GDPR in Ireland: Your Privacy Rights Explained

Lunyb Security Team

Ireland sits at the heart of European data protection enforcement. With many of the world's largest technology companies headquartered in Dublin, the country's Data Protection Commission (DPC) acts as the lead supervisory authority for cross-border investigations across the EU. For Irish residents, this means your privacy rights under the General Data Protection Regulation (GDPR) are not just theoretical — they are actively enforced, often with record-breaking fines.

This guide explains exactly what GDPR means for you in Ireland, the rights you can exercise today, and the practical steps you can take if a company misuses your personal data.

What Is GDPR and How Does It Apply in Ireland?

The General Data Protection Regulation (GDPR) is an EU-wide law that came into force on 25 May 2018. It governs how organisations collect, store, use, and share personal data about individuals in the European Union. In Ireland, GDPR is supplemented by the Data Protection Act 2018, which fills in national-level details and establishes the Data Protection Commission as the country's supervisory authority.

GDPR applies to any organisation — Irish or foreign — that processes the personal data of people in Ireland. That includes everything from your local GP and credit union to multinationals like Meta, Google, TikTok, and Microsoft, many of which have their European headquarters in Dublin. Because of this concentration, the Irish DPC has become one of the most influential regulators in Europe.

What Counts as Personal Data?

Personal data is any information that can identify you, directly or indirectly. Examples include:

  • Your name, address, phone number, and email
  • Your PPS number and bank details
  • IP addresses, device IDs, and cookies
  • Location data and online identifiers
  • Photos, CCTV footage, and voice recordings
  • Health, biometric, and genetic information (special category data)

Your Eight Core Privacy Rights Under GDPR

GDPR gives you eight specific rights over your personal data. These rights apply whether the organisation processing your data is a small Irish business or a global tech giant.

1. The Right to Be Informed

Organisations must tell you clearly what data they collect, why they collect it, how long they keep it, and who they share it with. This is usually delivered through a privacy notice or policy on a website.

2. The Right of Access

You can ask any company for a copy of the personal data they hold about you. This is known as a Subject Access Request (SAR). The organisation must respond within one month and, in most cases, provide the information free of charge.

3. The Right to Rectification

If your data is inaccurate or incomplete, you can ask for it to be corrected without undue delay.

4. The Right to Erasure ("Right to Be Forgotten")

You can request deletion of your personal data in specific situations — for example, when the data is no longer needed, you withdraw consent, or it was processed unlawfully.

5. The Right to Restrict Processing

You can ask an organisation to pause processing your data, for example while a dispute about its accuracy is investigated.

6. The Right to Data Portability

You can request your data in a structured, commonly used, machine-readable format so you can move it to another service provider.

7. The Right to Object

You can object to processing based on legitimate interests, direct marketing, or profiling. For direct marketing, the objection is absolute — the company must stop immediately.

8. Rights Related to Automated Decision-Making

You have the right not to be subject to decisions made solely by automated processing — including profiling — that produce legal or similarly significant effects on you.

The Role of the Irish Data Protection Commission

The Data Protection Commission (DPC), based in Dublin and Portarlington, is Ireland's national authority responsible for upholding GDPR. It handles complaints, investigates breaches, issues guidance, and imposes administrative fines.

Because so many US tech companies have their EU base in Ireland, the DPC acts as the "lead supervisory authority" for most cross-border cases involving Meta, Google, X (Twitter), TikTok, LinkedIn, and Apple. Recent landmark decisions include:

  • A €1.2 billion fine against Meta in 2023 for unlawful EU–US data transfers
  • A €345 million fine against TikTok in 2023 over children's data
  • A €310 million fine against LinkedIn in 2024 for unlawful behavioural advertising
  • Multiple fines against Meta totalling over €2.5 billion since 2021

Lawful Bases for Processing Your Data

An organisation cannot simply collect your data because it wants to. Under GDPR, it must rely on one of six lawful bases. Understanding these helps you challenge processing you believe is unjustified.

Lawful Basis | When It Applies | Example
Consent | You freely give clear, specific permission | Subscribing to a newsletter
Contract | Needed to fulfil a contract with you | Delivering an online order
Legal obligation | Required by Irish or EU law | Revenue tax records
Vital interests | Necessary to protect someone's life | Emergency medical care
Public task | Carried out by a public authority | HSE health services
Legitimate interests | Reasonable business need, balanced against your rights | Fraud prevention

How to Make a Subject Access Request in Ireland

A Subject Access Request (SAR) is the most powerful tool in your GDPR toolkit. It forces an organisation to show you exactly what they know about you. Here is how to make one effectively.

  1. Identify the data controller. Find the company's privacy policy and locate their Data Protection Officer (DPO) or privacy contact email.
  2. Write a clear request. State that you are making a request under Article 15 of the GDPR. You do not need a special form.
  3. Verify your identity. The controller may ask for proof of ID, but they cannot demand excessive documentation.
  4. Specify the scope (optional). If you only want certain records (e.g. emails from a specific period), say so — it speeds up the response.
  5. Wait up to one month. The controller must respond within 30 days. Complex requests can be extended by two further months with notice.
  6. Escalate if needed. If you get no response or an inadequate one, complain to the DPC.

What to Do If Your Rights Are Breached

If you believe a company has misused your personal data, you have several routes available.

Step 1: Contact the Organisation Directly

Most issues can be resolved by raising the matter with the company's Data Protection Officer. Keep a written record of your complaint.

Step 2: Lodge a Complaint with the DPC

If the company fails to resolve the issue, you can file a complaint with the Irish Data Protection Commission via dataprotection.ie. The DPC will investigate and can order remediation or fines.

Step 3: Seek a Judicial Remedy

Under Article 82 of GDPR, you have the right to compensation for material or non-material damage caused by a breach. You can pursue this through the Irish courts, including the Circuit Court.

GDPR Obligations for Irish Businesses

If you run a business in Ireland — even a sole trader with a website — GDPR applies to you. Key obligations include:

  • Maintaining a Record of Processing Activities (ROPA)
  • Publishing a clear, accessible privacy notice
  • Obtaining valid consent for marketing and non-essential cookies
  • Reporting personal data breaches to the DPC within 72 hours
  • Conducting Data Protection Impact Assessments (DPIAs) for high-risk processing
  • Appointing a Data Protection Officer where required
  • Ensuring international data transfers comply with EU adequacy rules or Standard Contractual Clauses

Even simple online tools can affect compliance. If you share links on behalf of customers — for example through marketing campaigns, QR codes, or social posts — choose a link management platform that respects user privacy and avoids unnecessary tracking. Privacy-conscious services like Lunyb offer URL shortening with transparent data practices, which makes GDPR documentation easier. You can read our honest review of Lunyb or compare alternatives in our 2026 buyer's guide to URL shorteners.

Cookies, Consent, and the ePrivacy Regulations

In Ireland, cookies and similar tracking technologies are governed by the ePrivacy Regulations 2011 alongside GDPR. The DPC has issued strict guidance: pre-ticked boxes, cookie walls, and implied consent are not lawful. You must be given a genuine choice to accept or reject non-essential cookies, and rejecting must be as easy as accepting.

If you visit an Irish website and see only an "Accept All" button with no equally prominent "Reject All" option, that site is likely in breach of Irish guidance, and you can report it to the DPC.

Children's Data Protection in Ireland

Ireland sets the digital age of consent at 16, one of the highest in the EU. This means online services that rely on consent (like social media platforms) generally need parental authorisation to process the data of users under 16. The DPC's "Fundamentals for a Child-Oriented Approach to Data Processing" set out 14 principles all organisations dealing with children's data must follow.

International Data Transfers After Schrems II

Two landmark cases brought by Austrian lawyer Max Schrems through the Irish courts reshaped global data protection law. The Schrems II judgment in 2020 invalidated the EU–US Privacy Shield framework, forcing organisations transferring data to the US to implement additional safeguards. The 2023 EU–US Data Privacy Framework now provides a new mechanism, but legal challenges continue. For Irish residents, this matters because most data sent to US-based services passes through this framework.

Practical Steps to Protect Your Privacy in Ireland

Beyond exercising your legal rights, you can take everyday actions to limit how much personal data you expose online.

  1. Review app permissions on your phone and revoke access to location, contacts, or microphone where unnecessary.
  2. Use encrypted messaging apps like Signal for sensitive conversations.
  3. Enable two-factor authentication on email, banking, and social accounts.
  4. Switch to a privacy-respecting browser such as Firefox or Brave, and consider encrypted DNS services like Cloudflare 1.1.1.1 or Quad9.
  5. Audit your social media settings annually and remove old accounts you no longer use.
  6. Be cautious with link tracking — choose services that don't sell click data to advertisers.
  7. Check Have I Been Pwned to see if your email has appeared in a data breach.

Frequently Asked Questions

How long does a company have to respond to a GDPR request in Ireland?

Organisations must respond to most GDPR requests within one calendar month. For complex or numerous requests, they can extend this by a further two months but must inform you of the delay and the reason within the first month.

Can I be charged for a Subject Access Request?

No — Subject Access Requests are free in almost all cases. A controller can only charge a "reasonable fee" if the request is manifestly unfounded, excessive, or if you ask for additional copies of the same information.

What is the maximum fine for GDPR breaches in Ireland?

The maximum administrative fine is €20 million or 4% of the organisation's total annual worldwide turnover, whichever is higher. The Irish DPC has issued some of the largest GDPR fines in EU history, including the €1.2 billion penalty against Meta in 2023.

Does GDPR apply to small Irish businesses and sole traders?

Yes. GDPR applies regardless of the size of the organisation. However, small businesses with fewer than 250 employees have lighter record-keeping obligations unless their processing is high-risk, regular, or involves special category data.

Can I claim compensation for distress caused by a data breach?

Yes. Under Article 82 of GDPR and Section 117 of the Data Protection Act 2018, Irish residents can claim compensation for both material damage (financial loss) and non-material damage (distress, anxiety, reputational harm) caused by a GDPR breach. Recent Circuit Court cases have confirmed that non-material damages are recoverable in Ireland.

Conclusion

GDPR gives Irish residents some of the strongest privacy protections in the world — but those rights only have power when people use them. By understanding the eight core rights, knowing how to submit a Subject Access Request, and recognising when to escalate to the Data Protection Commission, you can take meaningful control of your personal information. And as a business, building privacy into your operations from day one is no longer optional — it's a legal duty and a competitive advantage in an Ireland where data protection is taken seriously.
