GDPR in Ireland: Your Privacy Rights Explained
The General Data Protection Regulation (GDPR) has been in force across the European Union since May 2018, and in Ireland it is enforced under the Data Protection Act 2018. For Irish residents, GDPR provides some of the strongest privacy rights in the world — giving you meaningful control over how organisations collect, use, store, and share your personal data. Yet many people still don't fully understand what those rights actually mean in practice, or how to enforce them when something goes wrong.
This guide breaks down GDPR in Ireland in plain English: what your rights are, how to exercise them, what the Data Protection Commission (DPC) does, and what businesses operating in Ireland must do to remain compliant.
What Is GDPR and How Does It Apply in Ireland?
GDPR is an EU-wide regulation that governs how personal data is processed by organisations. In Ireland, it is supplemented and enforced through the Data Protection Act 2018, and the supervisory authority is the Data Protection Commission (DPC), based in Dublin.
Because many of the world's largest technology companies — including Meta, Google, TikTok, Apple, and Microsoft — have their EU headquarters in Ireland, the Irish DPC plays an outsized role in enforcing GDPR across Europe. That means decisions made in Dublin often affect hundreds of millions of Europeans.
GDPR applies whenever an organisation:
- Is established in Ireland or the EU and processes personal data;
- Offers goods or services to people located in Ireland/EU, regardless of where the company is based; or
- Monitors the behaviour of people in the EU (for example, through tracking cookies or analytics).
What Counts as Personal Data?
Personal data is any information that relates to an identified or identifiable living person. This is a very broad definition and includes obvious items like name, address, email, PPS number, or date of birth, as well as less obvious ones like IP addresses, cookie identifiers, location data, device IDs, photographs, and even behavioural profiles.
Certain categories are classed as "special category data" and receive extra protection, including health data, racial or ethnic origin, religious beliefs, political opinions, trade union membership, sexual orientation, and biometric data used to identify a person.
Your Eight Core GDPR Rights in Ireland
GDPR gives every Irish resident eight fundamental rights over their personal data. Understanding each one is the first step to taking control of your digital privacy.
1. The Right to Be Informed
Organisations must clearly tell you what data they collect, why they collect it, how long they keep it, who they share it with, and what your rights are. This is usually done through a privacy notice or privacy policy, which must be written in plain, accessible language.
2. The Right of Access
You can ask any organisation for a copy of the personal data they hold about you. This is known as a Subject Access Request (SAR). The organisation must respond within one month and cannot charge you a fee in most cases.
3. The Right to Rectification
If any personal data an organisation holds about you is inaccurate or incomplete, you can require them to correct or update it.
4. The Right to Erasure ("Right to Be Forgotten")
You can ask for your personal data to be deleted in certain circumstances — for example, if the data is no longer needed for the original purpose, if you withdraw consent, or if it has been unlawfully processed.
5. The Right to Restrict Processing
You can ask an organisation to pause processing your data while a dispute or investigation is ongoing — for example, while they check the accuracy of your data.
6. The Right to Data Portability
You can request that your data be provided to you in a structured, machine-readable format (such as CSV or JSON), and you can ask that it be transferred directly to another provider where technically feasible.
7. The Right to Object
You can object to certain types of processing, especially direct marketing. Once you object to marketing, the organisation must stop immediately.
8. Rights Related to Automated Decision-Making
You have the right not to be subject to a decision based solely on automated processing — including profiling — that produces legal or similarly significant effects. Think credit scoring, insurance pricing, or automated recruitment decisions.
Lawful Bases for Processing: Why Companies Can Use Your Data
Organisations cannot process your personal data just because they want to. Under GDPR they must identify a lawful basis before processing. There are six lawful bases, and each carries different implications for you.
| Lawful Basis | When It Applies | Your Key Right |
|---|---|---|
| Consent | You have freely given clear permission | You can withdraw consent at any time |
| Contract | Processing is needed to fulfil a contract with you | Limited — data is essential to the service |
| Legal Obligation | The law requires processing (e.g. tax records) | Cannot be objected to |
| Vital Interests | Needed to protect someone's life | Rare, emergency situations |
| Public Task | Public authority carrying out official function | Right to object in some cases |
| Legitimate Interests | Reasonable business need, balanced against your rights | Strong right to object |
How to Exercise Your Rights: A Step-by-Step Guide
Exercising your GDPR rights in Ireland is straightforward if you follow a clear process. Here is how to make a request effectively.
- Identify the data controller. This is the organisation that decides how and why your data is processed. Their contact details are usually in their privacy policy.
- Put your request in writing. Email is fine. Clearly state which right you are exercising (access, erasure, rectification, etc.) and what data you're asking about.
- Verify your identity. The organisation may ask for reasonable proof of identity, but they cannot demand excessive documentation.
- Wait up to one month. The response deadline is one calendar month, extendable by two more months for complex requests (they must tell you if they extend).
- Review the response. Check whether they've given you everything you're entitled to and whether any redactions are justified.
- Escalate if needed. If unhappy, complain internally first, then to the Data Protection Commission.
Sample Wording for a Subject Access Request
"Under Article 15 of the GDPR, I request access to all personal data you hold about me, together with the information listed in Article 15(1)(a)–(h). Please respond within one month of receipt. My contact details are [insert]."
The Role of the Data Protection Commission (DPC)
The Data Protection Commission is Ireland's independent supervisory authority for GDPR. It has the power to investigate complaints, audit organisations, issue reprimands, order changes in processing, and impose fines of up to €20 million or 4% of global annual turnover — whichever is higher.
Anyone in Ireland can lodge a complaint with the DPC free of charge. You do this through their website at dataprotection.ie. You don't need a solicitor, and there's no filing fee.
What to Expect When You Complain
- The DPC will acknowledge your complaint and assign it to a case handler.
- They typically try to resolve issues amicably first, through mediation with the organisation.
- If that fails, a formal statutory investigation may follow.
- Outcomes can include compliance orders, reprimands, or administrative fines.
- You have the right to an effective judicial remedy in the Irish courts if you disagree with the DPC's decision.
GDPR Obligations for Irish Businesses
If you run a business in Ireland — even a small one — GDPR almost certainly applies to you. Non-compliance is expensive, and reputational damage from a public breach can be worse than the fine itself.
Core Compliance Requirements
- Maintain a Record of Processing Activities (ROPA). Document what data you collect, why, where it's stored, who it's shared with, and how long you retain it.
- Publish a clear privacy notice. It must be easy to find and written in plain English (or Irish).
- Implement appropriate security measures. Encryption at rest and in transit, access controls, staff training, and secure backups.
- Manage consent properly. For cookies, marketing, and non-essential processing, consent must be opt-in, granular, and easy to withdraw.
- Have a data breach response plan. Breaches likely to result in risk to individuals must be reported to the DPC within 72 hours.
- Appoint a Data Protection Officer (DPO) if you carry out large-scale monitoring, process special category data at scale, or are a public authority.
- Vet your processors. Any third party that processes data on your behalf (cloud providers, email tools, analytics platforms) must be bound by a written data processing agreement.
Practical Tools for Reducing Data Exposure
Minimising the personal data you handle is one of the best ways to reduce GDPR risk. This principle — called data minimisation — is baked into Article 5 of the regulation. In practice, this means using privacy-friendly tools wherever possible: encrypted email, privacy-respecting analytics, and link-management platforms that don't harvest unnecessary data from your users.
For example, if you share links across marketing campaigns, using a privacy-respecting shortener like Lunyb lets you track clicks without over-collecting personal information about your audience. If you'd like an independent take, see our honest review of Lunyb or compare options in our 2026 buyer's guide to URL shorteners.
Cookies, Tracking, and the ePrivacy Rules
In Ireland, cookies and similar tracking technologies are governed by both GDPR and the ePrivacy Regulations (SI 336/2011). The DPC has issued detailed guidance making clear that:
- Non-essential cookies (analytics, advertising, social plugins) require prior opt-in consent.
- Pre-ticked boxes, implied consent, or "cookie walls" are not valid.
- Refusing cookies must be as easy as accepting them.
- Consent must be renewed periodically (typically no longer than 6–12 months).
Many Irish websites still fall short of these standards, and the DPC has confirmed cookie compliance is an ongoing enforcement priority.
International Data Transfers After Schrems II
Irish businesses often use US-based services (AWS, Google Workspace, Microsoft 365, Mailchimp, and so on). Following the Court of Justice of the EU's landmark Schrems II ruling — brought by Irish privacy activist Max Schrems — transfers of personal data outside the EEA require additional safeguards.
Currently, most transatlantic transfers rely on either the EU–US Data Privacy Framework (adopted in July 2023) or Standard Contractual Clauses supplemented by a Transfer Impact Assessment. Businesses must document their transfer mechanisms and reassess them periodically.
Penalties and Recent Enforcement in Ireland
The Irish DPC has issued some of the largest GDPR fines in Europe, including multi-hundred-million-euro penalties against major social media platforms for issues ranging from unlawful data transfers to inadequate protection of children's data. These enforcement actions send a clear message: GDPR is not paperwork — it's enforceable law with serious financial consequences.
Fine bands under GDPR are structured in two tiers:
| Tier | Maximum Fine | Typical Violations |
|---|---|---|
| Lower tier | €10 million or 2% of global turnover | Records, breach notification, DPO appointment failures |
| Upper tier | €20 million or 4% of global turnover | Violating rights, unlawful processing, illegal transfers |
Practical Tips to Protect Your Own Privacy
Knowing your rights is only half the battle. Here are practical steps every Irish resident can take today:
- Review the privacy settings on your social media, email, and mobile apps every few months.
- Use a privacy-focused browser (Firefox, Brave) and enable tracking protection.
- Turn on encrypted DNS (DNS over HTTPS) to prevent your ISP from logging every domain you visit.
- Delete accounts you no longer use — dormant accounts are common breach vectors.
- Use a password manager and enable two-factor authentication everywhere.
- Submit a Subject Access Request once a year to a major platform you use — it's eye-opening.
- Check Have I Been Pwned to see if your email has appeared in known breaches.
Frequently Asked Questions
Is GDPR the same as the Irish Data Protection Act 2018?
No, but they work together. GDPR is the EU regulation that applies directly across all member states. The Data Protection Act 2018 is the Irish law that gives effect to GDPR in Ireland, sets out national derogations (for example, the age of digital consent, which is 16 in Ireland), and establishes the powers of the Data Protection Commission.
How long does an organisation have to respond to my Subject Access Request?
One calendar month from the date they receive your request. They can extend by up to two additional months for complex or numerous requests, but they must notify you within the first month if they're extending, along with reasons why.
Can I be charged a fee for making a GDPR request?
In most cases, no. Requests must be handled free of charge. An organisation can only charge a "reasonable fee" (or refuse to act) if a request is manifestly unfounded or excessive — for example, if you make the same request repeatedly without new grounds. They must justify any refusal in writing.
What should I do if a company ignores my GDPR request?
First, send a follow-up in writing referencing your original request date. If they still don't respond within the one-month deadline, you can lodge a complaint directly with the Data Protection Commission at dataprotection.ie. The complaint is free and doesn't require legal representation. You can also pursue compensation through the Irish courts for material or non-material damage caused by GDPR breaches.
Does GDPR apply to sole traders and small businesses in Ireland?
Yes. There is no "small business exemption" under GDPR. However, the obligations are proportional to your risk profile. A one-person consultancy that emails a modest client list has far fewer practical compliance steps than a fintech processing millions of transactions. The core principles — lawful basis, transparency, security, and respecting individual rights — apply to everyone.
Can I sue a company directly under GDPR?
Yes. Article 82 of GDPR gives you the right to compensation for material damage (financial loss) or non-material damage (distress, anxiety, reputational harm) caused by a GDPR breach. You can bring a claim in the Circuit Court or High Court in Ireland, either independently or after a DPC finding.
Final Thoughts
GDPR gives Irish residents genuinely powerful rights over their personal data — but those rights only matter if people know about them and use them. Whether you're an individual wanting more control over how companies profile you, or a business trying to build customer trust through good data hygiene, understanding your obligations and entitlements under GDPR is essential.
The best approach is proactive: exercise your rights regularly, choose privacy-respecting tools, and hold organisations to account when they fall short. In doing so, you help strengthen a data protection culture that benefits everyone in Ireland.
Protect your links with Lunyb
Create secure, trackable short links and QR codes in seconds.
Get Started FreeRelated Articles
Singapore Online Safety Act 2026: Complete Guide for Users and Businesses
Singapore's Online Safety Act has evolved significantly by 2026, with tougher rules on deepfakes, child safety, and scam content. This complete guide explains who the Act applies to, what platforms and businesses must do, and how everyday users are protected.
ICO Fines 2026: Biggest Data Protection Penalties in the UK
The ICO has issued some of its largest data protection fines yet in 2026, targeting ransomware failures, cookie consent breaches, and health data mishandling. This guide breaks down the biggest UK penalties of the year and shows how your business can stay compliant.
How Canadian Businesses Should Handle Data Privacy in 2026
Canadian businesses face a rapidly evolving privacy landscape, from PIPEDA and Quebec's Law 25 to the upcoming Bill C-27. This guide breaks down the legal requirements, a practical 10-step compliance framework, and how to turn privacy into a competitive advantage.
UK Data Protection Act vs GDPR Explained: A 2026 Compliance Guide
The UK Data Protection Act 2018 and the GDPR share a common DNA but differ in scope, enforcement, and post-Brexit application. This guide explains how the DPA 2018, UK GDPR, and EU GDPR interact, and what UK organisations must do to stay compliant in 2026.