Data protection

01 December 2014

Updated December 2014

Gives introductory guidance on how data protection impacts on Irish employment law. Covers the law, general principles, retention of documents, rights of employees, outsourcing of data processing, transfer of data outside of the EEA, employment references, new provisions of the Data Protection Acts, the Data Protection Commissioner's guidance notes and the draft EU Data Protection Regulation.

The Data Protection Acts 1988 and 2003 (the Acts) govern how data protection impacts on Irish employment law.

General principles

Data protection law controls how personal data is processed. Personal data is any data relating to a living individual held either electronically or in paper files. The general principle is that the consent of the person concerned is required for the processing of their personal data. Explicit consent is required before sensitive personal data can be processed, unless certain exceptions set out in the Acts apply. 

Sensitive personal data includes data relating to trade union membership, ethnic origin, health, political or religious beliefs, criminal convictions or the alleged commission of any offence. 

Processing may include obtaining, recording, collecting, storing, altering or adapting data, retrieving data, consulting data, using data, disclosing data, or blocking, erasing or destroying data.

The processing of non-sensitive personal data is justified without consent having been obtained if the Data Protection Principles are complied with and one of the non-sensitive personal data legitimate processing conditions is satisfied. These include:

  • The processing is necessary to carry out a contract with a customer, employee, etc.
  • The processing is necessary to engage in pre-contract activities with a customer, employee, etc.
  • The processing is carried out in order to comply with a legal obligation.
  • The processing is necessary to prevent injury or damage to an individual or property.
  • The processing is necessary for your legitimate business needs and there is no prejudice to the rights of the individual.

In the case of sensitive personal data, the processing must further satisfy one of the sensitive personal data legitimate processing conditions. Employees must be made fully aware of the use to which their personal information will be put and the persons to whom their data will be disclosed.

While the legislation does not set out the specific periods for which categories of documents containing personal data should be retained by employers, it does impose obligations on employers to keep data for no longer than is ‘necessary’ for the purpose for which it is obtained. While it may not be necessary to hold on to all personal data after it has become irrelevant or obsolete, it should be retained if there is a chance that it could form part of the subject matter of a claim.

Employees have a right to:

  • be informed of the data being kept
  • access their personal information
  • block and erase data
  • prevent data being used for the purposes of direct marketing
  • prevent the processing of that data where it might cause damage or distress

With regard to consent, it must be clear, unambiguous, freely given and specific. It can also be withdrawn at any time. Employers, therefore, need to exercise caution and not rely on consent as a 'first port of call'.

Businesses often outsource certain functions such as payroll processing. Also, an employer may engage a private investigator to collect personal information about an employee where, for example, they are suspected of double jobbing.

In such situations, the private investigator and the payroll processor are 'data processors'. The employer remains the data controller and retains responsibility for the personal information or for ensuring appropriate security measures are in place. The employer should ensure that it has a written contract with the data processor which should set out the measures taken to protect the personal information.

Many businesses send personal data overseas. The transfer of personal data to other EU countries or within the EEA is generally not problematic. Special rules, however, apply to the transfer of data outside the EEA, for example, to the US. An employer can only transfer personal data outside the EEA in the following circumstances:

  • The destination country has been approved by the EU for transfer.
  • The transfer is allowed by an exemption under the Acts.
  • The individual has consented to the transfer.
  • The company importing the information enters into a contract in a form prescribed by the EU.
  • The specific transfer is approved by the Data Protection Commissioner. 

The Acts provide that personal data containing expressions of opinion may be given to the person concerned without the permission of the person who expressed that opinion. In the case of a job reference, the person who expressed the opinion would be the referee. This does not, however, include opinions ‘given in confidence or on the understanding that they would be treated as confidential’.

The Data Protection Commissioner has taken the view that simply placing the word ‘confidential’ at the top of a reference will not automatically render the reference confidential. The Commissioner will look at the reference and its context and will need to be satisfied that the reference would not have been given but for this understanding of confidentiality which was a mutual understanding between the parties.

Supervisors and managers of an employee about whom a reference is being given will not normally be able to rely on the confidentiality provision, as it is an expected part of their role to give opinions on staff which they should be capable of standing over. On the other hand, a colleague who reports to a supervisor in confidence a matter relating to an individual could expect to be protected by the confidentiality provision.

The assumption is that most employment references are to be disclosed under the Data Protection Acts. This is subject to the proviso that disclosure can be refused if it can be shown that the reference would not have been given but for the understanding that it was to remain confidential and that the understanding was mutual between the parties.

The remaining provisions of the Acts, including sections 4(13), 6(2)(b) and 10(7)(b), were commenced on 18 July 2014 by Statutory Instruments 337 and 338 of 2014.

Data Protection Act 1988 (Commencement) Order 2014 (SI 337 of 2014)

This Regulation commences sections 6(2)(b) and 10(7)(b) of the Acts. These provisions provide data controllers with an obligation to notify third parties when personal data has been rectified or erased.

Section 6 already provides that a data controller must notify a data subject when the controller rectifies, blocks or erases personal data that are collected, processed or otherwise dealt with in contravention of the Data Protection Acts. Section 6(2)(b) now requires the data controller to also notify any person to whom personal data were disclosed during the preceding 12 months, unless such notification proves impossible or involves disproportionate effort.

Section 10 already provides that a data controller must notify the data subject where the controller rectifies, blocks, erases, destroys, or adds a statement to personal data, in compliance with an enforcement notice issued by the Data Protection Commissioner. Section 10(7)(b) now requires the data controller to also notify any person to whom the personal data were disclosed during the preceding 12 months, unless such notification proves impossible or involves a disproportionate effort.

Data Protection (Amendment) Act 2003 (Commencement) Order 2014 (SI 338 of 2014)

This Regulation commences section 4(13) of the Acts, concerning enforced subject access. It makes it a criminal offence for an employer to attempt to require an employee, prospective employee, or independent contractor, to make an access request or to reveal the result of such an access request.

Employers should review their recruitment policies and procedures so as to ensure that their application and screening process does not provide for any enforced data access requests.

The Data Protection Commissioner has prepared guidance notes in relation to:

  • Access requests and HR
  • Staff monitoring
  • Considerations when vetting prospective employees
  • Biometrics in the workplace
  • Whistleblowing
  • Transfer of ownership of a business

On 12 March 2014, the European Parliament voted in favour of the revised draft EU Data Protection Regulation. To become law the proposed Regulation must be adopted by the EU Council using the 'ordinary legislative procedure'.


The proposed Regulation was originally presented by the European Commission on 25 January 2012. It has been the subject of voracious debate both in Brussels and across the EU, and has been subject to much redrafting.

Key changes

  • A single, pan-European law for data protection. The Regulation will replace the 1995 Data Protection Directive (95/46/EC) which has been inconsistently implemented in the 28 Member States of the EU. This means companies will deal with one law, rather than 28.
  • A 'one-stop-shop' for businesses and individuals. Companies and individuals will only have to deal with one supervisory authority, not 28. This should make it easier and cheaper for companies to do business in the EU.
  • Creation of a level playing field between non-European and European businesses. Non-European companies, when offering services to Europeans, will have to apply European rules, and adhere to the same levels of protection of personal data.
  • Stronger enforcement powers. Companies who do not comply with the EU rules will be liable to fines of up to €100 million or up to 5% of annual worldwide turnover, whichever is greater.
  • The right to be forgotten. Individuals may request their data to be deleted when there are no legitimate grounds for it to be retained.
  • The right to data portability. This right will make it easier for individuals to transfer their personal data between service providers.
  • Explicit consent. Consent to process data must be explicitly given. It cannot be assumed.
  • Data breach notification. There will be a mandatory obligation for businesses across all sectors of the economy to inform the supervisory authority and any individuals adversely affected, without undue delay, of any data breaches.
  • Reduction in costs and red tape for SMEs. In a number of cases, the obligations of data controllers and data processors are calibrated according to the size of the business. For example, SMEs will be exempt from the obligation to appoint a data protection officer insofar as data processing is not their core activity, nor will they be fined for a first and non-intentional breach of the rules.

Next steps

The European Parliament now stands ready to negotiate the final text of the Regulation with the EU Council as soon as the Council defines its position.

This factsheet was written by A&L Goodbody, Solicitors, IFSC, North Wall Quay, Dublin 1.

© A&L Goodbody Solicitors. The material is not intended to provide, and does not constitute, legal or any other advice on any particular matter, and is provided for general information purposes only.