GDPR in Ireland: Your Privacy Rights Explained

Lunyb Security Team

The General Data Protection Regulation (GDPR) has been in force across the European Union since May 2018, and in Ireland it is enforced alongside the Data Protection Act 2018. Because so many of the world's largest technology companies — Meta, Google, TikTok, Microsoft, Apple — have their European headquarters in Dublin, Ireland's Data Protection Commission (DPC) has become one of the most influential privacy regulators on the planet. That means your rights as an Irish resident aren't just theoretical; they shape how billions of people's data is handled worldwide.

This guide explains exactly what GDPR privacy rights you have in Ireland, how to exercise them, what to do when a company ignores you, and how to make a formal complaint to the DPC. Whether you're worried about a data breach, want a company to delete your account, or you're a small business owner trying to stay compliant, this article walks you through it in plain English.

What Is GDPR and How Does It Apply in Ireland?

GDPR is an EU-wide regulation that governs how personal data of people in the European Economic Area is collected, stored, processed, and shared. In Ireland, GDPR is supplemented by the Data Protection Act 2018, which fills in national details such as the age of digital consent (16 in Ireland) and rules for law enforcement processing.

The regulation applies to any organisation — public or private, large or small — that processes personal data of people located in Ireland, regardless of where the organisation itself is based. A US company selling to Irish customers is just as bound by GDPR as a local Cork bakery managing its mailing list.

Key Terms You Should Know

  • Personal data: Any information relating to an identified or identifiable person — name, email, IP address, location data, cookie IDs, health records, even a photograph.
  • Data controller: The organisation that decides why and how your data is processed (e.g. your bank, your employer).
  • Data processor: A third party acting on the controller's instructions (e.g. a cloud host or payroll provider).
  • Data subject: You — the person the data is about.
  • DPC: The Data Protection Commission, Ireland's independent regulator based in Dublin and Portarlington.

Your Eight Core GDPR Rights in Ireland

GDPR grants every resident of Ireland eight specific rights over their personal data. Each of these can be exercised free of charge, and companies must respond within one month (extendable by two more months for complex requests).

1. The Right to Be Informed

Before an organisation collects your data, it must tell you who they are, why they need the data, how long they'll keep it, and who they'll share it with. This is usually delivered through a privacy notice or cookie banner. If a privacy policy is missing, hidden, or impossibly vague, that alone is a GDPR breach.

2. The Right of Access (Subject Access Request)

You can ask any organisation to give you a copy of all personal data they hold about you. This is known as a Subject Access Request (SAR). They must respond within 30 days and cannot charge you unless the request is "manifestly unfounded or excessive."

3. The Right to Rectification

If a company holds inaccurate or incomplete data about you — a wrong address, a misspelled name, outdated employment info — you have the right to have it corrected without undue delay.

4. The Right to Erasure ("Right to Be Forgotten")

You can demand deletion of your personal data when it's no longer necessary, when you withdraw consent, when the data was processed unlawfully, or when you object to processing. There are exceptions — for example, tax records banks must legally retain, or journalistic content in the public interest.

5. The Right to Restrict Processing

Instead of deleting data outright, you can ask that it be "paused" — stored but not used — while a dispute or accuracy check is ongoing.

6. The Right to Data Portability

You can request your data in a structured, commonly used, machine-readable format (usually CSV or JSON) and have it transferred to another provider. This applies to data you provided yourself, processed by consent or contract.

7. The Right to Object

You can object to processing based on legitimate interests or public task, and you have an absolute right to object to direct marketing. Once you object to marketing, the company must stop immediately — no ifs, no buts.

8. Rights Around Automated Decision-Making

If a decision that significantly affects you (loan approvals, insurance pricing, job screening) is made purely by an algorithm, you have the right to human review, to express your point of view, and to contest the outcome.

Quick Reference: Response Times and Costs

| Right | Deadline | Cost to You | Common Exceptions |
|---|---|---|---|
| Access (SAR) | 1 month | Free | Third-party data, legal privilege |
| Rectification | 1 month | Free | None significant |
| Erasure | 1 month | Free | Legal retention, freedom of expression |
| Portability | 1 month | Free | Only data you provided |
| Object (marketing) | Immediate | Free | None |
| Restrict processing | 1 month | Free | Legal claims |

How to Make a Subject Access Request in Ireland

A Subject Access Request is the single most powerful tool GDPR gives you. Here is exactly how to make one that gets results.

  1. Find the right contact. Look for a "Data Protection Officer" or "Privacy" email in the company's privacy policy. If there isn't one, use their general support address.
  2. Write a clear request. State your name, that you are making a Subject Access Request under Article 15 GDPR, and specify the data you want (or ask for everything).
  3. Verify your identity. Be prepared to provide proof — usually the email address linked to your account or, for offline businesses, a copy of ID.
  4. Keep records. Save the email, note the date, and set a calendar reminder for 30 days later.
  5. Follow up. If you hear nothing after a month, send a reminder referencing your original request.
  6. Escalate if ignored. If the response is inadequate or absent, complain to the DPC (see below).

Sample SAR Template

Dear [Company],

Under Article 15 of the General Data Protection Regulation, I am requesting a copy of all personal data you hold about me, including but not limited to: account information, communications, transaction history, location data, cookie identifiers, and any profiling or automated decisions made about me.

My account is registered under [email/username]. Please respond within one month.

Kind regards, [Your name]

The Data Protection Commission (DPC): Ireland's Watchdog

The DPC is Ireland's independent authority responsible for enforcing GDPR. Because so many multinationals are headquartered in Dublin, the DPC acts as "lead supervisory authority" for cross-border cases across the entire EU — a role that has resulted in some of the largest fines in GDPR history, including €1.2 billion against Meta in 2023 for illegal data transfers to the United States.

What the DPC Can Do

  • Investigate complaints from individuals
  • Conduct audits of organisations
  • Issue reprimands, warnings, and corrective orders
  • Impose administrative fines up to €20 million or 4% of global annual turnover, whichever is higher
  • Order data processing to stop

How to File a Complaint with the DPC

  1. Try to resolve the issue with the organisation first — the DPC expects this.
  2. Gather evidence: emails, screenshots, dates, copies of the privacy notice.
  3. Complete the DPC's online complaint form at dataprotection.ie, or write to their office in Portarlington, Co. Laois.
  4. Provide a clear timeline and describe which right you believe has been breached.
  5. Wait for acknowledgement (usually within 2 weeks) and cooperate with any follow-up questions.

Filing a complaint is completely free, and you do not need a solicitor.

Data Breaches: What to Expect

If an organisation suffers a personal data breach that is likely to result in a risk to your rights and freedoms, they must notify the DPC within 72 hours. If the risk is high, they must also notify you directly without undue delay.

A proper breach notification should tell you: what happened, what data was involved, what the likely consequences are, and what steps you can take to protect yourself (such as changing passwords or watching for phishing). If you receive such a notice, act on it quickly — change credentials, enable two-factor authentication, and be extra cautious of suspicious emails referencing the breach.

Practical Steps to Protect Your Privacy in Ireland

GDPR gives you strong legal rights, but proactive habits keep your data safer in the first place. Here are practical measures every Irish resident can adopt today.

Minimise What You Share

Every field you fill in on a form is a future data-breach risk. Give only what's strictly necessary. If a newsletter signup asks for your date of birth, ask yourself why — and often, leave it blank.

Use Privacy-Respecting Tools

Switch to browsers that block third-party trackers by default (Firefox, Brave, Safari), search engines that don't profile you, and encrypted DNS providers such as Cloudflare 1.1.1.1 or NextDNS. For link sharing, prefer services that don't build advertising profiles from your click data — Lunyb, for instance, is a URL shortener designed with privacy in mind and doesn't monetise your visitor data. If you're comparing options, our 2026 URL shortener buyer's guide ranks providers partly on their GDPR posture.

Manage Cookie Consent Carefully

Under Irish ePrivacy rules and GDPR, cookie banners must offer a genuine "Reject All" option that is as easy to click as "Accept All." If a site buries the reject option or pre-ticks consent boxes, that's a breach — you can and should refuse.

Regularly Audit Your Digital Footprint

  • Every 6 months, list the online services you no longer use and request account deletion.
  • Use haveibeenpwned.com to check whether your email has appeared in known breaches.
  • Review app permissions on your phone — revoke location, microphone, and contacts access where not essential.

GDPR for Small Businesses and Sole Traders in Ireland

If you run a business in Ireland — even a one-person consultancy — you are almost certainly a data controller. The good news is GDPR compliance is scaled to risk, so a small mailing list doesn't need the same infrastructure as a bank.

Minimum Compliance Checklist

  1. Publish a plain-language privacy notice on your website.
  2. Keep a record of processing activities (a simple spreadsheet works for small operators).
  3. Only collect data you genuinely need and delete it when the purpose is fulfilled.
  4. Secure data with strong passwords, encryption, and access controls.
  5. Have a plan for handling SARs and breaches — even a one-page procedure counts.
  6. Get valid consent for marketing emails (opt-in, not pre-ticked).
  7. Sign data processing agreements with any vendors handling data on your behalf.

Frequently Asked Questions

Do I need a solicitor to enforce my GDPR rights in Ireland?

No. You can exercise all of your rights directly with the organisation and, if unresolved, complain to the DPC free of charge. Legal representation is usually only needed if you decide to pursue compensation in the Circuit Court under Section 117 of the Data Protection Act 2018.

How long does a DPC complaint take to resolve?

Simple domestic complaints are often handled within a few months. Cross-border cases involving large multinationals can take one to three years, or longer, because they require coordination with other EU regulators through the European Data Protection Board's cooperation mechanism.

Can I claim compensation if my data is misused?

Yes. Under GDPR Article 82 and Section 117 of Ireland's Data Protection Act 2018, you can claim material damages (financial loss) and non-material damages (distress, anxiety) in the Irish courts. Recent Irish case law has confirmed that even relatively modest distress can attract compensation, though amounts are typically in the hundreds to low thousands of euros.

Does GDPR apply to my employer?

Absolutely. Employers are data controllers for their staff and must comply with GDPR just like any other organisation. You can make a Subject Access Request for your HR file, payroll data, monitoring records, and internal emails about you. Note that some information — such as references given in confidence or third-party personal data — may be redacted.

What's the difference between GDPR and the Irish Data Protection Act 2018?

GDPR is the EU-wide regulation that applies directly in every member state. The Data Protection Act 2018 is Ireland's national law that supplements GDPR, setting out the DPC's powers, transposing the Law Enforcement Directive, and specifying certain national choices such as the digital age of consent (16 in Ireland, compared to 13 in some other EU states).

Final Thoughts

GDPR has fundamentally shifted the balance of power between individuals and organisations that collect data. In Ireland, thanks to the DPC's outsized role, the effects of your privacy rights ripple far beyond the country's borders. But those rights are only as strong as your willingness to exercise them — sending a Subject Access Request, refusing tracking cookies, or filing a complaint when a company crosses the line.

Take fifteen minutes this week to audit one online service you use. Request your data, delete what you don't need, and tighten up permissions. Small steps, taken consistently, are what turn GDPR from theory into real protection.
