GDPR in Ireland: Your Privacy Rights Explained (2026 Guide)
Ireland sits at the heart of European data protection. Because most of the world's largest tech firms — Google, Meta, TikTok, Microsoft, X, Apple — have their EU headquarters in Dublin, the Irish Data Protection Commission (DPC) is the lead supervisory authority for hundreds of millions of users across Europe. That makes understanding your GDPR privacy rights in Ireland not just useful, but genuinely powerful.
This guide explains, in plain English, what the General Data Protection Regulation (GDPR) means for people living in Ireland, what rights you can actually exercise, how to make a complaint to the DPC, and what to do if a company misuses your personal data.
What is GDPR and how does it apply in Ireland?
The General Data Protection Regulation (GDPR) is an EU law, in force since 25 May 2018, that governs how personal data of individuals in the EU and EEA is collected, stored, used, and shared. In Ireland, the GDPR is given effect through the Data Protection Act 2018, which sits alongside the EU regulation and fills in national details such as the age of digital consent (16 in Ireland) and the powers of the Data Protection Commission.
GDPR applies to any organisation — Irish or otherwise — that processes the personal data of people in Ireland. That includes:
- Irish businesses, charities, schools, and public bodies
- EU companies offering services to Irish residents
- Non-EU companies (US, UK, Asia) targeting Irish customers
- Employers handling staff records
- Websites and apps using cookies or tracking
Who enforces GDPR in Ireland?
The Data Protection Commission (DPC), headquartered in Dublin with offices in Portarlington, is the independent regulator responsible for upholding data protection rights in Ireland. The DPC investigates complaints, audits organisations, and can issue fines of up to €20 million or 4% of a company's global annual turnover — whichever is higher.
What counts as "personal data" under Irish GDPR?
Personal data is any information that can identify a living individual, directly or indirectly. In an Irish context this includes:
- Name, home address, Eircode, phone number, email
- PPS number, passport number, driver's licence
- IP address, device ID, cookies, location data
- Bank details, Revenue records, salary information
- Photos, CCTV footage, voice recordings
- Online identifiers and behavioural profiles
A special category of "sensitive personal data" — including health data, racial or ethnic origin, religious beliefs, trade union membership, sexual orientation, and biometric data — receives even stronger protection and generally requires explicit consent to process.
Your 8 GDPR rights as an Irish resident
GDPR grants every person in Ireland eight specific, enforceable rights. Any organisation holding your data must honour these, usually within one month and free of charge.
| Right | What it means in practice |
|---|---|
| 1. Right to be informed | Companies must tell you what data they collect and why, usually via a privacy notice. |
| 2. Right of access (SAR) | You can request a copy of all personal data an organisation holds about you. |
| 3. Right to rectification | You can have inaccurate or incomplete data corrected. |
| 4. Right to erasure ("right to be forgotten") | You can ask for your data to be deleted in certain circumstances. |
| 5. Right to restrict processing | You can limit how a company uses your data while a dispute is resolved. |
| 6. Right to data portability | You can get your data in a machine-readable format and move it to another provider. |
| 7. Right to object | You can object to direct marketing, profiling, or processing based on legitimate interest. |
| 8. Rights around automated decision-making | You can demand human review of decisions made purely by algorithms (e.g. credit scoring). |
The Subject Access Request (SAR) — your most powerful tool
A Subject Access Request is a written request asking an organisation for a copy of the personal data it holds about you. In Ireland, an SAR:
- Can be sent by email, letter, or even social media
- Must be answered within 30 calendar days (extendable by 2 months if complex)
- Is free unless the request is "manifestly unfounded or excessive"
- Does not need to cite GDPR — but doing so makes the request unambiguous
You can address it to any company's Data Protection Officer (DPO). Major tech companies based in Ireland (Meta, Google, TikTok, LinkedIn) all have dedicated SAR portals.
Legal bases: when can companies process your data?
Under GDPR, an organisation must have at least one of six lawful bases before processing your personal data:
- Consent — freely given, specific, informed, and revocable
- Contract — necessary to deliver a service you've signed up for
- Legal obligation — required by Irish or EU law (e.g. Revenue, AML rules)
- Vital interests — to protect someone's life
- Public task — used by public bodies like the HSE or local councils
- Legitimate interests — balanced against your privacy rights
If none of these apply, the processing is unlawful — and you can complain.
Cookies, tracking, and Ireland's ePrivacy Regulations
Alongside GDPR, the ePrivacy Regulations 2011 (S.I. 336/2011) govern cookies and electronic marketing in Ireland. The DPC's 2020 guidance made it clear that:
- Pre-ticked boxes and "implied consent" are not valid
- Refusing cookies must be as easy as accepting them
- "Cookie walls" that force consent in exchange for access are generally unlawful
- Strictly necessary cookies (e.g. shopping cart, login session) don't need consent
This is why Irish websites now show proper "Accept / Reject All" banners — the days of a single "OK" button are over.
Protecting your data when sharing links online
Every time you click a shortened link, data can be collected — IP address, device, location, referrer. If you're sharing links professionally or want to keep your audience's data minimal, choose a privacy-respecting URL shortener. Lunyb is built with GDPR-friendly defaults, doesn't sell click data, and is a strong option for Irish businesses that want analytics without invasive tracking. For a deeper look, see our honest review of Lunyb or our wider 2026 URL shortener comparison.
How to make a GDPR complaint to the Irish DPC
If a company in Ireland — or one of the many EU-headquartered tech giants based here — has mishandled your data, you have the right to lodge a complaint with the Data Protection Commission. The process is free.
- Contact the organisation first. Email their DPO and clearly state the issue. Keep a paper trail.
- Wait for a response. They have 30 days. If they refuse, ignore you, or you're unhappy with the outcome, proceed.
- Gather evidence. Save emails, screenshots, dates, and copies of any privacy notices.
- Submit a complaint to the DPC. Use the online form at dataprotection.ie, or email info@dataprotection.ie, or post to: Data Protection Commission, 21 Fitzwilliam Square South, Dublin 2, D02 RD28.
- Cooperate with the investigation. The DPC may mediate, investigate formally, or refer the case to another EU regulator under the one-stop-shop mechanism.
Can you claim compensation?
Yes. Under Article 82 of GDPR and Section 117 of the Data Protection Act 2018, individuals in Ireland can sue for both material damage (financial loss) and non-material damage (distress, anxiety, reputational harm). Cases are heard in the Circuit Court, with awards typically ranging from a few hundred to several thousand euro for non-material harm — though larger awards are possible for serious breaches.
Notable GDPR enforcement actions in Ireland
The DPC has issued some of the largest GDPR fines in Europe. A few notable examples include:
| Company | Year | Fine | Reason |
|---|---|---|---|
| Meta (Facebook) | 2023 | €1.2 billion | Unlawful EU–US data transfers |
| TikTok | 2023 | €345 million | Children's data processing failures |
| Meta (Instagram) | 2022 | €405 million | Exposing children's contact details |
| | 2021 | €225 million | Transparency failures |
| | 2024 | €310 million | Behavioural advertising violations |
These cases show that GDPR enforcement in Ireland is real — and that ordinary complaints have triggered investigations leading to some of the world's largest privacy fines.
Practical tips to protect your data in Ireland
Knowing your rights is one thing; reducing exposure in the first place is another. Some practical steps:
- Use strong, unique passwords and enable two-factor authentication on Revenue, banking, and email accounts.
- Review app permissions regularly — does that game really need your contacts and location?
- Check Eircode-based marketing. Companies can't profile you by address without a lawful basis.
- Opt out of direct marketing. Register with the National Directory Database (NDD) opt-out for phone calls.
- Use privacy-focused tools — encrypted messaging (Signal), private browsers, and privacy-respecting link shorteners.
- Read privacy notices on any Irish site asking for sensitive info — especially health, employment, or financial data.
GDPR for Irish businesses: a quick checklist
If you run a small or medium business in Ireland, GDPR compliance is non-negotiable. A minimum baseline includes:
- Maintain a Record of Processing Activities (ROPA)
- Publish a clear, accessible privacy notice
- Identify a lawful basis for every type of processing
- Implement appropriate security (encryption, access control, backups)
- Have a documented data breach response plan — 72-hour reporting to the DPC is mandatory
- Train staff on data protection
- Sign Data Processing Agreements with any third-party processors (cloud, payroll, marketing)
- Appoint a Data Protection Officer if required (public bodies, large-scale monitoring, or sensitive data)
Brexit, the UK, and data transfers from Ireland
Because Ireland shares a land border and deep economic ties with the UK, data transfers between the two are common. Since Brexit, the UK is a "third country" under EU law, but the European Commission's adequacy decision (renewed in 2025) means Irish businesses can continue transferring personal data to the UK without additional safeguards — for now. Transfers to the US rely on the EU–US Data Privacy Framework, which remains under legal challenge.
Frequently Asked Questions
How long does a company have to respond to a GDPR request in Ireland?
Organisations must respond to Subject Access Requests and other GDPR rights requests within one month of receiving them. This can be extended by up to two additional months for complex or numerous requests, but they must inform you of the extension within the original 30 days.
Can I sue a company in Ireland for a GDPR breach?
Yes. Under Section 117 of the Data Protection Act 2018, you can bring a civil action in the Circuit Court for material and non-material damages — including distress and anxiety — caused by a breach of your data protection rights. You don't have to wait for a DPC decision first.
What is the age of digital consent in Ireland?
Ireland set the age of digital consent at 16 under the Data Protection Act 2018. This means children under 16 require parental consent before online services can lawfully process their personal data on the basis of consent.
Do small businesses in Ireland have to comply with GDPR?
Yes. GDPR applies regardless of company size. However, some obligations are scaled — for example, only certain organisations must appoint a Data Protection Officer or maintain detailed processing records. A sole trader collecting customer emails for newsletters still needs consent, a privacy notice, and reasonable security.
Does GDPR cover CCTV at home or in business in Ireland?
Domestic CCTV that only covers your own property is generally exempt under the "household exemption". However, if cameras capture public spaces, neighbours' property, or the street, GDPR applies. All business CCTV in Ireland is fully covered and requires signage, a clear purpose, retention limits, and a lawful basis.
Final thoughts
GDPR has fundamentally rebalanced the relationship between Irish citizens and the companies that collect their data. From the right to access your own information to the power to demand erasure, your privacy is now backed by some of the strongest legal protections in the world — and enforced by a regulator that has shown it isn't afraid to fine global giants billions of euro.
The most important step is simply knowing your rights exist. Whether you're requesting your Facebook data, objecting to marketing emails from an Irish retailer, or choosing privacy-respecting tools for your own work, GDPR is on your side. Use it.