
GDPR in Ireland: Your Privacy Rights Explained

Lunyb Security Team · 11 min read

The General Data Protection Regulation (GDPR) is one of the most powerful privacy laws in the world, and Ireland sits at the very heart of how it's enforced across Europe. With Dublin hosting the European headquarters of Google, Meta, TikTok, Microsoft, LinkedIn, and many others, the Irish Data Protection Commission (DPC) is effectively the front-line regulator for some of the largest data processors on the planet. But GDPR isn't just about Big Tech — it's about you, the individual, and the rights you have over your personal data.

This guide explains GDPR in Ireland in plain English: what your rights are, how to use them, who enforces the rules, and what practical steps you can take to protect your privacy online in 2026.

What Is GDPR and How Does It Apply in Ireland?

The General Data Protection Regulation (GDPR) is an EU-wide law that came into force on 25 May 2018, giving individuals strong, enforceable rights over their personal data. In Ireland, GDPR is supplemented by the Data Protection Act 2018, which tailors certain provisions to Irish law and establishes the Data Protection Commission as the national supervisory authority.

Together, these laws apply to any organisation that processes personal data of people in Ireland — whether the organisation is based in Dublin, Berlin, or California. "Personal data" is defined very broadly: it includes your name, email address, phone number, IP address, location data, online identifiers, photos, health information, and even opinions about you held in a CRM system.

Who Enforces GDPR in Ireland?

The Data Protection Commission (DPC), headquartered in Dublin with offices in Portarlington, is the independent authority responsible for upholding the fundamental right of individuals in the EU to have their personal data protected. Because so many multinationals have their EU base in Ireland, the DPC often acts as the "lead supervisory authority" for cross-border cases under the GDPR's one-stop-shop mechanism.

The DPC has issued some of the largest GDPR fines in history, including penalties against Meta, TikTok, and WhatsApp running into hundreds of millions of euros.

Your Eight Core GDPR Rights in Ireland

GDPR gives every individual in Ireland eight specific data protection rights. These rights apply whenever an organisation holds or processes your personal data, and most can be exercised free of charge.

  1. The right to be informed — to know what data is collected, why, and who it's shared with.
  2. The right of access — to get a copy of the personal data held about you.
  3. The right to rectification — to correct inaccurate or incomplete data.
  4. The right to erasure ("right to be forgotten") — to have your data deleted in certain circumstances.
  5. The right to restrict processing — to limit how your data is used.
  6. The right to data portability — to receive your data in a machine-readable format and transfer it elsewhere.
  7. The right to object — to stop processing for direct marketing or based on legitimate interests.
  8. Rights related to automated decision-making and profiling — to not be subject to purely automated decisions with legal effects.

The Right of Access: Making a Subject Access Request (SAR)

The right of access is by far the most commonly used right. You can write to any organisation — your bank, employer, gym, mobile operator, or a social media platform — and request a copy of all personal data they hold about you. This is called a Subject Access Request (SAR).

Under GDPR, the organisation must respond within one calendar month, free of charge in most cases. They can extend this by two months for complex requests, but they must tell you why. If they refuse, they must explain the legal basis and inform you of your right to complain to the DPC.

The Right to Erasure: When Can You Be Forgotten?

The right to erasure is not absolute. You can request deletion when:

  • The data is no longer necessary for the original purpose.
  • You withdraw consent (and consent was the lawful basis).
  • You object to processing and there's no overriding legitimate interest.
  • The data was processed unlawfully.
  • Deletion is required to comply with a legal obligation.

However, organisations can refuse erasure if the data is needed for legal claims, freedom of expression, public interest tasks, or compliance with another law (for example, banks must keep transaction records for several years under anti-money-laundering rules).

The Six Lawful Bases for Processing

Every time an organisation in Ireland processes your data, it must rely on one of six lawful bases under Article 6 of the GDPR. Understanding these helps you assess whether what's being done with your data is actually legal.

| Lawful Basis | When It Applies | Example |
|---|---|---|
| Consent | You've freely given clear, specific permission | Subscribing to a newsletter |
| Contract | Processing is needed to fulfil a contract | Delivery address for an online order |
| Legal obligation | Required by Irish or EU law | Revenue tax reporting |
| Vital interests | To protect someone's life | Emergency medical care |
| Public task | Performed by a public authority | Census data collection by the CSO |
| Legitimate interests | Reasonable use that doesn't override your rights | Fraud prevention by your bank |

Special Category Data Gets Extra Protection

Some data is considered especially sensitive and requires an additional lawful basis under Article 9. This "special category data" includes information about your health, race, ethnic origin, religious beliefs, political opinions, trade union membership, sexual orientation, genetic data, and biometric data used for identification.

How to Make a GDPR Complaint to the Irish DPC

If you believe an organisation has mishandled your personal data, you have the right to complain directly to the Data Protection Commission. The process is free and relatively straightforward.

  1. Contact the organisation first. The DPC strongly encourages you to raise the issue with the controller's Data Protection Officer (DPO) before escalating. Many issues are resolved at this stage.
  2. Wait for their response. They have one month to reply substantively.
  3. Gather evidence. Save emails, screenshots, dates, reference numbers, and copies of the original requests.
  4. Submit your complaint. Use the DPC's online complaint form at dataprotection.ie, or send a letter to their Portarlington office.
  5. Engage with the investigation. The DPC may ask for further information or attempt mediation before issuing a binding decision.

Decisions of the DPC can be appealed to the Circuit Court or High Court. You also retain a separate right to seek compensation directly through the Irish courts for material or non-material damage caused by a GDPR breach.

Cookies, Tracking, and the ePrivacy Regulations

While GDPR covers personal data generally, cookies and similar tracking technologies in Ireland are governed by the ePrivacy Regulations (S.I. 336 of 2011), enforced alongside GDPR by the DPC.

The DPC's guidance is clear: cookies that aren't strictly necessary for a service to function — including analytics, advertising, and social media trackers — require prior, freely given, specific, informed consent. That means:

  • No pre-ticked boxes.
  • No "by continuing to use this site you consent" banners.
  • Rejecting cookies must be as easy as accepting them.
  • Consent must be refreshed periodically (the DPC suggests every six months).

If you visit an Irish website with a non-compliant cookie banner — for example, one without a clear "Reject All" button on the first layer — that's potentially a breach you can report.

Data Breaches: What You're Entitled to Know

A personal data breach is a security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. Under GDPR, controllers must notify the DPC within 72 hours of becoming aware of a breach where it's likely to result in a risk to your rights and freedoms.

If the breach is likely to result in a high risk to you, the organisation must also notify you directly, in clear and plain language, describing the nature of the breach, the likely consequences, and the measures taken to address it.

In 2023 and 2024 the DPC received tens of thousands of breach notifications, ranging from misdirected emails to large-scale cyberattacks. If you receive such a notice, take it seriously: change passwords, enable two-factor authentication, and watch for phishing attempts.

Practical Steps to Protect Your Privacy in Ireland

Knowing your legal rights is only half the battle. Here are practical, technology-based steps you can take to reduce how much personal data you expose in the first place.

1. Audit Your Digital Footprint

Search your name, email address, and phone number in Google. Then make subject access or erasure requests to remove outdated or unwanted listings. Data broker sites, old forum posts, and abandoned social profiles are common sources of leakage.

2. Use Privacy-Respecting Tools

Switch to a browser that blocks trackers by default (Brave, Firefox with strict mode, or Safari with Intelligent Tracking Prevention). Use a private search engine like DuckDuckGo or Startpage. Consider encrypted DNS services such as Cloudflare 1.1.1.1 or NextDNS to prevent your internet provider from logging every domain you visit.

3. Be Careful What You Click and Share

Shortened links are everywhere — in emails, SMS, social posts, and QR codes — but not all link shorteners treat your data the same way. A privacy-conscious URL shortener like Lunyb minimises data collection and lets you share links without exposing recipients to invasive tracking pixels. You can read more in our honest Lunyb review or our 2026 buyer's guide to URL shorteners for a wider comparison.

4. Lock Down Your Accounts

Enable two-factor authentication on every important account — especially email, banking, and Revenue.ie / MyGovID. Use a password manager so each account has a unique, long password. This dramatically reduces the impact of any single data breach.

5. Review App Permissions Regularly

On both Android and iOS, go through which apps have access to your location, contacts, microphone, and camera. Revoke anything that isn't essential. Under GDPR, app developers must justify each permission they request.

GDPR for Irish Businesses: A Quick Overview

If you run a business in Ireland — even a sole trader with a mailing list — GDPR applies to you. Key obligations include:

  • Maintaining a record of processing activities (Article 30).
  • Having a clear, accessible privacy notice.
  • Implementing appropriate technical and organisational security measures.
  • Responding to data subject requests within one month.
  • Notifying breaches within 72 hours where required.
  • Appointing a Data Protection Officer if you carry out large-scale monitoring or process special category data on a large scale.
  • Carrying out Data Protection Impact Assessments (DPIAs) for high-risk processing.

Fines for non-compliance can reach €20 million or 4% of global annual turnover — whichever is higher. For SMEs, the reputational damage of a publicised breach is often even more costly than the fine itself.

International Data Transfers After Schrems II

One of the most complex areas of GDPR in Ireland is the transfer of personal data outside the European Economic Area, particularly to the United States. The Court of Justice of the EU's Schrems II ruling in 2020 — a case brought by Austrian lawyer Max Schrems against Facebook Ireland — invalidated the EU–US Privacy Shield and forced organisations to carefully assess each transfer.

In July 2023, the European Commission adopted the EU–US Data Privacy Framework, which restored a legal basis for transfers to certified US organisations. However, this framework is already facing legal challenges, and businesses should not assume it's permanent. Standard Contractual Clauses (SCCs), supplementary safeguards, and Transfer Impact Assessments remain important tools.

Frequently Asked Questions

How long does an Irish company have to respond to my GDPR request?

One calendar month from the date they receive your request. They can extend this by up to two further months for complex or numerous requests, but they must inform you of the extension and the reasons within the original month.

Can I be charged a fee for a Subject Access Request in Ireland?

No, the first copy is free. A reasonable fee based on administrative costs can only be charged if requests are manifestly unfounded, excessive, or repetitive — or if you ask for additional copies of the same information.

What's the difference between the DPC and the Office of the Ombudsman?

The Data Protection Commission handles complaints about how your personal data is processed under GDPR and the Data Protection Act 2018. The Office of the Ombudsman investigates complaints about the administrative actions of public bodies more generally. For privacy issues, the DPC is the correct body.

Does GDPR apply to my personal blog or hobby website?

There's a "household exemption" for purely personal or domestic activities, but as soon as you have comments, analytics, advertising, a mailing list, or any commercial element, GDPR likely applies. The safest approach is to publish a simple privacy notice and use privacy-friendly tools.

Can I sue an Irish company directly for a GDPR breach?

Yes. Article 82 of the GDPR and section 117 of the Data Protection Act 2018 give you a right to compensation for material damage (financial loss) and non-material damage (distress, anxiety, reputational harm) through the Circuit Court or High Court — independently of any complaint to the DPC.

Final Thoughts

GDPR has transformed the conversation around personal data in Ireland, shifting power from organisations back toward individuals. Your rights are real, enforceable, and free to exercise — but they only matter if you use them. Combine that legal knowledge with sensible privacy practices and privacy-respecting tools, and you'll be in a strong position to control your digital life in 2026 and beyond.

For more on choosing tools that respect your data, see our 2026 URL shortener buyer's guide and our Rebrandly review.
