GDPR in Ireland: Your Privacy Rights Explained (2026 Guide)
Ireland sits at the heart of European data protection. With most major US tech companies (Google, Meta, Apple, Microsoft, TikTok, and LinkedIn) running their EU headquarters from Dublin, the Irish Data Protection Commission (DPC) acts as the lead regulator for hundreds of millions of users across the European Economic Area. That makes understanding your GDPR privacy rights in Ireland not just useful, but essential.
This guide explains exactly what rights the General Data Protection Regulation (GDPR) gives you as a resident of Ireland, how those rights are enforced under the Data Protection Act 2018, and what practical steps you can take when a company misuses your personal information.
What Is GDPR and How Does It Apply in Ireland?
The General Data Protection Regulation (GDPR) is an EU-wide law that came into force on 25 May 2018. It governs how organisations collect, store, use, and share the personal data of individuals in the European Union. In Ireland, GDPR is implemented and supplemented by the Data Protection Act 2018, with enforcement carried out by the Data Protection Commission (DPC), based in Dublin.
GDPR applies whenever an organisation processes the personal data of someone in Ireland — regardless of where that organisation is based. A US-based app, an Australian retailer, or a British SaaS company all must comply with GDPR if they handle Irish residents' data.
What Counts as "Personal Data"?
Personal data is any information that can identify a living person, directly or indirectly. This includes:
- Name, address, phone number, and email address
- PPS number, passport number, and driving licence details
- IP addresses, cookies, and device identifiers
- Location data and browsing history
- Photos, voice recordings, and CCTV footage
- Health, biometric, and genetic data (special category)
- Political opinions, religious beliefs, and trade union membership (special category)
Your Eight Core GDPR Rights in Ireland
GDPR gives every person in Ireland eight legally enforceable rights over their personal data. Any organisation — public or private — that holds your information must respect these rights, usually free of charge and within one month of your request.
1. The Right to Be Informed
Organisations must clearly tell you what data they collect, why they collect it, how long they keep it, and who they share it with. This is typically delivered through a privacy notice or policy on a website.
2. The Right of Access (Subject Access Request)
You can ask any organisation for a copy of all personal data they hold about you. This is called a Subject Access Request (SAR). The organisation has 30 days to respond and cannot charge a fee unless the request is "manifestly unfounded or excessive."
3. The Right to Rectification
If data held about you is inaccurate or incomplete, you can demand correction. For example, you can require your bank, employer, or insurer to update incorrect personal details.
4. The Right to Erasure ("Right to Be Forgotten")
You can ask an organisation to delete your personal data when it is no longer necessary, when you withdraw consent, or when it has been processed unlawfully. This right is not absolute — exemptions exist for legal obligations, public interest, and freedom of expression.
5. The Right to Restrict Processing
You can require an organisation to pause processing your data while a dispute is being resolved — for example, while you contest the accuracy of the information held.
6. The Right to Data Portability
You can request your personal data in a structured, commonly used, machine-readable format (such as CSV or JSON) and transfer it to another service provider. This is particularly useful when switching banks, energy suppliers, or social media platforms.
7. The Right to Object
You can object to your data being used for direct marketing, profiling, or processing based on "legitimate interests." Once you object to direct marketing, the organisation must stop immediately.
8. Rights in Relation to Automated Decision-Making
You have the right not to be subject to a decision based solely on automated processing — including profiling — that produces legal or similarly significant effects. Examples include automated credit scoring or automated CV filtering.
The Six Lawful Bases for Processing Your Data
No organisation can process your personal data without a valid legal reason. Under GDPR, there are exactly six lawful bases, and the controller must choose one before collecting any information.
| Lawful Basis | When It Applies | Common Examples |
|---|---|---|
| Consent | You have given clear, specific permission | Email newsletter sign-ups, optional cookies |
| Contract | Necessary to fulfil a contract with you | Delivering an online order, processing payroll |
| Legal Obligation | Required by Irish or EU law | Revenue tax records, AML checks by banks |
| Vital Interests | To protect someone's life | Emergency medical treatment |
| Public Task | Carried out in the public interest | HSE, local councils, An Garda Síochána |
| Legitimate Interests | Necessary for the organisation's legitimate aims, balanced against your rights | Fraud prevention, internal IT security |
The Role of the Irish Data Protection Commission (DPC)
The Data Protection Commission is Ireland's independent supervisory authority for GDPR. Because so many global tech firms have their European HQ in Ireland, the DPC also acts as the "lead supervisory authority" for cross-border cases under GDPR's one-stop-shop mechanism.
What the DPC Does
- Investigates complaints from individuals
- Audits organisations and issues compliance guidance
- Imposes administrative fines up to €20 million or 4% of global turnover
- Cooperates with other EU regulators through the European Data Protection Board (EDPB)
- Provides resources, templates, and guidance at dataprotection.ie
Major DPC Enforcement Actions
The DPC has issued some of the largest GDPR fines in Europe, including:
- Meta (Facebook/Instagram): €1.2 billion fine in 2023 for unlawful EU–US data transfers
- TikTok: €345 million fine in 2023 for breaches affecting children's data
- WhatsApp: €225 million fine in 2021 for transparency failures
How to Make a Subject Access Request in Ireland
A Subject Access Request (SAR) is one of the most powerful tools at your disposal. Here is the step-by-step process recommended by the DPC.
1. Identify the data controller. Check the organisation's privacy policy for a Data Protection Officer (DPO) or dedicated email address (often dpo@company.ie or privacy@company.com).
2. Write a clear request. State your full name, contact details, and that you are making a request under Article 15 of GDPR. Specify the data or time period if helpful.
3. Verify your identity. The organisation may ask for proof of identity to prevent fraud, but cannot demand excessive documentation.
4. Wait up to one month. The controller must respond within 30 calendar days. Complex requests can be extended by a further two months with notice.
5. Review the response. Check it includes all categories of data, recipients, retention periods, and the source of the information.
6. Escalate if needed. If unsatisfied, complain to the DPC at dataprotection.ie/en/contact/how-make-complaint.
GDPR and Online Privacy: Cookies, Tracking, and URL Shorteners
One area where Irish users encounter GDPR most often is online tracking. The ePrivacy Regulations 2011 (currently being updated to align with GDPR) require websites to obtain consent before storing non-essential cookies on your device.
What a Compliant Cookie Banner Looks Like
- Clear, plain language explaining what cookies do
- Equal prominence for "Accept" and "Reject" buttons
- Granular control over categories (analytics, advertising, functional)
- No pre-ticked boxes
- Easy way to withdraw consent later
Link Tracking and Privacy
Every time you click a shortened link, the service provider can potentially record your IP address, device type, location, and referrer. Some shorteners insert advertising trackers or monetise click data. When choosing a URL shortener, look for one that minimises data collection, encrypts links over HTTPS, and clearly states its retention policy.
Privacy-focused tools like Lunyb are built around GDPR-friendly principles: minimal data collection, transparent analytics, and no third-party ad trackers attached to short links. If you are evaluating options, our 2026 buyer's guide to URL shorteners compares the main players on privacy as well as features. You can also read our independent review of Lunyb or compare it with Rebrandly's 2026 offering.
Data Breaches: Your Rights and Company Obligations
A personal data breach is any security incident that leads to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. Under GDPR, organisations operating in Ireland have strict reporting duties.
The 72-Hour Rule
Controllers must notify the DPC of a breach within 72 hours of becoming aware, unless the breach is unlikely to result in risk to individuals. If the breach poses a high risk to your rights and freedoms, the company must also notify you directly without undue delay.
What You Can Do After a Breach
- Change any compromised passwords immediately and enable two-factor authentication.
- Monitor bank statements and credit reports (the Central Credit Register is free to check).
- Be alert to phishing emails referencing the breached service.
- Lodge a complaint with the DPC if the organisation handled the breach poorly.
- Consider a civil claim for material or non-material damage under Article 82.
GDPR Fines and Penalties
| Tier | Maximum Fine | Types of Breach |
|---|---|---|
| Lower Tier | €10 million or 2% of global annual turnover | Administrative failures: poor record-keeping, missed breach notifications, failure to appoint a DPO |
| Upper Tier | €20 million or 4% of global annual turnover | Serious violations: unlawful processing, ignoring data subject rights, illegal international transfers |
Individuals can also seek compensation through the Irish courts under Section 117 of the Data Protection Act 2018, even where no financial loss occurred — distress and anxiety can themselves attract damages.
Special Protections for Children
Ireland set the digital age of consent at 16 years, which is higher than many EU countries. This means that for online services relying on consent, parental authorisation is required for anyone under 16. The DPC publishes a dedicated "Fundamentals for a Child-Oriented Approach to Data Processing," which platforms targeting Irish minors must follow.
Practical Steps to Protect Your Privacy in Ireland
- Review app permissions monthly on your phone — revoke any unused location, microphone, or contacts access.
- Use a reputable password manager and enable multi-factor authentication on banking, email, and government services like MyGovID.
- Reject non-essential cookies and consider a privacy-focused browser such as Firefox or Brave.
- Send periodic SARs to companies you suspect over-collect, especially data brokers and loyalty programmes.
- Use GDPR-friendly tools for everyday tasks like link sharing, file transfer, and email.
- Check the DPC website regularly for guidance updates and enforcement news.
Frequently Asked Questions
How do I file a GDPR complaint in Ireland?
You can complain to the Data Protection Commission via the online form at dataprotection.ie, by email to info@dataprotection.ie, or by post to 21 Fitzwilliam Square South, Dublin 2. The service is free, and you should first try to resolve the matter directly with the organisation involved.
How long does an organisation have to respond to my Subject Access Request?
Under Article 12 of GDPR, organisations must respond within one calendar month. For complex or numerous requests, they may extend this by a further two months but must notify you of the extension within the first month.
Can I be charged for a copy of my personal data?
Generally no. The first copy of your data must be provided free of charge. However, an organisation can charge a "reasonable fee" for additional copies or where requests are manifestly unfounded or excessive — though they must justify this position.
Does GDPR apply to small businesses and sole traders in Ireland?
Yes. GDPR applies to any organisation processing personal data, regardless of size. However, smaller businesses with fewer than 250 employees benefit from reduced record-keeping obligations, provided the processing is occasional and does not include special category data.
What is the difference between a data controller and a data processor?
A controller decides why and how personal data is processed (e.g. a hospital deciding to keep patient records). A processor handles data on the controller's behalf (e.g. a cloud hosting provider storing those records). Both have GDPR obligations, but controllers carry the greater share of responsibility for compliance.
Final Thoughts
GDPR has transformed Ireland into one of the most important data protection jurisdictions in the world. With the DPC issuing record-breaking fines and Irish residents enjoying some of the strongest digital rights anywhere, there has never been a better time to understand and exercise those rights.
Whether you are submitting your first Subject Access Request, choosing privacy-respecting tools, or pushing back against intrusive tracking, GDPR puts the power firmly in your hands. Stay informed, stay assertive — and remember that the Data Protection Commission is there to support you when companies fall short.