GDPR in Ireland: Your Privacy Rights Explained
Ireland plays an outsized role in European data protection. Because so many of the world's largest tech companies — Google, Meta, TikTok, Apple, LinkedIn, X and others — have their EU headquarters in Dublin, the Irish Data Protection Commission (DPC) is effectively the lead regulator for hundreds of millions of EU residents. For people living in Ireland, that proximity matters: the General Data Protection Regulation (GDPR) gives you strong, enforceable rights over your personal data, and the DPC is the body you turn to when those rights are ignored.
This guide explains what GDPR means in an Irish context, what your privacy rights are, how to exercise them, and the practical steps you can take to keep your personal information safe online in 2026.
What is GDPR and how does it apply in Ireland?
The General Data Protection Regulation (GDPR) is an EU-wide law that came into force on 25 May 2018. It sets out how organisations must collect, store, use and share personal data about individuals in the European Economic Area (EEA). In Ireland, GDPR is supplemented by the Data Protection Act 2018, which adapts certain provisions to Irish law and establishes the powers of the Data Protection Commission.
GDPR applies to any organisation — whether based in Ireland, elsewhere in the EU, or outside it — that processes the personal data of people in Ireland. That includes:
- Irish businesses of any size, from sole traders to multinationals.
- Public bodies such as the HSE, Revenue, local councils and An Garda Síochána.
- Foreign companies offering goods or services to Irish residents, or monitoring their behaviour (such as via cookies or tracking pixels).
What counts as "personal data"?
Personal data is any information that can identify a living person, directly or indirectly. In practice this is broader than many people expect, and includes:
- Name, address, Eircode and phone number.
- Email address and IP address.
- PPS number and bank details.
- Photographs, CCTV footage and voice recordings.
- Location data from a mobile phone.
- Online identifiers like cookies, device IDs and advertising IDs.
A separate category, special category data, receives extra protection. This covers health information, racial or ethnic origin, religious beliefs, political opinions, trade union membership, genetic and biometric data, and sexual orientation.
The seven core principles of GDPR
Every organisation handling your data in Ireland must follow seven principles. Understanding them helps you spot when something has gone wrong.
- Lawfulness, fairness and transparency — there must be a clear legal basis to process your data, and you must be told about it.
- Purpose limitation — data collected for one purpose cannot be reused for an unrelated purpose without a new basis.
- Data minimisation — only the data that is actually needed should be collected.
- Accuracy — data must be kept accurate and up to date.
- Storage limitation — data should not be kept longer than necessary.
- Integrity and confidentiality — data must be kept secure against loss, theft or unauthorised access.
- Accountability — the organisation must be able to demonstrate compliance.
Your eight privacy rights under GDPR in Ireland
GDPR gives every person in Ireland eight specific rights. You can exercise these directly with any company or public body that holds your data, free of charge in most cases.
1. The right to be informed
You have the right to know what data is being collected about you, why, how long it will be kept, who it is shared with, and what your other rights are. This is normally delivered through a privacy notice or privacy policy on a website.
2. The right of access
You can ask any organisation for a copy of all the personal data it holds about you. This is called a Subject Access Request (SAR). The organisation has one month to respond, and in most cases it cannot charge a fee.
3. The right to rectification
If data about you is wrong or incomplete, you can require it to be corrected.
4. The right to erasure ("right to be forgotten")
In certain circumstances — for example, if the data is no longer needed, or you withdraw consent — you can ask for your data to be deleted.
5. The right to restrict processing
You can ask an organisation to pause processing your data while a dispute (for example, about accuracy) is being resolved.
6. The right to data portability
You can request your data in a structured, commonly used, machine-readable format so you can move it to another provider — handy when switching banks, energy providers or social platforms.
7. The right to object
You can object to processing based on legitimate interests or public task, and you have an absolute right to object to direct marketing.
8. Rights related to automated decision-making and profiling
You have the right not to be subject to a decision based solely on automated processing — including profiling — that produces legal or similarly significant effects. This is increasingly relevant in the age of AI-driven credit scoring, insurance pricing and recruitment tools.
The role of the Data Protection Commission (DPC)
The Data Protection Commission, headquartered in Dublin, is Ireland's independent supervisory authority for GDPR. Its responsibilities include:
- Handling complaints from individuals about how their data is processed.
- Investigating organisations suspected of breaching GDPR.
- Issuing fines, reprimands and binding orders.
- Acting as the "lead supervisory authority" for many Big Tech firms with EU headquarters in Ireland.
- Providing guidance to businesses and the public.
The DPC has issued some of the largest GDPR fines in EU history, including multi-billion-euro penalties against major social media platforms for breaches involving international data transfers, behavioural advertising, and the protection of children's data.
How to make a GDPR complaint in Ireland
If you believe an organisation has mishandled your data, you have a clear escalation path.
- Contact the organisation first. Send a written request to the company's Data Protection Officer (DPO) or privacy contact. Be specific about what right you are exercising and what outcome you want.
- Wait for a response. They generally have one month to reply. They can extend this by two more months for complex requests, but must tell you why.
- Escalate to the DPC. If you do not receive a satisfactory response, you can lodge a complaint with the Data Protection Commission via their website at dataprotection.ie. There is no fee.
- Seek a judicial remedy. You also have the right to take a case to the Irish courts and to claim compensation for material or non-material damage caused by a GDPR breach.
GDPR fines: what organisations risk
GDPR penalties are significant, which is part of why companies take Irish enforcement so seriously.
| Tier | Maximum fine | Examples of breach |
|---|---|---|
| Lower tier | €10 million or 2% of global annual turnover (whichever is higher) | Failing to keep records, not appointing a DPO when required, not reporting a breach in time |
| Higher tier | €20 million or 4% of global annual turnover (whichever is higher) | Breaching core principles, ignoring data subject rights, illegal international transfers |
Cookies, tracking and ePrivacy in Ireland
Most Irish websites display a cookie banner — and that is not just for show. Cookies and similar tracking technologies are regulated by the ePrivacy Regulations 2011, which work alongside GDPR. Key points the DPC has emphasised:
- Non-essential cookies (analytics, advertising, social plugins) require prior, opt-in consent. Pre-ticked boxes and "continued browsing" are not valid consent.
- Rejecting cookies must be as easy as accepting them — a "Reject All" option should appear on the first layer of the banner.
- Consent must be specific, informed and freely given. Cookie walls that force consent in exchange for access are generally not acceptable.
If a website you use in Ireland is not respecting these rules, that itself can be the basis of a complaint to the DPC.
Children's data and special protections
Ireland has set the digital age of consent at 16. This means online services relying on consent to process personal data — such as social networks — generally need parental authorisation for users under 16. The DPC's Fundamentals for a Child-Oriented Approach to Data Processing sets out further expectations, including a high standard of transparency, data minimisation and a presumption against profiling children for marketing.
Practical steps to protect your privacy online in Ireland
Knowing your rights is essential, but day-to-day habits matter just as much. Here are practical actions you can take to reduce how much personal data is collected about you in the first place.
1. Audit the apps and accounts you use
Every few months, review which apps have access to your location, contacts, microphone and camera. Delete accounts you no longer use — many services allow account deletion under your right to erasure.
2. Be careful with links you share and click
Long URLs can leak information through tracking parameters (utm tags, click IDs, affiliate codes). When sharing links publicly — for example on social media or in newsletters — using a privacy-respecting URL shortener like Lunyb can help by stripping unnecessary trackers and giving you a clean, branded link without harvesting your audience's data for advertising. If you want a deeper look at how it compares to alternatives, see our 2026 buyer's guide to URL shorteners and our honest review of Lunyb.
3. Use strong, unique passwords and 2FA
A password manager combined with two-factor authentication massively reduces the impact of any single data breach.
4. Read privacy notices selectively
You do not need to read every word, but check three things: what data is collected, who it is shared with, and whether it is transferred outside the EEA.
5. Exercise your rights regularly
Submit a Subject Access Request to a service you use frequently. The amount of data many companies hold can be eye-opening — and the exercise alone is a useful reminder of how the digital economy works.
International data transfers: why Ireland matters
Because many global platforms are headquartered in Dublin, transfers of Irish (and wider EU) data to countries like the United States have been at the centre of landmark cases. The Schrems II judgment, brought by Austrian lawyer Max Schrems against Facebook Ireland, struck down the previous EU-US Privacy Shield in 2020. The current EU-US Data Privacy Framework, adopted in 2023, allows transfers to certified US companies, but its long-term durability remains under legal challenge.
For you as an individual in Ireland, the practical takeaway is that your data may travel further than you think — and you have the right to know where it goes and to object when the safeguards are inadequate.
GDPR in the workplace
Employers in Ireland are also "controllers" of their staff's personal data, and GDPR applies fully to the employment relationship. Common workplace issues include:
- CCTV and monitoring — must be proportionate, transparent and based on a clear policy.
- Email and internet monitoring — employees must be informed in advance; covert monitoring is rarely lawful.
- Reference checks and recruitment — candidates have the same SAR rights as anyone else.
- Biometric clock-in systems — require careful justification as biometrics are special category data.
Frequently Asked Questions
Does GDPR still apply in Ireland after Brexit?
Yes. Ireland remains an EU member state, so GDPR applies in full. Brexit affected the United Kingdom, which now has its own "UK GDPR", but Irish residents continue to enjoy the protections of EU GDPR enforced by the Data Protection Commission.
How long does an organisation have to respond to a Subject Access Request?
One calendar month from receipt of the request. This can be extended by a further two months for complex or numerous requests, but the organisation must inform you of the extension and the reasons within the first month.
Can I be charged a fee to access my data?
Generally no. Subject Access Requests are free. A "reasonable fee" can only be charged where requests are manifestly unfounded or excessive, or where you request additional copies. The organisation has to justify any fee.
What is the difference between the DPC and the European Data Protection Board?
The DPC is Ireland's national regulator. The European Data Protection Board (EDPB) is an EU-level body that brings together all national regulators to ensure consistent application of GDPR across the EEA and resolve cross-border disputes. In major cases involving Dublin-headquartered tech firms, the DPC often acts as the lead authority and coordinates with the EDPB.
Can I claim compensation for a GDPR breach?
Yes. Article 82 GDPR and the Irish Data Protection Act 2018 give you the right to claim compensation for both material damage (such as financial loss) and non-material damage (such as distress) caused by a breach. Claims can be brought in the Circuit Court in Ireland.
Final thoughts
GDPR has fundamentally changed the balance of power between individuals and organisations in Ireland. You are no longer a passive subject of data collection — you are a rights-holder with concrete, enforceable controls over how your information is used. Combine that legal foundation with sensible everyday habits — minimising what you share, choosing privacy-respecting tools, and exercising your rights when something feels off — and you have a strong basis for protecting your digital life in 2026 and beyond.
If you want to go deeper on practical privacy tools, our team regularly publishes guides and product reviews on the Lunyb blog, including comparisons of major link management platforms.