GDPR in Ireland: Your Privacy Rights Explained (2026 Guide)
Ireland sits at the heart of European data protection. As the EU headquarters for tech giants like Meta, Google, Apple, and TikTok, the Irish Data Protection Commission (DPC) plays an outsized role in enforcing the General Data Protection Regulation (GDPR) across all of Europe. If you live in Ireland, this means you have some of the strongest digital privacy rights in the world—but understanding how to use them is another matter entirely.
This guide explains exactly what GDPR means for Irish residents, what rights you can exercise today, and how to take action if your personal data has been mishandled.
What Is GDPR and How Does It Apply in Ireland?
The General Data Protection Regulation (GDPR) is an EU law that came into force on 25 May 2018, granting individuals strong rights over their personal data. In Ireland, GDPR is implemented through the Data Protection Act 2018, which works alongside the regulation to provide a complete legal framework for privacy protection.
The law applies to any organisation—Irish or foreign—that processes the personal data of people in Ireland. This includes everything from your local GP surgery to multinational social media platforms. Personal data covers a broad range: names, email addresses, IP addresses, location data, biometric information, health records, and even online identifiers like cookies.
Why Ireland Matters for Global Privacy
Because so many US tech companies have their EU headquarters in Dublin, the Irish DPC is the lead supervisory authority for cross-border investigations under the GDPR's "one-stop-shop" mechanism. Major fines issued from Ireland have included €1.2 billion against Meta (2023) and €345 million against TikTok for children's data violations.
Your 8 Core Privacy Rights Under GDPR
GDPR grants every Irish resident eight specific rights when it comes to personal data. Understanding each one is the first step to taking control of your digital life.
1. The Right to Be Informed
You have the right to know what data is being collected, why, how long it will be stored, and who it will be shared with. This is typically delivered through privacy notices and cookie banners. If a notice is unclear, vague, or hidden, the controller may be in breach.
2. The Right of Access (Subject Access Request)
You can ask any organisation for a copy of all personal data they hold about you. They must respond within one month, free of charge in most cases. This is one of the most powerful tools in the GDPR toolkit.
3. The Right to Rectification
If data held about you is inaccurate or incomplete, you can demand it be corrected without undue delay.
4. The Right to Erasure ("Right to Be Forgotten")
You can request deletion of your personal data when it's no longer necessary, when you withdraw consent, or when it's been processed unlawfully. There are exceptions for legal obligations and public interest.
5. The Right to Restrict Processing
You can ask an organisation to pause the use of your data while a dispute is resolved—for example, while accuracy is being verified.
6. The Right to Data Portability
You can receive your data in a structured, commonly used, machine-readable format and transfer it to another service. This applies to data you've provided based on consent or contract.
7. The Right to Object
You can object to processing for direct marketing at any time, and the organisation must stop immediately. You can also object to processing based on legitimate interests.
8. Rights Related to Automated Decision-Making
You have the right not to be subject to decisions made solely by automated processing—including profiling—where they produce legal or similarly significant effects on you.
GDPR Rights at a Glance
| Right | Response Time | Cost | Common Use Case |
|---|---|---|---|
| Access | 1 month | Free (usually) | See what Facebook knows about you |
| Erasure | 1 month | Free | Delete an old online account |
| Rectification | 1 month | Free | Fix incorrect bank records |
| Portability | 1 month | Free | Move data between services |
| Object (Marketing) | Immediate | Free | Stop spam emails |
| Restriction | 1 month | Free | Pause processing during dispute |
How to Make a Subject Access Request in Ireland
A Subject Access Request (SAR) is your most practical privacy tool. Here's exactly how to file one in 2026:
- Identify the data controller. Find the company's privacy policy and look for a "Data Protection Officer" or privacy contact email.
- Write your request. State clearly that you are making a Subject Access Request under Article 15 of the GDPR. Include your full name and any account identifiers.
- Verify your identity. The controller may ask for proof—provide only what's strictly necessary.
- Specify what you want. You can request all data, or narrow it to specific categories (emails, location history, purchase records).
- Wait up to one month. If the request is complex, they can extend by two more months but must notify you.
- Review the response. Check for completeness. If something is missing or refused, you can escalate.
How to File a Complaint with the Irish DPC
If an organisation fails to respond to your request, mishandles your data, or you suspect a breach, you can lodge a complaint with the Data Protection Commission free of charge.
Step-by-Step Complaint Process
- Try direct resolution first. Contact the organisation's DPO and give them a reasonable chance to fix the issue.
- Gather evidence. Save emails, screenshots, dates, and copies of any requests you made.
- Visit dataprotection.ie. Use the online complaint form, or post a written complaint to the DPC offices in Dublin or Portarlington.
- Describe the issue clearly. Explain what happened, what right was violated, and what outcome you want.
- Cooperate with the investigation. The DPC may ask follow-up questions or request additional documentation.
The DPC has the power to issue reprimands, order data deletion, ban processing activities, and impose fines of up to €20 million or 4% of global annual turnover—whichever is higher.
Special Categories: Sensitive Data Protections
Certain types of data receive enhanced protection under Article 9 of GDPR. These "special category" data require explicit consent or another specific legal basis to process:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic and biometric data
- Health data
- Data concerning sex life or sexual orientation
If a company collects any of this without a clear lawful basis, they're likely in breach of GDPR.
Children's Data Under Irish GDPR
Ireland set the digital age of consent at 16 years old—one of the highest in the EU. Below this age, parental consent is required for online services that rely on consent as their legal basis. The DPC's "Fundamentals for a Child-Oriented Approach to Data Processing" set strict expectations on platforms aimed at minors.
For parents wanting to take additional steps, our Children's Online Privacy Guide covers practical safeguards beyond what the law provides.
Cookies and ePrivacy in Ireland
Cookie consent in Ireland is governed by both GDPR and the ePrivacy Regulations 2011 (S.I. 336/2011). Websites must:
- Obtain prior consent before setting non-essential cookies
- Make it as easy to reject as to accept (no pre-ticked boxes)
- Provide clear information about each cookie's purpose
- Allow users to withdraw consent at any time
The DPC issued updated cookie guidance in 2020 and has begun active enforcement. Sites that use "dark patterns" to nudge users into accepting tracking can face penalties.
Data Breaches: What You're Entitled To
Under Article 33 of GDPR, organisations must report serious breaches to the DPC within 72 hours of becoming aware. If the breach poses a high risk to your rights and freedoms, they must also notify you directly without undue delay.
You're entitled to know:
- What categories of data were affected
- The likely consequences of the breach
- What measures the organisation is taking
- Contact details for further information
If you suffer material or non-material damage (including distress) due to a breach, you can claim compensation through the Irish courts under Section 117 of the Data Protection Act 2018.
Practical Privacy Tools to Complement Your Rights
Knowing your rights is essential, but proactive tools help reduce the data you expose in the first place. A privacy-first toolkit might include:
- A trusted URL shortener that doesn't track clicks across the web. Services like Lunyb let you share short links without exposing recipients to invasive ad-tech tracking.
- An encrypted email provider based in the EU (such as Proton Mail or Tuta).
- A reliable VPN with a strict no-logs policy.
- Privacy-focused browsers like Firefox or Brave with tracker blocking enabled.
For mobile users, our roundup of the Top 7 Privacy Tools for iPhone 2026 highlights apps that pair well with GDPR rights.
How Irish GDPR Compares to Other Frameworks
If you operate internationally or have family abroad, it's worth knowing how GDPR stacks up against other privacy laws. For example, Singapore's framework offers similar but distinct protections—we've covered this in detail in our Singapore PDPA guide.
| Feature | GDPR (Ireland) | UK GDPR | CCPA (California) |
|---|---|---|---|
| Max fine | €20M or 4% turnover | £17.5M or 4% turnover | $7,500 per violation |
| Right to erasure | Yes | Yes | Limited |
| Data portability | Yes | Yes | Yes |
| Age of consent | 16 | 13 | 13 (with parental for under) |
| Breach notification | 72 hours | 72 hours | Without unreasonable delay |
Common Mistakes That Weaken Your GDPR Rights
Even well-informed users undermine their own privacy by:
- Clicking "Accept All" on every cookie banner—giving consent you don't need to give
- Ignoring privacy policies when signing up for new services
- Reusing passwords across data controllers, amplifying breach impact
- Not following up when a SAR response is incomplete
- Assuming "free" services are free—you're often paying with data
FAQ: GDPR in Ireland
How long does a company have to respond to my GDPR request in Ireland?
Organisations have one calendar month from receipt of your request to respond. They can extend this by up to two further months for complex requests, but must inform you of the extension and the reasons within the original month.
Can I be charged a fee for a Subject Access Request?
No, in almost all cases SARs are free. A controller can only charge a "reasonable fee" for manifestly unfounded, excessive, or repetitive requests, or for additional copies. They must justify any fee they impose.
What's the difference between the DPC and the European Data Protection Board?
The Data Protection Commission (DPC) is Ireland's national supervisory authority. The European Data Protection Board (EDPB) is the EU-wide body that ensures consistent application of GDPR and resolves disputes between national authorities. The DPC is a member of the EDPB.
Can I sue a company directly under GDPR in Ireland?
Yes. Section 117 of the Data Protection Act 2018 gives you the right to take a data protection action in the Circuit Court or High Court for damages, including compensation for non-material damage like distress. You don't have to go through the DPC first.
Does GDPR apply to small Irish businesses?
Yes—GDPR applies regardless of company size. However, certain obligations (like appointing a Data Protection Officer or maintaining detailed records of processing activities) only apply to organisations that meet specific thresholds, such as those processing data on a large scale or handling special category data.
Final Thoughts
GDPR has transformed Ireland into one of the most privacy-empowered jurisdictions on Earth. The rights are robust, the enforcement is real, and the DPC continues to issue landmark decisions that ripple across the global tech industry. But these rights only matter if you use them. File that subject access request. Object to that marketing. Demand erasure when you close an account. Every action reinforces the principle that personal data belongs to the person, not the platform.
Privacy is not a one-time setting—it's an ongoing practice. Combine your legal rights with smart tools and good habits, and you'll be in a far stronger position than the average internet user in 2026.
Protect your links with Lunyb
Create secure, trackable short links and QR codes in seconds.
Get Started FreeRelated Articles
Singapore PDPA: Your Personal Data Protection Rights Explained
Singapore's PDPA grants individuals strong rights over their personal data, including access, correction, consent withdrawal, and data portability. This guide explains each right in detail and shows you how to exercise them effectively in 2026.
Australian Data Breach Notification Scheme: Complete 2026 Guide
A complete 2026 guide to Australia's Notifiable Data Breaches scheme, covering who must comply, the 30-day assessment rule, OAIC notification steps, and penalties up to $50 million. Learn how to build an NDB-ready response plan and reduce breach risk.
ICO Fines 2026: Biggest Data Protection Penalties in the UK
The ICO issued record-breaking fines in 2026, with penalties reaching £12.4m for data breaches, children's data misuse, and PECR violations. Here's a complete breakdown of the biggest UK data protection fines and how to avoid them.
OAIC Complaints: How to Report a Privacy Breach in Australia (2026 Guide)
The OAIC is Australia's national privacy regulator and the key body for lodging complaints about privacy breaches under the Privacy Act 1988. This guide explains exactly how to report a breach, what qualifies, the step-by-step complaints process, and what outcomes you can expect.