GDPR in Ireland: Your Privacy Rights Explained

Lunyb Security Team

The General Data Protection Regulation (GDPR) gives every person in Ireland a powerful set of legal rights over how their personal data is collected, stored, and used. Since the GDPR took effect in May 2018, alongside Ireland's Data Protection Act 2018, Irish residents have some of the strongest privacy protections in the world. Yet many people still don't fully understand what rights they actually have, how to exercise them, or what to do when a company ignores their request.

This guide explains, in plain English, how the GDPR works in Ireland, what each of your rights means in practice, and the exact steps to take when your privacy is breached. Whether you're concerned about a marketing email you can't unsubscribe from, a data breach notification, or a company refusing to delete your account, this article will help you take action with confidence.

What is the GDPR and How Does It Apply in Ireland?

The GDPR is an EU-wide regulation that governs how personal data is processed by organisations operating in the European Economic Area (EEA). In Ireland, it is enforced by the Data Protection Commission (DPC), the country's independent supervisory authority based in Dublin.

Because so many global technology companies — including Meta, Google, TikTok, Microsoft, and Apple — have their European headquarters in Ireland, the Irish DPC plays a uniquely important role. It acts as the lead regulator for most major tech firms across the entire EU under the GDPR's "one-stop-shop" mechanism. This means decisions made in Dublin often shape privacy enforcement across all 27 member states.

The Two Key Laws You Should Know

  • EU Regulation 2016/679 (GDPR) — the directly applicable EU regulation.
  • Data Protection Act 2018 — the Irish national law that gives effect to the GDPR and covers areas like state agencies, law enforcement processing, and children's data.

Who Must Comply?

Any organisation that processes the personal data of people in Ireland must comply, regardless of where the company itself is based. This includes small Irish businesses, multinational platforms, public bodies, charities, sports clubs, and even sole traders who maintain a customer mailing list.

What Counts as "Personal Data" Under Irish GDPR?

Personal data is any information that relates to an identified or identifiable living person. The definition is intentionally broad and covers far more than just your name and address.

Examples of personal data include:

  • Your name, PPS number, and Eircode
  • Email addresses, phone numbers, and IP addresses
  • Photographs and CCTV footage
  • Location data from your phone
  • Cookies and online identifiers
  • Bank account and payment details
  • Employment records and performance reviews

A special category of "sensitive personal data" receives extra protection. This includes data about your health, race or ethnic origin, religious beliefs, political opinions, trade union membership, sexual orientation, biometric data, and genetic data. Organisations need a specific lawful basis — usually your explicit consent — to process this kind of information.

Your Eight Core GDPR Rights in Ireland

The GDPR gives you eight enforceable rights. Every Irish resident can use them free of charge, and organisations must respond within one calendar month.

1. The Right to Be Informed

You have the right to know what data is being collected about you, why, how long it will be kept, and who it will be shared with. This is usually delivered through a privacy notice on a company's website.

2. The Right of Access (Subject Access Request)

You can ask any organisation to give you a copy of all the personal data it holds about you. This is known as a Subject Access Request (SAR). The organisation must respond within 30 days and provide the information in a commonly used electronic format.

3. The Right to Rectification

If data held about you is inaccurate or incomplete, you can demand that it be corrected without undue delay.

4. The Right to Erasure ("Right to Be Forgotten")

You can ask an organisation to delete your personal data in several situations — for example, when the data is no longer needed, when you withdraw consent, or when the data has been processed unlawfully. There are exceptions, such as legal record-keeping obligations under Revenue or employment law.

5. The Right to Restrict Processing

You can ask an organisation to pause its use of your data while a dispute is being resolved, for example if you contest its accuracy.

6. The Right to Data Portability

You can request your data in a machine-readable format (such as CSV or JSON) and have it transferred directly to another service provider where technically feasible.

7. The Right to Object

You can object to your data being used for direct marketing at any time, and the organisation must stop immediately. You can also object to processing based on legitimate interests or public tasks.

8. Rights Related to Automated Decision-Making

You have the right not to be subject to a decision based solely on automated processing — including profiling — that produces legal or similarly significant effects on you. This is increasingly relevant in areas like credit scoring, insurance pricing, and AI-driven recruitment.

Quick Reference: Your Rights at a Glance

| Right | What It Lets You Do | Response Deadline |
|---|---|---|
| Be Informed | Receive clear privacy notices | At point of collection |
| Access | Get a copy of your data | 1 month (free) |
| Rectification | Correct inaccurate data | 1 month |
| Erasure | Delete your data | 1 month |
| Restrict Processing | Pause use of your data | 1 month |
| Portability | Move data to another provider | 1 month |
| Object | Stop marketing or certain processing | Immediate for marketing |
| Automated Decisions | Demand human review | 1 month |

How to Make a GDPR Request in Ireland: Step-by-Step

Exercising your rights is straightforward and free. Here's the practical process:

  1. Identify the data controller. This is the organisation that decides why and how your data is processed. Look for their contact details in the privacy policy.
  2. Write a clear request. Email is usually best. State which right you are exercising (for example, "This is a request under Article 15 GDPR for access to my personal data").
  3. Verify your identity. The organisation may ask for proof of identity, but only what is strictly necessary.
  4. Wait up to one month. The deadline can be extended by two further months for complex requests, but they must tell you within the first month.
  5. Review the response. Check whether the organisation has answered fully and lawfully.
  6. Escalate if needed. If you are unhappy, complain to the Data Protection Commission.

Filing a Complaint with the Data Protection Commission

The Data Protection Commission (DPC) is Ireland's independent regulator. You can file a complaint free of charge if an organisation has not respected your rights.

How to Submit a Complaint

  • Online: via the DPC's official complaint webform at dataprotection.ie
  • By post: Data Protection Commission, 21 Fitzwilliam Square South, Dublin 2, D02 RD28
  • By email: through the contact form on their website

Include copies of your original request, the organisation's response (or lack thereof), and a clear explanation of what went wrong. The DPC has the power to investigate, mediate, issue reprimands, and impose administrative fines of up to €20 million or 4% of global annual turnover, whichever is higher.

Data Breaches: What Should Happen and What You Can Do

A personal data breach is any security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, your personal data. Common examples include hacking incidents, lost laptops, misdirected emails, and ransomware attacks.

Notification Obligations

  • Organisations must notify the DPC within 72 hours of becoming aware of a breach that risks people's rights and freedoms.
  • If the breach poses a high risk to you personally, the organisation must also notify you directly, without undue delay.

What You Can Do After a Breach

  1. Change passwords on the affected account and any account using the same password.
  2. Enable two-factor authentication where available.
  3. Watch for phishing emails referencing the breach.
  4. Consider a credit watch with the Central Credit Register if financial data was exposed.
  5. You may be entitled to compensation for material or non-material damage through the Irish courts.

Children's Data Protection in Ireland

Ireland has set the digital age of consent at 16. This means online services aimed at children under 16 generally need parental consent before processing their data. The DPC's "Fundamentals for a Child-Oriented Approach to Data Processing" provides 14 detailed principles that platforms must follow when they know — or should know — that their users include children.

Practical Privacy Tips for Everyday Irish Internet Users

Knowing your rights is only half the battle. Reducing how much data you expose in the first place is just as important. Here are practical steps that complement your legal protections:

  • Use privacy-respecting browsers such as Firefox or Brave with tracking protection enabled.
  • Enable encrypted DNS (DNS-over-HTTPS) so your internet provider can't easily log every site you visit.
  • Review app permissions on your phone monthly — turn off location, contacts, and microphone access for apps that don't need them.
  • Use strong, unique passwords stored in a reputable password manager.
  • Be cautious with link shorteners. Some free shorteners log and sell click data. A privacy-conscious option like Lunyb minimises tracking and gives you control over the links you share. You can read more in our honest review of Lunyb or compare it to alternatives in our 2026 buyer's guide.
  • Read cookie banners properly. Under Irish ePrivacy rules, refusing non-essential cookies must be as easy as accepting them.

GDPR for Small Businesses and Sole Traders in Ireland

If you run a small business — even a one-person operation — the GDPR applies the moment you handle any customer information. Common compliance steps include:

  1. Maintain a simple record of processing activities.
  2. Publish a clear privacy notice on your website.
  3. Use a lawful basis for marketing (usually explicit opt-in consent).
  4. Have a written data breach response plan.
  5. Sign data processing agreements with any third-party providers (hosting, email, CRM).
  6. Train any staff who handle customer data.

Failing to comply can result in DPC investigations even for small operators, though fines are typically proportionate. The DPC also offers free guidance specifically aimed at SMEs.

Common Myths About GDPR in Ireland

Myth 1: "GDPR only applies to big tech companies."

False. It applies to any organisation processing personal data, including local shops, GAA clubs, and freelancers.

Myth 2: "I need to charge for a subject access request."

False. Requests are free unless they are manifestly unfounded or excessive.

Myth 3: "Consent is the only lawful basis."

False. There are six lawful bases, including contract, legal obligation, vital interests, public task, and legitimate interests.

Myth 4: "Once I consent, I can't change my mind."

False. You can withdraw consent at any time, and it must be as easy to withdraw as it was to give.

Frequently Asked Questions

How long does a company have to respond to my GDPR request in Ireland?

One calendar month from the date the request is received. This can be extended by up to two further months for complex or numerous requests, but the organisation must inform you of the extension within the original month and explain why.

Can I get compensation if my data is breached?

Yes. Under Article 82 of the GDPR and Section 117 of the Data Protection Act 2018, you can sue for both material damage (financial loss) and non-material damage (distress, anxiety, reputational harm) in the Irish Circuit Court. Recent Irish case law has confirmed that mere upset is not enough — you must show actual, identifiable damage.

What happens if a company ignores my erasure request?

First, send a follow-up reminding them of their one-month deadline. If they still refuse or ignore you without a valid legal exception, file a complaint with the Data Protection Commission. The DPC can compel the organisation to act and may impose fines.

Does GDPR apply to companies based outside the EU?

Yes, if they offer goods or services to people in Ireland or monitor their behaviour. A US-based online retailer selling to Irish customers, for example, must comply with the GDPR and may need to appoint an EU representative.

Is my workplace allowed to monitor my emails or use CCTV?

Only with a lawful basis, clear policies, and proportionate measures. Covert monitoring is generally prohibited except in very narrow circumstances such as suspected criminal activity. Employees must be informed in advance through transparent policies, and CCTV must follow the DPC's specific guidance on workplace surveillance.

Conclusion: Take Control of Your Data

The GDPR transformed Irish residents from passive subjects of data collection into active rights-holders. Your eight core rights — access, rectification, erasure, restriction, portability, objection, information, and protection from automated decisions — are powerful tools, but only if you use them. Combined with everyday privacy habits like minimising the apps and services you trust with your data, they give you genuine control over your digital life.

If a company is not respecting your rights, don't accept it. Send a written request, document everything, and escalate to the Data Protection Commission if needed. Irish privacy law is on your side — make it work for you.
