GDPR in Ireland: Your Privacy Rights Explained
Ireland sits at the heart of European data protection. As the European headquarters for many of the world's largest technology companies, the Irish Data Protection Commission (DPC) plays an outsized role in enforcing the General Data Protection Regulation (GDPR). Yet for everyday people in Ireland, the practical meaning of GDPR often gets lost in legal jargon. This guide breaks down your privacy rights under GDPR in Ireland, how to exercise them, and what to do when companies fall short.
What Is GDPR and How Does It Apply in Ireland?
The General Data Protection Regulation (GDPR) is an EU-wide law that came into force on 25 May 2018. It sets out how organisations must collect, store, and process personal data belonging to individuals in the European Union and European Economic Area.
In Ireland, GDPR is given effect domestically by the Data Protection Act 2018, which supplements the regulation and creates the Data Protection Commission as the supervisory authority. Because Ireland hosts the EU headquarters of companies like Meta, Google, Apple, TikTok, and LinkedIn, the Irish DPC often acts as the "lead supervisory authority" for cross-border investigations under the one-stop-shop mechanism.
GDPR applies to any organisation — public or private, large or small — that processes the personal data of people located in Ireland, even if the organisation itself is based outside the EU.
What Counts as Personal Data?
Personal data is any information that can identify a living person, directly or indirectly. This includes:
- Name, address, email, phone number, and PPS number
- IP addresses, device identifiers, and cookies
- Photos, voice recordings, and CCTV footage
- Location data and online browsing history
- Financial information, health records, and biometric data
Certain categories receive enhanced protection as "special category data" — including racial or ethnic origin, political opinions, religious beliefs, trade union membership, health data, sex life, and sexual orientation.
Your Eight Core GDPR Rights in Ireland
GDPR gives every individual in Ireland eight enforceable rights over how their personal data is handled. Knowing these rights is the first step to using them.
1. The Right to Be Informed
Organisations must tell you, in clear and plain language, why they collect your data, what they do with it, how long they keep it, and who they share it with. This is usually delivered through a privacy notice or policy displayed on a website or app.
2. The Right of Access
You can ask any organisation for a copy of the personal data they hold about you. This is known as a Subject Access Request (SAR). The organisation must respond within one calendar month, and the response is free of charge in most cases.
3. The Right to Rectification
If a company holds inaccurate or incomplete data about you, you can require them to correct it without undue delay.
4. The Right to Erasure ("Right to Be Forgotten")
You can request deletion of your personal data in certain circumstances — for example, when the data is no longer necessary for the original purpose, when you withdraw consent, or when the data was processed unlawfully.
5. The Right to Restrict Processing
In some situations you can tell an organisation to stop processing your data without requiring full deletion. This is useful when you contest the accuracy of data or have objected to processing and are awaiting a response.
6. The Right to Data Portability
You can request your data in a structured, commonly used, machine-readable format so you can move it to another service provider — for example, switching banks, fitness apps, or social platforms.
7. The Right to Object
You have an absolute right to object to direct marketing. You can also object to processing based on legitimate interests or public task, although the organisation may continue if it can demonstrate compelling legitimate grounds.
8. Rights Related to Automated Decision-Making and Profiling
You have the right not to be subject to a decision based solely on automated processing — such as algorithmic credit scoring or automated job screening — where it produces legal or similarly significant effects on you, without human review.
How to Make a Subject Access Request in Ireland
A Subject Access Request (SAR) is the most commonly used GDPR right. Here is a step-by-step process for making one effectively.
- Identify the data controller. This is the organisation that decides how your data is used. Check their privacy policy for a Data Protection Officer (DPO) contact or a dedicated SAR email address.
- Put your request in writing. Email is usually the easiest. State clearly that you are making a Subject Access Request under Article 15 of the GDPR.
- Specify what you want. You can request all personal data they hold, or narrow it down — for example, "all emails between me and your support team since January 2024."
- Verify your identity. The organisation may ask for ID to ensure they are not releasing your data to someone else.
- Wait up to one month. The response must arrive within 30 calendar days. For complex requests, this can be extended by two further months, but you must be informed.
- Review the response. Check whether the data is complete and accurate. If anything is missing, follow up in writing.
The Role of the Irish Data Protection Commission
The Data Protection Commission (DPC), based in Dublin and Portarlington, is Ireland's independent supervisory authority for GDPR. Its remit covers:
- Handling complaints from individuals
- Investigating data breaches
- Issuing fines and corrective orders
- Providing guidance to organisations
- Acting as lead supervisory authority for many multinational tech companies
The DPC has issued some of the largest GDPR fines in EU history, including penalties exceeding €1 billion against major social media platforms for cross-border data transfer violations and child data processing failures.
How to File a Complaint with the DPC
If an organisation has not respected your rights or you suspect a data breach, you can complain to the DPC. Here is the process:
- Try to resolve it directly first. Contact the organisation's Data Protection Officer and give them a reasonable chance to respond.
- Gather evidence. Save emails, screenshots, copies of your original request, and any responses.
- Submit the complaint online. Visit dataprotection.ie and use the online complaint form, or send a letter or email with full details.
- Cooperate with the investigation. The DPC may request further information or attempt amicable resolution before formal investigation.
- Receive an outcome. The DPC can require the organisation to take corrective action, issue reprimands, or impose administrative fines.
You can also seek a judicial remedy through the Irish courts and may be entitled to compensation for material or non-material damage caused by a GDPR breach.
GDPR Fines and Enforcement Powers
GDPR fines can be substantial. The maximum penalties depend on the type of infringement:
| Infringement Type | Maximum Fine | Examples |
|---|---|---|
| Lower tier | €10 million or 2% of global annual turnover (whichever is higher) | Failure to maintain records, late breach notification, inadequate security |
| Higher tier | €20 million or 4% of global annual turnover (whichever is higher) | Violating data subject rights, unlawful processing, illegal international transfers |
Beyond fines, the DPC can also order organisations to suspend data flows, restrict processing, or change their practices entirely.
Practical Steps to Protect Your Privacy in Ireland
Knowing your rights is only half the battle. Taking proactive steps reduces how much personal data is exposed in the first place.
1. Audit Your Digital Footprint
List the major services you use — email, banking, social media, shopping, streaming — and review their privacy settings at least once a year. Delete dormant accounts you no longer need.
2. Manage Cookies and Trackers
Under Irish ePrivacy rules, websites must obtain your consent before placing non-essential cookies. Reject what you do not need. Use a privacy-focused browser and consider encrypted DNS providers to reduce passive tracking by your network.
3. Use Strong, Unique Passwords
A password manager helps you generate and store credentials securely. Enable two-factor authentication on every account that supports it, especially email and banking.
4. Be Careful What You Share in Links
Long URLs often contain tracking parameters, session tokens, or even personal identifiers. When sharing links publicly or on social media, using a privacy-respecting URL shortener like Lunyb can strip unnecessary tracking and give you a cleaner, branded link. You can read more in our honest review of Lunyb or compare options in our 2026 buyer's guide to URL shorteners.
5. Read Privacy Notices Selectively
You do not need to read every word. Look for: what data is collected, who it is shared with, how long it is kept, and whether it is transferred outside the EU. These four items tell you most of what matters.
GDPR for Small Businesses and Sole Traders in Ireland
If you run a business in Ireland — even as a sole trader — and you handle customer data, GDPR applies to you. Key obligations include:
- Maintaining a clear, accessible privacy policy
- Obtaining valid consent for marketing communications
- Keeping records of processing activities
- Reporting data breaches to the DPC within 72 hours where they pose a risk to individuals
- Appointing a Data Protection Officer if you carry out large-scale or special category data processing
- Ensuring any third-party processors (cloud providers, email platforms, marketing tools) sign a Data Processing Agreement
Marketing tools, link tracking platforms, and analytics services all process personal data on your behalf. Choosing providers with strong EU data protection postures helps reduce your compliance burden. For comparisons of link management platforms, our Rebrandly review for 2026 covers what to look for in a compliant solution.
Common GDPR Myths in Ireland
Several misconceptions persist about GDPR. Clearing them up helps you focus on what actually matters.
- Myth: GDPR only applies to big tech companies. It applies to almost every organisation that processes personal data, including charities, sports clubs, and one-person businesses.
- Myth: You must always consent for processing to be lawful. Consent is just one of six lawful bases. Others include contract, legal obligation, vital interests, public task, and legitimate interests.
- Myth: Companies must delete data immediately when you ask. The right to erasure has limits — for example, when data is needed for legal obligations or to defend legal claims.
- Myth: GDPR fines are always the maximum. Most fines are proportionate to the breach, the organisation's size, and whether it cooperated.
What's Changing in 2026 and Beyond
GDPR continues to evolve through case law and new EU legislation. Key developments to watch include:
- The EU AI Act — adds obligations for organisations using artificial intelligence to process personal data
- The Digital Services Act and Digital Markets Act — impose additional transparency and user-control requirements on large online platforms
- Updated guidance on international data transfers — following the EU-US Data Privacy Framework
- Reform proposals to the GDPR procedural regulation — aimed at speeding up cross-border investigations led by the Irish DPC
Frequently Asked Questions
How long do I have to wait for a response to a Subject Access Request in Ireland?
Organisations must respond within one calendar month of receiving your request. They can extend this by a further two months if the request is particularly complex, but they must inform you of the extension and reasons within the first month.
Can I be charged for a Subject Access Request?
No. A SAR is free of charge in almost all cases. An organisation can only charge a "reasonable fee" if your request is manifestly unfounded, excessive, or repetitive, or if you are asking for additional copies of data already supplied.
What should I do if a company ignores my GDPR request?
First, follow up in writing and reference the one-month deadline. If they still do not respond or refuse without valid reason, file a complaint with the Data Protection Commission at dataprotection.ie. Keep all correspondence as evidence.
Does GDPR apply to data I share on public social media?
Yes. Even when you post content publicly, the social media platform is processing your personal data and must comply with GDPR. However, GDPR does not generally apply to purely personal or household activities — so a private individual sharing holiday photos with friends is exempt, while a business or influencer is not.
Can I claim compensation for a GDPR breach in Ireland?
Yes. Under Article 82 of the GDPR and section 117 of the Data Protection Act 2018, you can claim compensation for material damage (financial loss) and non-material damage (distress, anxiety) caused by a GDPR breach. Claims are made through the Circuit Court or higher, and you should seek legal advice for significant cases.
Final Thoughts
GDPR gives people in Ireland some of the strongest privacy rights in the world — but rights are only as powerful as the people who use them. By understanding what data is collected about you, who controls it, and what you can do when something goes wrong, you take real control of your digital life. Whether you are an individual reviewing your social media settings, a sole trader writing a privacy policy, or a consumer filing your first Subject Access Request, the rules are on your side. The Irish DPC, while sometimes criticised for slow enforcement, has the authority and increasingly the resources to hold even the largest companies to account.
Make privacy a habit, not an afterthought. The rights are yours — use them.