A Guide to Data, Privacy and GDPR in the Workplace

GDPR in the Workplace


The General Data Protection Regulation (GDPR) places significant obligations on Irish employers in relation to how they collect, use and protect employee data.


Employer Data Obligations


Irish employers need to have adequate data protection training, policies, procedures and protocols in place, to secure employee data rights.


Employee Data Protection Rights


Irish employees have a right to access their work-related data, as well as a right to be informed as to who and how that data is collected and processed. 


Employee Data Access Requests


Irish employers must have protocols in place to respond to employee data access requests within 1 month, or 3 months if the request is complex.


Privacy in the Workplace


Employer Monitoring of Employee Emails


The monitoring of employee emails, internet use or phone calls constitutes 'processing' of data. Therefore, employers need to balance their legitimate interests with the right to privacy of their employees.


Workplace Data & Privacy Policy


Irish employers need to have adequate data protection training, policies, procedures and protocols in place, to ensure who, how and when, employee emails, internet use and phone calls will be reviewed or recorded.


Monitoring Employee Data Use


Irish employees must ensure that the monitoring of employee emails, internet use or phone calls, goes no more than is necessary, under the professional circumstances, and is carried out in the least intrusive manner possible. 


Employee Data & Privacy Rights


Irish employees may be entitled to bring a complaint to the Data Protection Commission if they feel their employer has undertaken excessive or disproportionate monitoring of emails, internet use or phone calls. 


GDPR in the Workplace


Data Protection Principles


Employer processing of employee data must be lawful, fair and transparent, minimal, accurate, stored for no longer than necessary, confidential, and exercised with accountability.


Employee Consent to Data Processing


Irish employees must ensure that they have a legal basis or the consent of their employees to process their data. That consent must be ‘freely given, specific, informed and unambiguous’. 


Employee GDPR Complaints


Irish employees may be entitled to bring a complaint to the Data Protection Commission if they feel their employer has breached the provisions of the General Data Protection Regulation. 


Employer Data Obligations


Employer Data Obligations


Irish employers must be transparent as to how they are using their employees data, safeguard that data and ensue such data is being processed in accordance with the GDPR principles.


Data Protection Principles


Employer processing of employee data must be lawful, fair and transparent, minimal, accurate, stored for no longer than necessary, confidential, and exercised with accountability.


Employee Data Training


Irish employees should ensure their employees receive adequate training on what employee data will be collected, and how and why that data will be processed. 


Employee Data Rights


Employee Training & Information


Irish employers need to ensure all employees have adequate data protection training and are aware of company data & GDPR policies and procedures. 


Employee Data Access Requests


Irish employers must have protocols in place to respond to employee data access requests within 1 month, or 3 months if the request is complex.


Employee Data Breach Compensation


Irish employees have a right to compensation for non-material damage caused by the unlawful processing of their data by their employer.


Data in the Workplace - Liability and Compensation


Right to Receive Compensation


Any employee who has suffered material or non-material damage as a result of an infringement of their data rights may have the right to receive compensation from their employer for the damage suffered.


Employer Data & GDPR Liability


Any Irish employer involved in processing employee data shall be liable for the damage caused by processing which infringes employee GDPR rights, unless it can prove it was not responsible for the damage.


Data Protection Action 


An employee may, where they consider that their rights under GDPR have been infringed, bring an action against their employer in the civil courts. A data protection action shall be deemed to be an action founded on tort.


Compensation & Remedies


If successful in pursuing an action, an employee may be granted a injunction or compensation for damage (including material and non-material damage) suffered, as a result of the infringement of their rights by their employer.


Share

CCTV and Workplace Relations Commission Complaints

CCTV in the Disciplinary Process

by RG343171 16 February 2025
The case of Nkemka Patrick Okachi v Sodexo Ireland Limited ADJ-00045306 examines the circumstances under which an employer will be compelled to utilise CCTV footage as part of an investigation and disciplinary process.
Gross misconduct under Irish law.

Gross Misconduct, Position of Trust and Right to Appeal

23 January 2025
The case of Ioan Pop v City Break Apartments Limited (ADJ-00045335) examines the circumstances under which an employer will be deemed to have acted reasonably, when terminating the employment of an employee for gross misconduct.

Redundancy, Retirement or Resignation

by RG343171 22 January 2025
The case of Denis McCallig v Bord Iascaigh Mhara (BIM) (ADJ00052727) examines the circumstances under which an employee will be considered to have been made redundant, retired, or alternatively resigned.
Remote work laws in Ireland

Remote Work Complaints Before the Workplace Relations Commission

by RG343171 16 August 2024
The case of Aline Karabko v TikTok Technology Ltd (ADJ-00051600) examines the obligations employers have, under Irish law, when a request for remote work is made by an employee. As the law in Ireland currently stands, there is no right to remote work per se. This may be overcome when an individual has been guaranteed remote work in their contract of employment or remote work has been determined to constitute a reasonable accommodation in accordance with relevant employment legislation, where applicable. However, none of these exceptions applied in the present case.
Section 18 of the Parental Leave Act

Force Majeure Leave and Parental Leave Rights

9 August 2024
The case of Dean Hart v Komfort Kare (ADJ00051923) examines the circumstances under which a request for time off, by a parent, from their employer, must be given due consideration. Dean Hart (the Complainant) brought a complaint under Section 18 of the Parental Leave Act 1998 against Komfort Kare (the Respondent) to the Workplace Relations Commission (WRC), alleging that they denied him the right to take force majeure despite extenuating circumstances.
Constructive Dismissal and Sexual Harassment

Constructive Dismissal and Harassment in the Workplace

31 July 2024
The case of Care Worker v Costern Unlimited Company (ADJ00046268) examines the circumstances under which it will be deemed reasonable for an employee to resign and bring a claim of unfair dismissal by way of constructive dismissal on foot of a failure of their employer to properly investigate their complaints.
Show More