Why GDPR Matters for Cleaning Companies
Cleaning companies are not the first businesses that come to mind when people think about data protection. But cleaning contractors have unique and significant data protection exposure that many overlook until a problem occurs.
Consider what a typical cleaning operative encounters during a shift: they enter premises using keys or access codes entrusted to them by the client. They work in offices where confidential documents may be left on desks, screens may display sensitive information, and filing cabinets may be unlocked. They clean areas covered by CCTV, meaning their movements are recorded. They may empty shredding bins, handle post, and access server rooms, boardrooms, and executive offices. In healthcare settings, they work around patient records. In legal and financial offices, they work around client files subject to legal professional privilege or financial confidentiality.
This level of access creates data protection obligations for both the cleaning company and its clients. The General Data Protection Regulation (GDPR), as applied in Ireland through the Data Protection Act 2018 and enforced by the Data Protection Commission (DPC), imposes specific requirements on organisations that process personal data — and cleaning companies process more personal data than most realise.
Personal Data That Cleaning Companies Process
Cleaning companies process personal data in two categories: data about their own employees and data they encounter or are entrusted with during service delivery.
Employee Data
- Recruitment data — CVs, application forms, interview notes, references
- Employment records — Contracts, emergency contacts, next of kin, bank details for payroll
- Garda vetting results — Criminal offence data (GDPR Article 10, processed under the safeguards in section 55 of the Data Protection Act 2018 rather than as Article 9 special category data), obtained under the National Vetting Bureau (Children and Vulnerable Persons) Act 2012 for roles that require it, such as cleaning in hospitals, care settings and schools
- Health data — Occupational health assessments, absence records, COVID-19 declarations (if retained)
- Timekeeping data — Clock-in/clock-out records, site attendance logs and, where a mobile app is used, GPS location data (location tracking is systematic monitoring of staff: restrict it to working time, tell staff exactly what is collected and why, and carry out a Data Protection Impact Assessment before switching it on)
- Training records — COSHH training, manual handling, fire safety, GDPR awareness
Client-Related Data
- Key holding records — Which staff hold keys to which premises, alarm codes, access PINs
- Client contact details — Names, phone numbers, email addresses of client contacts
- Site access logs — Records of when cleaning staff entered and exited client premises
- CCTV awareness — Cleaning staff are data subjects captured on client CCTV systems
- Incidental exposure — Documents, screens, conversations witnessed during cleaning
DPC Registration and Records of Processing
Under GDPR, there is no formal “registration” requirement with the Data Protection Commission in the way the old Data Protection Acts required. However, GDPR imposes obligations that are more substantive than simple registration:
- Article 30: Records of Processing Activities (ROPA) — Every cleaning company must maintain a written record of all processing activities. This includes the categories of data processed, the purposes, the legal basis, retention periods, and any transfers to third parties. The DPC can request this record at any time.
- Data Protection Officer (DPO) — Article 37 requires a DPO only where the company’s core activities involve large-scale processing of special category or criminal offence data, or large-scale, regular and systematic monitoring of individuals. Processing the company’s own HR data, including Garda vetting of its own staff, is generally treated as an ancillary activity rather than a core one, so most cleaning companies are not legally required to appoint a DPO. Mid-to-large companies should still designate a named data protection lead, and a company that offers location-tracked or monitored services across many client sites should revisit the question.
- Privacy notices — The company must provide privacy notices to employees (explaining how their data is processed) and should make its privacy policy available to clients and website visitors.
Data Processing Agreements with Clients
When a cleaning company processes personal data on behalf of a client and under the client’s instructions, it is acting as a processor and a Data Processing Agreement (DPA) meeting the requirements of GDPR Article 28 is mandatory. Whether purely incidental exposure to documents on a desk makes the cleaning company a processor is debatable, and some clients handle that exposure through confidentiality clauses alone, but in practice a DPA covering key holding, access credentials and incidental access is now standard in commercial cleaning contracts, particularly for healthcare, legal, financial and public sector clients.
A DPA for cleaning services should cover:
- Scope of processing — What personal data the cleaning company may encounter (key holder details, alarm codes, incidental access to documents)
- Security measures — How the cleaning company protects data (key management, staff vetting, confidentiality training, clean desk compliance)
- Confidentiality obligations — Staff confidentiality clauses, prohibition on photographing documents or screens
- Sub-processor rules — If the cleaning company uses sub-contractors, the client must approve them and equivalent protections must apply
- Breach notification — The cleaning company must notify the client without undue delay of any data incident
- Data return/deletion — At contract end, all client data (key records, access codes, site plans) must be returned or securely destroyed
- Audit rights — The client may audit the cleaning company’s data protection compliance
Many facilities managers now include a DPA as a schedule to the cleaning contract. Cleaning companies that cannot provide or sign a DPA will increasingly lose contracts to competitors who can.
Key Holding and Access Security
Key holding is one of the highest-risk activities for cleaning companies. Keys provide physical access to premises where personal and commercial data is stored. A lost or stolen key is always a security incident, and it becomes a personal data breach if it enables (or cannot be shown not to have enabled) unauthorised access to personal data. The key register itself is also personal data about your staff and belongs in the Records of Processing Activities.
Best practice for key holding:
- Maintain a key register documenting every key issued: site (by code, never by address on the key), person issued to, date issued, date returned
- Use coded key tags — never label keys with client names or addresses
- Store keys in a secure key safe when not in use, with access limited to authorised supervisors
- Ask the client to change alarm codes and revoke access cards or PINs immediately when a staff member leaves or is reassigned; the codes belong to the client, so agree this procedure with them in advance rather than relying on it happening on the day
- Report lost keys immediately to the client and your insurer — treat this as a security incident
- Use digital access systems where available (proximity cards, mobile access), as these provide audit trails and can be deactivated remotely; note that those audit trails are themselves personal data about your staff, so agree with the client who holds them, for how long, and for what purposes they may be used
- Include key holding procedures in the Data Processing Agreement
CCTV and Cleaning Staff
Most commercial premises now operate CCTV systems. Cleaning staff working on these premises are data subjects whose images are captured and stored. This creates obligations for both the client (as the CCTV data controller) and the cleaning company.
The client should inform the cleaning company that CCTV is in operation and provide access to their CCTV privacy notice. The cleaning company should inform staff that CCTV operates on client sites (as part of employment documentation). Cleaning staff have the right to request footage of themselves by way of a Subject Access Request (SAR), but the request goes to the client as controller of the CCTV system, not to the cleaning company, which should tell staff how to make it. CCTV footage must not be used for purposes beyond those stated in the CCTV policy: security footage should not be used for performance management of cleaning staff unless this is explicitly stated in the policy and staff have been told, and even then only where it is lawful and proportionate.
Staff Data Obligations
Cleaning companies process significant volumes of employee personal data. GDPR requires:
- Lawful basis for processing — Employment contract (Article 6(1)(b)) for most HR data; legal obligation (Article 6(1)(c)) for tax, PRSI and health and safety data; legitimate interests (Article 6(1)(f)) for operational management, balanced against staff expectations; for Garda vetting, the legal obligation under the vetting legislation (Article 6(1)(c)) together with the Article 10 / section 55 safeguards for criminal offence data. Do not rely on consent for vetting: consent is rarely freely given in an employment relationship and a refusal would not remove the statutory requirement
- Data minimisation — Only collect data that is necessary. Do not retain CVs of unsuccessful candidates beyond 12 months. Do not collect data “just in case.”
- Retention limits — Define and enforce retention periods. Employment records: 7 years after leaving is common practice, which covers the 6-year Revenue retention period and the limitation periods for most employment claims. Garda vetting: re-vet on a fixed cycle (3 years is common practice and many client contracts specify it) and destroy superseded results; retain only the disclosure outcome and date, not the full disclosure, once a decision has been made. Payroll: 6 years (Taxes Consolidation Act). Timekeeping: 3 years (Organisation of Working Time Act).
- Employee privacy notice — Provide every employee with a clear privacy notice explaining what data is collected, why, how long it is retained, and their rights.
- Subject Access Requests (SARs) — Employees can request copies of all personal data held about them, including supervisor notes and disciplinary records. The company must respond within one month, extendable by a further two months for complex or numerous requests provided the employee is told of the extension within the first month.
Breach Procedures
Data breaches in a cleaning company context include:
- Lost or stolen keys to client premises
- Disclosed alarm codes or access credentials
- Staff member reading, photographing, or removing confidential documents
- Lost mobile phone containing client contact details or site information
- Email sent to wrong recipient containing employee or client data
- Unauthorised access to HR files or payroll records
- Laptop or USB drive containing data lost or stolen
The breach response procedure should follow these steps:
- Contain — Immediately contain the breach (have the client change or rekey locks, deactivate access cards and codes, remotely wipe or lock lost devices, isolate affected systems)
- Assess — Determine what data was affected, how many individuals, and the severity
- Notify the client — If client data is involved, notify the client immediately (as required by the DPA)
- Notify the DPC — If the breach poses a risk to individuals’ rights and freedoms, notify the DPC within 72 hours of becoming aware of it. Where the cleaning company is acting as processor for client data, the client as controller makes the DPC notification; the cleaning company’s duty is to inform the client quickly enough for that deadline to be met. For breaches of the cleaning company’s own employee data, the cleaning company is the controller and notifies the DPC itself
- Notify affected individuals — If the breach poses a high risk to them (for example, bank details or home addresses exposed), notify the individuals directly and without undue delay
- Record — Document the breach in the breach register, regardless of whether notification was required
- Review — Conduct a root cause analysis and implement preventive measures
Practical Steps for Cleaning Companies
Achieving GDPR compliance does not require a legal team. These practical steps will bring most cleaning companies into compliance:
- Appoint a data protection lead — One person responsible for data protection (can be a director in a small company)
- Create your Records of Processing Activities — A spreadsheet listing all personal data you process, why, the legal basis, and retention periods
- Write an employee privacy notice — Give it to every employee at induction
- Write a website privacy policy — Published on your website, covering cookies, contact form data, and marketing
- Implement a key management procedure — Coded tags, secure storage, change management, loss reporting
- Add confidentiality clauses to employment contracts — Covering client premises access and information encountered during cleaning
- Train all staff on GDPR awareness — Annual refresher covering: do not read/photograph documents, report incidents, understand confidentiality
- Prepare a Data Processing Agreement template — Ready to provide or sign when clients request one
- Create a breach response procedure — Documented, tested, and known to all supervisors
- Review data retention — Delete data you no longer need. Set calendar reminders for retention review dates.
Frequently Asked Questions: GDPR for Cleaning Companies
Do cleaning companies need to register with the DPC?
GDPR does not require formal registration, but cleaning companies must maintain Records of Processing Activities (Article 30), provide privacy notices to employees and website visitors, and comply with all GDPR obligations. The DPC can request evidence of compliance at any time.
Why does GDPR matter for cleaning companies?
Cleaning staff access premises outside business hours, hold keys and alarm codes, encounter confidential documents, and work in CCTV-monitored areas. This creates significant data protection exposure for both the cleaning company and its clients.
What is a data processing agreement?
A DPA is a legally required contract (GDPR Article 28) between client and cleaning company setting out how personal data encountered during service delivery is protected. It covers security measures, confidentiality, breach notification, and data deletion at contract end.
How should cleaning companies handle keys and alarm codes?
Use coded key tags (never labelled with addresses), store in secure key safes, maintain a key register, change alarm codes when staff leave, report losses immediately, and include key holding in the Data Processing Agreement.
What counts as a data breach for a cleaning company?
Lost keys, disclosed alarm codes, staff reading or photographing confidential documents, lost mobile phones with client data, email sent to wrong recipients, and unauthorised access to HR or payroll records are all data breaches that must be documented and may require DPC notification within 72 hours of becoming aware of them. Where the breach involves client data, the client is notified first and, as controller, decides on and makes the DPC notification.
Do cleaning staff need GDPR training?
Yes. All staff should receive annual GDPR awareness training covering: not reading or photographing documents, not accessing computers, reporting any data incidents immediately, understanding their confidentiality obligations, and proper handling of keys and access codes.