Effective Date: 1st July 2024
Last Updated: 2nd October 2025

1. Introduction
1.1 This Privacy Policy governs the collection, processing, storage, and use of personal data by Obsidian Homecare Services Ltd, trading as Obsidian Healthcare Recruitment (“Obsidian Healthcare”) in all aspects of its operations within the Republic of Ireland.
1.2 Obsidian Healthcare provides healthcare recruitment services, including temporary and permanent placement of healthcare professionals across hospitals, residential services, community care, and specialist care settings, along with in-house operations, payroll, compliance, and portal-based services.
1.3 This Policy applies to all individuals whose personal data is processed, including candidates, agency workers, employees, clients, suppliers, and portal users (collectively, “Data Subjects”).
1.4 Obsidian Healthcare is committed to full compliance with the General Data Protection Regulation (EU 2016/679), the Data Protection Acts 1988–2018, and all applicable Irish legislation relating to the processing of personal data.
1.5 This Policy should be read alongside any other relevant company policies, including the Candidate Portal Addendum and Data Retention Policy. Continued use of our services, website, or Portal constitutes acknowledgment and acceptance of this Privacy Policy.

2. Data Controller
2.1 Obsidian Homecare Services Ltd, trading as Obsidian Healthcare Recruitment, is the Data Controller responsible for personal data processing.

2.2 The Data Protection Officer (DPO) is responsible for overseeing compliance with data protection laws and can be contacted at:
Email: gdpr@obsidianhealthcare.ie
Postal Address: 3rd Floor, 40 Mespil Road, Dublin 4, Ireland, D04 C2N4

2.3 The DPO acts as the primary contact for all Data Subject rights requests, complaints, and inquiries regarding personal data processing.

3. Categories of Personal Data Collected
3.1 Identity and Contact Data: full name, date of birth, gender, personal email, phone number, postal address, emergency contacts, and identification documents (passport, driving licence).
3.2 Professional and Employment Data: CV, qualifications, employment history, professional registrations and licenses, professional references, training records, and clinical competency documentation.
3.3 Compliance and Vetting Data: Garda Vetting information, occupational health assessments, immunisation records, drug and alcohol testing results, fitness to practice certificates, and other statutory compliance documentation.
3.4 Financial Data: bank account details, tax information, payroll records, invoices, and remuneration data necessary for legal and operational purposes.
3.5 Special Category Data: health information, criminal conviction data, sensitive personal information necessary to comply with statutory or regulatory obligations, including occupational health requirements and Garda Vetting.
3.6 Portal and Online Usage Data: login credentials, IP addresses, device information, session logs, portal activity, preferences, and cookies used for authentication, security, and analytics.

4. Sources of Personal Data
4.1 Data collected directly from the Data Subject via Portal registration, online forms, email, phone, WhatsApp, or social media messaging.
4.2 Data obtained from third parties, including reference providers, occupational health practitioners, regulatory bodies (e.g., NMBI), Garda Vetting Bureau, training providers, and other legally permissible sources.
4.3 Automatic data collection through website and Portal analytics, including cookies, login sessions, and usage metrics, to improve functionality and security.

5. Purposes of Processing
5.1 Registration, authentication, and secure access to the Obsidian Healthcare Portal.
5.2 Recruitment and placement of healthcare professionals by matching candidates to client requirements and scheduling shifts.
5.3 Compliance with statutory and regulatory obligations, including Garda Vetting, occupational health, immunisation, and licensing verification.
5.4 Payroll processing, tax compliance, and remuneration management.
5.5 Communication with candidates, employees, clients, and suppliers regarding services, placements, shifts, compliance, or operational matters.
5.6 Quality assurance, auditing, internal record-keeping, and service performance monitoring.
5.7 Risk management, fraud prevention, safeguarding, and verification of candidate eligibility.
5.8 Statistical analysis, service improvement, and Portal performance optimisation.
5.9 Marketing and referral communications, where explicit consent has been obtained.

6. Lawful Basis for Processing
6.1 Contractual Necessity: processing required to perform employment or service contracts.
6.2 Legal Obligation: processing necessary to comply with statutory obligations under Irish law.
6.3 Legitimate Interests: operational efficiency, service quality, recruitment, and compliance, provided these do not override individual rights.
6.4 Consent: explicitly obtained for optional communications, cookies, or automated profiling.

7. Portal-Specific and Automated Processing
7.1 Portal matching algorithms automatically analyse candidate profiles to suggest roles and schedule shifts.
7.2 Automated processing is designed to support decision-making but does not replace human oversight in recruitment, compliance, or employment decisions.
7.3 Candidates have the right to object to automated processing that significantly affects them.

8. Data Retention
8.1 Candidate and agency worker data is retained for a minimum of two years following last activity, unless longer retention is required by law.
8.2 Compliance and vetting documentation is retained in accordance with statutory and regulatory requirements.
8.3 Payroll and financial records are retained in accordance with employment, tax, and statutory obligations.
8.4 Portal usage logs and analytics data are retained for security, operational monitoring, and legal compliance purposes.
8.5 Data is securely deleted or anonymised once retention periods expire, unless legal or operational obligations necessitate continued storage.

9. Data Sharing
9.1 Personal data is shared solely to fulfil operational, contractual, or statutory requirements.

9.2 Data may be shared with:
9.2.1 Clients for placement purposes, strictly with consent or contractual necessity.
9.2.2 Regulatory bodies, Garda Vetting Bureau, NMBI, occupational health providers, and other statutory authorities.
9.2.3 Third-party service providers supporting payroll, IT, Portal operations, or HR services under contractual agreements.
9.2.4 In the event of a sale, merger, or acquisition of business assets, personal data may be transferred as part of the transaction.
9.2.5 To protect legal rights, prevent fraud, or comply with legal obligations.

9.3 Personal data will never be sold or used for marketing without explicit consent.

10. Security Measures
10.1 Technical and organisational safeguards include encryption, two-factor authentication, access controls, audit logging, and monitoring.
10.2 Physical records are stored securely in access-controlled facilities.
10.3 All staff with access to personal data receive GDPR and security training, and contracts include confidentiality obligations.

11. Special Category Data
11.1 Health, criminal conviction, and vetting data are collected and processed to comply with statutory and regulatory obligations.
11.2 This data is only accessible to authorised personnel for recruitment, placement, and compliance verification.
11.3 Sensitive data is never used for purposes outside recruitment, compliance, or legal obligations without explicit consent.

12. Rights of Data Subjects
12.1 Access: request a copy of all personal data held.
12.2 Rectification: correct inaccuracies or incomplete information.
12.3 Erasure: deletion of personal data, subject to legal obligations.
12.4 Restriction: temporarily suspend processing under certain conditions.
12.5 Objection: object to processing on grounds of legitimate interests or direct marketing.
12.6 Data Portability: receive personal data in a machine-readable format to transfer to another service.
12.7 Withdrawal of Consent: revoke any previously given consent, without affecting prior processing legality.
12.8 Right to Complain: lodge a complaint with Obsidian Healthcare or the Irish Data Protection Commission.
12.9 Rights may be subject to statutory or contractual restrictions.

13. Cookies and Online Tracking
13.1 Cookies are used for authentication, security, Portal analytics, and website performance.
13.2 Non-essential cookies require explicit consent, which can be withdrawn via browser settings.
13.3 Data collected through cookies is anonymised whenever possible and used solely for functional and security purposes.

14. Transfers Outside the European Economic Area
14.1 Personal data may be transferred and stored outside the EEA, currently limited to the United Kingdom, under adequacy decisions or contractual safeguards ensuring GDPR compliance.

15. Retention and Deletion
15.1 Personal data is retained only as long as necessary to fulfil recruitment, employment, payroll, compliance, and statutory obligations.
15.2 Data exceeding retention periods is securely deleted or anonymised unless legal obligations require otherwise.

16. Updates to this Policy
16.1 Obsidian Healthcare may update this Privacy Policy periodically to reflect legislative changes, operational adjustments, or Portal enhancements.
16.2 Users will be notified of material changes via the Portal or email.
16.3 Continued use of services constitutes acceptance of the revised Policy.

17. Contact Details
17.1 For data protection inquiries, exercise of rights, or complaints:

Data Protection Officer
Obsidian Homecare Services Ltd
Trading as Obsidian Healthcare Recruitment
3rd Floor, 40 Mespil Road, Dublin 4, Ireland, D04 C2N4
Email: gdpr@obsidianhealthcare.ie
Telephone: +353 (0)1 902 6767

Obsidian Homecare Services Ltd, trading as Obsidian Healthcare Recruitment. Registered in the Republic of Ireland CRO Number: 768132. Registered Office: 3rd Floor, 40 Mespil Road, Dublin 4, D04 C2N4, Ireland.