A Guide to Data, Privacy and GDPR in the Workplace
GDPR in the Workplace
The General Data Protection Regulation (GDPR) places significant obligations on Irish employers in relation to how they collect, use and protect employee data.
Employer Data Obligations
Irish employers need to have adequate data protection training, policies, procedures and protocols in place to secure employee data rights.
Employee Data Protection Rights
Irish employees have a right to access their work-related data, as well as a right to be informed as to who collects and processes that data, and how.
Employee Data Access Requests
Irish employers must have protocols in place to respond to employee data access requests within 1 month, or 3 months if the request is complex.
Privacy in the Workplace
Employer Monitoring of Employee Emails
The monitoring of employee emails, internet use or phone calls constitutes 'processing' of data. Therefore, employers need to balance their legitimate interests with the right to privacy of their employees.
Workplace Data & Privacy Policy
Irish employers need to have adequate data protection training, policies, procedures and protocols in place that make clear by whom, how and when employee emails, internet use and phone calls will be reviewed or recorded.
Monitoring Employee Data Use
Irish employers must ensure that the monitoring of employee emails, internet use or phone calls goes no further than is necessary under the professional circumstances, and is carried out in the least intrusive manner possible.
Employee Data & Privacy Rights
Irish employees may be entitled to bring a complaint to the Data Protection Commission if they feel their employer has undertaken excessive or disproportionate monitoring of emails, internet use or phone calls.
GDPR in the Workplace
Data Protection Principles
Employer processing of employee data must be lawful, fair and transparent, minimal, accurate, stored for no longer than necessary, confidential, and exercised with accountability.
Employee Consent to Data Processing
Irish employers must ensure that they have a legal basis or the consent of their employees to process their data. That consent must be ‘freely given, specific, informed and unambiguous’.
Employee GDPR Complaints
Irish employees may be entitled to bring a complaint to the Data Protection Commission if they feel their employer has breached the provisions of the General Data Protection Regulation.
Employer Data Obligations
Employer Data Obligations
Irish employers must be transparent as to how they are using their employees' data, safeguard that data and ensure such data is being processed in accordance with the GDPR principles.
Data Protection Principles
Employer processing of employee data must be lawful, fair and transparent, minimal, accurate, stored for no longer than necessary, confidential, and exercised with accountability.
Employee Data Training
Irish employers should ensure their employees receive adequate training on what employee data will be collected, and how and why that data will be processed.
Employee Data Rights
Employee Training & Information
Irish employers need to ensure all employees have adequate data protection training and are aware of company data & GDPR policies and procedures.
Employee Data Access Requests
Irish employers must have protocols in place to respond to employee data access requests within 1 month, or 3 months if the request is complex.
Employee Data Breach Compensation
Irish employees have a right to compensation for non-material damage caused by the unlawful processing of their data by their employer.
Data in the Workplace - Liability and Compensation
Right to Receive Compensation
Any employee who has suffered material or non-material damage as a result of an infringement of their data rights may have the right to receive compensation from their employer for the damage suffered.
Employer Data & GDPR Liability
Any Irish employer involved in processing employee data shall be liable for the damage caused by processing which infringes employee GDPR rights, unless it can prove it was not responsible for the damage.
Data Protection Action
An employee may, where they consider that their rights under GDPR have been infringed, bring an action against their employer in the civil courts. A data protection action shall be deemed to be an action founded on tort.
Compensation & Remedies
If successful in pursuing an action, an employee may be granted an injunction or compensation for damage (including material and non-material damage) suffered as a result of the infringement of their rights by their employer.