GDPR & AI Governance
Employee data handling and GDPR for Irish employers

This article is for general informational purposes and does not constitute legal advice. Employers with specific concerns should consult a qualified data protection professional or the Data Protection Commission (DPC).

Personal data in an HR context covers far more than most employers initially assume — not just names and PPS numbers, but performance reviews, disciplinary records, absence patterns, training records, CCTV footage, and even a work email address, which the DPC has confirmed can itself constitute personal data. Handling all of this correctly means navigating two sets of rules that sit side by side rather than one replacing the other: GDPR, and a patchwork of older Irish employment statutes that set their own specific retention periods.

Did GDPR Shorten How Long Employers Can Keep Records?

No — and this is one of the more common misunderstandings. The WRC has stated directly that the statutory obligations requiring employers to keep certain employment records, and the specific retention periods those statutes set, remain fully in force and are unaffected by GDPR. GDPR's storage limitation principle — don't keep data longer than necessary — operates alongside these older obligations, not instead of them. If a specific Irish statute requires a record to be kept for three years, GDPR doesn't override that; it just means you shouldn't keep it for ten years if three is what the law actually requires.

What Are the Actual Retention Periods?

Irish employment law sets a number of specific periods, and they don't all match:

The common thread: a record's retention period should be tied to a specific legal reason for keeping it — a named statute, or the realistic window during which a claim could still be brought — not a single blanket policy applied to everything in the HR file.

Why Is Consent Usually the Wrong Legal Basis?

Many employers default to asking employees to sign a consent form when introducing new HR processing — a new system, new monitoring software, a staff survey. The DPC has been clear that this is generally the wrong legal basis to rely on. Consent under GDPR must be "freely given," and the DPC's view is that consent in the workplace rarely meets that bar, precisely because of the same power imbalance that makes employees a vulnerable category of data subject in DPIA terms. An employee who feels they can't really say no isn't giving free consent, whatever they signed.

In practice, employers should usually be relying on one of: performance of the employment contract (paying wages, for example), compliance with a legal obligation, or legitimate interests — with a genuine balancing exercise carried out and documented, weighing the business reason against the employee's privacy.

What Counts as a Real-World Mistake Here?

DPC case studies are a useful guide to where employers actually go wrong. In one case, an employer used car park and building access data to verify employee time and attendance — reasonable enough on its face, but the DPC found this incompatible processing, because employees hadn't been told their access data would be used that way. The employer was told to consider an alternative way to verify attendance and to update its retention policy and staff training to reflect the actual use of that data. The lesson generalises well beyond car parks: data collected for one stated purpose (security, in that case) being quietly repurposed for another (attendance monitoring) is one of the most common ways employers run into trouble, even with good intentions.

What Should an Employer Actually Have in Place?

Further Reading

Share this: Twitter LinkedIn