/ Working Hours and Attendance: New Requirements and Authorization for Platforms

Jaime Urzúa W.
Associate

With the implementation of Law 21,561, which amends the Labor Code to reduce working hours, the Labor Directorate (DT) issued Exempt Resolution No. 38. This resolution establishes mandatory requirements and a procedure for authorizing electronic systems used for recording and controlling attendance and determining working hours. The resolution governs the protection of information contained within these platforms, especially personal data, used to monitor employees’ attendance and working hours.

Among other technical requirements that these platforms must meet, the DT has established new obligations related to:

1. Worker enrollment or authentication;
2. Security of system entries or records;
3. Data communication between the platform and databases;
4. Security and availability of the solutions;
5. Enabling an oversight portal to facilitate the DT’s work;
6. Access control; and
7. Databases supporting the platform’s information.

The resolution also outlines several legal considerations that must be observed, particularly regarding the protection of workers’ personal data. The DT mandates that when systems require personal or sensitive data from workers for enrollment or records, certain rules must be followed:

• Consent: For processing personal data not covered by Article 10 of the Labor Code or other regulations (e.g., fingerprint and personal phone number), the worker must give prior written consent in the employment contract or its annexes.
• Purpose of Processing: The document containing the worker’s consent must explicitly state the purpose of the data processing and prohibit the employer from transferring the information to third parties outside the employment relationship, except for the service provider (who is also prohibited from transferring the data for any purpose unrelated to attendance and working hours control).
• Data Deletion: Workers may request the deletion of their personal information at any time during the employment relationship, unless the information is required by law.
• Data Destruction: Upon termination of the employment relationship for any reason, personal data collected by the system must be destroyed according to rules specified in the resolution.

For the last two points, the DT clarifies that the obligation to delete/destroy personal data applies only to data not covered by Article 10 of the Labor Code or other regulations.

The resolution also mandates the following:

• Electronic Record Keeping: Information provided by the systems must be maintained in electronic format and be available for review for up to five years from the data generation date.
• Employer Responsibility: Employers must respond to non-compliance, and a non-exhaustive list of violations includes failure to comply with rules on the collection, processing, and/or destruction of workers’ personal data.

Service Provider Responsibility: Service providers (those offering the platforms to employers) are also responsible for a separate list of violations (also non-exhaustive), including the same cause related to the collection, processing, and/or destruction of workers’ personal data.