Skip to content
Time and attendance management: clocking and reporting — KYTOM
Team Works

Time and attendance management: clocking and reporting

Labour Code and CNIL: an enforceable framework over 5 years maximum

Biometrics have no place in an office time and attendance system: the CNIL restricts them to critical zones (decision 2019-001), and an RFID badge covers 95% of clocking needs with a GDPR risk divided by ten. How can you make clocking reliable for 80 employees without complicating payroll or triggering a CNIL audit? Three benchmarks structure the answer: automated counting significantly reduces payroll discrepancies compared with manual declarative entry, the retention of clocking data is capped at 5 years (CNIL, Reference framework on personnel management processing, decision 2019-160), and commissioning is completed in 12 weeks with acceptance testing over 2 payroll cycles. Kytom deploys these architectures on floors of 50 to 500 employees, pooling the physical badge with access control, staff catering and parking when the IT architecture allows it.

Time and attendance management: clocking and reporting
02

Time and attendance management addresses three converging challenges for the IT department: enforceable legal compliance, payroll reliability, auditable traceability. The Labour Code sets a weekly threshold of 35 hours (article L3121-27) and a minimum daily rest of 11 consecutive hours (article L3131-1), with an obligation to count effective working time (article L3171-2). Our experience shows that the majority of payroll disputes originate in an approximate manual counting of overtime or absences. An automated time and attendance system brings this error rate below 2%.

On the GDPR side, the CNIL imposes a strict framework (CNIL, Personnel management reference framework, decision 2019-160):

  • explicit purpose documented in the processing register
  • maximum retention period of 5 years for clocking data
  • prior information of employees via the internal regulations
  • mandatory consultation of the Social and Economic Committee (CSE) under article L2312-8 (minimum 1-month period)
  • mandatory DPIA for any biometric system (GDPR article 9 on sensitive data)

For a head office hosting 80 employees, Kytom sizes a median of 2 physical time clocks in the reception area and 1 mobile module for travelling staff. Connection to the HRIS is carried out via REST API or daily SFTP flow, on a dedicated VLAN.

Time and attendance management: clocking and reporting
03

A 4-phase architecture, commissioning over 12 weeks

Kytom structures each time and attendance project according to a proven four-phase sequence:

  1. Regulatory audit and population mapping (2 weeks): day-rate package for autonomous executives, annualised 35-hour schemes, part-timers, work-study trainees, external service providers.
  2. Choice of architecture (2 weeks): standalone IP time clocks for sites with fewer than 100 employees, centralised time and attendance server for multi-site groups.
  3. Payroll and HRIS integration (4 weeks): native connectors to the leading payroll solutions on the market, with monthly export of variable elements.
  4. Parallel acceptance testing (4 weeks) over 2 complete payroll cycles, with a contractually guaranteed match rate above 99.5%.

The infrastructure relies on TCP/IP with a dedicated VLAN, 7-day local backup in case of network outage, and NTP synchronisation for enforceable legal timestamping. The configuration generally covers around twenty absence reasons and several variable schedule ranges depending on the organisation. On sites coupled with access control, the physical badge is pooled: a single medium manages door opening, time clocking and staff catering, with a single database on the IT side.

For the IT department: a time and attendance project is first and foremost an IT integration project, not an HR project. Contrary to the widespread practice of placing HR as the lead, our reading differs: projects led by the IT department with an HR sponsor keep to deadlines better than those led by HR alone. The reason is technical: the quality of the AD/HRIS repository, the robustness of the API connectors and the security of the VLAN determine most of the success. IT leadership also smooths the CSE consultation, by appointing a single technical contact to answer surveillance questions.

When the sequence does not apply. Below 25 employees on a single-location site, the ROI of a time and attendance server is not reached before several years: a declarative record tooled via the HRIS is sufficient. Likewise, for a population mostly on a day-rate executive package, investing in time clocks is hard to justify, with monthly self-declaration remaining the reference practice.

Time and attendance management: clocking and reporting
04

Measured gains: HR productivity and immediate URSSAF extraction

Deploying a time and attendance system generates four concrete benefits on office sites.

HR productivity: payroll preparation, previously requiring several days per month, is reduced to a few hours thanks to the automation of entries, freeing up time for HR development. Financial reliability: reducing clocking discrepancies significantly limits the risks of over- or under-declaration of payroll, particularly for workforces with a high proportion of executives on day-rate packages. Operational management: real-time dashboards on attendance rates, cumulative overtime and leave balances allow the CFO to anticipate activity peaks several weeks ahead. Documentary compliance: extracting the 5-year history takes a few minutes during a URSSAF audit or a Labour Inspectorate visit.

For the IT department: time and attendance is the only IT system where a URSSAF audit can occur without notice. The ability to produce in real time an enforceable clocking log over 5 years is not a marketing nicety, it is a contractual prerequisite of auditability: a time and attendance system unable to do so exposes the employer to a flat-rate URSSAF reassessment. This translates into three technical requirements: indexing of logs by employee number and date, immutable WORM-type backup, documented restoration plan.

When these gains do not materialise. On sites with high turnover, such as call centres, clocking anomalies linked to arrivals and departures absorb a substantial part of the theoretical HR gain: plan for a dedicated HR resource over the first few months. Likewise, without prior cleaning of the HRIS repository, the announced savings erode considerably.

05

Frequently asked questions

What is the retention period for time and attendance clocking data?

5 years maximum after the employee’s departure, in accordance with the CNIL Personnel management reference framework (decision 2019-160). Beyond that, intermediate archiving only in the event of open litigation. Any retention beyond 5 years without litigation justification exposes you to a CNIL sanction.

Are biometrics authorised for clocking in companies?

No, not in standard office environments. The CNIL restricts biometrics to high-risk areas under Deliberation 2019-001, such as sensitive laboratories, trading floors or data centres. An RFID badge covers 95% of clocking needs with a significantly lower GDPR risk. Any biometric system requires a DPIA under Article 9 of the GDPR on sensitive data.

05 — Inspirations

Browse our
projects

Explore Explore

Planning a fit-out project?

Get a complimentary audit of your spaces: an expert eye, concrete recommendations, no commitment.

Request my free audit