
GDPR in Ireland: Your Privacy Rights Explained

Lunyb Security Team

The General Data Protection Regulation (GDPR) is one of the most powerful privacy laws in the world, and Ireland sits at the heart of its enforcement. Because so many global tech companies — Meta, Google, TikTok, LinkedIn, Apple — have their European headquarters in Dublin, the Irish Data Protection Commission (DPC) acts as the lead regulator for hundreds of millions of users across the EU. If you live in Ireland, you have an exceptionally strong set of privacy rights, and a clear path to enforce them.

This guide explains your GDPR privacy rights in Ireland in plain English: what they are, how to exercise them, what businesses must do, and where to turn when something goes wrong.

What Is GDPR and How Does It Apply in Ireland?

GDPR is an EU regulation that came into force on 25 May 2018. It governs how organisations collect, store, use, and share personal data about individuals in the European Economic Area. In Ireland, GDPR is implemented through the Data Protection Act 2018, which fills in national details and gives the Data Protection Commission (DPC) its enforcement powers.

Personal data, under GDPR, is any information that can identify you directly or indirectly — your name, email address, IP address, location data, photos, online identifiers, health records, or even behavioural profiles built from clicks and purchases. If a business processes that data, it must have a lawful basis and must respect your rights.

Who Must Comply?

GDPR applies to:

  • Any organisation established in Ireland that processes personal data.
  • Any organisation outside the EU that offers goods or services to people in Ireland or monitors their behaviour (such as via cookies or analytics).
  • Public bodies, charities, and private companies of every size — there is no small-business exemption.

Your Eight Core GDPR Rights in Ireland

GDPR grants you eight specific rights as a data subject. Each one is enforceable and free of charge in most cases, and organisations must respond within one calendar month.

1. The Right to Be Informed

Before an organisation collects your data, it must tell you who it is, why it wants the data, how long it will keep it, who it will share it with, and what your rights are. This is usually delivered through a privacy notice or policy.

2. The Right of Access (Subject Access Request)

You can ask any organisation to provide a copy of all personal data they hold about you. This is called a Subject Access Request (SAR). The organisation has one month to respond and must do so free of charge.

3. The Right to Rectification

If data about you is inaccurate or incomplete, you can demand correction. This applies to everything from a misspelled name to an incorrect credit profile.

4. The Right to Erasure (Right to Be Forgotten)

You can request that your personal data be deleted when it is no longer needed, when you withdraw consent, or when it has been processed unlawfully. This right is not absolute — for example, banks must retain certain records under Irish anti-money-laundering law.

5. The Right to Restrict Processing

You can ask an organisation to pause processing your data while a dispute about accuracy or legality is resolved.

6. The Right to Data Portability

You can request your data in a structured, commonly used, machine-readable format (like CSV or JSON) and have it transferred to another service. This is especially useful when switching banks, energy suppliers, or social networks.

7. The Right to Object

You can object to processing based on legitimate interests, direct marketing, or profiling. For direct marketing, the objection is absolute — the organisation must stop immediately.

8. Rights Related to Automated Decision-Making

You have the right not to be subject to fully automated decisions — including profiling — that produce legal or similarly significant effects. Think credit scoring, insurance pricing, or automated job screening.

Quick Reference: Your Rights at a Glance

| Right | What It Means | Response Time | Cost |
|---|---|---|---|
| Access | Get a copy of your data | 1 month | Free |
| Rectification | Correct inaccurate data | 1 month | Free |
| Erasure | Delete your data | 1 month | Free |
| Restriction | Pause processing | 1 month | Free |
| Portability | Transfer to another provider | 1 month | Free |
| Object | Stop certain processing | Immediate for marketing | Free |
| Automated Decisions | Demand human review | 1 month | Free |
| Be Informed | Transparent privacy notice | At point of collection | Free |

The Role of the Data Protection Commission (DPC)

The Data Protection Commission, based in Dublin and Portarlington, is Ireland's independent supervisory authority. It investigates complaints, audits organisations, issues fines, and acts as the EU's lead authority for most US tech giants under GDPR's One-Stop-Shop mechanism.

The DPC has issued some of the largest GDPR fines on record, including a €1.2 billion penalty against Meta in 2023 for unlawful data transfers, and substantial fines against TikTok and WhatsApp. For everyday Irish residents, the DPC is also where you go when a company ignores your rights.

What the DPC Can Do

  • Investigate complaints from individuals.
  • Order organisations to comply, correct, or delete data.
  • Impose administrative fines of up to €20 million or 4% of global annual turnover.
  • Suspend data flows to third countries.
  • Refer cases to the courts for criminal prosecution.

How to Exercise Your GDPR Rights in Ireland: Step by Step

  1. Identify the data controller. This is the organisation that decides how your data is used — typically the company you have an account with.
  2. Find their contact details. Look in their privacy policy for a Data Protection Officer (DPO) email or a dedicated privacy request form.
  3. Write a clear request. State which right you are exercising (e.g. "I am making a Subject Access Request under Article 15 GDPR"). Include enough information to identify yourself.
  4. Set a deadline. The legal deadline is one calendar month from receipt. Complex requests can be extended by two further months, but the organisation must tell you within the first month.
  5. Keep records. Save your email, any reference numbers, and all replies. You will need these if you complain.
  6. Escalate if needed. If the organisation refuses, ignores you, or gives an inadequate response, file a complaint with the DPC.

How to File a Complaint with the DPC

Filing a complaint is free and you do not need a solicitor. The DPC accepts complaints by post, email (info@dataprotection.ie), or through its online webform at dataprotection.ie.

Your complaint should include:

  • Your name and contact details.
  • The name of the organisation you are complaining about.
  • A description of what happened and why you believe GDPR has been breached.
  • Copies of any correspondence with the organisation.
  • What outcome you are seeking (deletion, correction, compensation, etc.).

The DPC will usually try to mediate first, encouraging amicable resolution. If that fails, it opens a formal inquiry, which can result in binding decisions, fines, and corrective orders.

Special Categories: Extra Protection

GDPR gives extra protection to "special category" data, which includes:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic and biometric data
  • Health data
  • Data about sex life or sexual orientation

Organisations generally need your explicit consent — or another tightly defined legal basis — before processing this data. Irish health bodies, employers, and insurers must take particular care.

Children's Data in Ireland

Under Irish law, the digital age of consent is 16. That means online services targeted at children must obtain parental consent for users under 16 in Ireland (the GDPR default is 16, and member states can lower it to 13 — Ireland chose to keep it at 16). The DPC also publishes the Fundamentals for a Child-Oriented Approach to Data Processing, which sets strict standards on profiling, marketing, and default privacy settings for under-18s.

Cookies, Tracking, and ePrivacy

Alongside GDPR, Ireland enforces the ePrivacy Regulations (S.I. No. 336 of 2011), which require websites to obtain genuine consent before placing non-essential cookies or trackers. The DPC's 2020 cookie guidance made clear that:

  • Pre-ticked boxes are not valid consent.
  • "Continuing to browse" does not equal consent.
  • Rejecting cookies must be as easy as accepting them.
  • Analytics cookies are not "strictly necessary" and require consent.

If a website forces you into tracking, you can complain to the DPC.

Practical Steps to Protect Your Privacy

Knowing your rights is the first layer of defence. Sensible day-to-day habits form the second. Here are practical steps Irish residents can take:

  • Audit your accounts. Use services like Have I Been Pwned to see where your email has been exposed in breaches.
  • Use encrypted DNS (such as DNS-over-HTTPS) in your browser and on your home router to stop your ISP from logging every site you visit.
  • Switch to privacy-respecting browsers like Firefox or Brave, and consider Tor for highly sensitive research.
  • Use strong, unique passwords with a password manager, and turn on two-factor authentication everywhere.
  • Be careful what you share in links. Long URLs often contain tracking parameters or personal identifiers. A privacy-focused link shortener like Lunyb lets you share clean, branded short links without leaking unnecessary data — useful for journalists, small businesses, and anyone publishing on social media. You can read our honest review of Lunyb or compare it against alternatives in our 2026 buyer's guide to URL shorteners.
  • Review app permissions on your phone every few months and revoke anything unnecessary.
  • Opt out of marketing — under GDPR this is one click, and companies must honour it immediately.

What Businesses in Ireland Must Do

If you run a business in Ireland — even a one-person sole trader — you are a data controller the moment you collect a customer's email. Core obligations include:

  1. Maintain a Record of Processing Activities (ROPA).
  2. Publish a clear, accessible privacy notice.
  3. Identify a lawful basis for every processing activity.
  4. Implement appropriate technical and organisational security measures.
  5. Have written data processing agreements with all vendors who touch personal data.
  6. Report qualifying data breaches to the DPC within 72 hours.
  7. Appoint a Data Protection Officer if you are a public body, do large-scale monitoring, or handle special category data at scale.
  8. Respond to data subject requests within one month.

Whether you publish links, send newsletters, or run an online shop, choosing privacy-respecting tools makes compliance easier. Marketing teams comparing link platforms can review our analysis of Rebrandly's 2026 pricing and features to understand how data handling differs between providers.

Penalties and Real-World Enforcement

GDPR fines fall into two tiers:

  • Lower tier: Up to €10 million or 2% of global annual turnover for procedural violations.
  • Upper tier: Up to €20 million or 4% of global annual turnover for breaching core principles or data subject rights.

The DPC has issued fines exceeding €2.5 billion in total since 2018. Beyond fines, organisations face reputational damage, individual lawsuits for compensation under Section 117 of the Data Protection Act 2018, and orders to halt processing.

Frequently Asked Questions

How long do I have to wait for a response to a Subject Access Request in Ireland?

One calendar month from the date the organisation receives your request. They can extend this by up to two further months for complex or numerous requests, but they must notify you of the extension and the reasons within the first month.

Can I claim compensation for a GDPR breach in Ireland?

Yes. Section 117 of the Data Protection Act 2018 gives you the right to bring a civil action in the Circuit Court or High Court for material or non-material damage — including distress — caused by a GDPR infringement. You can do this in addition to, or instead of, complaining to the DPC.

Does GDPR apply to my employer?

Yes. Your employer processes large amounts of personal data — payroll, HR records, performance reviews, CCTV, IT monitoring — and must comply with GDPR for every employee. You can make a Subject Access Request to your employer and complain to the DPC if they refuse.

What is the difference between a data controller and a data processor?

A controller decides why and how data is processed (for example, an online shop deciding to collect customer addresses). A processor only handles data on the controller's instructions (for example, a cloud hosting provider storing the shop's database). Both have obligations under GDPR, but controllers carry the primary responsibility for your rights.

Can a company refuse my erasure request?

Sometimes, yes. The right to erasure is not absolute. A company can refuse if they need the data to comply with a legal obligation (such as tax records), for the establishment or defence of legal claims, for reasons of public interest in public health, or for archiving in the public interest. They must explain the refusal in writing and tell you about your right to complain to the DPC.

Is GDPR still in force after Brexit?

For Ireland, absolutely — Ireland remains in the EU, so GDPR applies in full. The UK now has its own UK GDPR, which is similar but separate. If you transfer data between Ireland and the UK, you need to be aware of adequacy decisions and may need additional safeguards.

Final Thoughts

GDPR gives Irish residents some of the strongest privacy rights in the world, backed by a regulator that is willing to take on the largest companies on the planet. But rights only matter when you use them. Knowing how to make a Subject Access Request, how to object to marketing, and how to escalate to the Data Protection Commission turns GDPR from an abstract law into a practical tool.

Combine those rights with good digital hygiene — encrypted DNS, strong passwords, privacy-respecting browsers, and tools that minimise tracking — and you build a privacy posture that very few people in the world can match.
