Longford based, nationwide support | hello@purpletree.ie | +353 1 800 787 333

Employee data, handled properly

GDPR compliance that works for Irish employers

Navigating GDPR and data protection laws can feel complex, especially when handling sensitive employee data. Getting it wrong can lead to significant fines and reputational damage. We provide expert, practical guidance to help your business understand its GDPR obligations, ensuring your practices are fully compliant, secure, and responsible.

GDPR for Irish Employers

Know exactly what the law asks of you.

Your GDPR Obligations as an Irish Employer

GDPR and Ireland's Data Protection Act 2018 place real responsibilities on every business that employs people, regardless of size. The moment you take on your first employee you are processing personal data, and the rules on how you collect, use, store, and share it apply from that point on.

This is not only an IT matter; it is a core HR and compliance issue that runs through recruitment, the employment relationship, and the records you keep after someone leaves.

We give Irish employers clear, practical advice on what GDPR actually requires of them, and we draft the GDPR-compliant HR policies that go with it, such as Employee Privacy Notices and Data Protection Policies. For the wider picture, see the biggest HR challenges facing Irish SMEs.

DPC enforcement

Administrative fines and corrective orders from the Data Protection Commission.

Reputational damage

Lost trust with employees, customers, and the people you are trying to hire.

Employee claims

Individual actions for compensation where data is mishandled or a breach causes harm.

Wider scrutiny

Extra regulator attention that often surfaces alongside a WRC inspection or claim.

Practical GDPR Support for Your Business

We close the gaps that turn into complaints.

Practical Support, Built Around Your Business

We offer practical, hands-on support to make sure your HR practices stand up to scrutiny, built around how Irish SMEs actually operate rather than a generic checklist. We start by understanding the data you hold and why, then close the gaps that turn into complaints. Where a fuller review is needed, our HR audit examines your data handling alongside the rest of your HR compliance.

  • GDPR HR Audits: Reviewing your current employee data handling processes, identifying gaps, and providing a clear action plan.
  • Policy Development: Drafting essential GDPR-compliant documents like Employee Privacy Notices, Data Protection Policies, and Data Breach Response Plans.
  • Lawful Basis Advice: Identifying and documenting the correct legal basis for each type of HR processing, since consent is rarely the right basis in employment.
  • Secure Data Management: Advising on secure and lawful management of all employee personal data, including storage, access, retention, and deletion.

Every record handled the way the law expects.

The Employee Data You Are Responsible For

GDPR covers far more than a name and an email address. Across the employment lifecycle you hold sensitive information that has to be handled lawfully at every stage, and some of it carries extra obligations. This is the data that sits inside your employment contracts, your payroll, and your HR records. Holding it in a secure, GDPR-ready system such as the HR:Duo platform makes demonstrating compliance far easier than chasing spreadsheets and paper files.

Recruitment data

CVs, application forms, interview notes, and references, including candidates you did not hire.

Contracts and payroll

Employment contracts, PPS and bank details, salary, PRSI, and pension records.

Health and sick leave

Medical certificates and absence records, which are special category data needing extra protection.

Working time records

Hours, rest breaks, and attendance data, which must be kept for three years under working time law.

Monitoring and CCTV

Email, internet, and CCTV footage, lawful only where proportionate and disclosed to staff in advance.

Leavers and retention

Records of former employees kept only as long as a lawful purpose requires, then securely deleted.

Key GDPR Principles Your Business Must Follow

Compliance built into how you work.

GDPR is built on several core data protection principles that your business must uphold whenever you process employee data. We make sure your day-to-day HR practices and your written policies align with each one, so compliance is built into how you operate rather than bolted on after a complaint.

  • Lawfulness, Fairness, and Transparency: Processing employee data lawfully, fairly, and in a way staff can see and understand.
  • Purpose Limitation: Collecting employee data only for specified, explicit, and legitimate HR purposes.
  • Data Minimisation: Holding only the data that is adequate, relevant, and necessary for the purpose.
  • Accuracy and Storage Limitation: Keeping employee data accurate and up to date, and retaining it no longer than needed.
Employee Rights and Managing Subject Access Requests

Ready to respond before the clock starts.

GDPR gives employees a set of rights over their personal data, and you must have procedures ready to handle them. The most common in practice is the Subject Access Request, where an employee asks for a copy of the data you hold about them.

You have one month to respond, extendable by a further two months where the request is complex. Responding involves identifying, retrieving, reviewing, and lawfully redacting records across HR files, email, and payroll.

Requests frequently arrive during a dispute or a workplace investigation, so a tested procedure matters. Our guide to conducting a fair and compliant HR investigation shows how data handling and process sit together.

  • The right of access through Subject Access Requests to personal data your business holds.
  • The right to rectification of inaccurate personal data.
  • The right to erasure, the so-called right to be forgotten, in certain circumstances.
  • The right to restrict processing or object to certain data uses.
  • The right to data portability.
  • A clear SAR procedure with staff training and realistic response timelines.
Data Breach Management: Preparing for the Unexpected

A controlled response, not a panicked scramble.

Even with good security, breaches happen, from a misdirected email to a lost laptop or unauthorised access to a file.

If a breach involving employee data is likely to pose a risk to the people affected, you must notify the Data Protection Commission within 72 hours of becoming aware of it, and where the risk is high you must tell the affected individuals directly.

We help your business build a Data Breach Response Plan that sets out how to contain, assess, document, and notify, so a breach becomes a controlled process rather than a scramble. The same discipline applies to handling sensitive protected disclosures, where confidentiality and data handling carry their own legal risks.

  • Creating a Data Breach Response Plan tailored to your business.
  • Training staff on identifying and reporting potential breaches.
  • Understanding DPC notification requirements and the 72-hour window.
Ongoing GDPR Support From a Longford-Based Team

Guidance that keeps pace as you grow.

Ongoing Support From a Longford-Based Team

GDPR compliance is not a one-off project. It needs attention as your headcount changes, as you adopt new systems, and as guidance from the Data Protection Commission develops.

Modern HR software built with data protection at its core gives you a secure, central place for employee records, contracts, and policy acknowledgements, with permission-based access, encryption, and audit trails that help you demonstrate compliance.

PurpleTree is a Longford-based HR consultancy serving employers across Ireland, advising on Irish law and DPC practice rather than an adapted UK approach. Through outsourced HR or a retained consulting arrangement, we provide continuous GDPR guidance, periodic reviews, and staff training, all backed by the HR:Duo platform.

  • Secure, cloud-based storage with role-based access controls.
  • Audit trails for data processing accountability.
  • Periodic reviews of your GDPR compliance.
  • Updates to Employee Privacy Notices and Data Protection Policies.
  • Refresher GDPR training for staff and managers.

Get Compliant Today

Worried about GDPR and employee data? See how we price HR support, then contact us for practical guidance on your compliance obligations. Whether you need a full HR audit, policy development, or ongoing support through outsourced HR, our team will help you protect your business and your employees' data with confidence.


Free 5-minute HR Health Check

See where your business stands before the WRC does

Answer 40 straightforward questions on contracts, working time, pay, leave and policies, and get a clear read on where your compliance gaps sit and what to fix first.


Common questions from employers

Yes. GDPR and Ireland's Data Protection Act 2018 apply to every employer that processes personal data, with no small-business exemption. A five-person company in Longford carries the same core obligations as a multinational: handle employee data lawfully, tell staff what you collect and why, keep it secure, and respond to requests about it. The difference is scale, not whether the rules apply. We help Irish SMEs meet these obligations without building a corporate compliance function. See how we price HR support.

One month from the date you receive the request. Where the request is genuinely complex, or you are dealing with several at once, you can extend that by a further two months, but you must tell the employee within the first month that you are doing so and why. The clock does not stop while you gather records, so a tested procedure matters. Talk to us if a subject access request has just landed and you are unsure how to respond.

Largely, yes. A Subject Access Request entitles an employee to a copy of the personal data you hold about them, which can include their HR file, performance records, and emails or notes that identify them. Some material can be withheld or redacted, for example information that would reveal another person's personal data, legally privileged advice, or certain management-planning records. Knowing what to release and what to lawfully redact is where most employers need guidance, because getting it wrong is itself a breach.

There is no single retention period under GDPR. You keep each category of data only for as long as you have a lawful reason to hold it, then delete or anonymise it. Some periods are fixed by other Irish law: working time records must be kept for three years under the Organisation of Working Time Act, and payroll and tax records are generally kept for six years for Revenue. We help you build a retention schedule that matches each record to the right period rather than holding everything indefinitely.

Usually not, and relying on consent is often the wrong choice. Because of the imbalance of power between employer and employee, the Data Protection Commission treats consent as rarely freely given in the workplace. For most HR processing you rely on other lawful bases instead, such as performing the employment contract, meeting a legal obligation like Revenue or Workplace Relations Commission record-keeping, or a legitimate interest. We help you identify and document the correct basis for each type of processing so your privacy notices stand up.

You can, but workplace monitoring is one of the areas the Data Protection Commission scrutinises most closely. Any monitoring must be necessary and proportionate, staff must be told about it in advance through a clear policy, and more intrusive measures usually require a Data Protection Impact Assessment first. Biometric data such as fingerprints is special category data, so it needs an additional lawful condition and is rarely justified where a less intrusive option exists. We advise on doing this lawfully and draft the policies that go with it.

Act quickly. If a breach is likely to pose a risk to the people affected, you must notify the Data Protection Commission within 72 hours of becoming aware of it, and where the risk is high you must also tell the affected individuals. Contain the breach, assess what data and people are involved, document everything, and decide on notification. A Data Breach Response Plan prepared in advance is what turns a panicked scramble into a controlled process, and we help you put one in place. Contact us if a breach has just occurred.

The Data Protection Commission can impose administrative fines of up to €20 million or 4% of global annual turnover, whichever is higher, for the most serious breaches. Beyond fines, employees can bring claims for compensation for material or non-material damage, and a mishandled data issue often surfaces alongside a wider Workplace Relations Commission complaint. A practical compliance programme costs a fraction of any of those outcomes. See how we price HR support, or read about the biggest HR challenges facing Irish SMEs.

Need support with this?

Book a free consultation and we will scope exactly what your business needs, then put it on a fixed monthly fee with no surprises.