What is the duration for retaining employee data under GDPR?

On May 25, 2018, the General Data Protection Regulation (GDPR) came into effect, bringing with it new guidelines on how to process and safeguard personal data. Employee personal data may include details such as name, address, phone number, email address, emergency contact information, PPS number, and bank account details. In order to retain and process this data, there must be a lawful basis for doing so. Employers are likely to rely on lawful reasons such as fulfilling contractual obligations, legal obligations, or legitimate interests. It's important to note that employee data should not be kept for longer than necessary and should be guided by employment legislation. 

So how long should I retain employee data? 

Written Terms of Employment – 1 year 

According to employment legislation, employers are required to keep a record of the written terms of employment for the duration of an employee's tenure and for a minimum of one year after termination. 

Payroll details and payslips – 6 years 

It's crucial for employers to keep records, calculations, and documents related to employee benefits for a minimum of 6 years to be prepared for potential audits by Revenue or inspections by the WRC. Payslips are also subject to scrutiny, and employers must ensure that employees are provided with them as evidence. 

Hours of Work – 3 years

To comply with GDPR regulations, employers must keep records of employee hours worked, annual leave and public holidays taken, and payment received for the same. It's also important to maintain records of rest breaks and notification of employees' entitlement to such breaks, as well as procedures if they are unable to take them. These records should be kept for a minimum of three years. 

Maternity and Adoptive Leave records – no timeframe

Although there is no specific timeframe for retaining data related to maternity and adoptive leave, it's important to note that claims can be made within 6 months of an employer being informed of a dispute and may be extended up to 12 months in exceptional circumstances. It's always best to err on the side of caution and keep records for a reasonable period of time to ensure compliance with GDPR guidelines. 

Parental Leave – 8 years 

Employers are required to keep records of Parental Leave for a period of 8 years, which should include details such as the employee's period of employment, the dates and times of leave taken, and any other relevant information. 

A more detailed list of Employee Record Keeping Requirements can be viewed here. 

As experts, we understand that there may be situations where there is no clear guidance on how long to retain employee data. That's why we strongly advise employers to plan ahead and include in their privacy notices the duration and reason for holding on to sensitive information. For instance, a company may choose to keep all performance review records for the entire duration of an employee's tenure to track their growth and development.  

Regardless of the purpose behind retaining employee data, whether it is for legal or business reasons, it's essential for employers to maintain a clear policy that explains the rationale, is easily accessible to staff, and is consistently applied.