ESRI Job Applicant Privacy Notice

Under Data Protection legislation, individuals have a number of rights in relation to the personal data an organisation holds about them.

The purpose of this notice is to inform you of the type of personal data that the ESRI keeps about job applicants, the purpose for which we keep it and your rights relating to personal data processed about you. Should an employment offer be made to you, a further privacy notice will be provided detailing how such data are used for the purposes of managing the employment relationship.

Who we are and how to contact us?

The ESRI is a research institute that undertakes economic and social research that aims to advance evidence-based policymaking in these areas.  It is a company limited by guarantee and is registered as a charity. Its sources of income are multi-annual programmes of research funded by a number of government departments and agencies, commissioned research projects, competitive research grants and a government grant-in-aid.

Our contact details are as follows: Economic & Social Research Institute, Whitaker Square, Sir John Rogerson’s Quay, D02 K138, Ireland.

Tel: +353 1 863 2000


The ESRI’s Data Protection Officer is Ms Claire Buckley. Any queries relating to your personal data can be sent to

What personal data do we process about you?

From the point at which we receive your application for employment, the ESRI will need to maintain and process data about you for the purposes of assessing and communicating a recruitment decision. Such data is normally retained for 18 months following completion of a recruitment competition.

At the recruitment stage, applicants are requested to submit a cover letter, CV and application form. Data obtained includes the following:


  • Name and contact details including email address, phone number
  • Candidate’s work history
  • Candidate’s education history
  • Qualifications and experience relevant to the role
  • Eligibility to work in the EEA
  • Contact details for referees: previous employer(s) and personal or educational referees
  • Garda vetting request (only where relevant to role)

The Institute has prescribed data fields in its application form requesting specific information. We also request a cover letter and CV. The information provided in the latter is at the applicant’s discretion and not to a prescribed format requested by the Institute.

Selection Process – Short-listing stage:

The information provided by the applicant will be used to assess the suitability of the candidate to be interviewed for the advertised role. This will be done through a process of reviewing the information provided in the application documents against the requirements of the role. The most suitable candidates are selected for the interview stage.

Selection Process – Interview stage:

Applicants may be invited to interview(s) for a role following the short-listing process. The data generated at this stage of the process will be as follows:

  • Interview details including notes and assessment of the interview board, dates and times
  • A record of candidates’ arrival to and departure from the building for Health and Safety purposes
  • References provided by previous employers and personal or educational referees
  • Communication of the recruitment decision

What is our lawful basis for processing your personal data and how long will we retain it for?

Under data protection law, there are six available lawful bases under which an organisation may process personal data. They are consent, contractual purposes, legal obligations, vital interests, public task, and legitimate interests.

We process and retain your recruitment data on the basis of our legitimate interest to make recruitment decisions and our legal obligations. In order for the Institute to be able to demonstrate the legal integrity of our selection process we retain the data for 18 months. Under Irish equality legislation, an applicant may raise a claim of discrimination for up to 12 months following an alleged incident. In order to defend against any such claim, the Institute retains records pertaining to the selection process for 18 months. We retain them for 6 months beyond the statute period should any claim arise towards the end of the 12 month period.

Consequences of failing to provide information?

The Institute requests the same information of all intending applicants. If you do not provide the information as requested, we may not be able to process your job application.

Do we share personal data with any third parties?

ESRI interview boards may include an external board member, in which case we will provide the applications of short-listed applicants for the purposes of conducting the interview and evaluating interview candidates. A data protection notice is issued to all interviewers and they are required to return to the ESRI HR representative on the board all hardcopy interview documentation and to confirm deletion of any copies and any electronic applicant data provided.

The Institute’s internal and external auditors may request sight of recruitment decision supporting documentation to verify that recruitment decisions are made in line with Institute policy and legal requirements. Such documentation may contain personal data relating to candidates. If so, the HR representative providing the documentation for review will ensure that it is done securely and in accordance with data protection principles.

We may contact referees following interviews. This is on the basis of the referee information you have provided. We will ask you on your application form whether you consent to us contacting referees.

Information on eRecruitment software in use

The ESRI uses a cloud-based online eRecruitment solution, Talent Manager (product of HRM Talent Solutions) to process online applications. The Institute has a formal data protection agreement in place with the providers to ensure that specific data protection guarantees are in place with this service provider including EEA hosting location and certified security credentials.

What rights do you as the data subject have?

Data protection legislation confers the following rights on individuals:

i. The right to be informed

An individual has a right to know whether an organisation processes personal information relating to them and certain additional information in relation to the processing, such as its purposes, the categories of data, the recipients of the data, and the existence of additional rights such as the rights to erasure and objection (where applicable).

ii. The right of access

Individuals have the right to access their personal data, be aware of and verify the lawful basis on which it is processed.

iii. The right to rectification

Individuals have a right to have inaccurate personal data rectified, or completed if it is incomplete.

iv. The right to erasure

Individuals have a right to have their personal data erased in certain circumstances. This right applies where personal data is processed on the basis of consent or when the personal data is no longer necessary for the purpose which it was originally collected or processed it for; it doesn’t apply where personal data is being processed or retained in order for the organisation to comply with a legal obligation.

v. The right to restrict processing

Individuals have the right to request the restriction or suppression of their personal data in certain circumstances. When processing is restricted, an organisation may store the personal data, but not use it. This right applies where

  • an individual contests the accuracy of their personal data and this is being verified
  • the data has been unlawfully processed (ie in breach of the lawfulness basis on which it is processed) and the individual opposes erasure and requests restriction instead
  • an organisation no longer needs the personal data but the individual needs it to be kept in order to establish, exercise or defend a legal claim
  • the individual has objected to the processing of their data where it is being processed on the basis of public interest task or legitimate interests and the organisation is considering whether their legitimate grounds override those of the individual.

vi. The right to data portability

This right allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability. This right only applies where the lawful basis for processing this information is consent or for the performance of a contract, and the processing is being carried out by automated means.

vii. The right to object

An individuals have the right to object to the processing of their personal data where

  • processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);
  • direct marketing (including profiling); and
  • processing for purposes of scientific/historical research and statistics.

viii. Rights in relation to automated decision making and profiling

Automated decision making and profiling is defined as:

  • automated individual decision-making (making a decision solely by automated means without any human involvement); and
  • profiling (automated processing of personal data to evaluate certain things about an individual). Profiling can be part of an automated decision-making process.

An organisation can only process personal data in this way when it’s:

  • necessary for the entry into or performance of a contract; or
  • authorised by Union or Member state law applicable to the controller; or
  • based on the individual’s explicit consent.

How can I submit a Subject Access Request?

Subject Access Requests can be submitted to the Institute’s Data Protection Officer, ESRI, Whitaker Square, Sir John Rogerson’s Quay, D02 K138 or

How will the information be provided?

Where the data subject makes the request by electronic form means, where possible, the information must be provided by electronic means, unless otherwise requested by you. When requested by you, the information may be provided orally, provided that identity is verified.

What are the timeframes for dealing with personal data access requests?

  • Within 1 month of receipt of the request
  • The 1-month period may be extended by a 2 further months, where necessary, taking into account the complexity and number of requests, where necessary. In this case, we will inform you of any extension within 1 month of receipt of the request and the reasons for the delay. If we do not take action on foot of your request, we will inform you without delay and, at the latest, within 1 month of receipt of your request, of:
  • The reasons for not taking action
  • The possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

What are the charges?

Requests are dealt with free of charge.

However, where requests from a data subject are considered ‘manifestly unfounded or excessive’ (for example where an individual continues to make unnecessary repeat requests or the problems associated with identifying one individual from a collection of data are too great) the data controller may:

  1. Charge a reasonable fee, taking into account the administrative costs of providing the information/ taking the action requested; or
  2. Refuse to act on your request.

Right to lodge a complaint to the Supervisory Authority

Under data protection legislation an individual has a right to lodge a complaint with the Data Protection Commission if they consider that processing of their personal data is contrary to the GDPR.

The contact details of the Commission are 


The Data Protection Commissioner, Canal House, Station Road, Portarlington, Co. Laois. The Data Protection Commissioner also operates a helpdesk function, which is contactable at 0761 104 800 or LoCall 1890 252231.

ESRI Subject Access Request Procedures

Making and submitting a Subject Access Request

If you wish to make a Subject Access Request, please do so in writing to the Data Protection Officer, ESRI, Sir John Rogerson’s Quay, Dublin 2 or

To order to facilitate processing of your request and timely retrieval of your personal data, we ask that individuals provide the following details:

  • Name of Requester
  • Details of the personal data that you are requesting e.g., application form, emails of a specific subject matter, letters or
  • Data Subject Right you wish to exercise (where applicable) e.g., right to rectification, erasure
  • Any other relevant information
  • The form you wish data to be provided to you


In order to ensure that personal data is not disclosed to the wrong person, proof of identity will be required with your data access request.

If a request is being made on your behalf by a third party such as a solicitor, authority and verification will be sought.

Data pertaining to your information only

You are entitled to your own data only. If data from additional parties to the request are required by you, it is necessary for each party to consent to the release of their personal data in writing to the Data Protection Officer. Data pertaining to individuals not party to the request will not be released to you.

Response Times

We will respond to your request without undue delay and your request will be concluded no later than 1 month from when it is received.

The timeline may be extended by up to 2 months taking into account the complexity and whether it is a repeat request.


Your data will be provided to you free of charge.

However, a reasonable fee may apply when a request is manifestly unfounded or excessive.

 Right to complain to Data Protection Commissioner

If you are unhappy with the outcome of your request, you may make a complaint to the Data Protection Commissioner (Canal House, Station Road, Portarlington, Co. Laois), who will investigate the matter for you. Further details on your rights under the Data Protection Acts are available on the Data Protection Commissioner’s website