Recurring Themes in Employee-related Data Protection Matters
Published on: 16/11/2018
Issues Covered: Data Protection and GDPR
Article Authors The main content of this article was provided by the following authors.
Eimear Boyle

In the fifth of the series by Crowley Solicitors on data processing in the workplace, Eimear Boyle examines and clarifies a number of specific recurring themes in employee-related data protection matters.

What are the enforcement options open to the Data Protection Commission (“DPC”) for a breach of the GDPR and the Irish Data Protection Acts 1988 to 2018?

Article 58 of the GDPR categorises the powers that the DPC has at its disposal into two types:

  1. Investigative powers; and
  2. Corrective powers.

Investigative powers include the extensive authority held by the DPC to conduct data protection audits, to access premises and command information from controllers and processors wherever necessary or required for the performance of its tasks.

Corrective action includes the power to ban data processing, to impose administrative fines, to issue compliance warnings, reprimands and orders, to issue information and enforcement notices, to require a controller to communicate a personal data breach to data subject(s), to order rectification or erasure of personal data and to suspend ex-EEA data transfers.

In light of the headline-grabbing power to impose administrative fines up to €20 million or 4% of the total worldwide annual turnover of the preceding financial year, it may be of comfort to know that administrative fines imposed by the DPC must be confirmed (and may be varied) by the civil courts under the Irish Data Protection Acts 1988 to 2018. Also, a controller or processor on which an information or enforcement notice is served has the right of appeal to the civil courts against a requirement specified in such a notice.

What are the retention periods for employee personal data based on specific statutory provisions?

A recurring challenge for HR professionals responsible for employee data is the balancing act of observing data minimisation under data protection laws and complying with specific retention periods laid out in a number of statutory provisions.

The following is an introductory guide to some appropriate retention periods for employee data:

  1. Wages (including payslips): three years
  2. Employment of minors (under-18s): three years
  3. Hours worked: three years
  4. Collective redundancies: three years
  5. Records of parental/paternity/force majeure/maternity/adoptive/carer’s leave: eight years
  6. Tax records (not in respect of an open Revenue case): six years
  7. Health and safety records: ten years from the date of the incident
  8. Contracts of employment: seven years post termination of the contract
  9. Personal injuries: three years from the date of the injury (subject to H&S instances, which may necessitate a ten-year retention period (see above at 7.))
  10. Records of invoked and expunged disciplinary records: in accordance with the employee handbook/disciplinary policy, such retention period to be appropriate and fit for purpose

How can an employer (data controller) manage (a) a sweeping, all-encompassing data subject access request (“DSAR”) from an employee (data subject) requesting a copy of all personal data; and (b) a complicated or repetitive DSAR?

(a)  If you process a large quantity of information about an employee, Recital 63 of the GDPR suggests that employers should be able to request specifics about the information sought by the employee in order to clarify their DSAR. The key here is reasonableness; recommended best practice is to request such information that is reasonably required in order to locate the personal data and to communicate this to the employee as soon as possible after receiving the DSAR. In practice, preliminary searches will have to be carried out by the employer in order to substantiate a reasonable request for more information. Where an employee declines to co-operate in providing the additional information, the employer is still obliged to comply with the DSAR insofar as is reasonably possible.

(b)  If the employee’s DSAR is complex or the employer has received a number of requests from the employee such that the employer is of the opinion that they require additional time to consider the DSAR, the Irish Data Protection Acts 1988 to 2018 permit an employer to extend the one-month time period by a maximum of two months. This extension (together with reason(s) for the extension) must be explained to the employee in writing and within one month of the date of the receipt of the DSAR. Again, it is key for the employer to be reasonable and to engage with the data subject in a co-operative manner.

DSARs (and the enforcement of other data subject rights) are fast becoming part of many HR professionals’ weekly, if not daily, tasks and, where appropriate, putting parameters on the scope and extending the timeframe to respond can present opportunities for the effective and fair management of DSARs.

Processing of personal data for the purpose of obtaining legal advice

Under Section 41 of the Irish Data Protection Acts 1988 to 2018, there is a provision for the data processing of personal data and special categories of personal data for a purpose other than that for which it was collected where it is necessary and proportionate in certain circumstances, including under paragraph (a) or (b) of Section 47 of the DP Acts, namely, where the processing:

a)  is necessary for the purposes of providing or obtaining legal advice or for the purposes of, or in connection with, legal claims, prospective legal claims, legal proceedings or prospective legal proceedings, or

b)  is otherwise necessary for the purposes of establishing, exercising or defending legal rights.

In our experience, the sharing (processing) of another individual’s personal data with legal counsel is legitimate in circumstances where the individual or entity has done so in order to seek necessary legal advice.

 


Disclaimer The information in this article is provided as part of Legal Island's Employment Law Hub. We regret we are not able to respond to requests for specific legal or HR queries and recommend that professional advice is obtained before relying on information supplied anywhere within this article. This article is correct at 16/11/2018