facebook-pixel

GDPR in Ireland: Your Privacy Rights Explained (2026 Guide)

L
Lunyb Security Team
··10 min read

Ireland sits at the centre of European data protection. With most of the world's largest technology companies headquartered in Dublin, the Irish Data Protection Commission (DPC) has become one of the most influential regulators in Europe. If you live, work, or do business in Ireland, understanding your rights under the General Data Protection Regulation (GDPR) is essential.

This guide explains what GDPR means for people in Ireland, the rights you can exercise, how to enforce them, and what organisations must do to stay compliant.

What is GDPR and how does it apply in Ireland?

The General Data Protection Regulation is a European Union law that governs how personal data is collected, stored, processed, and shared. It came into effect on 25 May 2018 and applies directly across all EU member states, including Ireland. In Irish law, GDPR is supplemented by the Data Protection Act 2018, which handles national specifics such as the age of digital consent (16) and rules for law enforcement processing.

GDPR applies to any organisation that processes the personal data of people located in Ireland, regardless of where that organisation is based. That means an American cloud provider serving Irish customers is bound by the same rules as a small Dublin café using a loyalty app.

Who enforces GDPR in Ireland?

The Data Protection Commission (DPC), headquartered in Dublin, is the national supervisory authority. Because so many global tech companies have their EU headquarters in Ireland, the DPC acts as the lead supervisory authority for cross-border cases involving companies like Meta, Google, TikTok, LinkedIn, and Apple. It has the power to investigate complaints, issue reprimands, and levy fines of up to €20 million or 4% of a company's global annual turnover, whichever is higher.

What counts as personal data?

Personal data is any information relating to an identified or identifiable living person. Under GDPR, this is defined very broadly and includes far more than just names and addresses.

  • Direct identifiers: name, PPS number, passport number, email address
  • Online identifiers: IP addresses, cookie IDs, device fingerprints, mobile advertising IDs
  • Location data: GPS coordinates, mobile network cell data
  • Financial data: bank details, salary information, transaction history
  • Special category data: health records, biometric data, ethnicity, religious beliefs, sexual orientation, trade union membership, political opinions

Special category data (sometimes called "sensitive data") receives extra protection under Article 9 of the GDPR and typically requires explicit consent or another specific legal basis to process.

Your eight GDPR rights in Ireland

GDPR grants every person in Ireland eight fundamental rights over their personal data. Understanding these rights is the first step to exercising them effectively.

1. The right to be informed

Organisations must tell you, in plain language, what data they collect, why they collect it, how long they will keep it, and who they share it with. This is usually provided through a privacy notice or policy at the point of data collection.

2. The right of access (subject access request)

You can request a copy of all the personal data an organisation holds about you. This is known as a Subject Access Request (SAR). The organisation must respond within one month, and in most cases the response must be free of charge.

3. The right to rectification

If an organisation holds inaccurate or incomplete data about you, you can require them to correct or complete it without undue delay.

4. The right to erasure ("right to be forgotten")

You can ask for your personal data to be deleted where it is no longer necessary for the purpose it was collected, you withdraw consent, or the data was processed unlawfully. This right is not absolute — legal obligations, freedom of expression, and public interest can override it.

5. The right to restrict processing

Instead of full deletion, you can ask an organisation to stop actively using your data while a dispute is resolved, for example while accuracy is being verified.

6. The right to data portability

Where processing is based on consent or a contract and carried out by automated means, you can receive your data in a structured, commonly used, machine-readable format — and have it transmitted to another controller where technically feasible.

7. The right to object

You can object to processing based on legitimate interests or public interest, and you have an absolute right to object to direct marketing at any time. Once you object to direct marketing, processing for that purpose must stop immediately.

8. Rights related to automated decision-making and profiling

You have the right not to be subject to a decision based solely on automated processing — including profiling — that produces legal or similarly significant effects. Examples include automated credit scoring or algorithmic hiring decisions.

Comparison of GDPR rights and when they apply

Right Response Time Cost Absolute or Qualified?
Access1 monthFree (usually)Qualified
Rectification1 monthFreeQualified
Erasure1 monthFreeQualified
Restriction1 monthFreeQualified
Portability1 monthFreeQualified
Object (marketing)ImmediateFreeAbsolute
Object (other)1 monthFreeQualified
Automated decisions1 monthFreeQualified

How to make a Subject Access Request in Ireland

A Subject Access Request is the most commonly exercised GDPR right. Here is a step-by-step process to make one effectively.

  1. Identify the controller. Find the correct organisation and its data protection contact — usually a Data Protection Officer (DPO) or privacy team email listed in the privacy policy.
  2. Write your request. State clearly that you are making a Subject Access Request under Article 15 of the GDPR. You do not need to give a reason.
  3. Provide identity verification. The controller may ask for reasonable proof of identity to prevent data being disclosed to the wrong person.
  4. Be specific if you can. If you only want data from a particular time period or category (for example, call recordings from March), say so — it speeds up the response.
  5. Wait up to one month. The controller can extend this by two further months for complex requests, but must tell you within the first month.
  6. Review the response. Check that it includes not just the data but also the purposes of processing, categories of recipients, retention periods, and the source of the data if not collected from you.

What to do if an organisation refuses or ignores you

If a controller fails to respond within one month, refuses your request without a valid legal reason, or gives an incomplete response, you can escalate.

  1. Complain to the organisation. Write to their DPO stating the issue and requesting resolution within a reasonable time (usually 14 days).
  2. Lodge a complaint with the DPC. Go to dataprotection.ie and file a complaint. Include copies of your original request, the response (or lack of it), and evidence of any harm.
  3. Seek a judicial remedy. Under Article 79 of the GDPR and section 117 of the Data Protection Act 2018, you can bring a civil action in the Irish courts, including a claim for compensation for material or non-material damage.

GDPR obligations for Irish businesses

If you run a business in Ireland — whether a sole trader, SME, or large enterprise — you almost certainly process personal data and must comply with GDPR. Key obligations include:

  • Lawful basis: Identify a valid legal basis (consent, contract, legal obligation, vital interests, public task, or legitimate interests) for every processing activity.
  • Privacy notice: Provide a clear, accessible privacy policy at the point of data collection.
  • Records of processing (ROPA): Maintain internal records of all processing activities, especially if you have 250+ employees or process high-risk data.
  • Data Protection Impact Assessments (DPIAs): Conduct DPIAs for high-risk processing, such as large-scale monitoring or special category data.
  • Breach notification: Report personal data breaches to the DPC within 72 hours of becoming aware, and to affected individuals if there is high risk to their rights.
  • Data Protection Officer: Appoint a DPO if you are a public authority, carry out large-scale systematic monitoring, or process special category data at scale.
  • International transfers: Use approved safeguards (Standard Contractual Clauses, adequacy decisions) for transfers outside the EEA.

Practical steps to protect your privacy in Ireland

Beyond exercising your legal rights, there are practical measures you can take to reduce how much data you expose in the first place.

  • Review cookie banners carefully. Under the ePrivacy Regulations 2011 and DPC guidance, sites must ask for opt-in consent for non-essential cookies. Reject anything you don't need.
  • Use privacy-focused browsers. Browsers like Firefox and Brave block trackers by default. Enable strict tracking protection.
  • Consider encrypted DNS. Services like Cloudflare 1.1.1.1 or NextDNS encrypt your DNS queries so your internet provider cannot easily log which sites you visit.
  • Use a password manager. Reusing passwords is one of the biggest causes of data breaches affecting Irish consumers.
  • Shorten and control the links you share. When posting URLs publicly, a privacy-respecting link shortener like Lunyb lets you share short links without exposing the underlying destination or your analytics to a third party unnecessarily. You can read an honest review of Lunyb or see how it compares in the 2026 buyer's guide to URL shorteners.
  • Check third-party tools. If you use link shorteners, analytics tools, or marketing platforms, make sure they are GDPR-compliant. The 2026 Rebrandly review discusses compliance considerations for branded links.

Recent GDPR enforcement in Ireland

The DPC has issued some of the largest GDPR fines in Europe. Recent notable decisions include multi-hundred-million-euro penalties against major social media platforms for unlawful data transfers, inadequate transparency around targeted advertising, and improper handling of children's data. These cases demonstrate that even the largest global companies are being held to account under Irish enforcement — and that individuals in Ireland benefit from an active regulator.

Complaints from individuals often drive these investigations. Even a single well-documented complaint can trigger a wider inquiry.

GDPR and children in Ireland

Ireland set the digital age of consent at 16, one of the highest in the EU. This means that for information society services (like social media apps), children under 16 need parental consent for their data to be processed on the basis of consent. Schools, apps, and platforms serving Irish children must be especially careful about how they collect and use data, and the DPC has published a specific set of "Fundamentals for a Child-Oriented Approach to Data Processing."

Frequently asked questions

How long do organisations have to respond to a GDPR request in Ireland?

Organisations must respond to a Subject Access Request or any other GDPR rights request within one calendar month of receiving it. This can be extended by up to two further months for complex or numerous requests, but they must inform you of the extension within the original month.

Can I claim compensation for a GDPR breach in Ireland?

Yes. Under Article 82 of the GDPR and section 117 of the Data Protection Act 2018, you can claim compensation in the Irish courts for both material damage (financial loss) and non-material damage (distress, anxiety, loss of control over data). Recent Irish and CJEU case law has clarified that some level of actual harm must be shown — mere infringement is not enough.

Does GDPR apply to small businesses and sole traders?

Yes. GDPR applies regardless of business size. However, smaller organisations have lighter documentation obligations — for example, businesses with fewer than 250 employees usually do not need to maintain full records of processing unless the processing is high-risk, not occasional, or involves special category data.

What is the difference between the DPC and the GDPR?

GDPR is the European regulation that sets out the rules. The Data Protection Commission (DPC) is the Irish state body responsible for enforcing those rules in Ireland. Think of GDPR as the law and the DPC as the referee.

Do I need to give a reason when exercising my GDPR rights?

No. For most rights — including access, erasure, and objection to direct marketing — you do not need to justify your request. The controller must comply unless a specific legal exemption applies, and the burden is on them to show that exemption applies.

Final thoughts

GDPR gives people in Ireland real, enforceable control over their personal data — but rights only matter if they are exercised. Whether you are asking for a copy of your data, telling a company to stop marketing to you, or reporting a breach to the DPC, using these tools keeps organisations accountable and strengthens the wider culture of privacy across Ireland. Combine your legal rights with practical measures like tracker-blocking browsers, encrypted DNS, and privacy-respecting tools for the everyday web, and you significantly reduce your exposure to the data economy.

Protect your links with Lunyb

Create secure, trackable short links and QR codes in seconds.

Get Started Free

Related Articles