Data Protection Impact Assessment (DPIA)
Last updated: 23 May 2026 (v3.55.4 EN translation v3.55.8) · Compliant with GDPR Art. 35, AEPD «DPIA Lists» Guidance (Resolution 26-Oct-2024), Article 29 Working Party WP248 rev.01 and Regulation (EU) 2024/1689 (AI Act).
This document constitutes the Data Protection Impact Assessment (DPIA) for the personal-data processing carried out by the Timglas service in its capacity as Data Processor on behalf of the Data Controller (the Customer). It is prepared prior to the start of high-risk processing pursuant to Article 35 GDPR.
This is the English translation of the Spanish DPIA published at legal.html#dpia. In case of any discrepancy between the Spanish and English versions, the Spanish original prevails.
1. Identification of the processing and parties
- Processing name: «Time-tracking, HR management and workplace supervision in a multi-tenant SaaS environment».
- Controller: the Customer (the employing organisation). Each Timglas installation has a distinct Controller.
- Processor: the operator of the Timglas platform (see Legal Notice for details).
- Data Protection Officer (DPO): on the Processor side, a DPO will be appointed when the conditions of Art. 37 GDPR apply. On the Controller side, the DPO is appointed by the Customer.
- Assessment date: 23 May 2026.
- Next mandatory review: 23 May 2027 (annual) or upon material changes (new sub-processors, new data categories, significant incidents).
2. Systematic description of the processing
2.1. Processing operations
- Daily clock-in/clock-out tracking (Spanish RD-law 8/2019 + Art. 34.9 Workers' Statute).
- Absence, vacation, leave and sick-leave management.
- Shift scheduling and workforce planning.
- Project assignment and time-on-project tracking.
- Internal communications (announcements, push notifications).
- HR document archive (contracts, payslips, certificates).
- Report generation and exports for Labor Inspections.
- Optional geolocation (geofence) to verify presence at the workplace.
- Optional device-side biometric authentication (fingerprint, face).
- Optional modules: ATS (recruitment), LMS (training), Pulse (surveys), 360 (performance).
- Optional AI recommendations: candidate↔vacancy matching, training suggestions, coverage alerts.
2.2. Nature, scope, context and purposes
- Nature: automated processing in a multi-tenant SaaS platform hosted on EEA-located cloud infrastructure (Hetzner Frankfurt, Germany).
- Scope: active and inactive employees of the Customer, candidates in recruitment processes, business contacts (optional CRM module). Estimated volume: up to several thousand data subjects per installation.
- Context: pre-existing employment relationship between Customer and data subjects.
- Purposes: compliance with the Customer's legal obligations as employer (Art. 6.1.c GDPR), performance of the employment contract (Art. 6.1.b), legitimate interest of the Customer in organising work (Art. 6.1.f) and, where required (biometrics, health), the explicit consent of the data subject (Art. 9.2.a).
2.3. Categories of data and data subjects
Detailed in clause 4 of the DPA (Spanish legal.html · «DPA» tab). They include identification data, contact data, employment data, time-tracking data with optional geolocation, technical data and, when activated by the Customer, biometric data (Art. 9) processed exclusively on the data subject's device.
3. Necessity and proportionality of the processing
- Legal basis: compliance with a legal obligation (Art. 34.9 Spanish Workers' Statute and RD-law 8/2019 mandate daily clock-in/out records). The processing is necessary: no less intrusive legal alternative exists.
- Data minimisation (Art. 5.1.c): Timglas collects only the data described above. Geolocation is optional, activated by the Customer and notified to the data subject. Biometrics are processed on-device: the server receives only a signed boolean «verified/not verified» — the biometric template never leaves the device.
- Storage limitation (Art. 5.1.e): clock-in records retained for 4 years (RD-law 8/2019). Unsuccessful candidate data: max 1 year. Employment documentation: during the contract + applicable legal periods. Audit logs: 12 months for analysis with progressive anonymisation starting at 6 months.
- Accuracy (Art. 5.1.d): the data subject can rectify their own personal data from the profile. The Customer periodically reviews employment data.
- Purpose limitation (Art. 5.1.b): data are not used for purposes incompatible with those described. Timglas does not sell or share personal data with third parties for marketing or profiling.
- Data-subject rights (Art. 12-22): access, rectification, erasure, restriction, portability and objection. Available from the user interface («My profile → Privacy → Download my data»). Max response time: 1 month (Art. 12.3).
4. Risk identification and assessment
Risks are evaluated based on their likelihood (L: low=1, medium=2, high=3) and severity on data-subject rights (S: low=1, medium=2, high=3). The final risk level is L × S.
| Risk | Origin and consequences | L | S | Level | Status after mitigations |
|---|---|---|---|---|---|
| R1. Excessive workplace surveillance | Continuous GPS geolocation or disproportionate use of clock-in records to profile productivity outside the employment scope. Violates dignity and privacy (Spanish CC Art. 18; STC 119/2022). | 2 | 3 | 6 – High | Mitigated |
| R2. Confidentiality breach | Unauthorised access to personal data through compromise of the backend, a sub-processor or stolen credentials. Affects the entire Customer workspace. | 2 | 3 | 6 – High | Mitigated |
| R3. Automated decision with significant effects | Working-hours scoring algorithms, fraud detection or candidate↔vacancy matching producing automated decisions (Art. 22 GDPR) with sanctioning or dismissal impact. | 2 | 3 | 6 – High | Mitigated |
| R4. Biometric data processing | Capture and processing of fingerprint/face for clock-in. Special category under Art. 9 GDPR, prohibited save for narrow exceptions. | 1 | 3 | 3 – Medium | Mitigated |
| R5. International transfers | Sharing data with sub-processors outside the EEA (Stripe Inc. USA for payments). Schrems II risk (C-311/18). | 2 | 2 | 4 – Medium | Mitigated |
| R6. Accidental loss or destruction | Hardware failure, human error of the Customer, ransomware or natural disaster at the datacenter. | 1 | 3 | 3 – Medium | Mitigated |
| R7. Inference of sensitive data from working hours | Absence patterns revealing pregnancy, chronic illness, religion or trade-union membership. Not directly collected but inferable from analysis. | 2 | 2 | 4 – Medium | Residual |
| R8. AI use in HR processes | Algorithmic bias in candidate matching, training recommendations or 360 evaluations. Classified as «high-risk» under the AI Act (Annex III §4 «employment»). | 2 | 3 | 6 – High | Residual |
| R9. Excessive retention | Data retained beyond the legally necessary period due to Customer inaction or system default. | 2 | 2 | 4 – Medium | Mitigated |
5. Technical and organisational mitigation measures
5.1. Measures against R1 (excessive surveillance)
- Geolocation is optional and disabled by default. The Customer must activate it explicitly and notify the data subject under Art. 13 GDPR.
- Accuracy limited to ±10 m (no unnecessary sub-metre precision).
- Location captured only at clock-in, no continuous tracking.
- The data subject has the «right to digital disconnection» (Art. 88 Spanish LOPDGDD): outside working hours no feature forces availability.
5.2. Measures against R2 (confidentiality breach)
- TLS 1.3 in transit with HSTS preload.
- Encryption of sensitive fields at rest (Pro+ module via Encryption.setupMasterKey client-side).
- Filesystem-level encryption on servers (LUKS).
- JWT HS256 authentication with 30-minute rotation.
- Mandatory TOTP 2FA for admin/super_admin roles.
- Optional WebAuthn / passkeys for users.
- Rate limiting (120 req/min) + DLP (Data Loss Prevention).
- Immutable audit log with SHA-256 chain (chain_anchors).
- Public bug bounty (security.txt RFC 9116).
- Instant session revocation from admin panel.
- AutoSync detects HTTP 401 → automatic logout within 60 s of revocation.
- Breach notification to the Customer within max 24 h (stricter than the 72 h required between Controller and AEPD).
5.3. Measures against R3 (automated decisions)
- Fraud detection and scoring features never make automated decisions with legal or similarly significant effects on the worker. They only generate warnings for the administrator, who decides personally.
- The data subject may request human review of any automated warning via the auto_decision_reviews module (v2.9.1).
- Transparent information to the data subject on the logic applied (Art. 13.2.f and 14.2.g GDPR).
5.4. Measures against R4 (biometrics)
- Biometric processing takes place entirely on the data subject's device using WebAuthn / TouchID / FaceID. The biometric template never leaves the device.
- The server receives only a cryptographically signed boolean result «verified/not verified».
- Voluntary activation by the data subject in their profile. Revocable at any time.
- Password + 2FA alternative always available (the worker who declines biometrics is not penalised).
5.5. Measures against R5 (international transfers)
- Primary hosting in the EEA (Hetzner Frankfurt, Germany). Secondary backups in the EEA.
- Non-EEA sub-processors: only Stripe Inc. (USA) for payment processing, under EU Standard Contractual Clauses 2021/914.
- Transfer Impact Assessment carried out per Schrems II.
- End-to-end encryption of payment data: Timglas does not store PAN or CVV; uses Stripe tokens.
- 30-day advance notification to the Customer before adding any new sub-processor.
5.6. Measures against R6 (loss or destruction)
- Encrypted daily backups with 30-day retention.
- Geographic replication between two Hetzner datacenters (Frankfurt and Falkenstein).
- Quarterly restoration tests, documented.
- Business Continuity Plan (BCP) with RTO < 4 h and RPO < 1 h.
- Point-in-Time Recovery (PITR) snapshots configured.
5.7. Measures against R7 (sensitive-data inference) — residual
- Access to clock-in records restricted to the direct supervisor + the Customer's HR department (role-based access).
- Pseudonymisation in aggregate productivity reports.
- Mandatory training for Customer staff on the processing of worker data (the «GDPR» course in the LMS module).
- Accepted residual risk: the mere existence of clock-in data enables certain statistical inferences that cannot technically be eliminated without giving up compliance with Art. 34.9 Workers' Statute. Considered proportionate to the legal purpose pursued.
5.8. Measures against R8 (AI in HR) — residual
- Under the AI Act (Regulation (EU) 2024/1689), AI systems applied to «employment, workforce management and access to self-employment» (Annex III §4) are classified as «high-risk».
- Timglas will progressively implement AI Act obligations on the EU's phased timeline (2025–2027):
- Quality management system (AI Act Art. 17).
- Registration of AI systems in the EU database (Art. 49).
- Meaningful human oversight (Art. 14): every AI recommendation is accompanied by the model name, its confidence and a «Why this recommendation?» link with a human-readable explanation.
- Traceability and activity logging (Art. 12).
- Periodic bias and accuracy evaluation (Art. 15).
- By default, AI modules are disabled until the Customer explicitly enables them and signs the DPA AI annex.
- Partially accepted residual risk: until each model's CE certification is completed (expected by 2027), AI modules are offered only as «humanly supervised recommendations» in strict compliance with AI Act Art. 14.
5.9. Measures against R9 (excessive retention)
- Automated cron jobs (php/jobs/job_cleanup_*.php) purge data at the legal expiry.
- Progressive anonymisation: after 6 months, audit logs replace username/ip with *** while keeping the action and timestamp.
- Self-service deletion: the data subject can request erasure from their profile (Art. 17 «right to be forgotten»), subject to legal retention obligations.
- Signed erasure certificate issued to the Customer at service termination (DPA clause 11).
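As an added illustration that is not part of the Timglas code base (the real cleanup jobs are PHP, php/jobs/job_cleanup_*.php), the following shows how the SHA-256 chained audit log of 5.2 and the six-month username/ip anonymisation of 5.9 can coexist. It assumes that the chain hash commits only to timestamp, action and the previous hash, so that masking username/ip later leaves the chain verifiable; that design choice, the 182-day cut-off and the sample entries are assumptions made for the example, not documented on this page.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Assumption: "6 months" is implemented as 182 days; the page does not fix the exact figure.
ANONYMISE_AFTER = timedelta(days=182)
GENESIS = "0" * 64
MASK = "***"

def entry_hash(prev_hash: str, entry: dict) -> str:
    """SHA-256 over the fields that survive anonymisation (assumption: ts, action, prev only)."""
    payload = json.dumps({"ts": entry["ts"], "action": entry["action"], "prev": prev_hash}, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()

def append_entry(log: list, ts: str, username: str, ip: str, action: str) -> dict:
    """Append an entry whose hash links to the previous entry (genesis hash for the first one)."""
    prev = log[-1]["hash"] if log else GENESIS
    entry = {"ts": ts, "username": username, "ip": ip, "action": action, "prev": prev}
    entry["hash"] = entry_hash(prev, entry)
    log.append(entry)
    return entry

def verify_chain(log: list) -> bool:
    """Recompute every link; an edited action/timestamp or a reordered entry breaks the chain."""
    prev = GENESIS
    for entry in log:
        if entry["prev"] != prev or entry_hash(prev, entry) != entry["hash"]:
            return False
        prev = entry["hash"]
    return True

def anonymise_old_entries(log: list, now: datetime) -> int:
    """Replace username/ip with *** on entries older than the cut-off; keep action and timestamp."""
    cutoff = now - ANONYMISE_AFTER
    changed = 0
    for entry in log:
        if datetime.fromisoformat(entry["ts"]) < cutoff and entry["username"] != MASK:
            entry["username"], entry["ip"] = MASK, MASK
            changed += 1
    return changed

def demo() -> tuple:
    """Constructed sample: one entry older than 6 months, one recent, assessed on 23 May 2026."""
    log = []
    append_entry(log, "2025-09-01T08:00:00+00:00", "alice", "203.0.113.7", "clock_in")
    append_entry(log, "2026-05-20T08:02:00+00:00", "bob", "198.51.100.9", "clock_in")
    changed = anonymise_old_entries(log, datetime(2026, 5, 23, tzinfo=timezone.utc))
    return changed, verify_chain(log), log
```

If a deployment's chain hash does cover username and ip, the anonymisation job would have to re-hash and re-anchor every affected entry, which weakens the immutability guarantee; keeping identity fields out of the hash, or hashing a salted commitment to them, avoids that trade-off.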
6. Final assessment and decision
After applying the above measures, residual risks are at acceptable levels under the proportionality criterion of Art. 35.7.d GDPR. Prior consultation with the Supervisory Authority is not required (Art. 36 GDPR), as the processing does not entail an unmitigated high risk.
Residual risks R7 (inference) and R8 (HR AI) remain under semi-annual observation, with a commitment to re-evaluation upon enactment of new AI Act technical standards or updated AEPD criteria on processing derived from Art. 34.9 Workers' Statute.
7. Review and monitoring plan
- Annual review: mandatory, target date 23 May 2027.
- Ad-hoc review: upon (i) changes in processing scope, (ii) new sub-processors, (iii) significant security incidents, (iv) entry into force of new material regulation (AI Act, NIS2, Data Act, AEPD/CJEU case law), (v) introduction of AI in new modules.
- Monitoring KPIs:
- Number of breaches notified in the past 12 months.
- Average response time to data-subject rights requests.
- Number of audits passed (internal + external).
- Compliance rate with automated erasure deadlines.
- Number of human reviews requested on automated warnings.
- Responsible for monitoring: the DPO or, where absent, the designated security officer of the Processor's organisation.
- Review log: each review is electronically signed and retained for the processing lifecycle + 5 years.
8. Documentary acceptance
This DPIA is published for the information of the Data Controller (the Customer) and the data subjects (the workers). Any affected person may request a copy, clarifications or initiate the protection procedure before the AEPD if they believe their rights are not adequately guaranteed, through the form available at https://sedeagpd.gob.es.
To request a bilaterally signable version or clarifications on the content, contact legal@timetrack.app.