Data Protection and Privacy Policy

Purpose

Treibh is committed to protecting the privacy and security of personal data. This policy outlines how we collect, use, store, share and protect the personal data of employees and job applicants, in accordance with Irelands General Data Protection Regulation (GDPR) 2018.
We are a data controller for the purposes of employment-related personal data, meaning we determine the purposes and means of processing.

Scope

This policy applies to:

All current, former, and prospective employees, workers, and contractors of Treibh.
All personal data processed in the context of employment.
It covers data collected during recruitment, onboarding, employment, and offboarding.

Our Data Protection Principles

Treibh complies with the GDPR by ensuring that personal data is:

Lawfully, fairly and transparently processed
Collected for specified, explicit and legitimate purposes
Adequate, relevant and limited to what is necessary
Accurate and kept up to date
Kept only for as long as necessary
Processed securely and protected against unauthorised or unlawful processing, loss, destruction or damage
Handled with accountability

What Data We Collect

We may collect, store and process the following types of personal data:

Identification data (name, date of birth, NI number, contact details)
Employment details (job title, salary, working hours, start date)
Recruitment information (CVs, interview notes, application forms)
Right to work documentation (passport, visa)
Payroll data (bank details, tax codes)
Absence and sickness records (including special category health data)
Performance data (appraisals, training records, disciplinary notes)
IT usage and communications data (email, systems access, activity logs)
Monitoring data (CCTV footage, internet use, access logs)

Special Category Data

We may also collect and process “special category” personal data where necessary, including:

Health or disability data for occupational health, reasonable adjustments, or sickness absence
Equal opportunities data (e.g. ethnicity, gender, religion), used for anonymised reporting
Processing of special category data is only carried out where we have a lawful basis under the GDPR, such as explicit consent or for employment obligations.

Lawful Bases for Processing

We will only process personal data when the law allows us to. The main lawful bases we rely on are:

To fulfil our contract with you
To comply with a legal obligation (e.g. payroll, Revenue reporting)
Our legitimate interests (e.g. business operations, workforce planning)
Your consent (e.g. when signing up for optional wellbeing schemes)
To protect vital interests (e.g. medical emergencies)

How We Use Your Data
We process personal data to:

Manage your employment relationship
Process payroll, pensions, and benefits
Maintain records of absence, conduct, and performance
Support health, safety and wellbeing
Comply with legal obligations (e.g. right to work, HMRC)
Conduct training and development
Investigate complaints or grievances
Monitor use of systems for security and fair use
Conduct offboarding, exit interviews and references

Data Sharing

Data is only shared, when necessary, under appropriate data sharing or processing agreements, and never sold.

International Data Transfers

Where personal data is transferred outside the UK or EEA, we ensure appropriate safeguards are in place, such as:

UK adequacy regulations
Standard Contractual Clauses (SCCs)
Binding corporate rules (where applicable)

Data Retention

We only keep personal data for as long as necessary. For example:

Employee records: 6 years after employment ends
Recruitment data: 12 months post-process
Payroll data: 6 years for financial compliance

Security of Data

We use appropriate technical and organisational measures to protect data, including:

Secure cloud platforms
Passwords, multi-factor authentication
Access controls and user permissions
Staff training on data protection
Regular audits and reviews

Your Rights

As a data subject, you have the following rights:

Right to access your data
Right to rectification of inaccurate data
Right to erasure (where applicable)
Right to restrict or object to processing
Right to data portability
Right to withdraw consent (if processing is based on consent)
Right to lodge a complaint with the Data Protection Commission (DPC)
Requests should be submitted to HR. We will respond within one calendar month.

Data Protection and Privacy Policy

All current, former, and prospective employees, workers, and contractors of Treibh.

All personal data processed in the context of employment.

It covers data collected during recruitment, onboarding, employment, and offboarding.

Our Data Protection Principles Treibh complies with the GDPR by ensuring that personal data is:

Lawfully, fairly and transparently processed

Collected for specified, explicit and legitimate purposes

Adequate, relevant and limited to what is necessary

Accurate and kept up to date

Kept only for as long as necessary

Processed securely and protected against unauthorised or unlawful processing, loss, destruction or damage

Handled with accountability

What Data We Collect We may collect, store and process the following types of personal data:

Identification data (name, date of birth, NI number, contact details)

Employment details (job title, salary, working hours, start date)

Recruitment information (CVs, interview notes, application forms)

Right to work documentation (passport, visa)

Payroll data (bank details, tax codes)

Absence and sickness records (including special category health data)

Performance data (appraisals, training records, disciplinary notes)

IT usage and communications data (email, systems access, activity logs)

Monitoring data (CCTV footage, internet use, access logs)

Special Category Data We may also collect and process “special category” personal data where necessary, including:

Health or disability data for occupational health, reasonable adjustments, or sickness absence

Equal opportunities data (e.g. ethnicity, gender, religion), used for anonymised reporting

Processing of special category data is only carried out where we have a lawful basis under the GDPR, such as explicit consent or for employment obligations.

Lawful Bases for Processing We will only process personal data when the law allows us to. The main lawful bases we rely on are:

To fulfil our contract with you

To comply with a legal obligation (e.g. payroll, Revenue reporting)

Our legitimate interests (e.g. business operations, workforce planning)

Your consent (e.g. when signing up for optional wellbeing schemes)

To protect vital interests (e.g. medical emergencies)

How We Use Your Data We process personal data to:

Manage your employment relationship

Process payroll, pensions, and benefits

Maintain records of absence, conduct, and performance

Support health, safety and wellbeing

Comply with legal obligations (e.g. right to work, HMRC)

Conduct training and development

Investigate complaints or grievances

Monitor use of systems for security and fair use

Conduct offboarding, exit interviews and references

Data Sharing Data is only shared, when necessary, under appropriate data sharing or processing agreements, and never sold. International Data Transfers Where personal data is transferred outside the UK or EEA, we ensure appropriate safeguards are in place, such as:

UK adequacy regulations

Standard Contractual Clauses (SCCs)

Binding corporate rules (where applicable)

Data Retention We only keep personal data for as long as necessary. For example:

Employee records: 6 years after employment ends

Recruitment data: 12 months post-process

Payroll data: 6 years for financial compliance

Security of Data We use appropriate technical and organisational measures to protect data, including:

Secure cloud platforms

Passwords, multi-factor authentication

Access controls and user permissions

Staff training on data protection

Regular audits and reviews

Your Rights As a data subject, you have the following rights:

Right to access your data

Right to rectification of inaccurate data

Right to erasure (where applicable)

Right to restrict or object to processing

Right to data portability

Right to withdraw consent (if processing is based on consent)

Right to lodge a complaint with the Data Protection Commission (DPC)

Requests should be submitted to HR. We will respond within one calendar month.

Review and Updates This policy is reviewed annually or when required due to legal or operational changes.

Our Data Protection Principles

Treibh complies with the GDPR by ensuring that personal data is:

What Data We Collect

We may collect, store and process the following types of personal data:

Special Category Data

We may also collect and process “special category” personal data where necessary, including:

Lawful Bases for Processing

We will only process personal data when the law allows us to. The main lawful bases we rely on are:

How We Use Your Data
We process personal data to:

Data Sharing

Data is only shared, when necessary, under appropriate data sharing or processing agreements, and never sold.

International Data Transfers

Where personal data is transferred outside the UK or EEA, we ensure appropriate safeguards are in place, such as:

Data Retention

We only keep personal data for as long as necessary. For example:

Security of Data

We use appropriate technical and organisational measures to protect data, including:

Your Rights

As a data subject, you have the following rights:

Review and Updates

This policy is reviewed annually or when required due to legal or operational changes.