GDPR in Ireland: Your Privacy Rights Explained
Ireland sits at the heart of Europe's data protection landscape. With most major tech companies — Meta, Google, TikTok, Microsoft, LinkedIn, and Apple — operating their European headquarters in Dublin, the Irish Data Protection Commission (DPC) plays an outsized role in enforcing the General Data Protection Regulation (GDPR) across the EU. For Irish residents, that means strong privacy rights, a powerful regulator on your doorstep, and clear legal routes to challenge how companies use your personal data.
This guide explains GDPR in Ireland in plain English: what rights you have, how to exercise them, how to file a complaint, and what practical steps you can take to protect your personal information online.
What Is GDPR and How Does It Apply in Ireland?
The General Data Protection Regulation (GDPR) is an EU-wide law that came into force on 25 May 2018. It governs how organisations collect, store, process, and share personal data about individuals in the European Union and European Economic Area. In Ireland, GDPR is implemented through the Data Protection Act 2018, which adapts the regulation to Irish law and establishes the Data Protection Commission as the national supervisory authority.
GDPR applies to any organisation — Irish, EU-based, or international — that processes the personal data of people in Ireland. "Personal data" is defined broadly: it includes your name, email address, phone number, IP address, location data, photos, biometric information, health records, and even online identifiers such as cookies that can be linked back to you.
Who Enforces GDPR in Ireland?
The Data Protection Commission (DPC), headquartered in Dublin and Portarlington, is Ireland's independent regulator. Because so many global tech companies are headquartered in Ireland, the DPC acts as the lead supervisory authority for cross-border investigations under the GDPR's "one-stop-shop" mechanism. The DPC has issued some of the largest GDPR fines on record, including penalties exceeding €1 billion against Meta.
Your Eight Core GDPR Privacy Rights in Ireland
GDPR gives every Irish resident eight enforceable rights over their personal data. These rights apply whether the data controller is a small Irish business, an Irish public body, or a multinational like Facebook or Google.
1. The Right to Be Informed
Organisations must tell you, in clear and plain language, what data they collect, why they collect it, how long they keep it, and who they share it with. This is usually delivered through a privacy notice or privacy policy on a website.
2. The Right of Access
You can request a copy of all personal data an organisation holds about you. This is called a Subject Access Request (SAR). The organisation must respond within one month, free of charge, and provide the data in a readable format.
3. The Right to Rectification
If your personal data is inaccurate or incomplete, you can ask the organisation to correct or update it. This is particularly important for financial records, employment files, and medical histories.
4. The Right to Erasure ("Right to Be Forgotten")
You can ask an organisation to delete your personal data in certain circumstances — for example, if the data is no longer needed for the original purpose, if you withdraw consent, or if it was processed unlawfully.
5. The Right to Restrict Processing
You can ask an organisation to pause processing your data while a dispute is being resolved, such as when you've challenged the accuracy of the data.
6. The Right to Data Portability
You can request your personal data in a structured, commonly used, machine-readable format (such as CSV or JSON) and transfer it to another service. This is especially useful when switching banks, energy providers, or social media platforms.
7. The Right to Object
You can object to your data being used for direct marketing, profiling, or processing based on legitimate interests. For direct marketing, your objection must be honoured immediately and unconditionally.
8. Rights Related to Automated Decision-Making
You have the right not to be subject to fully automated decisions that produce significant legal effects on you — for example, automated credit scoring or recruitment decisions — without a human review.
How to Exercise Your GDPR Rights in Ireland
Exercising your rights under GDPR is free and does not require a solicitor. Here's a step-by-step process for making a request to any organisation operating in Ireland:
- Identify the data controller. This is the organisation that decides how and why your data is processed. Check their privacy policy for contact details, including the Data Protection Officer (DPO) email if one is listed.
- Write your request clearly. State which right you are exercising (e.g. "I am making a Subject Access Request under Article 15 of the GDPR"). Include enough information to verify your identity.
- Send the request in writing. Email is acceptable. Keep a copy and a timestamp for your records.
- Wait for a response. The organisation has one calendar month to respond. They can extend this by two months for complex requests but must tell you why.
- Escalate if needed. If you don't receive a response, or if the response is inadequate, you can complain to the Data Protection Commission.
Filing a Complaint with the Irish Data Protection Commission
If an organisation fails to honour your rights, mishandles your data, or refuses to respond, you can lodge a formal complaint with the DPC. Complaints are free.
How to File a DPC Complaint
- Visit the official DPC website at dataprotection.ie.
- Complete the online complaint form or download the PDF version.
- Provide details: who the organisation is, what happened, what right was breached, and what steps you've already taken to resolve it directly.
- Attach supporting evidence — emails, screenshots, copies of your original request.
- Submit and await acknowledgement, usually within a few weeks.
The DPC will investigate, mediate where possible, and can issue binding decisions, reprimands, or significant fines under GDPR — up to €20 million or 4% of global annual turnover, whichever is higher.
GDPR Fines: The Irish DPC's Enforcement Record
The DPC has become one of the most active GDPR enforcers in Europe. Here is a summary of notable Irish-led decisions:
| Year | Company | Fine | Reason |
|---|---|---|---|
| 2023 | Meta (Facebook) | €1.2 billion | Unlawful EU–US data transfers |
| 2023 | TikTok | €345 million | Children's data protection failures |
| 2022 | Meta (Instagram) | €405 million | Children's privacy settings |
| 2022 | | €225 million | Transparency violations |
| 2024 | | €310 million | Behavioural advertising consent issues |
These cases show that the DPC takes consent, transparency, and international data transfers seriously — and that even the largest global platforms can be held accountable.
Special Categories of Data Under Irish GDPR
Some types of personal data receive enhanced protection under Article 9 of the GDPR. Organisations need an explicit legal basis — usually your direct consent — to process them.
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic and biometric data (including facial recognition)
- Health data, including data from the HSE or private clinics
- Data concerning sex life or sexual orientation
If you believe a company has processed any of these without a clear legal basis — for instance, an employer asking unjustified health questions — that is a serious GDPR breach you can report directly to the DPC.
Cookies, Tracking, and the ePrivacy Regulations in Ireland
In addition to GDPR, Ireland's ePrivacy Regulations (S.I. No. 336 of 2011) govern cookies, electronic marketing, and online tracking. Websites operating in Ireland must:
- Obtain clear, opt-in consent before placing non-essential cookies.
- Make rejecting cookies as easy as accepting them.
- Explain what each category of cookie does in plain language.
- Allow you to withdraw consent at any time.
Pre-ticked boxes, hidden "reject" buttons, and cookie walls that force consent are all non-compliant. The DPC has issued specific guidance on cookie banners and has taken enforcement action against Irish news publishers and online retailers that failed to meet these standards.
Protecting Your Privacy Online: Practical Steps
GDPR gives you strong legal rights, but enforcement takes time. You can also take proactive steps to reduce the personal data you expose in the first place.
1. Limit What You Share
Before signing up for a service, ask whether it really needs your phone number, date of birth, or address. Provide only what is strictly required.
2. Use Privacy-Respecting Tools
Switch to browsers and search engines that don't profile you, use encrypted DNS providers to prevent your internet service provider from logging every site you visit, and use end-to-end encrypted messaging apps like Signal.
3. Be Careful with Links You Share
Many shared links contain tracking parameters that reveal information about you and the people you send them to. Using a privacy-focused link shortener like Lunyb can strip tracking parameters and give you a clean, branded short URL — useful for both personal sharing and business marketing. You can read our honest review of Lunyb or compare it against alternatives in our 2026 buyer's guide to URL shorteners.
4. Review App Permissions Regularly
Both iOS and Android let you audit which apps access your location, microphone, camera, and contacts. Revoke any permission that isn't essential.
5. Exercise Your Right to Erasure
Periodically request deletion of accounts you no longer use. Old, forgotten accounts are a common source of data breaches.
GDPR and Brexit: What About Data Going to the UK?
Since Brexit, the UK is treated as a "third country" under EU law. However, the European Commission has issued an adequacy decision confirming that the UK provides essentially equivalent data protection standards. This means data can still flow freely between Ireland and the UK for now, but Irish organisations should monitor whether the adequacy decision is renewed when it next comes up for review.
Children's Data Protection in Ireland
Ireland sets the digital age of consent at 16 — one of the highest in the EU. This means children under 16 generally cannot consent to the processing of their personal data by online services; parental consent is required. The DPC has published the "Fundamentals for a Child-Oriented Approach to Data Processing," which sets 14 principles organisations must follow when designing products that children may access. This framework underpinned the record fines against TikTok and Instagram for failing children's privacy.
Frequently Asked Questions
How long does an organisation have to respond to my GDPR request in Ireland?
One calendar month from the date you submit the request. They can extend this by an additional two months for complex or numerous requests, but they must notify you of the extension and the reasons within the first month.
Can I be charged a fee for a Subject Access Request?
No. GDPR requests are free. An organisation can only charge a "reasonable fee" if your request is manifestly unfounded or excessive — for example, repeated identical requests — and even then they must justify the charge.
What can the Irish DPC actually do if a company breaches GDPR?
The DPC can issue warnings, reprimands, and binding compliance orders, ban data processing, and impose fines of up to €20 million or 4% of global annual turnover, whichever is higher. It can also order organisations to compensate affected individuals.
Does GDPR apply to small Irish businesses and sole traders?
Yes. GDPR applies regardless of organisation size. However, the obligations are proportionate — a small café processing only basic customer email addresses has lighter compliance requirements than a hospital or fintech company. The DPC provides free SME-focused guidance on its website.
Can I sue a company directly for a GDPR breach in Ireland?
Yes. Under Section 117 of the Data Protection Act 2018, you can bring a civil action in the Circuit Court or High Court for compensation, including for non-material damage such as distress or anxiety. You do not need to wait for a DPC investigation to conclude before issuing proceedings.
Conclusion
GDPR gives Irish residents some of the strongest privacy protections in the world, and the Data Protection Commission has shown it is willing to enforce them aggressively — even against the largest global tech firms. Understanding your eight core rights, knowing how to file a complaint, and combining your legal protections with sensible online habits puts you firmly in control of your personal data. Privacy in Ireland is not just a legal abstraction; it is a practical, enforceable right you can exercise today.