GDPR in Ireland: Your Privacy Rights Explained
The General Data Protection Regulation (GDPR) has been in force across the European Union since May 2018, and in Ireland it is enforced alongside the Data Protection Act 2018. Because so many of the world's largest technology companies — Meta, Google, TikTok, Microsoft, Apple — have their European headquarters in Dublin, Ireland's Data Protection Commission (DPC) has become one of the most influential privacy regulators on the planet. That means your rights as an Irish resident aren't just theoretical; they shape how billions of people's data is handled worldwide.
This guide explains exactly what GDPR privacy rights you have in Ireland, how to exercise them, what to do when a company ignores you, and how to make a formal complaint to the DPC. Whether you're worried about a data breach, want a company to delete your account, or you're a small business owner trying to stay compliant, this article walks you through it in plain English.
What Is GDPR and How Does It Apply in Ireland?
GDPR is an EU-wide regulation that governs how personal data of people in the European Economic Area is collected, stored, processed, and shared. In Ireland, GDPR is supplemented by the Data Protection Act 2018, which fills in national details such as the age of digital consent (16 in Ireland) and rules for law enforcement processing.
The regulation applies to any organisation — public or private, large or small — that processes personal data of people located in Ireland, regardless of where the organisation itself is based. A US company selling to Irish customers is just as bound by GDPR as a local Cork bakery managing its mailing list.
Key Terms You Should Know
- Personal data: Any information relating to an identified or identifiable person — name, email, IP address, location data, cookie IDs, health records, even a photograph.
- Data controller: The organisation that decides why and how your data is processed (e.g. your bank, your employer).
- Data processor: A third party acting on the controller's instructions (e.g. a cloud host or payroll provider).
- Data subject: You — the person the data is about.
- DPC: The Data Protection Commission, Ireland's independent regulator based in Dublin and Portarlington.
Your Eight Core GDPR Rights in Ireland
GDPR grants every resident of Ireland eight specific rights over their personal data. Each of these can be exercised free of charge, and companies must respond within one month (extendable by two more months for complex requests).
1. The Right to Be Informed
Before an organisation collects your data, it must tell you who they are, why they need the data, how long they'll keep it, and who they'll share it with. This is usually delivered through a privacy notice or cookie banner. If a privacy policy is missing, hidden, or impossibly vague, that alone is a GDPR breach.
2. The Right of Access (Subject Access Request)
You can ask any organisation to give you a copy of all personal data they hold about you. This is known as a Subject Access Request (SAR). They must respond within 30 days and cannot charge you unless the request is "manifestly unfounded or excessive."
3. The Right to Rectification
If a company holds inaccurate or incomplete data about you — a wrong address, a misspelled name, outdated employment info — you have the right to have it corrected without undue delay.
4. The Right to Erasure ("Right to Be Forgotten")
You can demand deletion of your personal data when it's no longer necessary, when you withdraw consent, when the data was processed unlawfully, or when you object to processing. There are exceptions — for example, tax records banks must legally retain, or journalistic content in the public interest.
5. The Right to Restrict Processing
Instead of deleting data outright, you can ask that it be "paused" — stored but not used — while a dispute or accuracy check is ongoing.
6. The Right to Data Portability
You can request your data in a structured, commonly used, machine-readable format (usually CSV or JSON) and have it transferred to another provider. This applies to data you provided yourself, processed by consent or contract.
7. The Right to Object
You can object to processing based on legitimate interests or public task, and you have an absolute right to object to direct marketing. Once you object to marketing, the company must stop immediately — no ifs, no buts.
8. Rights Around Automated Decision-Making
If a decision that significantly affects you (loan approvals, insurance pricing, job screening) is made purely by an algorithm, you have the right to human review, to express your point of view, and to contest the outcome.
Quick Reference: Response Times and Costs
| Right | Deadline | Cost to You | Common Exceptions |
|---|---|---|---|
| Access (SAR) | 1 month | Free | Third-party data, legal privilege |
| Rectification | 1 month | Free | None significant |
| Erasure | 1 month | Free | Legal retention, freedom of expression |
| Portability | 1 month | Free | Only data you provided |
| Object (marketing) | Immediate | Free | None |
| Restrict processing | 1 month | Free | Legal claims |
How to Make a Subject Access Request in Ireland
A Subject Access Request is the single most powerful tool GDPR gives you. Here is exactly how to make one that gets results.
- Find the right contact. Look for a "Data Protection Officer" or "Privacy" email in the company's privacy policy. If there isn't one, use their general support address.
- Write a clear request. State your name, that you are making a Subject Access Request under Article 15 GDPR, and specify the data you want (or ask for everything).
- Verify your identity. Be prepared to provide proof — usually the email address linked to your account or, for offline businesses, a copy of ID.
- Keep records. Save the email, note the date, and set a calendar reminder for 30 days later.
- Follow up. If you hear nothing after a month, send a reminder referencing your original request.
- Escalate if ignored. If the response is inadequate or absent, complain to the DPC (see below).
Sample SAR Template
Dear [Company],
Under Article 15 of the General Data Protection Regulation, I am requesting a copy of all personal data you hold about me, including but not limited to: account information, communications, transaction history, location data, cookie identifiers, and any profiling or automated decisions made about me.
My account is registered under [email/username]. Please respond within one month.
Kind regards, [Your name]
The Data Protection Commission (DPC): Ireland's Watchdog
The DPC is Ireland's independent authority responsible for enforcing GDPR. Because so many multinationals are headquartered in Dublin, the DPC acts as "lead supervisory authority" for cross-border cases across the entire EU — a role that has resulted in some of the largest fines in GDPR history, including €1.2 billion against Meta in 2023 for illegal data transfers to the United States.
What the DPC Can Do
- Investigate complaints from individuals
- Conduct audits of organisations
- Issue reprimands, warnings, and corrective orders
- Impose administrative fines up to €20 million or 4% of global annual turnover, whichever is higher
- Order data processing to stop
How to File a Complaint with the DPC
- Try to resolve the issue with the organisation first — the DPC expects this.
- Gather evidence: emails, screenshots, dates, copies of the privacy notice.
- Complete the DPC's online complaint form at dataprotection.ie, or write to their office in Portarlington, Co. Laois.
- Provide a clear timeline and describe which right you believe has been breached.
- Wait for acknowledgement (usually within 2 weeks) and cooperate with any follow-up questions.
Filing a complaint is completely free, and you do not need a solicitor.
Data Breaches: What to Expect
If an organisation suffers a personal data breach that is likely to result in a risk to your rights and freedoms, they must notify the DPC within 72 hours. If the risk is high, they must also notify you directly without undue delay.
A proper breach notification should tell you: what happened, what data was involved, what the likely consequences are, and what steps you can take to protect yourself (such as changing passwords or watching for phishing). If you receive such a notice, act on it quickly — change credentials, enable two-factor authentication, and be extra cautious of suspicious emails referencing the breach.
Practical Steps to Protect Your Privacy in Ireland
GDPR gives you strong legal rights, but proactive habits keep your data safer in the first place. Here are practical measures every Irish resident can adopt today.
Minimise What You Share
Every field you fill in on a form is a future data-breach risk. Give only what's strictly necessary. If a newsletter signup asks for your date of birth, ask yourself why — and often, leave it blank.
Use Privacy-Respecting Tools
Switch to browsers that block third-party trackers by default (Firefox, Brave, Safari), search engines that don't profile you, and encrypted DNS providers such as Cloudflare 1.1.1.1 or NextDNS. For link sharing, prefer services that don't build advertising profiles from your click data — Lunyb, for instance, is a URL shortener designed with privacy in mind and doesn't monetise your visitor data. If you're comparing options, our 2026 URL shortener buyer's guide ranks providers partly on their GDPR posture.
Manage Cookie Consent Carefully
Under Irish ePrivacy rules and GDPR, cookie banners must offer a genuine "Reject All" option that is as easy to click as "Accept All." If a site buries the reject option or pre-ticks consent boxes, that's a breach — you can and should refuse.
Regularly Audit Your Digital Footprint
- Every 6 months, list the online services you no longer use and request account deletion.
- Use haveibeenpwned.com to check whether your email has appeared in known breaches.
- Review app permissions on your phone — revoke location, microphone, and contacts access where not essential.
GDPR for Small Businesses and Sole Traders in Ireland
If you run a business in Ireland — even a one-person consultancy — you are almost certainly a data controller. The good news is GDPR compliance is scaled to risk, so a small mailing list doesn't need the same infrastructure as a bank.
Minimum Compliance Checklist
- Publish a plain-language privacy notice on your website.
- Keep a record of processing activities (a simple spreadsheet works for small operators).
- Only collect data you genuinely need and delete it when the purpose is fulfilled.
- Secure data with strong passwords, encryption, and access controls.
- Have a plan for handling SARs and breaches — even a one-page procedure counts.
- Get valid consent for marketing emails (opt-in, not pre-ticked).
- Sign data processing agreements with any vendors handling data on your behalf.
Frequently Asked Questions
Do I need a solicitor to enforce my GDPR rights in Ireland?
No. You can exercise all of your rights directly with the organisation and, if the issue remains unresolved, complain to the DPC free of charge. Legal representation is usually only needed if you decide to pursue compensation in the Circuit Court under Section 117 of the Data Protection Act 2018.
How long does a DPC complaint take to resolve?
Simple domestic complaints are often handled within a few months. Cross-border cases involving large multinationals can take one to three years, or longer, because they require coordination with other EU regulators through the European Data Protection Board's cooperation mechanism.
Can I claim compensation if my data is misused?
Yes. Under GDPR Article 82 and Section 117 of Ireland's Data Protection Act 2018, you can claim material damages (financial loss) and non-material damages (distress, anxiety) in the Irish courts. Recent Irish case law has confirmed that even relatively modest distress can attract compensation, though amounts are typically in the hundreds to low thousands of euros.
Does GDPR apply to my employer?
Absolutely. Employers are data controllers for their staff and must comply with GDPR just like any other organisation. You can make a Subject Access Request for your HR file, payroll data, monitoring records, and internal emails about you. Note that some information — such as references given in confidence or third-party personal data — may be redacted.
What's the difference between GDPR and the Irish Data Protection Act 2018?
GDPR is the EU-wide regulation that applies directly in every member state. The Data Protection Act 2018 is Ireland's national law that supplements GDPR, setting out the DPC's powers, transposing the Law Enforcement Directive, and specifying certain national choices such as the digital age of consent (16 in Ireland, compared to 13 in some other EU states).
Final Thoughts
GDPR has fundamentally shifted the balance of power between individuals and organisations that collect data. In Ireland, thanks to the DPC's outsized role, the effects of your privacy rights ripple far beyond the country's borders. But those rights are only as strong as your willingness to exercise them — sending a Subject Access Request, refusing tracking cookies, or filing a complaint when a company crosses the line.
Take fifteen minutes this week to audit one online service you use. Request your data, delete what you don't need, and tighten up permissions. Small steps, taken consistently, are what turn GDPR from theory into real protection.