GDPR-Compliant Time Tracking: What Your Tool Must Handle

What the regulation actually requires from your time tracking setup.

Time tracking under GDPR requires purpose limitation, data minimisation, and clear employee consent. This guide covers the key obligations and how Teetrack meets them with EU-hosted infrastructure.

How GDPR applies to time tracking

Every time tracking entry ties a timestamp to a person. Under the General Data Protection Regulation (GDPR), that makes it personal data — and that triggers a set of rules your organisation must follow.

The key principles that affect time tracking are:

  • Purpose limitation — you can only collect time data for defined, legitimate reasons (payroll, project costing, legal compliance)
  • Data minimisation — collect only what you actually need; no keystroke logs, no location pings, no screenshot captures unless strictly justified
  • Storage limitation — keep records only as long as required by law or business need, then delete them
  • Integrity and confidentiality — protect the data with appropriate technical and organisational measures

If your time tracking tool stores data on US servers, uses invasive monitoring, or lacks clear data processing documentation, you may already have a compliance gap.

Key obligations for employers

As the data controller, the employer bears responsibility for how time data is collected and processed. In practice, this means:

  • Inform employees about what is tracked, why, and where the data is stored
  • Establish a lawful basis — typically legitimate interest or legal obligation (e.g. the 2019 EU Court of Justice ruling requiring member states to mandate working time recording)
  • Provide access rights — employees can request a copy of their time data
  • Enable deletion — when retention periods expire, data must be removable
  • Document processing activities — maintain a record of processing that covers your time tracking system

Many teams overlook these requirements because they consider time tracking "just an internal tool." But internal tools that process personal data fall squarely under GDPR.

What to look for in a compliant tool

Not every time tracker is built with European data protection in mind. When evaluating tools, check for:

  • EU data residency — is the data stored within the European Union, or does it pass through US cloud providers?
  • No surveillance features — screenshot capture, keystroke logging, and activity scoring go well beyond what GDPR considers proportionate for time tracking
  • Data export and deletion — can you export all employee data on request and delete it when required?
  • Transparent sub-processors — does the vendor list who else handles your data?
  • Encryption in transit and at rest — baseline security expectations under Article 32

A tool hosted on Hetzner servers in Germany, for example, keeps data under EU jurisdiction without complex cross-border transfer mechanisms.

How Teetrack handles GDPR requirements

Teetrack is hosted on Hetzner servers in Germany, so all time tracking data stays within the EU. There are no US sub-processors involved in data storage or processing.

The approach is straightforward:

  • No screenshots, no keystroke logging, no activity monitoring — Teetrack records time entries, not employee behaviour
  • Data stays in Germany — Hetzner data centres in Falkenstein and Nuremberg
  • Export and deletion — workspace owners can export data and remove accounts as needed
  • Minimal data collection — Teetrack captures what you need for time tracking and project management, nothing more

This makes it easier to document your processing activities and respond to employee data requests without needing a dedicated compliance project.
