Time registration in Belgium is both a legal obligation and a potential GDPR minefield. You must track working time accurately to meet NSSO obligations, yet every clock-in method, from a mobile app to a fingerprint reader, processes personal data. Here is a plain-language guide to what Belgian law allows, where the GBA draws the line, and how to build a Suivo time registration setup that is both accurate and lawful.
Why time registration is legally required in Belgium
Belgian social security law requires employers to record the actual working time of most employees. The NSSO (Nationale Sociale Zekerheidsraad / ONSS) uses these records during inspections to verify that workers are correctly declared and that social security contributions match hours worked. For construction companies, Check-in at Work (CIAW) adds a second obligation: every worker on a qualifying building site must be registered at entry, and since the extension to Check-in and Out at Work (CIAO), also at exit.
This legal obligation is important for privacy law too. Under GDPR Article 6(1)(c), processing personal data to comply with a legal obligation does not require the employee’s consent. The NSSO obligation is that legal basis. You do not need to ask workers for permission to log their working time.
What counts as personal data in time registration?
Almost everything in a time registration system is personal data:
- Clock-in and clock-out timestamps linked to a named employee.
- Location data if you use GPS or geofencing to determine when a worker arrives on site.
- Device data if you use a mobile app (phone identifier, IP address).
- Biometric data if you use a fingerprint reader or facial recognition terminal.
All of it falls under GDPR. The legal basis (NSSO legal obligation) covers the basic who-worked-when-and-where. It does not give unlimited licence: you still must apply the proportionality principle and only process data that is genuinely necessary for the purpose.
The biometric exception: what Belgian law says
Fingerprint readers and facial recognition clocks are popular on construction sites because they are hard to abuse. A worker cannot badge in a colleague. But biometric data is a special category of personal data under GDPR Article 9, which means the standard NSSO legal basis is not enough on its own.
In Belgium, using biometric data in an employment context requires one of the following:
1. A sector-level collective labour agreement (CAO at national or sector level) explicitly authorising the use of biometric identification for that sector. Some sectors have negotiated such agreements; most have not.
2. Explicit, specific, and freely given consent from each individual employee, which is practically difficult in an employment relationship because consent is rarely truly free.
The Belgian DPA (GBA) has issued guidance confirming that most employers cannot rely on individual consent alone in an employment context. If your sector does not have a CAO authorising biometric data, a fingerprint clock is legally risky. A safer alternative for secure, non-transferable identification is a personal NFC badge or QR code, which does not process biometric data.
GPS and geofencing: proportionate for field workers?
For field crews who move between sites, projects, or customer locations, GPS-based time registration, where the platform logs a clock-in when a worker enters a geofenced zone around a site, is efficient and practical. Belgian privacy law allows this under the NSSO legal basis, provided you meet three conditions:
1. Transparency: The use of GPS tracking must be described in your work regulations (arbeidsreglement) and communicated to workers before it starts. Springing it on them afterwards is not lawful.
2. Proportionality: GPS during working hours is proportionate. GPS outside working hours is generally not, unless there is a separate, specific legal basis (for example, tracking a company vehicle after a theft).
3. Retention: Location data tied to a named individual should not be kept longer than necessary. A record of which site a worker attended on a given day is sufficient for NSSO purposes; continuous second-by-second tracking is rarely proportionate.
Field service companies using Suivo’s time tracking solution typically configure geofences around project sites and client locations. Workers receive a notification when they enter a zone, and the clock-in is logged automatically. That configuration, tied to work-hour windows only, is proportionate.
CBA nr. 68: electronic monitoring obligations
Collective labour agreement nr. 68 (CBA 68), concluded at the National Labour Council, governs the monitoring of electronic communications and online activity in the Belgian workplace. It does not apply directly to time registration clocks, but it does apply when you use software tools, including workforce management platforms, to observe how, when, and where an employee uses electronic means.
If your time registration system also captures data about what a worker does on their device, you are in CBA 68 territory. The agreement requires you to:
- Inform workers individually of what is monitored, why, and how the data is used.
- Define the purpose clearly: time registration, not general surveillance.
- Limit access to data to those with a genuine business need (HR, payroll, direct supervisors), not all managers.
- Set a retention period and stick to it.
Your work regulations or an addendum to the employment contract is the normal place to record these commitments.
What the GBA can do if you get it wrong
The Belgian Data Protection Authority (GBA / Autorité de protection des données) investigates complaints, conducts audits, and can impose administrative fines of up to €20 million or 4% of global annual turnover, whichever is higher. For most Belgian SMEs, the GBA’s typical response to first-time procedural violations is a formal warning and an order to remedy the issue. However, for cases involving biometric data used without a proper legal basis, the fines are real.
Workers also have the right to access the personal data you hold on them, request corrections, and in some circumstances request deletion. A well-structured time registration system, with clear data categories and retention schedules, makes responding to these requests straightforward rather than burdensome.
Building a compliant time registration setup
A practical checklist for Belgian employers:
- Update your work regulations to describe the time registration method, what data is collected, its purpose, and retention period.
- Choose your clock-in technology carefully: mobile app or NFC badge for most situations; avoid biometric unless your sector has a specific CAO.
- Limit GPS tracking to working hours and ensure workers are informed before rollout.
- Configure role-based data access in your workforce management platform so only authorised staff can see individual location or clock-in histories.
- Set a data retention policy: most employers keep time records for 5 years to match NSSO audit windows; location detail beyond a daily summary can often be deleted sooner.
- Carry out a Data Protection Impact Assessment (DPIA) if you are introducing GPS tracking or biometric identification for the first time. This is mandatory under GDPR Article 35 for high-risk processing.
Suivo’s workforce management solution is designed with role-based access controls and configurable data retention to support this compliance structure.
The bottom line
Time registration in Belgium is legally required, which gives you a solid GDPR foundation. Where most employers run into trouble is not the basic clock-in data but the extras: biometric readers without a proper CAO, GPS running outside work hours, or monitoring platforms that collect more data than they need. Get the legal basis right, be transparent with workers, and configure your system to collect only what the NSSO actually needs.
Ready to set up compliant time registration?
Suivo helps Belgian construction and field service companies register working time accurately, with the access controls and configuration options to stay on the right side of Belgian privacy law.