Here you will find introductory guidance on how data protection impacts on Irish employment law. It covers the law, general principles, retention of documents, rights of employees, outsourcing of data processing, transfer of data outside of the EEA, employment references, commencement of the remaining provisions of the Data Protection Acts, the Data Protection Commissioner's guidance notes, the General Data Protection Regulation (GDPR) and the Data Protection Bill 2017.

The Data Protection Acts 1988 and 2003 (the Acts) govern how data protection impacts on Irish employment law.

General principles

Data protection law controls how personal data is processed. Personal data is any data relating to a living individual held either electronically or in paper files. The general principle is that the consent of the person concerned is required for the processing of their personal data. Explicit consent is required before sensitive personal data can be processed, unless certain exceptions set out in the Acts apply.

Sensitive personal data includes data relating to trade union membership, ethnic origin, health, political or religious beliefs, criminal convictions or the alleged commission of any offence.

Processing may include obtaining, recording, collecting, storing, altering or adapting data, retrieving data, consulting data, using data, disclosing data, or blocking, erasing or destroying data.

The processing of non-sensitive personal data is justified without consent having been obtained if the Data Protection Principles are complied with and one of the non-sensitive personal data legitimate processing conditions is satisfied. These include:

  • The processing is necessary to carry out a contract with a customer, employee, etc.
  • The processing is necessary to engage in pre-contract activities with a customer, employee, etc.
  • The processing is carried out in order to comply with a legal obligation.
  • The processing is necessary to prevent injury or damage to an individual or property.
  • The processing is necessary for your legitimate business needs and there is no prejudice to the rights of the individual.

In the case of sensitive personal data, the processing must further satisfy one of the sensitive personal data legitimate processing conditions. Employees must be made fully aware of the use to which their personal information will be put and the persons to whom their data will be disclosed.

Explore our related content


Are you getting ready for the GDPR?

The General Data Protection Regulation (GDPR) significantly changes data protection law in Europe, strengthening the rights of individuals and increasing the obligations on organisations. Are you getting ready? Do you understand the implications for your organisation’s people data?

Read more

Bring your own device (BYOD)

Gives introductory guidance on the legal implications of bring your own device (BYOD), where employees use their own mobile devices for work, for employers

Read more