GDPR in Ireland: Your Privacy Rights Explained
Ireland sits at the heart of European data protection. With Dublin hosting the EU headquarters of Meta, Google, TikTok, LinkedIn, Microsoft, and Apple, the Irish Data Protection Commission (DPC) is the lead supervisory authority for many of the world's largest technology companies. That means the General Data Protection Regulation (GDPR) — and how Ireland enforces it — affects hundreds of millions of people far beyond the island itself.
If you live, work, or do business in Ireland, GDPR gives you a robust set of legally enforceable rights over how your personal data is collected, stored, and used. This guide breaks down what those rights are, how to exercise them, and what to do when an organisation gets it wrong.
What Is GDPR and How Does It Apply in Ireland?
The General Data Protection Regulation (Regulation (EU) 2016/679) is the EU's comprehensive data protection law, in force since 25 May 2018. In Ireland, it is supplemented by the Data Protection Act 2018, which adapts certain provisions to Irish law and establishes the Data Protection Commission as the national supervisory authority.
GDPR applies whenever an organisation processes the personal data of people in Ireland — regardless of where the organisation itself is based. Personal data is defined broadly: any information relating to an identified or identifiable natural person, including names, email addresses, IP addresses, location data, cookie identifiers, photographs, and even pseudonymised data if it can be linked back to an individual.
Who Enforces GDPR in Ireland?
The Data Protection Commission (DPC), headquartered in Dublin with offices in Portarlington, is the independent authority responsible for upholding the rights of individuals in Ireland. The DPC investigates complaints, conducts audits, issues guidance, and can impose administrative fines of up to €20 million or 4% of a company's global annual turnover — whichever is higher.
Because so many multinational tech firms have their EU base in Ireland, the DPC also acts as the lead supervisory authority under the GDPR's "one-stop-shop" mechanism for cross-border cases. Recent landmark fines from the DPC include €1.2 billion against Meta (2023) and €310 million against LinkedIn (2024).
Your Eight Core Privacy Rights Under GDPR
GDPR grants every data subject in Ireland eight fundamental rights. Understanding each one is the first step to taking control of your personal information.
1. The Right to Be Informed
Organisations must tell you, in clear and plain language, what data they collect, why they collect it, how long they keep it, who they share it with, and what your rights are. This is usually delivered through a privacy notice or policy on a website or app.
2. The Right of Access
You can request a copy of all the personal data an organisation holds about you. This is known as a Subject Access Request (SAR). The organisation must respond within one month, free of charge in most cases.
3. The Right to Rectification
If the data held about you is inaccurate or incomplete, you can require it to be corrected or updated without undue delay.
4. The Right to Erasure ("Right to Be Forgotten")
You can ask an organisation to delete your personal data when, for example, it is no longer needed for the original purpose, you withdraw consent, or the data was processed unlawfully.
5. The Right to Restrict Processing
You can require an organisation to pause processing your data while a dispute — such as a challenge to its accuracy — is being resolved.
6. The Right to Data Portability
For data you have provided based on consent or a contract, you can receive it in a structured, commonly used, machine-readable format and transfer it to another provider.
7. The Right to Object
You can object to processing based on legitimate interests, including direct marketing. For marketing, the objection is absolute — the organisation must stop immediately.
8. Rights Related to Automated Decision-Making
You have the right not to be subject to a decision based solely on automated processing — including profiling — that produces legal or similarly significant effects on you, unless specific safeguards apply.
The Six Lawful Bases for Processing Your Data
An organisation cannot legally process your personal data without at least one of six lawful bases set out in Article 6 of the GDPR. Knowing these helps you challenge unjustified data collection.
| Lawful Basis | When It Applies | Example |
|---|---|---|
| Consent | You freely give specific, informed, unambiguous permission | Subscribing to a marketing newsletter |
| Contract | Processing is necessary to fulfil a contract with you | Delivering an order you placed online |
| Legal Obligation | Required by Irish or EU law | Revenue tax record keeping |
| Vital Interests | To protect someone's life | Sharing medical data in an emergency |
| Public Task | Carried out in the public interest by an authority | HSE public health functions |
| Legitimate Interests | Necessary for the organisation's interests, balanced against your rights | Network security monitoring |
How to Make a Subject Access Request in Ireland
A Subject Access Request (SAR) is your single most powerful tool under GDPR. It forces an organisation to disclose exactly what they know about you.
- Identify the data controller. Check the organisation's privacy policy for the contact details of their Data Protection Officer (DPO) or privacy team.
- Put your request in writing. Email is best because it creates a clear timestamp. State clearly that you are making a Subject Access Request under Article 15 of the GDPR.
- Verify your identity. The organisation may ask for proof of identity, but only what is strictly necessary.
- Specify the data you want. You can request all data or narrow it down (e.g. "all CCTV footage of me from 1 March 2026").
- Wait up to one month. The response deadline is one calendar month. It may be extended by two further months for complex requests, but you must be informed.
- Escalate if needed. If you receive no response or an inadequate one, complain to the DPC.
Filing a Complaint With the Data Protection Commission
If an organisation has refused your request, mishandled your data, or breached the GDPR, you can lodge a complaint with the DPC at no cost.
You can submit complaints through the DPC's online webform at dataprotection.ie, by post to 21 Fitzwilliam Square South, Dublin 2, or to the Portarlington office. Include copies of your correspondence with the organisation, screenshots, and any other supporting evidence. The DPC will assess whether the complaint is admissible, attempt amicable resolution, or open a formal inquiry.
What Happens After You Complain?
For cross-border cases involving large tech companies, investigations can take years and may go to the European Data Protection Board for binding decisions. For domestic complaints — against an Irish retailer, employer, or local authority — outcomes are typically faster. The DPC can issue reprimands, compliance orders, temporary processing bans, and fines.
Special Categories of Sensitive Data
GDPR singles out certain types of data as "special categories" requiring stronger protection. Processing these is prohibited unless a specific exception in Article 9 applies.
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic and biometric data used to identify a person
- Health data
- Data concerning sex life or sexual orientation
In Ireland, the Data Protection Act 2018 adds specific rules for processing health data, including by the HSE and private healthcare providers, and tightens the rules around children's data — children under 16 cannot give valid consent for information society services without parental authorisation.
Cookies, Tracking, and the ePrivacy Regulations
In Ireland, cookies and similar tracking technologies are governed primarily by the ePrivacy Regulations 2011 (S.I. No. 336/2011), which sit alongside the GDPR. The DPC's 2020 cookies guidance makes clear that:
- Non-essential cookies require prior, opt-in consent. Pre-ticked boxes and "by continuing to browse" banners are unlawful.
- Rejecting cookies must be as easy as accepting them.
- Strictly necessary cookies (e.g. shopping cart functionality) do not require consent.
- Analytics cookies are not strictly necessary and require consent.
If you visit an Irish website and see a banner with only an "Accept all" button, or where rejection is buried behind multiple clicks, that site is likely non-compliant and can be reported to the DPC.
Practical Steps to Protect Your Privacy
Knowing your rights is only half the battle. Combining them with sensible everyday habits gives you stronger control over your digital footprint.
- Audit your accounts annually. Use SARs or in-app data export tools to see what major services hold on you.
- Switch on encrypted DNS. Services like Cloudflare 1.1.1.1 or NextDNS hide your browsing lookups from your internet provider.
- Use a privacy-respecting browser. Firefox, Brave, and Safari all offer strong built-in tracker blocking.
- Limit link tracking. When sharing URLs, use a privacy-conscious shortener like Lunyb that doesn't bundle invasive third-party analytics. See our honest Lunyb review and our 2026 shorteners buyer's guide for comparisons.
- Unsubscribe and object. Use the right to object to remove yourself from marketing lists permanently rather than just unsubscribing.
- Read privacy notices selectively. Focus on the "data shared with third parties" and "retention period" sections.
GDPR for Small Businesses and Sole Traders in Ireland
If you run a business in Ireland — even a one-person operation — and process personal data, GDPR applies to you. There is no small-business exemption. However, obligations are proportionate to the risk and volume of processing.
Minimum steps for compliance include maintaining a written privacy notice, keeping a record of processing activities (Article 30), securing data with appropriate technical and organisational measures, notifying the DPC of personal data breaches within 72 hours where they pose a risk to individuals, and ensuring any processors you use (web hosts, email providers, marketers) have valid Data Processing Agreements in place.
For businesses sharing branded links — for example, marketing agencies in Dublin or e-commerce stores in Cork — choosing tools that minimise data collection by default reduces compliance overhead. If you are evaluating link management platforms, our Rebrandly review for 2026 walks through how features and data handling compare.
International Data Transfers After Schrems II
The 2020 Schrems II ruling from the Court of Justice of the EU — brought by Austrian lawyer Max Schrems against Facebook Ireland — invalidated the EU-US Privacy Shield and tightened rules around transferring personal data outside the European Economic Area.
Today, transfers to non-EEA countries must rely on an adequacy decision (the EU-US Data Privacy Framework, the UK, Switzerland, Japan, and others), Standard Contractual Clauses with a transfer impact assessment, or Binding Corporate Rules. Irish businesses using US-based cloud services, analytics tools, or marketing platforms must verify these safeguards are in place.
Frequently Asked Questions
How long does an organisation have to respond to a Subject Access Request in Ireland?
One calendar month from receipt of the request. This can be extended by a further two months for complex or numerous requests, but the organisation must inform you within the original month and explain the reason for the delay.
Can I be charged for making a Subject Access Request?
No. In almost all cases, SARs are free. An organisation can only charge a "reasonable fee" if the request is manifestly unfounded or excessive — for example, repetitive — or for additional copies of the same data. They must justify any fee.
What is the difference between the DPC and the GDPR?
The GDPR is the EU-wide law setting out the rules. The Data Protection Commission (DPC) is the independent Irish authority that enforces those rules in Ireland, investigates complaints, and issues fines. The DPC is also the lead EU regulator for many large tech companies headquartered in Dublin.
Does GDPR still apply if I'm sharing data within the EU?
Yes. GDPR applies to all processing of personal data within the EU and EEA, including transfers between member states. Such transfers are not considered "international" under the regulation, but the controller still needs a lawful basis and must follow all other GDPR obligations.
What should I do if a company ignores my GDPR request?
First, send a follow-up in writing referencing the one-month deadline. If you still get no response or an inadequate one, file a complaint with the Data Protection Commission via the webform at dataprotection.ie. Include copies of all correspondence and any relevant evidence.
Final Thoughts
GDPR has fundamentally rebalanced the relationship between individuals and organisations that handle personal data, and Ireland — by virtue of geography and economics — sits at the centre of its enforcement. Your rights to access, correct, delete, and object to the processing of your data are not abstract: they are legally enforceable, free to exercise, and backed by one of Europe's most active regulators.
The best privacy strategy combines legal awareness with practical tools: understand your rights, use them when needed, and choose services that minimise data collection in the first place. Whether you're a private individual or running a business, the standards GDPR sets are now the global benchmark — and Ireland is one of the best places in the world to hold organisations to them.