GDPR in Ireland: Your Privacy Rights Explained (2026 Guide)
The General Data Protection Regulation (GDPR) gives people in Ireland some of the strongest privacy rights in the world. Whether you're an Irish citizen, a resident, or simply someone whose data is processed by an Irish-based company, GDPR shapes how organisations must handle your personal information. Ireland holds a particularly important position in the EU's data protection landscape because the Data Protection Commission (DPC) acts as the lead supervisory authority for many of the world's largest tech firms, including Meta, Google, TikTok, and Apple.
This guide explains your GDPR privacy rights in Ireland, how to exercise them, what to do if a company refuses, and how to file a complaint with the DPC. By the end, you'll know exactly what you can ask for, who to contact, and what remedies are available when your data is mishandled.
What Is GDPR and How Does It Apply in Ireland?
GDPR is an EU regulation that came into force on 25 May 2018, governing how personal data is collected, stored, processed, and shared. In Ireland, GDPR is supplemented by the Data Protection Act 2018, which enacts the regulation into Irish law and establishes the Data Protection Commission as the national supervisory authority.
GDPR applies to:
- Any organisation established in Ireland that processes personal data, regardless of where the processing happens.
- Any organisation outside the EU that offers goods or services to people in Ireland or monitors their behaviour (such as through tracking cookies or targeted advertising).
- Public bodies, private companies, charities, and even sole traders who process personal data.
"Personal data" is defined broadly. It includes obvious identifiers such as your name, address, PPS number, or email, but also IP addresses, location data, biometric information, online identifiers, health records, and behavioural data.
Why Ireland Matters for Global Privacy
Because so many multinational tech companies have their European headquarters in Dublin, the Irish DPC frequently leads investigations that affect hundreds of millions of users across the EU. Major fines issued from Ireland in recent years include €1.2 billion against Meta, €345 million against TikTok, and significant penalties against WhatsApp and Instagram. This means that exercising your rights in Ireland can have ripple effects far beyond the country's borders.
Your Eight Core GDPR Rights in Ireland
GDPR grants every individual (called a "data subject") eight fundamental rights. Below is a breakdown of each, with practical guidance on how to use them in Ireland.
1. The Right to Be Informed
Organisations must tell you, in clear and plain language, what data they collect, why, how long they keep it, who they share it with, and what your rights are. This is usually delivered through a privacy notice or privacy policy. If a company's privacy policy is missing, vague, or buried, that's already a potential GDPR violation.
2. The Right of Access (Subject Access Request)
You can ask any organisation to give you a copy of all the personal data they hold about you. This is known as a Subject Access Request (SAR). The organisation must respond within one calendar month and provide the information free of charge in most cases.
A SAR can include emails mentioning you, CCTV footage, employment records, customer service notes, marketing profiles, and more.
3. The Right to Rectification
If data held about you is inaccurate or incomplete, you have the right to have it corrected. The organisation must act without undue delay, typically within one month.
4. The Right to Erasure ("Right to Be Forgotten")
You can ask for your personal data to be deleted in certain circumstances, such as when the data is no longer necessary, when you withdraw consent, or when the data has been processed unlawfully. This right isn't absolute — companies can refuse if they have legal obligations to retain the data (for example, tax or employment records).
5. The Right to Restrict Processing
You can ask an organisation to pause processing your data while a dispute is being resolved, for example, while you're contesting the accuracy of the data.
6. The Right to Data Portability
You can request your personal data in a structured, commonly used, machine-readable format (such as CSV or JSON), and have it transferred to another service provider where technically feasible.
7. The Right to Object
You have the right to object to processing based on legitimate interests or for direct marketing purposes. For direct marketing, the objection is absolute — the company must stop immediately.
8. Rights Related to Automated Decision-Making and Profiling
You have the right not to be subject to decisions made solely by automated means (including profiling) that have legal or similarly significant effects on you, unless specific conditions are met.
Quick Reference: Your Rights at a Glance
| Right | What It Lets You Do | Response Deadline |
|---|---|---|
| Be Informed | Know what data is collected and why | At point of collection |
| Access | Get a copy of your data | 1 month |
| Rectification | Correct inaccurate data | 1 month |
| Erasure | Have data deleted | 1 month |
| Restrict Processing | Pause data use during disputes | 1 month |
| Data Portability | Move data to another provider | 1 month |
| Object | Stop certain types of processing | Immediate for marketing |
| Automated Decisions | Demand human review | Case-dependent |
How to Make a GDPR Request in Ireland
Exercising your rights is straightforward, but following the right steps strengthens your position if a dispute arises. Here's a step-by-step process:
- Identify the data controller. This is the organisation that decides how and why your data is processed. Their contact details should appear in the privacy policy.
- Find the Data Protection Officer (DPO). Many organisations are required to appoint a DPO. Their contact details are usually listed in the privacy notice.
- Submit your request in writing. Email is fine. State clearly which right you're exercising (for example, "I am making a Subject Access Request under Article 15 GDPR").
- Provide proof of identity. Organisations may reasonably ask for ID to confirm you are who you say you are, but they cannot demand excessive documentation.
- Keep records. Save copies of every email, response, and timestamp. You'll need these if you complain to the DPC.
- Wait one month. The organisation has 30 days to respond. They can extend this by two further months for complex requests, but they must tell you why.
Sample SAR Email Template
"Dear [Company Data Protection Officer], I am writing to make a Subject Access Request under Article 15 of the General Data Protection Regulation. Please provide me with a copy of all personal data you hold about me, including the purposes of processing, recipients of the data, retention periods, and the source of the data if it was not collected from me directly. My details for identification are: [name, email, account ID]. I look forward to your response within one month. Kind regards, [Your Name]."
The Role of the Data Protection Commission (DPC)
The Data Protection Commission, headquartered in Dublin and Portarlington, is Ireland's independent regulator for data protection. It has three main functions:
- Supervision — Monitoring how organisations comply with GDPR.
- Enforcement — Investigating complaints, conducting audits, and issuing fines (up to €20 million or 4% of global annual turnover, whichever is higher).
- Guidance — Publishing advice for both individuals and organisations.
If an organisation refuses your request, ignores you, or you believe they've mishandled your data, you can lodge a complaint with the DPC free of charge.
How to File a Complaint with the DPC
- Try to resolve the issue with the organisation first. Document this contact.
- Visit dataprotection.ie and use the online complaint form, or write to: Data Protection Commission, 21 Fitzwilliam Square South, Dublin 2, D02 RD28.
- Include copies of your original request, the organisation's response (or lack thereof), and a clear description of the issue.
- The DPC will assess and may attempt amicable resolution, formal investigation, or refer the matter for cross-border cooperation if it involves a multinational.
GDPR and Online Tools: What to Watch For
Every website, app, or service you use in Ireland should respect GDPR — but compliance varies hugely. When choosing tools (such as analytics platforms, marketing services, or even URL shorteners), look for:
- A clear privacy policy that names a controller and DPO.
- Lawful basis for processing stated for each data type.
- EU-based or adequate-country data storage.
- Cookie banners that allow genuine choice (not dark patterns).
- Easy mechanisms to download or delete your data.
For example, when shortening links for marketing or sharing, privacy-aware platforms like Lunyb avoid intrusive third-party trackers and give users transparent control over their click data — a useful contrast to older shorteners that monetise through aggressive profiling. If you're comparing options, our 2026 buyer's guide to URL shorteners breaks down which providers handle GDPR responsibilities well and which fall short.
Common Misconceptions About GDPR in Ireland
"GDPR Only Applies to Big Companies"
False. A sole trader running an email list, a sports club holding member records, or a parish keeping a contact list all fall under GDPR. Size doesn't determine applicability — processing personal data does.
"I Need to Pay to Make a SAR"
False. SARs are free unless the request is "manifestly unfounded or excessive," in which case a reasonable fee may be charged. In practice, this is rare.
"Companies Can Refuse to Delete My Data"
Sometimes true. There are lawful exemptions — for example, financial records often must be retained for six years under Revenue rules. But companies must clearly explain their legal basis for refusal.
"GDPR Is Just About Cookies"
Cookies are a tiny part of it. GDPR covers every form of personal data processing, from CCTV to HR files to medical records.
Penalties and Enforcement Trends
The DPC has become one of the most active enforcement bodies in Europe. Key recent enforcement themes include:
- Cross-border data transfers (especially EU–US transfers post-Schrems II).
- Children's privacy on social platforms.
- Lawful basis for advertising and behavioural profiling.
- Transparency in privacy notices.
- Data breach notification failures.
For organisations, the message is clear: privacy must be embedded by design, not added as an afterthought.
Frequently Asked Questions
How long does a company have to respond to my GDPR request in Ireland?
One calendar month from the date the request is received. This can be extended by an additional two months for complex or numerous requests, but the organisation must inform you of the extension and the reason within the original month.
Can I make a GDPR request to a company outside Ireland?
Yes. GDPR applies to any organisation that offers goods or services to people in the EU or monitors their behaviour, regardless of where the company is based. You can also lodge a complaint with the Irish DPC if the company has its EU headquarters in Ireland or if you are based in Ireland.
What happens if a company ignores my GDPR request?
If a company fails to respond within the one-month deadline or refuses without valid justification, you can complain to the Data Protection Commission. The DPC can investigate, order the company to comply, and impose administrative fines of up to €20 million or 4% of global annual turnover.
Do I need a solicitor to file a GDPR complaint?
No. The DPC's complaint process is free and designed to be accessible to individuals without legal representation. However, for complex cases involving significant harm or compensation claims, professional legal advice can be helpful.
Are there any exceptions where GDPR doesn't apply?
Yes. GDPR does not apply to purely personal or household activities (for example, a personal address book), to anonymised data that cannot be linked back to an individual, or to data processed for national security purposes (which is governed by separate rules). Journalistic, academic, and artistic processing also benefits from certain exemptions under the Irish Data Protection Act 2018.
Final Thoughts
GDPR has fundamentally changed the balance of power between individuals and organisations that process personal data. In Ireland, with the DPC's leading role across the EU, residents enjoy strong protection — but those rights only matter if you actually use them. Submit a Subject Access Request to companies you no longer trust. Object to direct marketing. Ask for deletion when relationships end. Each request reinforces the culture of accountability GDPR was designed to create.
For more on building privacy-respecting digital habits, see our review of privacy-focused link tools and our analysis of major link management platforms to understand how the services you rely on stack up against GDPR's standards.
Protect your links with Lunyb
Create secure, trackable short links and QR codes in seconds.
Get Started FreeRelated Articles
Singapore PDPA: Your Personal Data Protection Rights Explained
Singapore's PDPA gives you enforceable rights over how organisations handle your personal data. This guide explains each right, how to exercise it, and how to file a complaint with the PDPC if your data is mishandled.
Australian Data Breach Notification Scheme: A Complete 2026 Guide
A complete 2026 guide to Australia's Notifiable Data Breaches scheme. Learn who it covers, what counts as an eligible breach, notification timeframes, penalties up to AUD $50 million, and how to build a compliance programme that actually works.
ICO Fines 2026: Biggest Data Protection Penalties in the UK
The ICO has issued record-breaking fines in 2026, with UK organisations facing penalties for data breaches, AI misuse, and PECR violations. We break down the biggest cases, key enforcement trends, and how to avoid joining the list.
PIPEDA vs GDPR: Canadian Privacy Law Explained (2026 Guide)
PIPEDA and GDPR both protect personal data, but they differ significantly in consent rules, enforcement, and penalties. This guide breaks down the key differences and shows Canadian businesses how to stay compliant with both.