Staff register
GDPR and the staff register on construction sites
On construction sites, it is a legal requirement to maintain an electronic staff register — an obligation stemming from the Swedish Tax Procedure Act. Employers must document who is active on the site, including entry and exit times, and be able to present this to the Swedish Tax Agency (Skatteverket) upon request.
The statutory obligation is to keep an electronic staff register, not to use an ID06 card. Despite this, the ID06 system and identity card have become the industry standard. A majority of companies use it to meet this requirement — and more. ID06 AB provides a complete system with several services: ordering, issuance, activation, administration and use of ID06 cards, plus functions such as ID06 Status Control, ID06 Competence Database, ID06 Company Declaration and ID06 Stamp.
Many perceive the ID06 card as merely an identity card for building sites. Behind the card lies a system that simplifies compliance with legal requirements — whilst raising GDPR questions. Although the ID06 system facilitates a digital staff register, the company that deploys employees or subcontractors remains responsible for the processing of personal data. It is crucial to determine who is the controller and what that entails from a data protection perspective, including where an on-site staff attendance register is operated.
Roles for the staff register and GDPR in the ID06 ecosystem
Under the ID06 agreements, the connected company is the controller for the staff register — regardless of whether its role is client, main contractor or subcontractor. Records in the staff register are available via ID06 Stamp and may be provided to the Swedish Tax Agency upon request. The company must ensure that all processors (including ID06 AB where applicable and its partners) are bound by valid data processing agreements and that processing is secure and correct.
This means the company must have oversight and understand how personal data are processed in the staff register in accordance with GDPR, which actors are involved and their legal roles. Mistakes can have consequences — both fines and loss of trust. A simplified allocation of roles (the company must always assess roles for its own processing) is:
- ID06 AB is the controller for the identity card.
- ID06 AB is the processor for ID06 Stamp (the staff register).
- Your company is the controller for the staff register (held in the ID06 Stamp service).
- Partners (for example, Infobric with the Ease system) are your processors.
- The company must know which systems are used and have the right agreements in place.
Roles and responsibilities
Who is the controller — and who is the processor?
This description follows the agreements available on ID06’s website in mid-2025; as noted, the company performing the processing must always assess processing roles for itself. For ID06 Stamp — the service where the data constituting the staff register are handled — the connected company is the controller. ID06 AB is the processor, under the general terms for connecting to the system.
The data that end up in the staff register originate from ID06’s partners — i.e., the technical system providers supplying, for example, access control. These partners are processors to the connected company. Accordingly, each company must have a data processing agreement not only with ID06 AB but also with each partner that supplies data into ID06.
For the ID06 card itself, ID06 AB is the controller. ID06 AB determines the purposes and means of processing in connection with, for example, ordering and administering cards. The company ordering cards for its staff is not the controller for that processing — though it must, for example, ensure there is a lawful basis to order an ID06 card.
Support with assessing your staff register under GDPR
Role allocation in processing relating to a staff register can be complex, particularly as several actors are involved at different stages. Our GDPR lawyers can map processing roles and processing purposes, and ensure that your Article 30 register (records of processing activities) is correct and complete. We serve clients across Europe.
FAQ — staff register and GDPR
GDPR sets requirements for how personal data are processed, including in a staff register. Companies must:
- Ensure there is a lawful basis for the processing.
- Have data processing agreements with all actors processing data under the company’s controllership.
- Fulfil responsibilities as controller.
- Document the processing in an Article 30 register.
The connected company — i.e., the client, main contractor or subcontractor using the system — is the controller for the data in the staff register (stored in the Stamp service). ID06 AB is only the processor for this processing.
You need data processing agreements with:
- ID06 AB (for ID06 Stamp).
- All partners and system providers that process personal data under your controllership, for example Infobric and its Ease system.
- Any other IT or service providers that have access to the data.
- ID06 AB is the controller for the card and the processing around ordering, issuance and administration.
- The company using the card is responsible for processing of data in the staff register, for example access events recorded via ID06 Stamp.
- Supervision by the Data Protection Agency.
- Administrative fines.
- Damaged trust from staff and partners.
We offer:
- Review of your data processing agreements.
- Mapping of processing roles and responsibilities.
- Preparation or review of your Article 30 register.
- Legal advice when implementing or reviewing systems used to maintain an on-site staff attendance register.
Yes. Under GDPR, each individual has the right to be informed about how their personal data are processed. You must clearly explain the purpose of the staff register, which data are collected, how long they are retained and who will have access. Information should be easily available, for example via your intranet or your privacy notice.
No. Consent is not an appropriate lawful basis here. Processing is based on a legal obligation under the Swedish Tax Procedure Act and would therefore not be voluntary — a prerequisite for valid consent.
Personal data must not be kept longer than necessary. Under Chapter 8, Section 5, third paragraph of the Swedish Tax Procedure Ordinance (2011:1261), the data in the staff register must be kept for two years after the end of the calendar year in which the tax year ended. Thereafter the data must be deleted or anonymised.
A compliant agreement should include, among other things:
- The purpose(s) of the processing.
- The types of personal data processed.
- Clear role allocation.
- Rules for security, incident reporting and sub-processors.
- Conditions for return or deletion of data at termination.
Using an on-site staff attendance register entails ongoing, often real-time, processing of personal data. Risks include:
- Insufficient access control, allowing unauthorised viewing of entry/exit data.
- Unclear allocation of responsibilities between providers and contractors.
- Inadequate logging and traceability during incidents.
- Retention beyond necessity, breaching the storage limitation principle.
Identifying and addressing these risks is essential to meet GDPR requirements. A structured review of systems, agreements and routines reduces the risk of breaches and sanctions.
Examples of legal advisory work on digital staff registers and GDPR:
- Review of data processing agreements with ID06 AB and system providers.
- Support in drafting correct and lawful information for employees and subcontractors.
- Support in preparing the Article 30 register (records of processing activities).
- Legal analysis of role allocation and responsibilities between construction actors.
- Risk assessment for processing in electronic staff registers and other ID06-based systems.
Contact
If you prefer to phone, please feel free to contact Felix Morling at +46 70 444 42 85.