Can the employer require the employee to use his or her personal mobile phone to record attendance?

Articles | 26 February 2026
Recent pronouncement by the Directorate of Labour and analysis under the new Personal Data Protection Act.

On 29 January 2026, the Labour Directorate issued a new pronouncement on this matter, specifying the applicable criteria in accordance with the administrative regulations in force, contained in the Exempt Resolution of 26 April 2024.


Below, we review the main aspects to be considered by employers and workers.


Telework vs. face-to-face work: is there a difference?

In the case of teleworking or remote work, there is an express rule that obliges the employer to provide the tools, equipment and materials necessary for the provision of services.


In other forms of face-to-face or hybrid work, the use of a personal mobile phone is legally possible, but under strict conditions:

  • There must be express consent of the worker, recorded in the employment contract or in an annex.
  • The employer must assume all costs derived from the use of the device, including data plan, technical support, applications, licenses and insurance, among others.

When is the use of a personal mobile phone in the workplace valid?

In order for the system to be considered lawful, certain requirements must be met:

  • Express written consent of the employee. In other words, it cannot be imposed unilaterally by the employer. The parties must
  • Assumption of all costs by the employer (data plan, applications, support, licences, etc.).
  • Prior agreement on the clock-in methods (password, fingerprint, photograph, QR, etc.).
  • Strict limitation of the application's permissions to those necessary to record attendance and working hours.

It is not considered lawful for the application to require access to:

  • photographic material,
  • email,
  • social networks,
  • or other private information of the employee.

What happens if the employee refuses?

The employee's refusal to use his or her personal mobile phone to clock in does not constitute a breach of employment.


There are no disciplinary sanctions for such refusal.


The burden of implementing a valid attendance monitoring system always falls on the employer, who must offer an alternative means that complies with the regulations in force.


Protection of personal data: applicable standards

Law No. 19.628 on the Protection of Privacy establishes key standards for the processing of personal data, which have been reinforced by the amendments introduced by Law No. 21.719.


The applicable principles include:

  • Valid consent: It must be informed and given in writing. Furthermore, according to the new regulation, consent must be free, prior, specific, informed and unambiguous.
  • Principle of purpose: Personal data may only be processed for the purposes informed at the time of collection. The employer cannot access photographs, e-mails, social networks or other private information unrelated to time and attendance.
  • Workers' rights: Workers retain control over their personal data and can exercise rights of information, rectification, blocking and erasure, including within the employment relationship.
  • Proportionality and minimisation: If there is a less invasive means of time and attendance monitoring, it should be preferred. Also, no more data may be collected than is strictly necessary for the purpose pursued. For example, permanent geolocation would be disproportionate if the aim is only to record attendance.

Comparative approach: European standards

From a European perspective, the use of an employee's personal telephone for work purposes is analysed under the General Data Protection Regulation (GDPR) and complementary employment legislation.

In this context, the use of the personal telephone is not normally considered necessary for the performance of the employment contract and is therefore not automatically legitimised.


Moreover, in the employment context, consent is particularly problematic due to the subordination that exists. If there is pressure or consequences for refusal, consent may be considered invalid.


The Spanish Data Protection Agency (AEPD) has sanctioned companies for using personal telephones without a valid legal basis or even after the termination of the employment relationship, with fines of up to 80,000 euros. European doctrine reinforces that the employee is not obliged to provide his or her own technological means.


Practical obligations for the company, considering the new obligations of Law No. 21.719, which amends Law No. 19.628.

In order to implement a system for clocking in with a personal mobile phone in accordance with the new Law on Personal Data Protection, the company must:

  • Have valid consent from workers.
  • Ensure that the application only accesses the necessary data.
  • Clearly and expressly inform about the purpose of the processing and its scope.
  • Formalise the processing through contracts, RIOHS and applicable internal policies.
  • Incorporate the processing in the Register of Processing Activities.
  • Assess and document the proportionality of the system.
  • Implement an effective data deletion procedure within 90-120 days after termination of employment.
  • Formalise a processor contract with the system provider.
  • Analyse and prioritise less invasive alternatives when available.
  • Refrain from transferring data to third parties outside the context of time and attendance, with the exception of the service provider.
  • The employee has the right to have personal data deleted at any time, as long as it is not background information required by other regulations. The employer is obliged to destroy the data between 90 and 120 days after the end of the employment relationship.

Risks of non-compliance

Failure to comply with these requirements may result in significant contingencies for the company:


From an employment point of view:

  • Protection action for violation of fundamental guarantees.

From a data protection perspective:

  • Sanctions from the future Data Protection Agency, with fines of up to 10,000 UTM.
  • Actions for violation of rights.
  • Inclusion in the National Register of Sanctions and Compliance.
  • Reputational damage.

Finally, the use of personal mobile phones to record attendance is not a prohibited practice in absolute terms, but it is not free from requirements either.


Labour and data protection regulations impose clear conditions: valid consent, strict limitation of processing, proportionality and active liability of the employer.


In this scenario, it is advisable for companies to review their attendance control systems, evaluate less invasive alternatives and ensure full compliance with current regulations, in order to avoid labour contingencies, administrative sanctions and reputational risks.
