GDPR in Ireland: Your Privacy Rights Explained
The General Data Protection Regulation (GDPR) is the cornerstone of privacy law across the European Union, and in Ireland it carries particular weight. With Dublin hosting the European headquarters of Google, Meta, TikTok, Apple, LinkedIn, and many other global technology companies, the Irish Data Protection Commission (DPC) acts as the lead supervisory authority for hundreds of millions of users worldwide. For Irish residents, this means GDPR isn't just an abstract regulation — it's a powerful set of enforceable rights you can use every single day.
This guide explains exactly what GDPR means for people living in Ireland, the specific rights you hold, how to exercise them, and what to do when an organisation gets it wrong.
What Is GDPR and How Does It Apply in Ireland?
GDPR is an EU-wide regulation that came into force on 25 May 2018, governing how organisations collect, store, process, and share personal data. In Ireland, it is supplemented by the Data Protection Act 2018, which gives effect to the regulation under Irish law and establishes the Data Protection Commission as the national supervisory authority.
GDPR applies to any organisation — whether based in Ireland, elsewhere in the EU, or outside the EU — that processes the personal data of people in Ireland. This includes:
- Irish businesses of every size, from sole traders to multinationals
- Government departments and public bodies (HSE, Revenue, local councils)
- Schools, universities, and healthcare providers
- Charities, sports clubs, and community organisations
- Foreign websites and apps that target Irish users
"Personal data" is interpreted broadly: it covers anything that can identify a living person, including your name, PPS number, email address, IP address, location data, photographs, medical history, and even online identifiers like cookies.
The Eight Core Privacy Rights You Have Under GDPR
GDPR gives every person in Ireland eight specific, legally enforceable rights. Understanding them is the first step to taking control of your personal information.
1. The Right to Be Informed
Organisations must tell you, in clear and plain language, what data they collect about you, why they collect it, how long they keep it, and who they share it with. This is typically delivered through a privacy notice on a website or app.
2. The Right of Access
You can ask any organisation for a copy of the personal data they hold about you. This is called a Subject Access Request (SAR). The organisation must respond within one month, free of charge in most cases.
3. The Right to Rectification
If data held about you is inaccurate or incomplete, you can require the organisation to correct it without undue delay.
4. The Right to Erasure ("Right to Be Forgotten")
You can ask an organisation to delete your personal data when it is no longer necessary, when you withdraw consent, or when it has been processed unlawfully. There are exceptions — for example, where the data is needed to comply with a legal obligation or for the establishment of legal claims.
5. The Right to Restrict Processing
You can ask an organisation to pause processing your data while a dispute is resolved, for example if you contest the accuracy of the information.
6. The Right to Data Portability
You can request your data in a structured, commonly used, machine-readable format, and have it transferred to another service provider. This applies particularly to data you have provided to services like social networks, streaming platforms, or banks.
7. The Right to Object
You can object to processing based on legitimate interests, direct marketing, or research purposes. For direct marketing, the objection is absolute — the organisation must stop immediately.
8. Rights Related to Automated Decision-Making
You have the right not to be subject to decisions made solely by automated processing — including profiling — that produce legal or similarly significant effects on you, such as automated loan denials or insurance pricing.
The Role of the Irish Data Protection Commission (DPC)
The Data Protection Commission, headquartered in Dublin with offices in Portarlington, is Ireland's independent regulator for data protection. Its remit is unusually significant because, under the GDPR "one-stop-shop" mechanism, the DPC supervises any company whose main EU establishment is in Ireland.
The DPC's powers include:
- Investigating complaints from individuals
- Conducting audits and inquiries
- Issuing reprimands, warnings, and corrective orders
- Imposing administrative fines of up to €20 million or 4% of global annual turnover, whichever is higher
- Banning data transfers outside the EU
Recent enforcement has been substantial. The DPC has issued multi-hundred-million-euro fines against Meta, TikTok, and others, demonstrating that GDPR enforcement in Ireland has real teeth.
How to Exercise Your GDPR Rights: A Step-by-Step Process
Putting your rights into practice is more straightforward than many people expect. Here is the standard process:
- Identify the data controller. This is the organisation that decides how and why your data is processed. Check their privacy notice for contact details and the Data Protection Officer (DPO).
- Submit a written request. Email is fine. State clearly which right you are exercising (e.g., "I am making a Subject Access Request under Article 15 GDPR"). Include enough information to identify yourself.
- Wait up to one month. The organisation must respond within 30 days. They can extend this by two further months for complex requests, but must tell you why.
- Review the response. Check that the data provided is complete and accurate.
- Escalate if necessary. If you are unhappy with the response — or get no response — you can lodge a complaint with the DPC at dataprotection.ie.
GDPR vs. Pre-2018 Irish Data Protection Law: What Changed
The shift from the old Data Protection Acts 1988 and 2003 to GDPR significantly strengthened individual rights. The table below summarises the key differences.
| Aspect | Pre-GDPR (1988/2003 Acts) | GDPR + Data Protection Act 2018 |
|---|---|---|
| Maximum fines | €100,000 | €20 million or 4% of global turnover |
| Consent standard | Implied or opt-out acceptable | Explicit, freely given, specific opt-in |
| Breach notification | Not mandatory | Mandatory within 72 hours |
| Right to portability | Did not exist | Established as a core right |
| SAR response time | 40 days, fee permitted | 30 days, free in most cases |
| Territorial scope | Limited to Irish-established entities | Applies to anyone targeting Irish residents |
| Data Protection Officer | Not required | Mandatory for many organisations |
Special Categories of Data: Extra Protection
GDPR identifies certain categories of personal data as especially sensitive, requiring stronger justification to process. These "special category" data include:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic and biometric data
- Health data
- Sex life or sexual orientation
In Ireland, these categories are particularly relevant in healthcare (HSE records), employment, and education contexts. Processing requires either your explicit consent or one of a narrow set of legal grounds, such as employment law obligations or public health.
Children's Privacy Rights in Ireland
Ireland has set the "digital age of consent" at 16 years old under the Data Protection Act 2018 — one of the higher thresholds in the EU. This means online services offered directly to children must obtain parental consent for under-16s before processing their data on the basis of consent.
The DPC also published the "Fundamentals for a Child-Oriented Approach to Data Processing," a set of 14 principles that organisations dealing with children's data must follow. This affects schools, social media platforms, gaming companies, and edtech providers operating in Ireland.
Practical Steps to Protect Your Privacy Online in Ireland
While GDPR gives you strong legal protections, day-to-day privacy hygiene still matters. Here are practical measures every Irish internet user should consider:
- Read privacy notices before signing up. Yes, they're long — but skim for what data is collected and who it's shared with.
- Use strong, unique passwords stored in a reputable password manager.
- Enable two-factor authentication on email, banking, and social accounts.
- Review app permissions on your phone monthly, revoking anything unnecessary.
- Use privacy-focused browsers like Firefox or Brave with tracker blocking enabled.
- Consider encrypted DNS (such as DNS-over-HTTPS) to prevent your internet provider from logging every site you visit.
- Be careful what you click and share. When sharing links, use a privacy-respecting URL shortener like Lunyb that doesn't aggressively profile users or sell click data to advertisers. You can read more in our honest Lunyb review or our 2026 buyer's guide to URL shorteners.
- Exercise your rights regularly. Send a Subject Access Request to a service you use heavily — you may be surprised what they hold.
Common GDPR Misconceptions in Ireland
"GDPR Means Companies Can't Contact Me at All"
False. GDPR regulates how organisations use your data, not whether they can use it. With a valid legal basis — such as a contract you've entered into — businesses can absolutely continue to communicate with you.
"Cookie Banners Mean a Site Is GDPR-Compliant"
Not necessarily. Many cookie banners in Ireland still fall short of GDPR and ePrivacy requirements. A compliant banner must allow you to reject non-essential cookies as easily as you can accept them.
"I Can Demand Complete Erasure of My Data Any Time"
Not always. The right to erasure has exceptions — for instance, your bank cannot delete records they're legally required to keep for anti-money-laundering purposes.
"Only Big Tech Companies Have to Comply"
Wrong. A local GAA club holding member contact details must comply just as Meta must. The principles apply universally; only some specific obligations (like appointing a DPO) depend on scale.
What to Do If Your Data Is Breached
If an organisation suffers a data breach involving your information, they generally must notify the DPC within 72 hours and, where the risk to you is high, notify you directly without undue delay. If you learn of a breach affecting you, take these steps:
- Change passwords for the affected service and any other account using the same password.
- Enable two-factor authentication wherever possible.
- Monitor bank and credit card statements for suspicious activity.
- Be alert to phishing emails that reference the breach.
- Consider a credit check through the Central Credit Register if financial data was exposed.
- Lodge a complaint with the DPC if you believe the organisation handled the breach poorly.
Frequently Asked Questions
How do I make a complaint to the Irish Data Protection Commission?
Visit dataprotection.ie and use the online complaint form. You'll need to describe the issue, identify the organisation involved, and provide evidence you've already tried to resolve it with them directly. The DPC will assess your complaint and may open an investigation. There is no fee.
Can my employer monitor my emails and internet use under GDPR?
Employers in Ireland can monitor employee communications, but only with clear justification, a documented policy, proportionality, and transparency. Covert monitoring is generally unlawful except in very limited circumstances such as suspected serious wrongdoing. Employees must be told in advance what monitoring takes place and why.
How long does an organisation have to respond to my Subject Access Request?
One calendar month from receipt of the request. They can extend this by up to two further months for complex or numerous requests, but must inform you of the extension and the reasons within the first month.
Does GDPR still apply after Brexit when I deal with UK companies?
Yes. If you are in Ireland, your GDPR rights travel with you. UK companies offering goods or services to Irish residents must comply with EU GDPR. The UK also has its own near-identical "UK GDPR," and adequacy decisions currently allow data to flow between Ireland and the UK without extra safeguards.
What's the difference between a data controller and a data processor?
A controller decides why and how your data is processed (e.g., your bank). A processor handles data on the controller's behalf (e.g., a cloud hosting provider used by your bank). You can exercise your rights against the controller, who is ultimately responsible.
Can I be charged for making a GDPR request?
In almost all cases, no. Organisations can only charge a "reasonable fee" or refuse requests that are manifestly unfounded or excessive — for example, repeated identical requests. They must justify any charge or refusal.
Final Thoughts
GDPR has fundamentally rebalanced the relationship between individuals and the organisations that hold their data. In Ireland, with the DPC playing a leading role in European enforcement, residents enjoy some of the most actively defended privacy rights in the world. But rights only matter if you use them. Take ten minutes this week to send a Subject Access Request to a service you've used for years — it's the most concrete way to see GDPR working for you.
And as you go about your online life, remember that the small choices — which browser you use, which apps you install, which links you click — all add up to your overall privacy footprint. Pick services that respect your data by design, not just by legal compliance.