GDPR in Ireland: Your Privacy Rights Explained
The General Data Protection Regulation (GDPR) gives people in Ireland some of the strongest privacy protections in the world. Combined with the Irish Data Protection Act 2018, it sets clear rules on how organisations can collect, store, and use your personal data — and gives you legal rights to take control of your information.
This guide explains exactly what GDPR means for Irish residents in 2026, what your rights are, how to enforce them through the Data Protection Commission (DPC), and what every business operating in Ireland needs to know about compliance.
What Is GDPR and How Does It Apply in Ireland?
The General Data Protection Regulation (GDPR) is an EU-wide law that came into force on 25 May 2018. It governs how personal data of EU residents — including everyone living in Ireland — must be collected, processed, stored, and shared by any organisation, regardless of where that organisation is based.
In Ireland, GDPR is supplemented by the Data Protection Act 2018, which transposes and extends the regulation under Irish law. The Irish Data Protection Commission (DPC), headquartered in Dublin, is the supervisory authority responsible for enforcing GDPR. Because so many global tech companies (Meta, Google, TikTok, Apple, X) have their European headquarters in Ireland, the DPC plays an outsized role in EU-wide enforcement.
Who Does Irish GDPR Apply To?
GDPR applies to two main categories of organisation:
- Data controllers — entities that decide why and how personal data is processed (e.g. a retailer collecting customer details).
- Data processors — entities that process data on behalf of a controller (e.g. a cloud hosting provider).
It applies whether the organisation is established in Ireland or simply offers goods or services to Irish residents, including websites that track Irish users via cookies or analytics.
What Counts as Personal Data Under GDPR?
Personal data is any information relating to an identified or identifiable living individual. This is broader than many people realise.
Examples of personal data include:
- Name, address, Eircode, and phone number
- Email addresses and online usernames
- PPS number and identity documents
- IP addresses, cookie identifiers, and device IDs
- Location data from a mobile phone
- Photographs and CCTV footage
- Biometric data (fingerprints, facial recognition)
GDPR also defines special category data — sensitive information that requires extra protection, such as health records, racial or ethnic origin, religious beliefs, political opinions, trade union membership, sexual orientation, and genetic data.
Your 8 Key Privacy Rights Under GDPR in Ireland
GDPR grants every Irish resident eight enforceable rights over their personal data. You can exercise these rights free of charge in most cases, and organisations must respond within one month.
1. The Right to Be Informed
You have the right to know what data is being collected about you, why, how long it will be kept, and who it will be shared with. This is usually delivered through a privacy notice on a website or app.
2. The Right of Access (Subject Access Request)
You can ask any organisation to give you a copy of all the personal data they hold about you. This is known as a Subject Access Request (SAR). They must respond within 30 days and provide the data in a clear, accessible format.
3. The Right to Rectification
If data held about you is inaccurate or incomplete, you can demand it be corrected or updated.
4. The Right to Erasure (Right to Be Forgotten)
You can request deletion of your personal data when it is no longer needed, you withdraw consent, or the data has been unlawfully processed. Some exceptions apply — for example, where data is needed for legal compliance or freedom of expression.
5. The Right to Restrict Processing
You can ask an organisation to pause processing of your data while a dispute, such as a rectification request, is resolved.
6. The Right to Data Portability
You can receive your personal data in a structured, machine-readable format (such as CSV or JSON) and transfer it to another service provider.
7. The Right to Object
You can object to your data being processed for purposes like direct marketing, profiling, or research. For direct marketing, the objection is absolute — the organisation must stop immediately.
8. Rights Related to Automated Decision-Making
You have the right not to be subject to decisions based solely on automated processing — including profiling — that produce legal or similarly significant effects, such as automated loan refusals or job screening.
The Six Lawful Bases for Processing Data
Under GDPR, organisations must have a valid legal reason — a "lawful basis" — for processing your personal data. There are six in total.
| Lawful Basis | When It Applies | Example |
|---|---|---|
| Consent | You have given clear, freely-given permission | Signing up to a marketing newsletter |
| Contract | Processing is needed to fulfil a contract | Shipping an item you ordered online |
| Legal Obligation | Required by Irish or EU law | Revenue tax reporting by your employer |
| Vital Interests | To protect someone's life | Sharing medical data in an emergency |
| Public Task | Carried out by a public authority | HSE delivering public health services |
| Legitimate Interests | Reasonable business need, balanced against your rights | Fraud prevention by a bank |
How to Make a Subject Access Request in Ireland
A Subject Access Request (SAR) is the most powerful tool an Irish resident has under GDPR. Here is the step-by-step process:
- Identify the data controller. Find the privacy notice on the company's website and look for their Data Protection Officer (DPO) or privacy contact.
- Write your request in clear language. State that you are making a Subject Access Request under Article 15 of the GDPR.
- Provide proof of identity. The organisation may ask for verification to ensure they are not releasing data to the wrong person.
- Specify the data you want. You can ask for everything or limit your request (e.g. "all emails between 2023 and 2025").
- Send the request. Email is acceptable, and there is no fee unless the request is excessive.
- Wait up to 30 days. The organisation must respond within one calendar month, though complex requests may be extended to three months with notice.
Filing a Complaint with the Data Protection Commission
If an organisation refuses your request, mishandles your data, or fails to respond, you can lodge a complaint with the Irish Data Protection Commission (DPC).
How to File a DPC Complaint
- Visit dataprotection.ie and locate the online complaint form.
- Provide details: who you complained to, when, what happened, and the response received.
- Upload supporting evidence (emails, screenshots, correspondence).
- The DPC will assess whether the complaint is admissible and may attempt amicable resolution before launching a formal investigation.
The DPC has the power to issue warnings, reprimands, fines of up to €20 million or 4% of annual global turnover (whichever is higher), and order organisations to change their practices. In recent years, the DPC has issued record fines against Meta, TikTok, and other major platforms.
Cookies, Tracking and ePrivacy in Ireland
Alongside GDPR, the Irish ePrivacy Regulations 2011 govern how websites use cookies and similar tracking technologies. Websites must:
- Obtain clear, opt-in consent before placing non-essential cookies
- Provide an equally prominent "Reject All" option alongside "Accept All"
- Explain what each cookie does and how long it persists
- Allow users to change their preferences easily at any time
The DPC has been particularly active in enforcing cookie consent rules and has audited dozens of Irish websites for non-compliance.
Protecting Your Privacy in Everyday Online Life
GDPR gives you legal rights, but you can also take practical steps to reduce how much personal data is collected about you in the first place.
Use Privacy-Respecting Tools
- Privacy-focused browsers like Brave or Firefox with tracking protection enabled
- Encrypted DNS services (DNS-over-HTTPS) to prevent your internet provider from logging every website you visit
- End-to-end encrypted messaging apps such as Signal
- Privacy-respecting URL shorteners that don't profile users; for example, Lunyb offers link shortening without invasive tracking, which is useful when sharing links publicly.
Audit Your Digital Footprint
- Search your name on Google to see what is public.
- Review privacy settings on social media (Facebook, Instagram, LinkedIn, TikTok).
- Delete dormant accounts using sites like JustDeleteMe.
- Use a password manager and enable two-factor authentication everywhere.
- Send Subject Access Requests once a year to companies you suspect hold a lot of data.
GDPR Compliance for Irish Businesses
If you run a business in Ireland, even as a small sole trader, GDPR applies as soon as you process personal data. Here is a compliance checklist.
Key Compliance Requirements
| Requirement | What to Do |
|---|---|
| Privacy Notice | Publish a clear notice explaining what data you collect and why |
| Lawful Basis | Document the legal basis for each processing activity |
| Records of Processing | Maintain an internal log (Article 30 record) |
| Data Protection Impact Assessment | Required for high-risk processing |
| Data Breach Procedure | Report serious breaches to the DPC within 72 hours |
| Subject Rights Process | Train staff to handle SARs and other rights requests |
| Data Processor Contracts | Sign Article 28 agreements with all third-party processors |
| DPO Appointment | Required for public authorities and large-scale monitoring |
Pros and Cons of GDPR Compliance for Businesses
Pros:
- Builds customer trust and reputation
- Reduces risk of data breaches
- Improves data quality and operational efficiency
- Provides a competitive advantage when selling B2B
Cons:
- Initial compliance cost (legal, technical, training)
- Ongoing administrative overhead
- Complexity for cross-border data transfers
- Significant penalties for non-compliance
Data Transfers Outside the EU
Transferring personal data of Irish residents to countries outside the European Economic Area (EEA) is restricted. After the Schrems II ruling and the introduction of the EU–US Data Privacy Framework in 2023, transfers to the United States are once again permitted under certain conditions — but only to certified US organisations.
For transfers to other countries without an adequacy decision (such as India or much of Africa), businesses must use Standard Contractual Clauses (SCCs) and conduct a Transfer Impact Assessment.
Recent DPC Enforcement Highlights
The Irish DPC has issued some of the largest GDPR fines in Europe:
- Meta (2023): €1.2 billion fine for unlawful US data transfers
- TikTok (2023): €345 million fine for children's data violations
- WhatsApp (2021): €225 million for transparency failures
- Instagram (2022): €405 million over teen account privacy settings
These cases show that GDPR is being actively enforced and that even the largest global companies are not immune.
Frequently Asked Questions
How long do organisations have to respond to a Subject Access Request in Ireland?
Organisations must respond within one calendar month of receiving your request. They can extend this by a further two months for complex or numerous requests, but must inform you of the extension within the first month and explain the reason.
Can I be charged a fee for making a Subject Access Request?
No — SARs are free of charge in almost all cases. An organisation may only charge a reasonable fee if your request is clearly excessive or repetitive, or if you are asking for additional copies of data already provided.
What is the maximum fine the Irish DPC can issue?
The DPC can issue administrative fines of up to €20 million or 4% of the company's total worldwide annual turnover, whichever is higher. For less serious infringements, the maximum is €10 million or 2% of turnover.
Does GDPR protect me when I use foreign websites?
Yes. GDPR applies to any organisation worldwide that offers goods or services to people in the EU or monitors their behaviour. So if a US, UK, or Asian website targets Irish customers, it must comply with GDPR — and you can still file a complaint with the Irish DPC.
What should I do if I think my data has been breached?
First, contact the organisation directly and ask what data was affected and what steps they are taking. Change any passwords linked to the service. If you are not satisfied with the response, file a complaint with the DPC at dataprotection.ie. You may also be entitled to compensation if the breach caused you material or non-material damage.
Final Thoughts
GDPR has given Irish residents real, enforceable control over their personal data — and the Irish Data Protection Commission has shown it is willing to use its powers against even the largest tech companies. Understanding your eight key rights, knowing how to make a Subject Access Request, and choosing privacy-respecting tools for everyday online activity will go a long way toward keeping your data safe.
Whether you are an individual protecting your digital footprint or a business working toward compliance, treating personal data with care is no longer optional in Ireland — it is the law, and it is good practice.