facebook-pixel

GDPR in Ireland: Your Privacy Rights Explained (2026 Guide)

L
Lunyb Security Team
··10 min read

Ireland sits at the heart of European data protection. With most of the world's largest tech companies headquartered in Dublin, the Irish Data Protection Commission (DPC) has become one of the most influential regulators in the European Union. But GDPR isn't just a matter for corporate lawyers — it grants every person in Ireland powerful, enforceable rights over their personal data. This guide explains what those rights are, how to exercise them, and what to do when a company gets it wrong.

What is GDPR and How Does It Apply in Ireland?

The General Data Protection Regulation (GDPR) is an EU-wide law that came into force on 25 May 2018. It governs how organisations collect, store, use, and share personal data about individuals in the EU. In Ireland, GDPR is supplemented by the Data Protection Act 2018, which fills in national details such as the age of digital consent (16 in Ireland) and the powers of the DPC.

GDPR applies to any organisation — Irish or foreign — that processes the personal data of people located in Ireland. That includes multinationals like Meta, Google, and TikTok (all with European headquarters in Dublin), as well as small Irish businesses, charities, sports clubs, schools, and public bodies.

What Counts as "Personal Data"?

Personal data is any information that can identify a living person, directly or indirectly. This includes obvious items like your name, PPS number, address, and photo, but also less obvious data such as:

  • IP addresses and device identifiers
  • Location data from your phone
  • Online behavioural profiles and cookies
  • Employment records and CCTV footage
  • Voice recordings from customer service calls

"Special category data" — including health information, sexual orientation, religious beliefs, political opinions, and biometric data — carries additional protections and generally requires explicit consent to process.

Your Eight Core GDPR Rights in Ireland

GDPR gives you eight fundamental rights over your personal data. Every organisation processing your information must respect these rights, and most requests must be answered free of charge within one month.

1. The Right to Be Informed

You have the right to know who is collecting your data, why, how long they'll keep it, and who they'll share it with. This is why every reputable website has a privacy notice or policy — it's not just a formality, it's a legal requirement.

2. The Right of Access (DSAR)

You can ask any organisation for a copy of all personal data they hold about you. This is called a Data Subject Access Request (DSAR). The organisation must respond within one month and provide the data in a commonly used electronic format.

3. The Right to Rectification

If a company holds inaccurate or incomplete data about you, you can require them to correct it without undue delay.

4. The Right to Erasure ("Right to Be Forgotten")

You can request deletion of your personal data in certain circumstances — for example, when the data is no longer needed, when you withdraw consent, or when the data was processed unlawfully. This right isn't absolute; organisations can refuse if they have a legal obligation to retain the data (e.g. Revenue records).

5. The Right to Restrict Processing

Instead of full deletion, you can ask an organisation to "freeze" your data — storing it but not using it — while a dispute is being resolved.

6. The Right to Data Portability

You can obtain your data in a machine-readable format and transfer it to another provider. This is particularly useful when switching banks, energy suppliers, or social media platforms.

7. The Right to Object

You can object to processing based on legitimate interests, direct marketing, or profiling. For direct marketing, this objection is absolute — the company must stop immediately.

8. Rights Related to Automated Decision-Making

You have the right not to be subject to purely automated decisions (including profiling) that produce legal or similarly significant effects — such as automated loan refusals or algorithmic hiring decisions — without human review.

Comparing GDPR Rights at a Glance

RightResponse DeadlineCostCommon Use Case
Access (DSAR)1 monthFreeSeeing what a company knows about you
Rectification1 monthFreeCorrecting wrong address on file
Erasure1 monthFreeRemoving old social media accounts
Restriction1 monthFreePausing use during a dispute
Portability1 monthFreeSwitching service providers
ObjectionImmediate (marketing)FreeStopping unwanted emails/calls
Automated Decisions1 monthFreeChallenging an algorithmic refusal

The Role of the Data Protection Commission (DPC)

The Data Protection Commission, based in Dublin and Portarlington, is Ireland's independent authority for enforcing GDPR. Because so many US tech giants have their European headquarters in Ireland, the DPC acts as the "lead supervisory authority" for cross-border investigations involving companies like Meta, Google, Apple, Microsoft, LinkedIn, and TikTok.

Recent DPC actions have included:

  • A €1.2 billion fine against Meta in 2023 for unlawful data transfers to the US
  • A €345 million fine against TikTok for children's privacy failings
  • A €390 million fine against Meta over the legal basis for behavioural advertising
  • Multiple decisions involving LinkedIn's targeted advertising practices

For ordinary residents, the DPC's most important function is handling individual complaints — a free service available to anyone in Ireland.

How to Make a Data Subject Access Request (DSAR)

A DSAR is your most practical tool as a data subject. Here's how to make one effectively:

  1. Identify the data controller. This is the organisation that decides how your data is used. Check their privacy policy for a data protection officer (DPO) or privacy email address.
  2. Submit your request in writing. Email is easiest and creates a paper trail. You don't need to use the phrase "DSAR" — simply state you're exercising your right of access under Article 15 GDPR.
  3. Prove your identity. The organisation can ask for reasonable ID to prevent data being disclosed to the wrong person.
  4. Be specific if you can. Narrowing the request ("emails between 2023 and 2024 mentioning my account") often speeds things up, though broad requests are also valid.
  5. Wait one month. The controller may extend by two additional months for complex requests, but must inform you within the first month.
  6. Review what you receive. Check for gaps, redactions, and missing categories of data. You can follow up if something is clearly absent.

Filing a Complaint With the DPC

If an organisation ignores your request, gives an inadequate response, or misuses your data, you can complain to the DPC. The process is free and doesn't require a solicitor.

Steps to Lodge a Complaint

  1. Contact the organisation first. The DPC expects you to raise the issue with the controller before escalating.
  2. Gather evidence. Keep copies of your original request, any responses, screenshots, and dates.
  3. Complete the DPC's complaint form. Available at dataprotection.ie, it can be submitted online, by email, or by post.
  4. Cooperate with the investigation. The DPC may seek clarification or additional documents.
  5. Await the decision. Outcomes range from informal resolution to formal decisions, corrective orders, and administrative fines.

GDPR in Everyday Irish Life

GDPR touches almost every area of daily life in Ireland. Understanding how it applies in specific contexts helps you recognise when your rights are being respected — or violated.

At Work

Your employer is a data controller for HR records, payroll, performance reviews, and CCTV. Workplace monitoring — including email surveillance and location tracking of company vehicles — must be proportionate, transparent, and based on a lawful basis. You can request access to your own personnel file at any time.

In Healthcare

The HSE, GPs, hospitals, and pharmacies all hold sensitive health data. You have the right to access your medical records, correct errors, and be informed if there is a data breach affecting your information.

In Schools

Schools process significant amounts of children's data. Parents can request records about their child, and older students may be entitled to make their own requests. The digital age of consent in Ireland is 16, meaning children under this age generally need parental consent before signing up for online services.

Online and on Social Media

Every website you visit collects some form of data. GDPR requires clear cookie banners, meaningful consent choices, and honest privacy notices. If a website makes it easier to "accept all" than to reject non-essential cookies, that's a red flag — and the DPC has taken action on "dark patterns" like these.

Protecting Your Own Data: Practical Steps

Knowing your rights is only half the battle. Reducing how much personal data you expose in the first place is often the most effective privacy strategy.

  1. Audit your accounts. Delete dormant online accounts you no longer use — each one is a potential breach waiting to happen.
  2. Use strong, unique passwords. A reputable password manager makes this effortless.
  3. Enable two-factor authentication on email, banking, and social accounts.
  4. Review app permissions on your phone regularly. Does that torch app really need your contacts?
  5. Use privacy-respecting browsers and encrypted DNS services to reduce tracking.
  6. Be careful what you share in links. Long URLs often contain tracking parameters. Tools like Lunyb let you create clean, shortened links without exposing analytics identifiers to every recipient — useful if you regularly share links via email or social media.
  7. Read privacy notices before signing up for services. Look for how long data is kept and who it's shared with.

If you work in marketing or communications and regularly share links, choosing privacy-conscious tools matters. Our 2026 buyer's guide to URL shorteners compares the leading options on data handling, and our honest review of Lunyb covers how one Irish-friendly service approaches user data. For a paid alternative, see our Rebrandly review.

What Happens When Companies Breach GDPR?

GDPR fines can reach up to €20 million or 4% of global annual turnover, whichever is higher. But financial penalties are only one enforcement tool. The DPC can also:

  • Issue reprimands and warnings
  • Order companies to bring processing into compliance
  • Ban specific processing activities
  • Require data to be deleted
  • Suspend international data transfers

Individuals affected by unlawful processing may also seek compensation through the Irish courts for both material damage (financial loss) and non-material damage (distress, anxiety, reputational harm).

Frequently Asked Questions

Is GDPR still in force in Ireland after Brexit?

Yes. Ireland remains a full EU member state, so GDPR applies unchanged. Brexit only affected the UK, which now operates under "UK GDPR" — a very similar but separate framework. Data transfers between Ireland and the UK continue under an adequacy decision granted by the European Commission.

How much does it cost to make a GDPR request in Ireland?

Nothing. Data subject requests — access, rectification, erasure, and so on — must be handled free of charge. An organisation can only charge a "reasonable fee" if a request is manifestly unfounded or excessive, or if you ask for additional copies of the same information.

Can my employer read my work emails under GDPR?

Employers can monitor work communications, but only in a proportionate, transparent way with a clear lawful basis. They must inform staff in advance through policies, avoid excessive surveillance, and respect any personal correspondence. Covert monitoring is rarely lawful outside of investigating specific, serious misconduct.

What's the difference between a data controller and a data processor?

A data controller decides why and how personal data is processed — for example, your bank or employer. A data processor acts on behalf of a controller, such as a cloud hosting company or payroll bureau. Both have GDPR obligations, but controllers bear primary responsibility for respecting your rights.

How long does the DPC take to resolve a complaint?

Simple complaints may be resolved in a few months, but complex cases — particularly cross-border investigations involving large tech companies — can take several years. The DPC provides updates during the investigation and issues a formal decision at the end, which you can appeal to the Circuit Court if you disagree.

Final Thoughts

GDPR gives people in Ireland some of the strongest data protection rights in the world — but those rights only matter if you use them. Making a DSAR, objecting to marketing, or complaining to the DPC costs nothing and pushes organisations to take privacy seriously. Combined with sensible personal habits like minimising the data you share and choosing privacy-respecting tools, these rights put you back in control of your digital life.

The next time a company asks for your data, remember: you are not just a user or a customer. Under Irish and EU law, you are a data subject with enforceable rights — and a regulator in Dublin whose job is to defend them.

Protect your links with Lunyb

Create secure, trackable short links and QR codes in seconds.

Get Started Free

Related Articles