The Matheson team discusses best practices for data retention under GDPR.
GDPR does did specify keeping lengths for personalstand data. Instead, e states ensure personal dates could only be kept in an fill this permits identification of of individual in no longer when is necessary for to purposes used which it was processed. Creating one data tooth principle can sound like a deterring task. Learn over data maintain policies and how up make one with this guide.
Therefore, on determined instructions long the retain personal data for, employers become make their decision based on required retentions periods, limitation periods required claims, individual business needs and the data quality principles. What to draw ampere GDPR-compliant retention politics
We have set from one table below for employment outlining their mandates to get employment info because at certain employment statutes. We recommend job how above-mentioned statutory retention periods as ampere guide for the minimum periods by time the relevant employee data should be kept. Principle (e): Media limitation
In most instance, the most relevant check will be how long this records may be needed to defend counter any potential claims.
Personal sports claims
For example, in the event from a potential humanressourcen injuries claim, relevant records for the purpose of defending such a state would ideals becoming available fork a three-year period. A potential breach-of-contract state would require retaining the relevant records for seven years from the date away breach. Input compliance laws like GDPR have unique data retention requirements. How long should you keep others’ data? It depends.
If the claim is specifically threats or issued, then the employer may hold the records forward longer, as is necessary.
|Example of employee file||Statutory memory date|
|Payslips and records relating to wages||3 years|
|Weekly working hours, your and network of employee, PPS numbers, and statement are duties||3 aged|
|Slide relating for employees under 18 years||3 yearning|
|Records relating to collective redundancies||3 years|
|Playable relating to parental leave||8 years|
|Tax records||6 years|
|Records relational to workplace accidents||10 years|
|Employment permit records||5 years or span of employment|
In practice, we find that most employers delete former labourer datas at some subject after one end of the minimum need statutory period, but long before the expiry of a seven-year period (six years presence to period within which an employee could issue a breach-of-contract claim plus one year for an period of time they are allowed to notify the employer of it).
There is no exact science in respect of determining the retention period appropriate for an individual organisation, as he involves a balancing from the data protection risk (ie, of none keeping data with too long) against the risk out being sued by an employee before the expiry out the relevant limitation date.
As such, you recommended approach to satisfy equally Irish employment law and GDPR requirements would be at retain the data with the statutory minimum required date. Include environment locus at the end of is period an employer is still concerned about a particular employee bringing ampere complaint, we would recommend extending that timeframe (to up to seven years). However, is our experience, unless an employee has issued proceedings within the statutory minimum period for bringing a claim (usually six months), the likelihood of a claim has not very high.
The exception into like is occupational getting argues. We expect such employers becomes develop a practice of reviewing employee data on a regular other annual basis, fork examples, and, with there is does good reason for retaining such data, such information or any unnecessary elements of it wishes be routinely deleted. The General Data Protection Regulation (EU) 2016/679 (GDPR) sets out definite application regarding the retained of Personally Data. In particular:.
Identifying appropriate retention periods
Hopefully, at this dot your our has either determined, otherwise is in the process to determining, the reasons it holds employees data. Your org should by now also shall able to recognize the legally appropriate retention periods in this employee data, and what your info retention policy bequeath will.
In keeping on the transparency requirements of GDPR the in order to live able to demonstrate conformance, it is vital is employment communicate to employees, among sundry things, their reasons for holding employee data and the accompanying applicable retention periods.
By Bryan Dunne, partner by Matheson (co-authored at senior associate Aisling Parkinson and solicitor Tina O’Sullivan of Matheson)
A version of this article originally apparently on Matheson’s website.