consejo de Estado deserves closer examination. According to its estimates, 1.35 million companies will need to implement or adapt digital tracking systems, affecting 15.6 million workers. The average cost per worker stands at 55.40 euros per year, which includes software licensing, implementation, and technical support, but not training or internal process adaptation, which the Consejo considered undervalued. Sector data reveals that approximately 35% of SMEs and self-employed individuals with employees still use paper or spreadsheets as their primary time-tracking method. For these companies, the transition is not a simple tool change: it means digitizing an entire process, training staff, defining incident protocols, and configuring a system that meets all eight of the decree's technical requirements. However, the cost of inaction far exceeds the cost of adaptation. A single serious penalty at maximum level (7,500 euros under current LISOS rules, up to 10,000 under the reform) applied to ten workers would amount to between 75,000 and 100,000 euros — a figure that dwarfs the annual cost of any SaaS solution on the market. Add to this reputational risks, employment claims for unpaid overtime, and the competitive disadvantage against companies already operating with integrated digital systems.
Data Protection and Biometrics: the AEPD Draws the Red Line
One of the most sensitive points in the debate is the intersection between time tracking and personal data protection. The AEPD (Agencia Española de Protección de Datos — Spanish Data Protection Agency) published in November 2023 its 'Guide on the processing of attendance control through biometric systems,' establishing that fingerprints and facial recognition are special category data under Article 9 of the GDPR. Their use for clocking in requires a reinforced legal basis and a prior Data Protection Impact Assessment (DPIA) that, in most cases, does not pass the necessity and proportionality test: less intrusive alternatives exist (PIN, QR, mobile app, NFC) that serve the same purpose without processing high-risk biometric data. The Real Decreto draft reflects this line: it expressly prohibits high-risk biometrics without proportional justification and bans requiring personal devices with geolocation without the worker's prior agreement. The Consejo de Estado went further by pointing out that the text's privacy safeguards are insufficient, especially regarding the Inspectorate's remote access. Who holds the access credentials? What audit trail exists for ITSS queries? How is it guaranteed that an inspector does not access data of workers outside the scope of their investigation? These are questions the current text does not answer and that will foreseeably need to be addressed in the revised version or in the technical Orden Ministerial.
Why Emplyx Makes Compliance Immediate
For companies already using Emplyx, the Consejo de Estado's opinion and the scenarios ahead pose no operational alarm — rather, they confirm that their investment was sound. Emplyx's architecture was designed from the ground up to comply with exactly the requirements the legislator intends to impose. Every clock-in — whether from a mobile app, web browser, or physical terminal — generates an immutable digital record backed by a complete audit trail: who clocked in, from which device, at what exact time (to the minute), and any subsequent modification is documented with authorship, date, and justification. It is not possible to alter a record without leaving a trace. Remote access is native: as a cloud platform, data is available from any authorized device. Setting up a read-only account for an ITSS inspector takes seconds, not days. Exports are generated with a single click in standard formats, ready for the automated analysis the Inspectorate already performs with its AI tools. Data retention for the legally required four years is guaranteed by cloud infrastructure with geographic redundancy and automatic backups. Multi-device clocking (web, mobile with optional geolocation, kiosk, QR) adapts to each employee profile without imposing high-risk biometrics. And all of this at a cost per worker significantly below the 55.40 euros per year that the Consejo de Estado estimates as the market average. In practice, when the Real Decreto is published in the BOE — whether in 2026 or 2027 — Emplyx customers will not need to change a single thing. While 35% of Spanish SMEs invest time, money, and effort in a last-minute digitization rush, companies already using Emplyx can dedicate those resources to what truly matters: their business.