GDPR in Ireland: Your Privacy Rights Explained
The General Data Protection Regulation (GDPR) gives people in Ireland some of the strongest privacy rights in the world. Since coming into force in May 2018, alongside the Irish Data Protection Act 2018, GDPR has changed how companies handle your personal information — from your name and email address to your location data, browsing history, and biometric details.
But laws only protect you if you know how to use them. This guide explains your GDPR rights in Ireland in plain English, shows you how to enforce them, and explains the role of the Data Protection Commission (DPC) — the Irish regulator that has become one of the most powerful privacy enforcers in Europe.
What Is GDPR and Why Does It Matter in Ireland?
GDPR is an EU regulation that governs how organisations collect, store, use, and share personal data about individuals in the European Economic Area. It applies directly in Ireland and is supplemented by the Data Protection Act 2018, which fills in national details such as the age of digital consent (16 in Ireland) and the powers of the DPC.
Ireland matters disproportionately in the GDPR ecosystem because most major US technology companies — Meta, Google, Apple, Microsoft, TikTok, X, and LinkedIn — have their European headquarters in Dublin. This makes the Irish DPC the lead supervisory authority for hundreds of millions of EU users, and Irish regulatory decisions ripple across the entire bloc.
Who Does GDPR Protect?
GDPR protects any identifiable living individual (a "data subject") whose personal data is processed by an organisation operating in the EU, or by an organisation outside the EU that offers goods or services to people in the EU. If you live in Ireland, GDPR protects you whether the company is in Cork, California, or Singapore.
What Counts as Personal Data?
Personal data is any information that can identify you directly or indirectly. Common examples include:
- Name, address, phone number, email
- PPS number, passport number, driving licence
- IP address, device IDs, cookies
- Location data and GPS coordinates
- Photos, voice recordings, CCTV footage
- Biometric data (fingerprints, facial recognition)
- Health, genetic, sexual orientation, religious, or political information (these are "special category" data with extra protections)
Your Eight Core GDPR Rights in Ireland
GDPR grants you eight specific rights over your personal data. Every organisation that processes your information — banks, retailers, social networks, employers, your GP — must respect them.
1. The Right to Be Informed
You have the right to know what data an organisation collects about you, why they collect it, how long they keep it, and who they share it with. This is usually delivered through a privacy notice or privacy policy at the point of collection.
2. The Right of Access (Subject Access Request)
You can ask any organisation for a copy of all personal data they hold about you. This is called a Subject Access Request (SAR). The organisation must respond within one month, and the response must be free of charge in most cases.
3. The Right to Rectification
If data held about you is inaccurate or incomplete, you can require the organisation to correct or complete it without undue delay.
4. The Right to Erasure ("Right to Be Forgotten")
You can ask an organisation to delete your personal data in certain circumstances — for example, when the data is no longer needed, when you withdraw consent, or when the data has been processed unlawfully. This right is not absolute; it can be refused where there is a legal obligation to keep the data (such as tax records or medical files).
5. The Right to Restrict Processing
You can ask an organisation to pause processing your data while a dispute is resolved — for instance, while it verifies the accuracy of data you have challenged.
6. The Right to Data Portability
You can request your personal data in a structured, commonly used, machine-readable format (such as CSV or JSON) and transfer it to another service. This is especially relevant for banking, telecoms, and social media accounts.
7. The Right to Object
You can object to processing of your data, particularly for direct marketing. If you object to marketing, the organisation must stop immediately — no exceptions.
8. Rights Related to Automated Decision-Making and Profiling
You have the right not to be subject to a decision based solely on automated processing — including profiling — that produces legal or similarly significant effects on you. Think loan denials, insurance pricing, or recruitment screening done entirely by algorithm.
Quick Reference: Your GDPR Rights at a Glance
| Right | What It Lets You Do | Response Time | Cost |
|---|---|---|---|
| Be Informed | Know what data is collected and why | At collection | Free |
| Access | Get a copy of your data | 1 month | Free |
| Rectification | Correct inaccurate data | 1 month | Free |
| Erasure | Have data deleted | 1 month | Free |
| Restrict Processing | Pause processing during disputes | 1 month | Free |
| Data Portability | Transfer data to another service | 1 month | Free |
| Object | Stop marketing or specific uses | Immediate for marketing | Free |
| Automated Decisions | Demand human review | 1 month | Free |
The Six Lawful Bases for Processing Your Data
Organisations cannot process your data simply because they want to. They must rely on one of six lawful bases set out in Article 6 of GDPR:
- Consent — you have given clear, freely given, specific, informed permission.
- Contract — processing is necessary to perform a contract with you (for example, delivering a package you ordered).
- Legal obligation — required by Irish or EU law (for instance, Revenue tax reporting).
- Vital interests — necessary to protect someone's life.
- Public task — for tasks carried out in the public interest by a public authority.
- Legitimate interests — necessary for a legitimate interest of the controller, balanced against your rights.
Knowing which basis a company relies on matters: if they rely on consent, you can withdraw it at any time. If they rely on legitimate interests, you have a strong right to object.
How to Make a Subject Access Request in Ireland
A Subject Access Request (SAR) is the most practical privacy tool available to you. Here's a step-by-step process:
- Identify the data controller. This is the organisation that decides how and why your data is processed.
- Find the right contact. Look for the Data Protection Officer (DPO) email or a privacy contact in the company's privacy notice.
- Write your request. Keep it clear: "I am exercising my right of access under Article 15 GDPR. Please provide a copy of all personal data you hold about me, along with the purposes of processing, recipients, retention periods, and the source of the data."
- Verify your identity. The organisation may ask for proof — provide what's reasonable, but you do not need to send a full copy of your passport unless strictly necessary.
- Wait up to one month. They can extend this by two further months for complex requests, but they must tell you why.
- Review the response. Check whether anything is missing or redacted. If you are unhappy, you can complain to the DPC.
The Data Protection Commission: Your Irish Regulator
The Data Protection Commission (DPC), headquartered in Dublin, is Ireland's independent authority for upholding data protection rights. It handles complaints, audits organisations, and issues fines for non-compliance.
Major DPC Enforcement Actions
The DPC has issued several record-breaking fines in recent years, including over €1.2 billion against Meta for unlawful data transfers, hundreds of millions against TikTok for children's data violations, and substantial penalties against WhatsApp, Instagram, and LinkedIn. These decisions affect users across the EU and demonstrate that GDPR has real teeth.
How to Lodge a Complaint with the DPC
If an organisation has not responded to your request, or has handled your data unlawfully, you can complain to the DPC:
- First, try to resolve the issue directly with the organisation in writing.
- If you are unsatisfied, submit a complaint via the DPC's online webform at dataprotection.ie.
- Include copies of correspondence and a clear summary of the issue.
- The DPC will assess the complaint and may mediate, investigate, or issue a binding decision.
Complaints to the DPC are free, and you do not need a solicitor to lodge one.
Cookies, Tracking, and the ePrivacy Regulations
Alongside GDPR, the Irish ePrivacy Regulations (S.I. 336 of 2011) require that websites obtain your consent before placing non-essential cookies or trackers on your device. This is why you see cookie banners on virtually every Irish website.
A compliant cookie banner must:
- Make it as easy to reject cookies as to accept them.
- Not pre-tick consent boxes.
- Explain clearly what each category of cookie does.
- Allow you to withdraw consent at any time.
If a site nags you with dark patterns or forces "Accept All" as the only easy option, that is potentially a breach you can report to the DPC.
Protecting Your Privacy in Practice
Legal rights are only half the picture. Practical steps to reduce how much personal data you expose include:
- Use a privacy-respecting browser with tracker blocking enabled by default.
- Enable encrypted DNS (DNS over HTTPS or DNS over TLS) to stop your internet provider seeing every site you visit.
- Review app permissions on iOS and Android regularly — revoke location, contacts, and microphone access from apps that don't need them.
- Use a privacy-focused link shortener when sharing URLs publicly. Many free shorteners track clickers and build profiles. Lunyb is a GDPR-friendly URL shortener that minimises tracking and respects user privacy — a good choice for Irish businesses that need to be GDPR-compliant when sharing links. You can compare options in our 2026 buyer's guide to URL shorteners or read our Rebrandly review for an alternative.
- Limit social media data sharing by reviewing privacy settings annually and deleting old accounts.
- Use unique passwords and a password manager so a single breach doesn't compromise everything.
What to Do If Your Data Is Breached
Organisations must notify the DPC of personal data breaches within 72 hours when there is a risk to your rights. If the risk is high, they must also notify you directly. If you receive a breach notification:
- Change passwords on the affected service and anywhere you reused them.
- Enable two-factor authentication.
- Watch for phishing attempts pretending to be related to the breach.
- Monitor bank statements if financial data was exposed.
- Consider freezing your credit file with the Central Credit Register if your PPS or financial identity is at risk.
Special Rules for Children's Data in Ireland
Ireland set the digital age of consent at 16. Information society services (apps, websites, social media) cannot lawfully rely on consent to process the data of a child under 16 without parental authorisation. The DPC's "Fundamentals for a Child-Oriented Approach to Data Processing" sets out 14 principles that platforms must follow, including high-privacy defaults and child-friendly transparency.
Frequently Asked Questions
Does GDPR still apply if a company is based outside the EU?
Yes. GDPR applies to any organisation that offers goods or services to people in the EU, or that monitors their behaviour, regardless of where the organisation is based. A US e-commerce site selling to Irish customers must comply.
How long does an organisation have to respond to my GDPR request?
One calendar month from receipt of the request. They can extend this by up to two further months for complex or numerous requests, but they must inform you of the extension and the reason within the first month.
Can I be charged for a Subject Access Request?
No, not in the vast majority of cases. Organisations can only charge a reasonable fee if the request is "manifestly unfounded or excessive" — for example, repeated identical requests. The default is free.
What can the DPC actually do if a company breaks GDPR?
The DPC can issue warnings, reprimands, orders to comply, temporary or permanent processing bans, and administrative fines of up to €20 million or 4% of global annual turnover, whichever is higher. It has imposed billions in fines in recent years.
Can I sue a company directly for a GDPR breach?
Yes. Under Article 82 of GDPR and Section 117 of the Data Protection Act 2018, you can bring a civil action in the Irish courts for material or non-material damage (including distress) caused by a breach. You do not have to wait for the DPC to act first.
Conclusion
GDPR gives people in Ireland a genuinely powerful set of privacy rights — but those rights only work when you exercise them. Knowing how to make a Subject Access Request, how to object to marketing, how to lodge a complaint with the DPC, and how to minimise your data footprint in the first place puts you back in control.
Combine your legal rights with practical privacy habits — encrypted DNS, privacy-respecting browsers, careful permission management, and privacy-friendly tools like Lunyb for link sharing — and you'll be far better protected than the average Irish internet user.