GDPR in Ireland: Your Privacy Rights Explained (2026 Guide)

Lunyb Security Team

The General Data Protection Regulation (GDPR) gives people in Ireland some of the strongest privacy rights in the world. Whether you're browsing online, signing up for a service, or receiving marketing emails, Irish and EU law grants you clear legal control over how organisations handle your personal data. This guide explains those rights in plain English, shows you how to enforce them through Ireland's Data Protection Commission (DPC), and offers practical steps to protect yourself day to day.

What Is GDPR and How Does It Apply in Ireland?

The GDPR is an EU-wide regulation that took effect on 25 May 2018. It sets rules for how organisations collect, store, use, and share personal data belonging to people in the EU. In Ireland, GDPR is enforced through the Data Protection Act 2018 and overseen by the Data Protection Commission (DPC), based in Dublin.

Because many of the world's largest tech companies — including Meta, Google, TikTok, Apple, and Microsoft — have their European headquarters in Ireland, the Irish DPC acts as the lead supervisory authority for a huge share of cross-border data protection cases across the EU. That gives GDPR in Ireland unusual global significance.

Who Does GDPR Protect?

GDPR protects any "natural person" (an individual, not a company) whose personal data is processed in the EU. If you live in Ireland, work here, or even just visit an Irish website that collects your data, your rights apply. It doesn't matter whether the organisation processing your data is based in Dublin, Delaware, or Dubai — if they target EU users, they must comply.

What Counts as Personal Data?

Personal data is any information that can identify a living person, directly or indirectly. Examples include:

  • Name, address, phone number, email
  • PPS number and passport details
  • IP address, cookie IDs, device identifiers
  • Location data and browsing history
  • Photos, videos, and voice recordings
  • Health, financial, and employment records
  • Biometric data such as fingerprints or facial scans

Some categories — health data, racial or ethnic origin, religious beliefs, sexual orientation, political opinions, and trade union membership — are considered "special category data" and receive extra legal protection.

Your Eight Core GDPR Rights in Ireland

GDPR grants every individual in Ireland eight fundamental data protection rights. These are the legal tools you can use to control your personal information.

1. The Right to Be Informed

Organisations must tell you clearly what data they collect, why, how long they'll keep it, and who they share it with. This is usually done through a privacy notice or policy. If the notice is missing, hidden, or written in impenetrable legalese, that itself may be a breach.

2. The Right of Access

You can ask any organisation for a copy of the personal data they hold about you. This is called a Subject Access Request (SAR). They must respond within one month and, in most cases, provide the data free of charge.

3. The Right to Rectification

If personal data about you is inaccurate or incomplete, you can require it to be corrected without undue delay.

4. The Right to Erasure ("Right to Be Forgotten")

You can ask an organisation to delete your data when it's no longer needed, when you withdraw consent, or when it was processed unlawfully. This right is not absolute — for example, banks and public bodies may need to retain records for legal reasons.

5. The Right to Restrict Processing

You can require an organisation to pause processing your data while a dispute is resolved — for example, while they check whether the data is accurate.

6. The Right to Data Portability

You can request your data in a structured, commonly used, machine-readable format and transfer it to another service. This is especially useful when switching banks, social networks, or streaming providers.

7. The Right to Object

You can object to processing based on "legitimate interests" or for direct marketing. Where marketing is concerned, the objection is absolute — the organisation must stop immediately.

8. Rights Related to Automated Decision-Making and Profiling

You have the right not to be subject to decisions based solely on automated processing — including AI and algorithmic profiling — where those decisions produce legal or similarly significant effects on you, such as loan refusals or job filtering.

Lawful Bases: How Organisations Must Justify Using Your Data

Under GDPR, an organisation cannot process your personal data unless it has a valid lawful basis. There are six, and every processing activity must map to at least one.

Lawful Basis | When It Applies | Example in Ireland
Consent | You freely agree after being informed | Signing up for a marketing newsletter
Contract | Needed to fulfil a contract with you | Delivering an order from an Irish online shop
Legal obligation | Required by Irish or EU law | Revenue collecting PAYE tax data
Vital interests | Protecting someone's life | Sharing medical info in an emergency
Public task | Carrying out official functions | An Garda Síochána investigating a crime
Legitimate interests | Business need balanced against your rights | Fraud prevention by a bank

Consent, when relied upon, must be freely given, specific, informed, and unambiguous. Pre-ticked boxes, buried checkboxes, or "cookie walls" that force you to accept tracking to access a site are not valid consent under Irish law.

How to Exercise Your GDPR Rights: A Step-by-Step Guide

Enforcing your rights is easier than most people think. Here's the standard process for making a request in Ireland.

  1. Identify the data controller. Find the organisation responsible for your data — check their privacy policy or website footer for a Data Protection Officer (DPO) contact.
  2. Put your request in writing. Email is fine. State clearly which right you're exercising (e.g. "This is a Subject Access Request under Article 15 GDPR").
  3. Provide identity verification. The organisation may ask for reasonable proof it's really you, to prevent fraud.
  4. Wait up to one month. They must respond within 30 days, though they can extend by two further months for complex requests (and must tell you why).
  5. Escalate if unhappy. If they refuse, ignore you, or respond inadequately, you can complain to the Data Protection Commission.

Sample Subject Access Request (SAR) Template

"Dear [Company DPO], Under Article 15 of the GDPR, I request a copy of all personal data you hold about me, along with information on the purposes of processing, categories of data, recipients, retention periods, and the source of the data if not collected from me. My details are [name, email, account number]. Please respond within one month. Kind regards, [Your Name]."

The Data Protection Commission (DPC): Ireland's Regulator

The DPC is the independent authority responsible for upholding data protection rights in Ireland. It investigates complaints, issues guidance, imposes fines, and represents Ireland in the European Data Protection Board.

How to Make a Complaint to the DPC

If an organisation has ignored your request or mishandled your data, you can complain to the DPC free of charge:

  1. Try to resolve the issue directly with the organisation first (the DPC generally expects this).
  2. Gather your evidence — emails, screenshots, dates.
  3. Submit a complaint via the DPC website (dataprotection.ie), by post to 21 Fitzwilliam Square South, Dublin 2, or by email.
  4. The DPC will assess, potentially investigate, and may attempt amicable resolution or launch a formal inquiry.

Fines and Enforcement

GDPR fines can reach €20 million or 4% of global annual turnover — whichever is higher. The Irish DPC has issued some of the largest fines in EU history, including €1.2 billion against Meta in 2023 for unlawful data transfers to the United States, and hundreds of millions against TikTok and WhatsApp. This makes Ireland one of the most consequential GDPR jurisdictions globally.

GDPR and Everyday Online Life in Ireland

GDPR isn't just a courtroom concept — it shapes almost every website, app, and service you use in Ireland.

Cookies and Website Tracking

Under the ePrivacy Regulations (SI 336/2011) and GDPR, Irish websites must obtain your consent before setting non-essential cookies. That means the banner should offer a clear "Reject All" option as easily as "Accept All". Dark patterns that nudge you toward acceptance are unlawful, and the DPC has actively pursued offenders.

Marketing Emails and Texts

Businesses can generally only send marketing to you if you've opted in, or if you're an existing customer for similar products. Every marketing message must include an easy unsubscribe option. If you've unsubscribed and it keeps coming, that's a clear breach.

Data Breaches

If an organisation suffers a personal data breach that's likely to result in a risk to your rights, they must notify the DPC within 72 hours. If the risk is high, they must also tell you directly — clearly and promptly, not buried in a footer notice weeks later.

Protecting Your Privacy in Practice

GDPR gives you legal rights, but you also have practical control over how much data you hand over in the first place. A few habits go a long way.

  • Use privacy-respecting browsers and search engines. Firefox, Brave, and DuckDuckGo minimise tracking by default.
  • Enable encrypted DNS (DoH/DoT). This prevents your internet provider and third parties on the network from easily logging every domain you visit.
  • Audit app permissions. On iOS and Android, revoke location, microphone, and contacts access from apps that don't genuinely need it.
  • Use strong, unique passwords with a manager. Bitwarden, 1Password, and Proton Pass are solid options.
  • Enable two-factor authentication on email, banking, Revenue, and social accounts.
  • Be cautious with link shorteners. Choose services that don't sell your click data or track users invasively. A privacy-focused shortener like Lunyb keeps analytics minimal and doesn't monetise your audience's behaviour — useful for both personal and business links. For a broader comparison, see our 2026 buyer's guide to URL shorteners.
  • Read privacy policies selectively. Focus on data sharing, retention, and international transfers — that's where the meaningful clauses live.

Special Situations: Employees, Children, and Public Bodies

Employees in Ireland

Your employer is a data controller and must handle HR data lawfully. Workplace monitoring — email checks, CCTV, GPS tracking of vehicles — must be proportionate, transparent, and documented in a policy you've been informed about.

Children's Data

Under Irish law, the "digital age of consent" is 16. Below that, providers of online services must obtain parental consent for data processing. The DPC's Fundamentals for a Child-Oriented Approach to Data Processing sets strict standards for platforms used by minors.

Public Bodies

Government departments, the HSE, local councils, and An Garda Síochána are all bound by GDPR, though some processing (e.g. criminal investigations) falls under the parallel Law Enforcement Directive framework. You have the same rights against public bodies — including free Subject Access Requests.

What's Changing: GDPR in 2026 and Beyond

GDPR itself is stable, but the wider EU digital rulebook is expanding fast. Key developments Irish residents should watch:

  • The EU AI Act introduces new transparency and risk rules for artificial intelligence, layering on top of GDPR profiling protections.
  • The Digital Services Act (DSA) gives users more control over algorithmic feeds and targeted advertising on large platforms.
  • The Data Act gives users new rights over data generated by connected devices, from smart meters to cars.
  • Ongoing reform of the DPC — the Commission has been restructured with additional Commissioners to speed up big-tech investigations.

Frequently Asked Questions

Is a Subject Access Request really free in Ireland?

Yes. Under GDPR, organisations must provide a copy of your personal data free of charge. They can only charge a "reasonable fee" if a request is manifestly unfounded, excessive, or repetitive — and they'd have to justify that decision if challenged.

How long do I have to wait for a response?

One month from the date the organisation receives your request. For complex or multiple requests, they can extend by a further two months, but must inform you of the extension and the reason within the first month.

Can I sue a company directly for a GDPR breach, or must I go through the DPC?

Both are available. You can complain to the DPC, and separately (or together) bring a civil action in the Irish courts for compensation for material or non-material damage — including distress — caused by a breach. Many people start with the DPC because it's free.

Does GDPR apply to companies outside the EU that I use?

Yes, if they offer goods or services to people in the EU, or monitor their behaviour. That's why US companies from Meta to Netflix comply with GDPR for Irish users. Enforcement against non-EU firms without an EU presence can be slower in practice, but the rights still apply.

What should I do if a data breach exposes my information?

First, secure your accounts: change passwords, enable two-factor authentication, and monitor your bank statements. If financial data was leaked, alert your bank. If you were not notified but should have been, or the organisation's response was poor, file a complaint with the DPC. You may also be entitled to compensation.

Final Thoughts

GDPR gives people in Ireland genuine, enforceable control over their personal data — but rights only matter if you use them. Send that Subject Access Request. Reject non-essential cookies. Object to marketing you never signed up for. Escalate to the DPC when organisations don't listen. Combined with sensible everyday privacy habits — encrypted DNS, privacy-first tools, minimal permissions — GDPR turns Ireland into one of the safest places in the world to live a digital life. Take advantage of it.
