facebook-pixel

GDPR in Ireland: Your Privacy Rights Explained

L
Lunyb Security Team
··10 min read

The General Data Protection Regulation (GDPR) is one of the strongest privacy frameworks in the world, and Ireland plays an outsized role in its enforcement. Because so many major tech companies — including Meta, Google, TikTok, and Apple — have their European headquarters in Dublin, the Irish Data Protection Commission (DPC) is effectively the lead regulator for a huge portion of global digital activity. But GDPR isn't just about big tech: it protects every person in Ireland whose data is collected, stored, or processed.

This guide breaks down your privacy rights under GDPR in Ireland, how to exercise them, what obligations organisations have, and where to turn if something goes wrong.

What Is GDPR and How Does It Apply in Ireland?

The GDPR is an EU regulation that took effect on 25 May 2018. It governs how personal data is collected, processed, stored, and shared by organisations operating in or targeting the European Economic Area (EEA). In Ireland, the GDPR is implemented alongside the Data Protection Act 2018, which fills in national-level details such as how the DPC operates and how children's data is protected.

Personal data under GDPR is any information relating to an identified or identifiable person — names, emails, IP addresses, location data, health records, financial information, and even online identifiers like cookies. If a company can single you out from that data, it's protected.

Who Enforces GDPR in Ireland?

The Data Protection Commission (DPC), based in Dublin, is Ireland's independent supervisory authority. It investigates complaints, issues fines, and acts as the lead EU regulator for many multinational tech firms headquartered in Ireland. The DPC has issued some of the largest GDPR fines in history, including €1.2 billion against Meta in 2023.

Your 8 Core Privacy Rights Under GDPR

GDPR grants every person in Ireland eight fundamental rights over their personal data. These rights are enforceable against any organisation processing your information, whether they're based in Cork or California.

  1. The right to be informed — Organisations must tell you what data they collect, why, how long they keep it, and who they share it with. This is usually communicated through a privacy notice.
  2. The right of access — You can request a copy of all personal data an organisation holds about you, free of charge, via a Subject Access Request (SAR).
  3. The right to rectification — If your data is inaccurate or incomplete, you can demand it be corrected.
  4. The right to erasure — Also known as the "right to be forgotten," this lets you request deletion of your data in certain circumstances.
  5. The right to restrict processing — You can limit how an organisation uses your data while a dispute is being resolved.
  6. The right to data portability — You can obtain your data in a machine-readable format and transfer it to another service.
  7. The right to object — You can object to processing based on legitimate interests, direct marketing, or research purposes.
  8. Rights related to automated decision-making — You have protections against being subject to purely automated decisions that significantly affect you, including profiling.

How to Exercise Your GDPR Rights in Ireland

Exercising your GDPR rights is designed to be straightforward and free. Here's the practical process:

  1. Identify the data controller. This is the organisation that decides how your data is used. Check their privacy policy for a Data Protection Officer (DPO) or contact address.
  2. Make your request in writing. Email is usually best. State clearly which right you're exercising (e.g., "I am making a Subject Access Request under Article 15 of the GDPR").
  3. Provide identity verification. The organisation may ask for proof of ID to prevent fraudulent requests, but they cannot demand excessive documentation.
  4. Wait for a response. Organisations have one calendar month to respond. This can be extended by up to two additional months for complex requests, but they must tell you why.
  5. Escalate if needed. If the organisation refuses, ignores you, or gives an unsatisfactory response, you can complain to the DPC.

Sample Wording for a Subject Access Request

You don't need legal jargon. A simple message like this works:

"Dear [Company], I am writing to make a Subject Access Request under Article 15 of the GDPR. Please provide a copy of all personal data you hold about me, including the purposes of processing, categories of data, recipients, retention periods, and the source of the data if not collected from me directly. My details are: [name, email, account ID]. Kind regards, [Your Name]."

The Legal Bases for Processing Your Data

Organisations cannot process your data just because they want to. Under GDPR, they must rely on one of six lawful bases:

Legal BasisWhen It AppliesExample
ConsentYou've given clear, freely given permissionSigning up for a marketing newsletter
ContractProcessing is necessary to fulfil a contract with youAn online retailer processing your delivery address
Legal obligationRequired by Irish or EU lawEmployer reporting PAYE to Revenue
Vital interestsNeeded to protect someone's lifeSharing medical data in an emergency
Public taskCarried out by public authoritiesLocal council administering housing schemes
Legitimate interestsNecessary for the organisation's legitimate interests, balanced against your rightsFraud prevention or basic website analytics

Consent must be a specific, informed, unambiguous action — pre-ticked boxes and cookie walls that force acceptance are not valid consent under GDPR.

Special Rules for Sensitive Data

Certain categories of personal data receive extra protection under GDPR. These are called special category data and include:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic and biometric data
  • Health data
  • Data concerning sex life or sexual orientation

Processing this data is prohibited unless one of ten specific conditions applies — usually explicit consent or a clear legal requirement. This is especially relevant in Ireland's healthcare, HR, and education sectors.

Children's Data Protection in Ireland

Ireland has set the digital age of consent at 16, one of the highest in the EU. This means children under 16 cannot legally consent to their data being processed by information society services (like social media). Below that age, parental consent is required.

The DPC's Fundamentals for a Child-Oriented Approach to Data Processing is a landmark document that sets strict expectations for any service likely to be used by children, including default privacy settings, clear child-friendly language, and minimal data collection.

Business Obligations Under GDPR in Ireland

If you run a business, charity, or public body in Ireland, GDPR imposes significant responsibilities. Compliance is not optional and the DPC actively enforces the rules.

Key Requirements

  • Maintain records of processing activities (ROPA) — Document what data you hold, why, and how you protect it.
  • Publish a clear privacy notice — Written in plain language, accessible from your website.
  • Implement appropriate security measures — Encryption, access controls, regular backups, staff training.
  • Report data breaches — Notify the DPC within 72 hours if a breach is likely to result in risk to individuals.
  • Conduct Data Protection Impact Assessments (DPIAs) — Required for high-risk processing such as large-scale monitoring or profiling.
  • Appoint a Data Protection Officer (DPO) — Mandatory for public bodies and organisations doing large-scale monitoring or processing special category data.

Fines and Penalties

GDPR fines can reach the higher of €20 million or 4% of global annual turnover. Irish businesses have been fined for issues ranging from inadequate cookie banners to insufficient breach notification. Even small businesses can face fines of tens of thousands of euro for basic failures.

Practical Privacy Tips for People in Ireland

Beyond your legal rights, there are everyday steps you can take to protect your personal data online:

  1. Review app permissions regularly. Both iOS and Android let you see which apps access your location, contacts, and camera.
  2. Use privacy-focused browsers. Firefox and Brave block third-party trackers by default.
  3. Enable two-factor authentication on email, banking, and social accounts.
  4. Be selective with cookie banners. Under Irish ePrivacy rules, you have the right to reject non-essential cookies just as easily as accepting them.
  5. Use privacy-respecting tools for sharing links. When shortening URLs for social media or marketing, choose services that are transparent about data collection. Tools like Lunyb offer link shortening without unnecessary tracking — a good example of privacy-by-design in action. You can read more in our honest review of Lunyb.
  6. Check who your data is shared with. Use SARs to see how far your data has travelled.

How to File a Complaint With the DPC

If an organisation has mishandled your data or ignored your rights request, you can file a formal complaint with the Data Protection Commission. The process is free and can be started online at dataprotection.ie.

  1. Gather evidence: your original request, the organisation's response (or lack of it), and any relevant correspondence.
  2. Fill in the DPC's online complaint form or write to their offices in Dublin or Portarlington.
  3. The DPC will assess your complaint and may attempt an amicable resolution first.
  4. If needed, the DPC can launch a formal investigation, issue reprimands, order corrective action, or impose fines.
  5. You also retain the right to seek a judicial remedy through the Irish courts.

GDPR and Marketing: What Businesses Should Know

Marketers in Ireland must comply with both GDPR and the ePrivacy Regulations (S.I. 336 of 2011). Email marketing generally requires prior opt-in consent, though there's a limited "soft opt-in" exception for existing customers of similar products. SMS and phone marketing rules are even stricter.

If you're building marketing campaigns with tracked links, make sure your link shortener and analytics tools are GDPR-compliant. For a broader look at options, see our 2026 buyer's guide to URL shorteners and our Rebrandly review for comparison.

The Future of Data Protection in Ireland

Ireland's role as EU tech hub means privacy enforcement will only intensify. The Digital Services Act, Digital Markets Act, and forthcoming AI Act all add new layers of obligation on top of GDPR. The DPC is also expanding its team and has committed to faster resolution of cross-border cases.

For individuals, the trend is clear: your rights are becoming stronger and easier to exercise. For businesses, the compliance burden is growing — but so is the reputational reward for getting privacy right.

Frequently Asked Questions

Do I need to pay to make a Subject Access Request in Ireland?

No. Under GDPR, Subject Access Requests are free. Organisations can only charge a reasonable administrative fee if requests are "manifestly unfounded or excessive" — for example, if you send dozens of duplicate requests. In practice, the first request is always free.

How long does an organisation have to respond to my GDPR request?

Organisations must respond within one calendar month from the date they receive your request. This can be extended by up to two additional months for particularly complex or numerous requests, but they must inform you of the extension and the reason within the initial month.

Can I be fined for filing a GDPR complaint against my employer?

No. It is unlawful for an employer to penalise you for exercising your data protection rights or filing a complaint with the DPC. If you experience retaliation, this may itself be a breach of employment law and could be reported to the Workplace Relations Commission alongside your DPC complaint.

Does GDPR apply to businesses outside the EU that serve Irish customers?

Yes. GDPR has extraterritorial reach. Any organisation — regardless of location — that offers goods or services to people in Ireland, or monitors their behaviour, must comply. Non-EU organisations typically must also appoint an EU representative.

What's the difference between the DPC and the Data Protection Act 2018?

The DPC is the regulator — the independent authority that enforces data protection law in Ireland. The Data Protection Act 2018 is the piece of Irish legislation that gives effect to GDPR domestically and sets out national-specific rules, such as the digital age of consent and the DPC's powers.

Final Thoughts

GDPR gives you real, enforceable power over your personal data — and in Ireland, that power is backed by one of the most influential regulators in the world. Whether you're a citizen wanting to reclaim your data, a business owner trying to stay compliant, or a marketer building campaigns, understanding these rights is essential. Take five minutes today to review one privacy policy, send one Subject Access Request, or check the app permissions on your phone. Small actions build strong privacy habits — and they're all supported by Irish and EU law.

Protect your links with Lunyb

Create secure, trackable short links and QR codes in seconds.

Get Started Free

Related Articles