What data you may collect, how long you may keep it, and how to register hours lawfully under the GDPR and Belgian DPA guidance.
Belgium’s move toward mandatory daily time registration in 2027 creates an obvious tension: employers must record more about when and where staff work, while the GDPR requires them to collect as little personal data as possible. Get the balance wrong and a well-intentioned time tracking rollout becomes a privacy complaint. Get it right and you satisfy both the labour-law duty and the data-protection one at the same time. This article explains, for privacy officers, HR, and legal teams, exactly what data you may collect for time registration, on what lawful basis, how long you may keep it, and what rights your employees retain, all under the guidance of the Belgian Data Protection Authority. For the practical tooling side, our comparison of the best digital time-registration tools in Belgium shows which platforms handle this well.
Why Time Tracking Is a GDPR Matter
Working-hours records are personal data: they identify a named individual and reveal patterns about their daily life. That brings time registration squarely within the GDPR, enforced in Belgium by the Data Protection Authority (APD/GBA). At the same time, the 2027 mandate, derived from the EU “CCOO” ruling and overseen by the FPS Employment, obliges you to keep an objective record. The two regimes are not in conflict; they simply require you to track the right data, for the right reason, for the right length of time.
Lawful Basis: Why You Are Allowed to Track
Under the GDPR you need a lawful basis to process employee data. For time registration, consent is usually the wrong choice: the power imbalance between employer and worker makes it hard to call freely given. Most Belgian employers rely instead on two stronger bases:
- Legal obligation: you are required to keep working-time records (and, in some sectors, Check in at Work registrations).
- Legitimate interest / contract performance: accurate payroll and workforce management are core to the employment relationship, handled through your time tracking system.
Document which basis applies before you switch the system on. That record is itself a GDPR accountability requirement.
Data Minimisation: What You May and May Not Collect
Data minimisation is the principle most often breached in time tracking. Collect what the purpose requires, and nothing more.
- ✅ Worker identity (e.g. National Register Number where legally required), date, start and end times.
- ✅ Site or project reference where needed for payroll and the 2027 record.
- ✅ Coarse location confirmation (a geofence yes/no) where a sector rule such as CIAW requires presence verification.
- ❌ Continuous GPS tracking of an employee’s movements when only presence is needed.
- ❌ Biometric data unless strictly necessary and separately justified.
- ❌ Health, union, or other special-category data dressed up as “notes.”
⚠️ Location is the danger zone. Verifying that a worker is on site (a geofence check at the moment of clock-in) is proportionate; tracking their location continuously through the day is not, and will attract a complaint. Choose a system that confirms presence without building a movement profile.
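The difference between a presence check and a movement profile comes down to what is persisted. The sketch below is an added example, not code from Suivo or any product named on this page: it evaluates the geofence once at clock-in and stores only the yes/no result. The names `Site`, `ClockEvent`, `clock` and the sample coordinates are assumptions made for illustration.

```python
import math
from dataclasses import dataclass

EARTH_RADIUS_M = 6_371_000.0

@dataclass(frozen=True)
class Site:
    site_id: str
    lat: float
    lon: float
    radius_m: float          # geofence radius around the site centre

@dataclass(frozen=True)
class ClockEvent:
    """What gets persisted. Deliberately has no latitude/longitude fields."""
    worker_id: str
    site_id: str
    kind: str                # "in" or "out"
    at: str                  # ISO 8601 timestamp
    on_site: bool            # the geofence yes/no, nothing finer

def distance_m(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance in metres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))

def clock(worker_id, site, kind, lat, lon, at):
    """Evaluate the geofence once, then drop the coordinates."""
    if kind not in ("in", "out"):
        raise ValueError("kind must be 'in' or 'out'")
    if not (-90 <= lat <= 90 and -180 <= lon <= 180):
        raise ValueError("coordinates out of range")
    on_site = distance_m(lat, lon, site.lat, site.lon) <= site.radius_m
    # lat/lon go out of scope here: they are never stored or logged.
    return ClockEvent(worker_id, site.site_id, kind, at, on_site)

# Constructed sample data (not from the page).
DEPOT = Site("site-A", 51.2300, 4.4100, 150.0)
```

Because the stored record has no coordinate fields, later access requests, exports and backups cannot leak a location trail that was never written.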
Retention: How Long You May Keep the Data
GDPR storage limitation means you keep personal data only as long as the purpose, or the law, requires, then delete it. For Belgian time records the practical drivers are payroll, social-security, and labour-law retention periods. Set an explicit retention schedule, automate deletion, and never keep “just in case.” A purpose-built time tracking platform should let you configure retention and purge automatically rather than leaving old data in spreadsheets and inboxes.
Employee Rights and Transparency
Your workers retain their full GDPR rights over time-tracking data, and transparency is non-negotiable.
- Inform staff clearly, in a privacy notice, what is collected, why, on what basis, and for how long.
- Honour access requests: a worker can ask for their own registration data.
- Allow correction of genuine errors via a controlled process in the time tracking system.
- Consult the works council or employee representatives where required before rollout, per FPS Employment guidance.
Note the tension between correction rights and audit integrity: employees may request fixes, but the system should log who changed what and when, so the record stays trustworthy. Because Suivo captures each registration live and time-stamped, the original entry is preserved and any correction is auditable, protecting both privacy rights and inspection readiness.
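One way to reconcile rectification with audit integrity is an append-only log in which a correction is a new entry that points at the original. The following is an added example, not Suivo's implementation: the hash chaining that makes edits detectable is an assumption chosen here, and `RegistrationLog`, its fields and the sample values are hypothetical.

```python
import hashlib
import json

GENESIS = "0" * 64

def digest(body):
    """SHA-256 over a canonical JSON encoding of an entry body."""
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(raw).hexdigest()

class RegistrationLog:
    """Append-only: corrections are new entries, originals are never edited."""

    def __init__(self):
        self.entries = []

    def append(self, kind, worker_id, actor, payload, at, corrects=None, reason=None):
        body = {"seq": len(self.entries), "kind": kind, "worker_id": worker_id,
                "actor": actor,            # who made the entry
                "at": at,                  # when (set server-side in practice)
                "payload": dict(payload),  # what was registered
                "corrects": corrects, "reason": reason,
                "prev": self.entries[-1]["hash"] if self.entries else GENESIS}
        self.entries.append(dict(body, hash=digest(body)))
        return body["seq"]

    def correct(self, seq, actor, new_payload, reason, at):
        original = self.entries[seq]
        if original["kind"] != "registration":
            raise ValueError("only registrations can be corrected")
        # reason is a short code, not free text, to keep sensitive notes out.
        return self.append("correction", original["worker_id"], actor,
                           new_payload, at, corrects=seq, reason=reason)

    def effective(self, seq):
        """Values to use for payroll: the latest correction wins."""
        current = self.entries[seq]["payload"]
        for e in self.entries[seq + 1:]:
            if e["corrects"] == seq:
                current = e["payload"]
        return dict(current)

    def verify(self):
        """True only if no entry was altered, removed or reordered."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["seq"] != i or e["prev"] != prev or digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True
```

A hash chain makes tampering detectable rather than impossible; keeping the latest hash somewhere the application cannot rewrite is what lets an inspector trust the check.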
Compliance Quick-Reference Table
| GDPR principle | What it means for time tracking | Practical action |
| --- | --- | --- |
| Lawful basis | Legal obligation / legitimate interest | Document basis before go-live |
| Data minimisation | Only identity, time, presence | Disable continuous GPS |
| Purpose limitation | Payroll & legal record only | No repurposing for surveillance |
| Storage limitation | Keep only as long as required | Automate retention & deletion |
| Transparency | Workers must be informed | Issue a clear privacy notice |
| Integrity | Records must be reliable | Live, time-stamped, auditable |
Green = compliant practice; red-zone behaviours (continuous tracking, indefinite retention, hidden collection) are the ones that draw Belgian DPA complaints.
Managing Privacy-Safe Time Tracking with Technology
Suivo, a Belgian IoT company with over 15 years of experience in workforce, asset, and fleet management, builds data protection into its time tracking by design. The platform helps you:
- Collect only the data the purpose needs through the time tracking app
- Verify presence with a geofence check rather than continuous location tracking
- Configure retention schedules and automate deletion
- Keep tamper-resistant, time-stamped records that preserve integrity
- Handle sector duties such as Check in at Work and CIAO lawfully
- Support access and correction requests with a full audit trail
- Apply Belgian DPA-aligned controls across construction, cleaning, and transport
Suivo’s IoT platform integrates seamlessly with existing payroll and ERP systems, helping companies like Antwerpnatie and Molenbergnatie meet both their labour-law and data-protection duties across large, multi-site workforces.
Our works council’s first question was about surveillance. Being able to show that we verify presence, not movement, and that data auto-deletes on schedule, turned a tense meeting into a quick approval.
– Privacy Officer, logistics company near Antwerp
Take Action Today
Don’t let a privacy gap turn your 2027 readiness into a complaint. Start by documenting your lawful basis, mapping exactly what data you collect against what the purpose requires, setting a retention schedule, and issuing a clear privacy notice to staff before any system goes live.
For more information about privacy-safe time tracking under the GDPR in Belgium, contact Suivo at +32 3 375 70 30 or visit the time tracking solution page to see how data protection is built in by design.
Frequently Asked Questions
Do I need employee consent to track working hours?
Usually no, and consent is often the wrong basis because of the employer-employee power imbalance. Most Belgian employers rely on legal obligation or legitimate interest, documented before the time tracking system goes live.
Is GPS location allowed in time tracking?
A geofence check confirming presence at clock-in is generally proportionate; continuous movement tracking is not. Where sector rules require presence verification, Check in at Work handles it without building a movement profile.
How long can I keep time-registration data?
Only as long as payroll, social-security, and labour-law retention require, then delete it. A platform that automates retention (see options in our tools comparison) keeps you on the right side of storage limitation.
Can employees ask to see or correct their time data?
Yes. They have access and rectification rights. A good time tracking system supports these requests while logging every change, so corrections do not undermine audit integrity.
Does meeting the 2027 mandate conflict with GDPR?
No. The mandate requires an objective record; the GDPR requires you to keep it minimal and secure. A privacy-by-design time tracking platform satisfies both at once, as the Belgian DPA guidance anticipates.