Our privacy policy

Our privacy policy


This Privacy Policy documents how we at Eolas Recruitment Ltd (“us”, “we”, or “our”) meet our obligations under data protection legislation (the Data Protection Act 2018 and the General Data Protection Regulation 2016/679 “GDPR”).



This policy covers our processing activities as a controller of Personal Data. In instances where we act as a Data Processor we will always do so under contract with a Data Controller and will ensure to comply with our obligations as defined in Article 28 GDPR.


Roles and Responsibilities

Board of Directors:

The Board of Directors has overall responsibility for ensuring compliance with the Data Protection legislation. The Board of Directors will approve, review and update the Data Protection Policy at least annually.


The Management will ensure that the Privacy Policy is implemented and ensure controls are in place to facilitate compliance in line with the guidance of the Data Protection Officer (DPO).


All employees of Eolas who collect and / or control the contents and use of personal data are responsible for compliance with data protection legislation.

The Data Protection Officer (DPO):

Eolas has appointed a DPO with the relevant professional qualities and, in particular, expert knowledge of data protection law and practices as is required under data protection legislation. The DPO will undertake a number of tasks that will include, but not necessarily be limited to the following:

  • Inform, advise and issue recommendations to the organisation regarding compliance with data protection requirements.
  • Asist in fostering a data protection culture within the organisation and help to implement essential elements of all relevant data protection and privacy regulations and legislation.
  • Create and implement policies and procedures in relation to data processing, data subjects’ rights, data protection by design and by default, records of processing activities, security of processing, and notification and communication of data breaches.
  • Advise the controller / processor regarding:
    • Whether or not to carry out a data protection impact assessment
    • What methodology to follow and appropriate resource when carrying out a DPIA.
    • Whether or not the DPIA has been correctly carried out and whether its conclusions (whether or not to go ahead with the processing and what safeguards to apply) are in compliance with data protection and privacy requirements.
    • What safeguards (including technical and organisational measures) to apply to mitigate any risks to the rights and interests of the data subjects.
  • Provide oversight the record of processing operations under the responsibility of the controller as one of the tools enabling compliance monitoring, informing, and advising the controller or the processor.
  • Document all decisions taken consistent with and contrary to advice given; and
  • Offer consultation once a data breach or other incident has occurred.


Privacy Essentials

Principles of Data Processing

Article (5)(1) of the GDPR covers the principles of data processing. We are mindful of these principles at all times, both when processing data as a Data Controller and a Data Processor. We ensure that Personal Data is:

  • processed lawfully and fairly and that we are transparent about how and why we process data
  • only collected when there is a specific purpose to do so and that we do not further process data in a manner that is incompatible with the original purpose
  • accurate and, where necessary, kept up to date
  • adequate, relevant and limited to what is necessary for the purpose for which it was collected
  • only kept for as long as it is necessary for the purpose for which it was collected
  • kept secure at all times and is protected against any unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures

As per Article (5)(2) of the GDPR we will ensure that we are able to demonstrate compliance with the above listed principles and be held accountable at all times.


Rights of Individuals

We are responsible for ensuring that processing does not infringe on the rights as laid down in data protection legislation. Please note that these are not absolute rights and certain exemptions, restrictions and limitations may apply. The following are the rights afforded to individuals:

Right to be informed: Individuals should always be informed about the use of their personal information; this is done by way of this Privacy Notice.

Right of access: Individuals have the right to access any information we hold about them by submitting an access request to us giving enough details so as we can process the request.

Right to rectification: Individuals have the right to have their information rectified if that information is inaccurate or incomplete.

Right to erasure: Individuals have the right to request that we erase their personal data.

Right to restrict processing: Individuals have the right to request that we restrict the processing of their personal information.

Right to data portability: Individuals have the right to be provided with a copy of the information we have on them in a structured, machine-readable and commonly used format.

Right not to be subject to automated decision making/profiling: In certain cases, individuals have the right not be subject to automated decision making or profiling.

Right to complain: Individuals have the right to complain to the Data Protection Commission (www.dataprotection.ie) about our collection and use of their Personal Data.

To exercise any of the above rights, individuals are asked to email us at jobs@eolas.ie, we may ask verification of their identity before responding to such requests.


Collection of Personal Data

How data is collected

Data is collected through the following channels:

  • when visiting our website, we collect certain information related to a device when personal
  • when individuals provide their details using any of the “Contact” pages on our website
  • data is emailed to us directly
  • through phone conversations or in person meetings
  • when provided by a third party, eg. a client
  • when individuals engage with us on social media


Types of data collected

We must collect certain information from individuals in order to provide our services. The table below relates solely to data that we process as a Data Controller. Details of data we process as a Data Processor will be documented in individual contracts with our clients.

Personal Data Type Description
Contact & Identity Name, address, email, phone number, occupation, job title
Communication & correspondence Email correspondence, phone communications, video conferencing calls
Financial data Invoicing and payment information
Web & social media Website: a device’s IP address, referring website, what pages a device visited, date and time of visit. Analytical information through Google Analytics

Social Media: photo, contact details, occupation, job title, qualifications

Recruitment Identity, contact details, date of birth, nationality, employment history, education and training details, salary expectations, work permit details, residency status, hobbies, references
Employee Data Details can be found in our internal policies


Use of Personal Data

We will use the collected data for the following purposes:

  • To deliver specific services
  • To process an application for a role
  • To facilitate the uploading of CVs and applications
  • To respond to a request for a job spec
  • To notify individuals about changes to our services.
  • To provide news, information on jobs available, and general information about our services
  • To fulfil our legal and contractual obligations and
  • To meet our obligations as an employer.


Lawfulness of Processing

As a Data Controller, we will determine the appropriate lawful basis for all processing of personal data. Here we provide further information about the legal grounds we have for processing Personal Data as a Data Controller:


Lawful Basis Details
Performance of a contract –      to contact clients in connection with our products/services under the contract

–      to contact clients regarding payments

–      to manage the products/services we provide, and

–      to process payments to and from our business

Consent –      to operate cookies on our website
Legitimate Interests When using this lawful basis, we will ensure that the legitimate interest pursed does not infringe on any privacy right. Our legitimate interests include:

–        providing the best services to our customers

–        running recruitment campaigns for our clients

–        facilitating individuals to apply for roles advertised

–        interacting with applicants

–        conducting analytics and research on our products and services so that we can continuously improve

–        protecting our intellectual property rights

–        promoting and growing our business

–        sourcing and recruiting the best staff possible

–        ensuring the security of our website and our products and services

Legal Obligation –        to meet our legislative and regulatory requirements

–        to maintain proper accounts

–        to fulfil our obligations as an employer

–        to report to law enforcement any actions we deem to be illegal


Data Sharing and Transfers

We do not sell any personal information, nor do we share it with unaffiliated third parties unless we are required to do so by law. We will ensure that any information passed to third parties conducting operational functions on our behalf will be done with respect for the security of personal data and will be protected in line with data protection law.

Ways in which we may share personal information include:

  • To engage professional services of third parties, such as IT providers, auditors, solicitors or any other such business advisers. Any such parties are bound by confidentiality
  • With our insurers or assessors when providing or reviewing information in the event of an incident occurring
  • With our clients where applicants have applied for specific roles advertised
  • With referees listed on an application when authorised by the applicant
  • With any relevant, authorised third parties as part of a business merger or acquisition, any such parties will be bound by a duty of confidentiality.

We do not transfer personal data outside the EEA (European Economic Area).


Security & Retention of Personal Data

We will always ensure the confidentiality, integrity, availability, and resilience of personal data we store.  We are obliged to protect the data from inadvertent destruction, amendment, loss, disclosure, corruption, or unlawful processing. We have appropriate technical and organisational measures in place to protect all data. However, please be aware that the transmission of data over the internet will never be fully without risk.

Personal Data will be retained securely by us for as long as it is relevant and necessary for the purpose for which it was collected.


Eolas as a Data Processor

In certain instances when providing our services, we will process personal data on behalf of our clients, and they will be the Data Controller.  If personal data is provided to us at any time or we have access to the data, we are obliged to comply with the current data protection laws.

Where we are acting as a Data Processor, we act solely on the instruction of the Data Controller, we do not change the purpose and the means in which the data is used. At the commencement of each engagement, we will determine whether personal data will be provided and, if so, what type and the purposes for which we may process that data.  We also have the right to object to receiving any personal data if we believe that such data has been collected or is being used in breach of the law.

As a Data Processor, we will:

  • Not engage another Processor without the Controller’s written consent
  • Process Personal Data only on written instructions from the Controller
  • Ensure that anyone who is authorised to process Personal Data is committed to confidentiality
  • Implement the “appropriate technical and organisational measures” required by Article 32 of the GDPR and provide sufficient guarantees to the Controller that we have done so. In addition, we will:
    • Help the Controller meet their obligations to fulfil Data Subjects’ rights
    • Help the Controller comply with the GDPR’s requirements relating to:
      • Security
      • Data breach notification
      • DPIAs (data protection impact assessments), and
      • Prior consultation.
    • Delete or return all Personal Data to the Controller after processing it, and delete any copies unless the law or contractual provisions require us to keep it; and
    • Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.


Data Subject Access Requests (DSARs)

An individual has the right to be informed whether we hold data/information about them and to be given a description of the data together with details of the purposes for which their data is being kept.  The individual must make this request to us in writing, and we will accede to the request within one month having first verified the identity of the requester to ensure the request is legitimate.

Where a subsequent or similar request is made soon after a request has just been dealt with, it is at the discretion of the controller whether or not it needs to comply with the second request. This will be determined on a case-by-case basis. In cases where we process a large quantity of information concerning the data subject, we may request that, before the information is delivered, the data subject specify the information or processing activities to which the request relates.

No personal data can be supplied relating to another individual unless that third party has consented to the disclosure of their data to the applicant.  Data will be carefully redacted to omit references to any other individual and only where it has not been possible to redact the data to ensure that the third party is not identifiable, we must refuse to furnish the data to the applicant.

Once we have verified the identity of the requester and the request is not deemed to be manifestly unfounded or excessive, we will comply with the request at no charge to the data subject and within one month.


Personal Data Breaches

Article 4(12) GDPR defines a ‘personal data breach’ as:

“a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”

Staff at Eolas are trained to recognise a breach and are instructed to inform their management immediately if they suspect a breach has occurred or have evidence of a potential breach. It will then be escalated to senior management and the DPO as required.

Eolas has a Data Breach Response Plan in place which will be followed by the DPO and relevant staff members in the event of a breach being reported either internally or from a third-party.


Children’s Data

We do not knowingly collect Personal Data from children and none of our Services are targeted at children. If individuals are a parent or guardian and individuals are aware that their child has provided us with personal data, they must contact us and we will take steps to remove that information from our systems.



This Privacy Policy will be reviewed at least annually or in line with any legislative changes or updates to internal processes.

Upload your CV

  • Send us your CV and we'll be in touch with jobs relevant to you.

  • Accepted file types: pdf, doc, docx, Max. file size: 10 MB.
    Friendly advice to all candidates - ‘Keep it Simple’. We use an automatic scanner to capture your CV, and key details. We then transfer this info to our database. Automated scanners are not compatible with CV’s drafted on powerpoint or with images, or excessive in design. Please use where possible standard word documents for CV formatting and submission where possible. This will maximise your details being retrieved in searches for job roles that fit with your skills and experience. Thank you.
  • In order to submit this form you'll need to agree with our Privacy Policy
× Speak with our team