Attendance lists and GDPR - what should you remember?


The attendance list is a document that contains the basic identification data of an employee and a way of confirming employees' arrival and presence at work. Is this list a personal data and is adding reasons for absence to it compatible with the protection of personal data?

Personal data and GDPR

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46 / EC (referred to as GDPR in Poland) clearly specifies what personal data are. There you can read that personal data means information about an identified or identifiable natural person. An identifiable natural person is a person who can be directly or indirectly identified, in particular on the basis of an identifier such as name and surname, identification number, location data, internet identifier or one or more specific physical, physiological, genetic, mental factors, economic, cultural or social identity of a natural person (Article 4 (1) of the GDPR).

Start a free 30-day trial period with no strings attached!

Attendance lists and data protection in the aspect of GDPR

In the aspect of the provision that we find in the GDPR Regulation (Article 4 (1) of the GDPR), it can undoubtedly be stated that the employee attendance list is personal data. There you can find the name and surname of the employee and the reason for the absence. It is his responsibility to report the reason for the absence to his supervisor, who then records it in his timesheet.

The attendance list is not the same as timesheets. The employer himself keeps records of the employee's working time for the purposes of correct determination of his remuneration and other work-related benefits (Article 149 (1) of the Labor Code).

It is the reason of absence that becomes the most problematic from the point of view of personal data protection, as it is a sensitive data. The employee is obliged to inform the employer about the reason for his absence, but his colleagues do not need to know about it. Indication of a specific reason for the absence, e.g. whether it is an illness, business trip or a special leave, on the attendance list may be considered a breach and data processing contrary to its purpose.

GDPR compliant attendance list - what to remember?

It is the work time record that should be the document on the basis of which the employer performs work time settlements and determines the remuneration. The attendance list is only a tool and a way of confirming attendance at work. Therefore, both in this aspect and in the aspect of personal data protection, marking the reasons for absence on the attendance list is unjustified. Such practice may be considered contrary to the provisions on the protection of personal data. Therefore, in order for the keeping of the attendance list to be compliant with the provisions of the GDPR, it is absolutely necessary to stop the practice of entering the reasons for absence in the attendance list. It may be a good solution to keep an attendance list for each employee individually. The most important thing, however, is not to forget about the purpose of their conduct, which is confirming attendance at work, and not recording working time.