GDPR in Ireland: Your Privacy Rights Explained
Ireland sits at the heart of Europe's data economy. With most of the world's largest tech companies basing their European headquarters in Dublin, the General Data Protection Regulation (GDPR) and the Irish Data Protection Act 2018 have unusual significance here. They don't just protect Irish residents — they shape how billions of people's data is handled worldwide. This guide explains exactly what privacy rights you have in Ireland, how to use them, and what to do when something goes wrong.
What Is GDPR and How Does It Apply in Ireland?
The General Data Protection Regulation (GDPR) is an EU-wide law that came into force on 25 May 2018. It governs how organisations collect, store, use, and share personal data about individuals in the European Union. In Ireland, GDPR is given full legal effect through the Data Protection Act 2018, which adds Ireland-specific provisions on areas such as children's data, law enforcement processing, and the powers of the Data Protection Commission (DPC).
GDPR applies to any organisation — whether based in Ireland, elsewhere in the EU, or outside Europe — that processes personal data of people located in Ireland. That includes shops, schools, hospitals, employers, marketing companies, social media platforms, and even small clubs or charities. If they handle your name, email, location, payment details, IP address, or behavioural data, GDPR applies.
Who Enforces GDPR in Ireland?
The Data Protection Commission (DPC), headquartered in Dublin, is Ireland's independent supervisory authority. Because so many multinational tech companies have their EU base in Ireland, the DPC also acts as the lead regulator for cross-border investigations under the GDPR's "one-stop shop" mechanism. The DPC has issued some of the largest GDPR fines in Europe, including landmark decisions against major platforms.
Your Eight Core GDPR Rights in Ireland
GDPR gives every person in Ireland eight fundamental rights over their personal data. These rights apply whether the organisation is a local café running a loyalty programme or a global social network.
1. The Right to Be Informed
You have the right to know what personal data an organisation collects about you, why they collect it, how long they keep it, and who they share it with. This is usually delivered through a privacy notice or privacy policy. Notices must be concise, transparent, easy to understand, and written in plain language.
2. The Right of Access (Subject Access Request)
You can ask any organisation for a copy of the personal data they hold about you. This is known as a Subject Access Request (SAR). The organisation must respond within one month and cannot normally charge a fee. You're entitled to the data itself plus information about how it's processed.
3. The Right to Rectification
If data held about you is inaccurate or incomplete, you can ask for it to be corrected or updated. The organisation must act without undue delay, generally within one month.
4. The Right to Erasure ("Right to Be Forgotten")
You can request that your personal data be deleted in certain circumstances — for example, when it's no longer needed, when you withdraw consent, or when it was processed unlawfully. This right is not absolute; legal obligations or public interest may override it.
5. The Right to Restrict Processing
You can ask an organisation to pause processing your data while a dispute is resolved, for example while they verify the accuracy of data you've challenged.
6. The Right to Data Portability
You can ask for the personal data you've provided to be supplied in a structured, commonly used, machine-readable format — and have it transferred to another provider. This commonly applies to banks, telecoms, streaming services, and social platforms.
7. The Right to Object
You can object to processing based on legitimate interests, public interest tasks, or direct marketing. For direct marketing, the objection is absolute — organisations must stop immediately.
8. Rights Related to Automated Decision-Making and Profiling
You have the right not to be subject to a purely automated decision that has a legal or similarly significant effect on you (for example, an automated loan refusal), unless specific conditions and safeguards apply.
The Six Lawful Bases for Processing Your Data
Organisations cannot process your personal data simply because they want to. They must rely on one of six lawful bases set out in Article 6 of GDPR.
| Lawful Basis | Typical Example |
|---|---|
| Consent | Opting in to a marketing newsletter |
| Contract | Processing your address to deliver an online order |
| Legal Obligation | An employer reporting PAYE data to Revenue |
| Vital Interests | Sharing medical information in an emergency |
| Public Task | A local authority processing housing applications |
| Legitimate Interests | A retailer detecting payment fraud |
Special categories of data (health, ethnicity, religion, biometric and genetic data, sexual orientation, trade union membership, and political opinions) need an additional condition under Article 9 because of the higher risk they carry.
How to Make a Subject Access Request in Ireland
A Subject Access Request is one of the most powerful tools you have. Here's a simple process to follow.
- Identify the data controller. This is the organisation that decides why and how your data is processed.
- Find the right contact. Look for a Data Protection Officer (DPO) or a privacy email address in the company's privacy notice.
- Make the request in writing. Email is fine. State clearly that you are making a request under Article 15 of GDPR.
- Verify your identity. The organisation may ask for reasonable proof to ensure they don't release data to the wrong person.
- Wait up to one month. This can be extended by two months for complex requests, but they must tell you.
- Review the response. If it's incomplete or refused, you can escalate to the DPC.
Sample Wording
"Dear [Organisation], I am writing to make a Subject Access Request under Article 15 of the GDPR. Please provide a copy of all personal data you hold about me, along with the purposes of processing, recipients, retention periods, and the source of the data. My identifying details are below."
Data Breaches: What Should Happen and What You Can Do
A personal data breach is any security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. Under GDPR, organisations must notify the DPC within 72 hours where the breach poses a risk to individuals. Where the risk is high, they must also notify you directly.
If you suspect your data has been exposed in a breach:
- Change passwords immediately and enable two-factor authentication.
- Monitor bank statements and credit reports for unusual activity.
- Be alert to phishing emails and texts referencing the breach.
- Ask the organisation for written confirmation of what data was affected.
- Lodge a complaint with the DPC if you're unsatisfied with the response.
Cookies, Tracking, and Online Privacy in Ireland
Cookies and similar tracking technologies are governed by the ePrivacy Regulations 2011 alongside GDPR. The DPC has issued specific guidance: most non-essential cookies — including analytics, advertising, and social media trackers — require prior, freely given consent. Pre-ticked boxes, cookie walls that force consent, and "continued browsing equals consent" approaches are not lawful in Ireland.
You should expect a clear cookie banner that lets you accept all, reject all, or customise your choices with equal prominence. If a website only offers an "Accept" button without an equally easy "Reject" option, that is a likely breach of Irish guidance.
Practical Steps to Strengthen Your Online Privacy
- Use a privacy-focused browser and enable tracker blocking.
- Switch to encrypted DNS providers to reduce profiling at the network level.
- Review app permissions on your phone monthly and revoke anything excessive.
- Use unique passwords stored in a reputable password manager.
- Be cautious about which links you click, especially in unsolicited messages. Tools like Lunyb can help you check, preview, and safely share links while preserving your privacy.
Even simple measures, like using a trustworthy URL shortener with built-in safety features, can reduce your exposure to phishing and tracking. If you're evaluating tools, our 2026 buyer's guide to URL shorteners walks through the privacy considerations in detail.
Children's Data and the Digital Age of Consent in Ireland
Ireland's Data Protection Act 2018 sets the digital age of consent at 16. This means children under 16 cannot lawfully consent to the processing of their personal data by information society services (such as social media, gaming, or apps) — a parent or guardian must consent on their behalf.
The DPC's "Fundamentals for a Child-Oriented Approach to Data Processing" sets out 14 principles organisations must follow when their services are likely to be used by children, including age-appropriate transparency, default high-privacy settings, and a prohibition on profiling children for marketing.
How to Complain to the Data Protection Commission
If an organisation has not respected your rights, you can lodge a complaint with the DPC free of charge.
- Try the organisation first. Most disputes can be resolved directly. Keep written records.
- Gather evidence. Save emails, screenshots, dates, and copies of your original request.
- Submit your complaint. Use the DPC's online webform at dataprotection.ie, or email/post a written complaint.
- Engage with the DPC's investigation. They may attempt amicable resolution before launching a formal inquiry.
- Consider judicial remedies. You can also bring a civil action in the Irish courts for compensation, including for non-material damage such as distress.
GDPR Penalties: What Organisations Face for Breaking the Rules
GDPR fines are tiered. Lesser infringements can attract fines of up to €10 million or 2% of global annual turnover, whichever is higher. Serious infringements — such as breaches of the core principles, individuals' rights, or international transfer rules — can lead to fines of up to €20 million or 4% of global annual turnover. Ireland's DPC has imposed multi-hundred-million-euro fines in cross-border cases, making it one of the most consequential regulators in the world.
Common Misconceptions About GDPR in Ireland
- "GDPR only applies to big companies." False. It applies to any organisation processing personal data, including sole traders and small clubs.
- "I need consent for everything." Consent is just one of six lawful bases. Many lawful processing activities rely on contract or legitimate interests.
- "GDPR doesn't apply to paper records." It does, when they form part of a structured filing system.
- "I can ask for any data to be deleted." The right to erasure has limits, especially where legal obligations require data retention.
- "Brexit means UK companies don't need to comply." If they process data of people in Ireland, GDPR still applies via its extraterritorial reach.
Frequently Asked Questions
How long does an organisation have to respond to my GDPR request?
One calendar month from receipt of your request. This can be extended by up to two further months for particularly complex or numerous requests, but the organisation must inform you of the extension and the reasons within the first month.
Can I be charged for a Subject Access Request in Ireland?
No, not normally. SARs are free. A "reasonable fee" can only be charged where requests are manifestly unfounded, excessive, or repetitive, or where you ask for additional copies of data already provided.
What's the difference between a data controller and a data processor?
A data controller decides why and how personal data is processed (for example, your bank). A data processor acts on behalf of the controller (for example, a cloud provider hosting the bank's systems). You usually exercise your rights against the controller.
Can I claim compensation under GDPR in Ireland?
Yes. Article 82 of GDPR and Section 117 of the Data Protection Act 2018 allow you to bring a claim in the Circuit Court or High Court for material damage (financial loss) and non-material damage (distress, anxiety, reputational harm) caused by a breach of your rights.
Does GDPR protect me when I use services based outside the EU?
Yes, if those services target or monitor people in the EU. The provider must comply with GDPR, appoint an EU representative where required, and ensure any international data transfers use lawful safeguards such as Standard Contractual Clauses.
Final Thoughts
GDPR has reshaped the relationship between individuals and the organisations that hold their data. In Ireland — home to so much of Europe's digital infrastructure — those rights are particularly significant. Knowing your eight core rights, how to exercise them, and where to turn when they're ignored puts real power back in your hands. Treat your personal data the way you'd treat your wallet: know who has access to it, check it regularly, and don't be shy about asking questions when something doesn't add up.