Data protection

i General principles

Issues regarding the keeping and disclosing of personal data relating to employees are governed by the GDPR and the Data Protection Act 2018. Under the GDPR, an employer established in Ireland that gathers, stores and processes any data about employees in any computerised or structured manual filing system is deemed to be a controller of that data.

Controllers must follow eight fundamental data protection rules:

  1. obtain and process information lawfully, fairly and in a transparent manner;
  2. only keep the information for one or more specified, explicit and legitimate purposes;
  3. process the information only in ways compatible with these purposes;
  4. ensure the information is processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing, and against accidental loss, destruction or damage, using appropriate technical and organisational measures;
  5. keep the information accurate, complete and up to date;
  6. ensure that the information is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed;
  7. retain the information for no longer than is necessary; and
  8. be responsible for and demonstrate compliance with the above principles.

When collecting personal data from an employee, the controller is required to provide certain information to the employee, including:

  1. the identity and contact details of the controller;
  2. the contact details of the data protection officer (if applicable);
  3. the purposes of the processing and the legal basis for the processing;
  4. the recipients or categories of recipient to whom the personal data will be disclosed;
  5. the safeguards provided by the employer if it transfers personal data to a third country or international organisation;
  6. the period for which personal data will be stored;
  7. the existence of the various data subject rights;
  8. the employee's right to request rectification, erasure or restriction, or to object to such processing;
  9. the right to lodge a complaint with the Data Protection Commission;
  10. the existence of automated decision-making, including profiling (if applicable); and
  11. information about the source of the data, if not obtained directly from the employee.

In practice, some of this information may be provided in the employer's privacy notice.

Employees have a number of rights under the GDPR, including the right (subject to certain exceptions) to obtain a copy of any personal data relating to them that is kept on the employer's computer system or in a structured manual filing system by any person in the organisation.

The GDPR does not prescribe the form of a valid access request, so it may be made verbally or in writing. Employers must respond without undue delay and in any event within one calendar month of receipt; that period may be extended by a further two months where requests are complex or numerous, provided the employee is told of the extension, and the reasons for it, within the first month. The right of access does not apply to the extent that access would adversely affect the rights and freedoms of others (for example, personal data of other employees contained in the same records).

Under the GDPR, all public bodies and authorities (other than courts acting in their judicial capacity) are mandated to have a data protection officer (DPO), as well as any employer whose core activities consist of:

  1. data processing operations that, by virtue of their nature, scope and purposes, require regular and systematic monitoring of employees on a large scale; or
  2. data processing on a large scale of the special categories of data and data relating to criminal convictions.

Where appointment of a DPO is not mandatory but one is appointed by choice, the organisation is subject to the same GDPR provisions as though the appointment were mandatory. A DPO may be a member of staff at an appropriate level, part-time or full-time, an external DPO or one shared by a group of organisations, provided that the DPO has the required expertise and that any other role held in the organisation does not give rise to a conflict of interest with the DPO role.

The contact details of the DPO must be communicated to the Data Protection Commission and published to relevant individuals (including employees and other data subjects).

ii Cross-border data transfers

Ireland, like other EU Member States, restricts the transfer of personal data from Ireland to jurisdictions outside the EEA that do not 'ensure an adequate level of protection', unless the transfer meets one of a number of conditions, including but not limited to:

  1. the transfer is pursuant to the standard contractual clauses that have been specifically adopted by the European Commission for international transfers of data;
  2. the transfer is to an entity that is subject to the US–EU Privacy Shield Program operated by the US Department of Commerce (note that the Privacy Shield was invalidated by the Court of Justice of the EU in the Schrems II judgment of July 2020 and can no longer be relied on; the EU–US Data Privacy Framework adopted in July 2023 is its successor); or
  3. the transfer is pursuant to binding corporate rules put in place within the employer's group and approved by the Data Protection Commission (or another relevant lead supervisory authority).

iii Special categories of personal data

The GDPR defines special categories of personal data as personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, together with genetic data, biometric data processed for the purpose of uniquely identifying an individual, data concerning health, and data concerning a person's sex life or sexual orientation. Special categories of personal data may not be processed by an employer except in very limited circumstances (e.g., where processing of health data is necessary to assess the working capacity of the employee). The processing of data relating to criminal convictions and offences may only be carried out under the control of official authority or where authorised by law with appropriate safeguards, which in Ireland means subject to the conditions set out in the Data Protection Act 2018.

iv Background checks

Employers can carry out a number of background checks on applicants for employment. These can include reference checks, credit-history checks, education verification, verification of entitlement to work in Ireland and pre-employment medical assessment. Before carrying out any background check, the employer should satisfy itself that the resulting data will be relevant to the role in question and that it has an established lawful basis under the GDPR to obtain and process that data. Whatever method the employer uses to verify a prospective employee's background should be applied consistently to all applicants and must not discriminate on any of the nine grounds protected by the Employment Equality Acts (see Section VIII). The ability to process criminal data is greatly restricted by the GDPR and the Data Protection Act 2018. As noted in subsection iii, the processing of data relating to criminal convictions and offences may only be carried out under the control of official authority or where authorised by law, subject to the conditions set out in the Data Protection Act 2018; in practice, an employer should not seek criminal record data unless a statutory scheme permits it for the role, such as Garda vetting for positions involving work with children or vulnerable persons.