DSGVO und Zeiterfassung: A Guide to German Data Protection in Time Tracking

The DSGVO (Datenschutz-Grundverordnung) is Germany's implementation of the EU General Data Protection Regulation. While the core principles mirror GDPR, Germany often interprets and enforces them more strictly — particularly around employee data.

Time tracking records are personal data under the DSGVO because they link timestamps, durations, and project descriptions to individual employees. This means:

• Employers must have a lawful basis for collecting time data
• Employees must be informed about what data is collected, how long it is retained, and who can access it
• The data must be protected with appropriate technical measures
• Employees have rights of access, correction, and deletion

German data protection authorities (Landesdatenschutzbehörden) have historically taken a firm stance on employee monitoring, making it important to choose tools that respect the boundaries between time tracking and surveillance.

Germany has layered its own requirements on top of the EU framework:

• Arbeitszeitgesetz (ArbZG) — requires employers to record overtime and work on Sundays or public holidays
• BAG ruling (September 2022) — the German Federal Labour Court confirmed that employers must record all working time, not just overtime
• Betriebsverfassungsgesetz — if a works council (Betriebsrat) exists, it has co-determination rights over the introduction and design of time tracking systems

These obligations create a dual compliance challenge: you must record working time (labour law) while protecting the recorded data (DSGVO). The simplest path is a tool that captures only what is legally required — hours, breaks, and project assignments — without collecting behavioural data.

Works councils are especially sensitive to tools that could function as performance surveillance. Keystroke logging, screenshot capture, or idle-time detection often trigger formal objections.

When evaluating time tracking tools for German organisations, these factors matter most:

• Data location — servers in Germany or the EU remove the need for complex international data transfer assessments
• Minimal data collection — the tool should record time entries without capturing screen content, app usage, or location data
• Audit trail — you need to demonstrate compliance; look for clear logging of who accessed what data
• Data processing agreement (Auftragsverarbeitungsvertrag / AVV) — any SaaS provider handling employee data must sign one
• Sub-processor transparency — you should know exactly which third parties handle your data

Tools hosted on infrastructure like Hetzner in Germany offer a practical advantage: the data never leaves German jurisdiction, which simplifies DSGVO documentation and satisfies even cautious data protection officers.

Teetrack is hosted on Hetzner servers in Germany, placing all data under German and EU jurisdiction.

Key compliance features:

• No employee surveillance — no screenshots, no keystroke tracking, no idle detection
• German data residency — Hetzner data centres in Falkenstein and Nuremberg
• Minimal data footprint — only time entries, project assignments, and team structure are stored
• Data export — workspace owners can export all data for audit or employee access requests
• Account deletion — remove individual user data when an employee leaves or requests deletion

For organisations with a Betriebsrat, Teetrack's limited data scope makes it easier to reach agreement on tool adoption — there is no hidden monitoring to negotiate around.