As mentioned in our previous GDPR update, this update will deal with the retention of employee records / data in the workplace under the GDPR.
The GDPR does not specify retention periods for personal data. Instead, it states that personal data may only be kept in a form which permits identification of the individual for no longer than is necessary for the purposes for which it was processed.
Therefore, in deciding how long to retain personal data, employers will base their decision on statutory retention periods, limitation periods for claims, individual business needs and the data quality principles. We have set out below a table for employers outlining their obligations to retain employment data under certain employment statutes. We recommend employers use these statutory retention periods as a guide for the minimum period of time the relevant employee data should be kept.
In most cases, the most relevant criterion will be how long the records may be needed to defend against any potential claims. For example, in the event of a potential personal injuries claim, relevant records for the purpose of defending such a claim would ideally be available for a three-year period, and a potential breach of contract claim would require retaining the relevant records for seven years from the date of breach. If the claim is specifically threatened or issued, then the employer may hold the records for longer, as is necessary.
In practice, we find that most employers delete former employee data at some point after the end of the minimum required statutory periods but long before the expiry of a seven-year period (six years being the period within which an employee could issue a breach of contract claim, plus one year for the period of time they are allowed to notify the employer of it). There is no exact science in determining the retention period appropriate for an individual organisation, as it involves balancing the data protection risk (i.e., of not keeping data for too long) against the risk of being sued by an employee before the expiry of the relevant limitation period. As such, our recommended approach to satisfy both Irish employment law and GDPR requirements would be to retain the data for the statutory minimum required...