This article is for general informational purposes and does not constitute legal advice. Employers with specific concerns should consult a qualified data protection professional or the Data Protection Commission (DPC).
Personal data in an HR context covers far more than most employers initially assume — not just names and PPS numbers, but performance reviews, disciplinary records, absence patterns, training records, CCTV footage, and even a work email address, which the DPC has confirmed can itself constitute personal data. Handling all of this correctly means navigating two sets of rules that sit side by side rather than one replacing the other: GDPR, and a patchwork of older Irish employment statutes that set their own specific retention periods.
Did GDPR Shorten How Long Employers Can Keep Records?
No — and this is one of the more common misunderstandings. The WRC has stated directly that the statutory obligations requiring employers to keep certain employment records, and the specific retention periods those statutes set, remain fully in force and are unaffected by GDPR. GDPR's storage limitation principle — don't keep data longer than necessary — operates alongside these older obligations, not instead of them. If a specific Irish statute requires a record to be kept for three years, GDPR doesn't override that; it just means you shouldn't keep it for ten years if three is what the law actually requires.
What Are the Actual Retention Periods?
Irish employment law sets a number of specific periods, and they don't all match:
- Working time records (hours worked, breaks, annual leave): 3 years, under the Organisation of Working Time Act 1997
- Payslips: 3 years, under the National Minimum Wage Act
- Parental leave and force majeure leave records: 8 years, under the Parental Leave Act 1998
- Workplace accident records: 10 years from the date of the incident, under the Safety, Health and Welfare at Work (General Application) Regulations 1993
- Written terms of employment: for the duration of employment plus at least 1 year after termination, under the Terms of Employment (Information) Act 1994 — though many employers retain contracts for 6 years post-termination in practice, aligning with the general limitation period under the Statute of Limitations Act 1957
- Unsuccessful job applicant records: the DPC considers 1 full year appropriate, long enough to cover the 6-month time limit for an Employment Equality Acts discrimination claim plus some margin
The common thread: a record's retention period should be tied to a specific legal reason for keeping it — a named statute, or the realistic window during which a claim could still be brought — not a single blanket policy applied to everything in the HR file.
Why Is Consent Usually the Wrong Legal Basis?
Many employers default to asking employees to sign a consent form when introducing new HR processing — a new system, new monitoring software, a staff survey. The DPC has been clear that this is generally the wrong legal basis to rely on. Consent under GDPR must be "freely given," and the DPC's view is that consent in the workplace rarely meets that bar, precisely because of the same power imbalance that makes employees a vulnerable category of data subject in DPIA terms. An employee who feels they can't really say no isn't giving free consent, whatever they signed.
In practice, employers should usually be relying on one of: performance of the employment contract (paying wages, for example), compliance with a legal obligation, or legitimate interests — with a genuine balancing exercise carried out and documented, weighing the business reason against the employee's privacy.
What Counts as a Real-World Mistake Here?
DPC case studies are a useful guide to where employers actually go wrong. In one case, an employer used car park and building access data to verify employee time and attendance — reasonable enough on its face, but the DPC found this incompatible processing, because employees hadn't been told their access data would be used that way. The employer was told to consider an alternative way to verify attendance and to update its retention policy and staff training to reflect the actual use of that data. The lesson generalises well beyond car parks: data collected for one stated purpose (security, in that case) being quietly repurposed for another (attendance monitoring) is one of the most common ways employers run into trouble, even with good intentions.
What Should an Employer Actually Have in Place?
- a written retention policy that ties each category of HR data to a specific reason and time limit, not a single blanket rule
- a clear, accurate statement to employees of which legal basis is being relied on for each kind of processing — not blanket consent forms
- a way for employees to see what data is held on them, ideally through accessible self-service HR systems rather than only on formal request
- a documented process for what happens to an employee's data when their employment ends
- written agreements with any third party — payroll providers, recruitment agencies — confirming they meet GDPR requirements too, since the employer remains responsible for data handed to a processor