Search
Industry Updates

Spotlight on the Irish Data Protection Commission’s Annual Report: Practical Takeaways for Employers in Ireland

Related Services

What You Need to Know

On 30 June 2026, the Irish Data Protection Commission (“DPC”) published its annual case studies booklet (“Booklet”) alongside its 2025 annual report (“Report”).1

The Booklet contains 39 case studies illustrating how the DPC approaches common data protection issues in practice. A significant number of these case studies arise in an employment context and offer important practical guidance for employers on their data protection obligations.
This article is the second in our Spotlight on the Irish DPC Annual Report series, in which we examine key themes, developments and case studies from the Report. In our first article, we examined the main Report highlights while in this article, we summarise the key employment-related case studies and key takeaways for employers.

Data Subject Access Requests in the Workplace

Several of the case studies illustrate the challenges employers face when responding to data subject access requests (“DSARs”) from current or former employees.

Case Study 1 – Applying legal privilege and third-party restrictions

In Case Study 1, a former employee of a national school sought additional documents beyond what the school had released in response to a DSAR. The school had redacted third-party data under Article 15(4) of the GDPR and withheld records on the basis of legal advice privilege and litigation privilege under Section 162 of the Data Protection Act 2018. The DPC reviewed the unredacted records and was satisfied that the restrictions had been applied appropriately.

Key Takeaway: Employers must undertake and document a balancing test when relying on restrictions and be prepared to provide evidence of this to the DPC.

Case Study 2 – Withholding records in their entirety

In Case Study 2, a pastoral centre withheld an entire record from a former employee on the basis that it contained third-party personal data. Drawing on the CJEU’s judgment in Case C-487/21, the DPC advised that withholding an entire record is rarely appropriate – instead, the employer should provide a faithful and intelligible reproduction of the employee’s personal data with appropriate redactions.

Key Takeaway: The DPC emphasised that an employer’s obligation to protect the rights and freedoms of others does not permit a blanket refusal of an individual’s right of access; the response should not simply be a refusal, but an endeavour to comply with the access request insofar as possible, whilst ensuring adequate protection for third-party rights. The organisation subsequently provided an appropriately redacted version.

Case Study 4 – Opinions given in confidence in the workplace

Case Study 4 concerned an Education and Training Board which relied on Article 15(4) of the GDPR and Section 60(3)(b) of the Data Protection Act 2018 (opinions given in confidence) to redact and withhold documents from a former employee. The employer stated that certain data had been submitted to it in confidence and therefore should not be released.

While the DPC found that the redactions under Article 15(4) had been applied correctly to protect third-party rights, it took a different view on Section 60(3)(b). The opinion in question had been given in a managerial capacity concerning the employee’s performance. The DPC highlighted that Section 60(3)(b) has a high threshold: supervisors and managers will not normally be able to rely on this provision, as providing opinions on staff performance is an expected part of their role, and they should be in a position to stand over the opinions provided. The DPC recommended release of the data.

Key Takeaway: The DPC’s key highlighted point is that where an employer restricts release of personal data in response to a DSAR, it must be able to demonstrate its reliance on the specific restriction or exemption under the GDPR and/or the Data Protection Act 2018, articulate its reasoning for any restrictions applied, and carefully consider the relevant thresholds – particularly the high bar for confidentiality under Section 60(3)(b).

Case Study 8 – Redactions in a DSAR response

In Case Study 8, an employer provided a DSAR response with significant redactions, leaving only limited personal data visible. The DPC confirmed that this was consistent with GDPR requirements – a DSAR entitles an individual only to their own personal data, and redaction of third-party data, commercially sensitive information, or non-personal data is both permissible and often required. Where an individual is concerned about the level of redaction, they may contact the organisation and request the basis on which the redactions were carried out.

Key Takeaway: A DSAR entitles an individual only to their own personal data, and redaction of third-party data, commercially sensitive information, or non-personal data is both permissible and often required.

Retention of Unsuccessful Candidates’ Information (Case Study 14)

An unsuccessful job applicant submitted an erasure request under Article 17 of the GDPR seeking the deletion of their application data. The employer refused, advising that recruitment records were retained for 12 months in line with its retention policy, citing the need to defend potential claims before the Workplace Relations Commission under the Employment Equality Acts (where the limitation period is six months, extendable to twelve in certain circumstances).

The DPC found that while the 12-month retention period was justifiable, the employer had failed to properly cite Article 17(3)(e) of the GDPR – which exempts processing necessary for the establishment, exercise or defence of legal claims – when responding to the request.

The DPC highlighted that while the GDPR does not mandate specific retention periods, data controllers must be able to justify their chosen retention periods and, where relevant, identify any valid legal basis for continuing to process personal data after the relationship with the data subject has ended.

Key Takeaway: Employers should have a clear, documented retention policy for recruitment data. When refusing an erasure request the specific GDPR exemption relied upon must be clearly identified and the employer must respond to the request in full and in line with Article 12 of the GDPR, including communicating the reasons for the refusal to the individual.

Employee Health Data and Sick Leave Policies (Case Study 15)

An employee complained that their employer required more health information than necessary when taking sick leave, and that sick certificates had to be emailed to HR with a finance team member copied. The employer, a charity working with vulnerable individuals, explained that detailed medical information was only required where an infectious illness could pose a risk to clients, and should be shared directly with the line manager rather than HR.

However, the DPC found that the employer’s sick leave policy was ambiguously worded, suggesting that detailed health information should always be provided on sick certificates. This ambiguity had resulted in the processing of unnecessary special category personal data.

The DPC also found that the finance team’s access to sick certificates was not justified when it only required absence dates for payroll purposes. Following the DPC’s engagement, the employer conducted a data protection impact assessment and revised its procedures to limit access to health information to those with a genuine, role-specific need.

Key Takeaway: Employers should ensure that sick leave policies are clear about what health information is required, when, and by whom. Access to sick certificates should be restricted on a need-to-know basis, and consider carrying out a data protection impact assessment where special category data such as employee health information is processed.

Disclosure of Employee Data to Third Parties (Case Study 18)

A former employee of a residential centre, who had been dismissed following a disciplinary process, complained that the employer had disclosed their personal data – including the circumstances of their termination – to residents of the centre without a lawful basis. The employer acknowledged that it could not identify a lawful basis under Article 6 of the GDPR for the disclosure, and accepted that the letter circulated to residents was poorly drafted and disclosed unnecessary information about the termination.

The DPC reminded the employer of its obligation to identify a lawful basis before any processing of personal data, and of the principle of data minimisation under Article 5(1)(c) of the GDPR. The DPC also referred to Recital 74 of the GDPR, reminding the organisation that it must be able to demonstrate the compliance of its processing activities with the GDPR, taking into account the nature, scope, context, and purposes of the processing, and the risk to the rights and freedoms of natural persons. The employer accepted responsibility and implemented appropriate organisational measures, including data protection training, to prevent similar incidents.

Key Takeaway: Employers should exercise particular care when communicating about an employee’s departure. Any notification to colleagues, clients, or service users should be limited to what is necessary – typically the fact of the departure and relevant handover information – without reference to the circumstances of the termination or any disciplinary proceedings. A lawful basis under Article 6 of the GDPR must be identified before any such disclosure is made.

Data Minimisation and Staff Rotas (Case Study 25)

A public health facility notified the DPC of a personal data breach involving the unauthorised disclosure of staff members’ sensitive personal data. The HR unit maintained a staff attendance rota to which employees could add details of medical-related issues when requesting rota changes. Medical information is considered sensitive personal data. The rota was not password protected and also contained the personal email addresses of some staff.

The DPC found that the organisation was processing more personal data than was necessary, giving rise to the risk of unauthorised disclosure. The DPC highlighted that the processing of personal data must be limited to what is necessary pursuant to Article 5(1)(c) of the GDPR, and that organisations must implement appropriate security measures for the protection of personal data pursuant to Article 5(1)(f). Importantly, even though the sensitive personal data was being submitted and added by staff members themselves, the organisation remained responsible as data controller for the rota’s overall contents.

Key Takeaway: Employers should regularly audit shared HR systems – including rotas, absence trackers, and scheduling tools – to ensure they do not inadvertently capture or expose sensitive personal data, and that appropriate access controls and security measures are in place.

Employee Use of AI Tools (Case Study 28)

A financial services organisation reported a personal data breach after its data loss prevention tool detected that an employee had uploaded 32 CVs containing personal data – including names, contact details, addresses, employment history, references, passport and visa details, and photographs – to a free external AI tool using their work computer. There was no data processing agreement in place with the AI tool provider, and the personal data was no longer under the organisation’s control. The employee had used the tool to carry out their role more efficiently. Critically, the organisation had no policies governing the use of free external tools, including AI.

Key Takeaway: This case study is a clear warning of the data protection risks associated with employees’ ad hoc use of AI tools. Employers should implement clear, enforceable policies governing the use of external AI tools, specifying which tools (if any) are approved and what types of data may be processed. Training should address the risks of uploading personal data to third-party AI platforms, and technical controls such as data loss prevention tools should be considered to detect and prevent unauthorised uploads.

Cybersecurity and Remote Working (Case Study 29)

A third-level educational institution reported a breach after an employee, working from home, received a scam phone call to their personal phone from a caller claiming to be from a national cybersecurity organisation. The employee was convinced their bank account had been compromised and, on the caller’s instructions, downloaded remote viewing software onto their corporate laptop. The bad actors gained access to the college network, which went undetected because the organisation had no security monitoring system, alert notifications, or detection software in place.

Key Takeaway: While no personal data was found to have been exfiltrated, the case highlights the cybersecurity risks of remote and hybrid working. Employers should ensure staff receive regular training on recognising social engineering attacks and scam calls, and should implement monitoring and alert systems on corporate devices to detect unauthorised access promptly.

CCTV in the Workplace

Case Study 35 – Transparency and Access Controls

An employee complained to the DPC about their employer’s CCTV system, raising concerns that it was being used to monitor employees, that a monitor displaying the footage was positioned in a public area visible to all staff, and that the managing director had remote access. The employer stated that the CCTV was installed for security purposes, that a robust policy was in place, and that the system had not been used for employee monitoring or disciplinary purposes.

While the employer had since installed visible CCTV signage, the DPC found that it had not adequately considered the security implications of the monitor’s positioning, and the circumstances under which remote access could occur were not clearly defined.

Key Takeaway: The DPC emphasised that workplace CCTV in must be necessary, proportionate, and transparent. Employers should have a clear CCTV policy that is readily available to employees, setting out the system’s purposes, who has access (including remote access), retention periods, and how employees can exercise their data protection rights. Monitors displaying CCTV footage should be positioned carefully to avoid unnecessary surveillance of staff, and visible signage should be in place throughout monitored areas.

Report Case Study – Repurposing CCTV Data

A related case from the Report illustrates the consequences of repurposing CCTV data. An employee of the Irish Prison Service complained about the use of workplace CCTV to monitor attendance during a disciplinary investigation. While the employee accepted that CCTV was justified given the high-risk prison environment, they objected to its use for purposes beyond security.

The DPC found that the Irish Prison Service could not demonstrate that monitoring the individual’s movements via CCTV was necessary and proportionate, particularly where the individual had already admitted to the matter under investigation. The organisation could not show compliance with its own CCTV Policy or identify an appropriate lawful basis under Article 6 GDPR. The DPC concluded that the Irish Prison Service infringed Article 5(1)(a) GDPR and issued a reprimand under Section 109(5)(da) of the Data Protection Act 2018.

Key Takeaway: Organisations deploying CCTV must define its purpose from the outset and avoid repurposing data without a separate lawful basis. Processing must be necessary and proportionate, and compliance must be demonstrable before processing occurs, not after the fact.

Recommended Actions for Employers

The DPC’s 2025 case studies send a clear message: employment-related data protection compliance is firmly in the regulator’s sights. Across the case studies summarised above, several consistent themes emerge – the importance of transparency, data minimisation, documented decision-making, and proactive governance.

In light of these developments, we strongly recommend employers to take the following steps:

  • Review and update DSAR procedures to ensure that any reliance on restrictions or exemptions is clearly documented, that a balancing test is carried out and recorded, and that responses are provided within the statutory timeframe and in compliance with Article 12 of the GDPR.
  • Audit data retention policies, particularly in relation to recruitment data and employee records, to ensure that retention periods are clearly defined, justifiable, and consistently applied — and that the correct GDPR exemptions are cited when refusing erasure requests.
  • Reassess sick leave and absence management policies to ensure that only the minimum necessary health information is collected, that access is restricted on a need-to-know basis, and that a data protection impact assessment has been carried out where special category data is processed.
  • Implement or strengthen AI and external tools policies, setting out clearly which tools are approved for workplace use, what data may be processed, and the consequences of non-compliance. This should be supported by regular staff training and, where appropriate, technical controls such as data loss prevention software.
  • Review CCTV arrangements and shared HR systems – including rotas, absence trackers, and scheduling tools – to ensure compliance with the principles of necessity, proportionality, and data minimisation, and that appropriate access controls and security measures are in place.
  • Ensure that cybersecurity measures are fit for purpose in a remote and hybrid working environment, including regular staff awareness training on social engineering threats and appropriate monitoring and detection systems on corporate devices and networks.

Further Information

Our Employment and Data Protection teams are available to assist employers in reviewing and strengthening their compliance frameworks. We would encourage employers to act now to address any gaps, rather than waiting for a complaint.

For more on the DPC’s 2025 annual report please see our Spotlight on the Irish Data Protection Commission’s Annual Report: Key Findings article 2 and/or visit our knowledge page. 3


1 https://www.dataprotection.ie/en/data-protection-commission-publishes-2025-annual-report
2 https://maples.com/knowledge/spotlight-on-the-irish-data-protection-commissions-annual-report-key-findings
3 https://maples.com/knowledge

Menu