GDPR in Ireland: Your Privacy Rights Explained
Ireland sits at the heart of European data protection enforcement. As the EU home of Meta, Google, TikTok, LinkedIn, Apple and many other tech giants, the Irish Data Protection Commission (DPC) is one of the most powerful privacy regulators in the world. But GDPR is not just about massive corporate fines — it is a set of legal rights that every person living in Ireland can use to control how their personal data is collected, stored and shared.
This guide explains your GDPR privacy rights in Ireland in plain English, how to exercise them, what to do when a company ignores you, and how the DPC steps in when things go wrong.
What Is GDPR and How Does It Apply in Ireland?
The General Data Protection Regulation (GDPR) is an EU-wide law that came into force on 25 May 2018. In Ireland, it is implemented alongside the Data Protection Act 2018, which fills in national details such as the age of digital consent (16 in Ireland) and the powers of the DPC.
GDPR applies to any organisation — Irish or foreign — that processes the personal data of people located in Ireland. This includes your bank, employer, GP, local council, online retailers, social media platforms and even small businesses running a mailing list.
Key definitions you should know
- Personal data: Any information relating to an identified or identifiable person — name, email, IP address, PPS number, location, biometric data, even browsing behaviour.
- Data controller: The organisation that decides why and how your data is processed (e.g. your employer).
- Data processor: A third party that processes data on the controller's behalf (e.g. a cloud payroll provider).
- Special category data: Sensitive data like health, race, religion, sexual orientation or trade union membership, which has stronger protections.
Your Eight Core GDPR Rights in Ireland
GDPR gives you eight legally enforceable rights over your personal data. Any organisation processing your data in Ireland must respect these rights, usually within one month of your request.
1. The right to be informed
Before an organisation collects your data, it must tell you who they are, why they need the data, how long they will keep it, who they share it with, and what your rights are. This is usually delivered through a privacy notice on a website or a form.
2. The right of access (Subject Access Request)
You can ask any organisation for a copy of the personal data they hold about you — for free — and they must respond within one month. This is one of the most powerful GDPR tools in Ireland, and one of the most commonly used.
3. The right to rectification
If data about you is inaccurate or incomplete, you can require it to be corrected. This is especially important for medical records, credit files and employment records.
4. The right to erasure ("right to be forgotten")
You can ask an organisation to delete your data when it is no longer necessary, when you withdraw consent, or when it was processed unlawfully. Exceptions apply — for example, Revenue must keep your tax records for statutory periods.
5. The right to restrict processing
You can ask an organisation to pause processing your data while a dispute (such as accuracy) is being resolved.
6. The right to data portability
You can obtain your data in a common, machine-readable format (like CSV or JSON) and move it to another provider. This is particularly relevant for banking, social media and streaming services.
7. The right to object
You can object to processing based on legitimate interests or for direct marketing. If you object to marketing, the organisation must stop immediately — no exceptions.
8. Rights around automated decision-making and profiling
You have the right not to be subject to a decision made purely by an algorithm that significantly affects you (like a loan refusal), without human review.
Quick Reference: Your Rights and Response Times
| Right | What It Does | Response Deadline | Cost |
|---|---|---|---|
| Access | Get a copy of your data | 1 month | Free |
| Rectification | Correct inaccurate data | 1 month | Free |
| Erasure | Delete your data | 1 month | Free |
| Restriction | Pause processing | 1 month | Free |
| Portability | Export your data | 1 month | Free |
| Object | Stop certain processing | Immediate for marketing | Free |
| Automated decisions | Request human review | 1 month | Free |
| Be informed | Receive privacy notice | At collection | Free |
How to Make a GDPR Request in Ireland
Exercising your rights is straightforward. You do not need a solicitor, a fancy template or any legal fees. Here is the process step by step.
- Identify the data controller. Check the organisation's privacy notice — usually linked in the website footer or provided at sign-up. Find the Data Protection Officer (DPO) contact if listed.
- Write a clear request. State your name, contact details, what right you are exercising, and the data or processing you are referring to. Email is fine.
- Prove your identity. The organisation may ask for reasonable ID verification — but they cannot demand excessive documentation.
- Wait one month. They must respond within 30 calendar days. A two-month extension is allowed only for complex requests, and they must tell you why.
- Review the response. Check that it is complete. Missing categories of data, or blanket redactions, are common issues.
- Escalate if needed. If unhappy, complain to the DPC (see below).
Sample subject access request wording
Dear [Company],
Under Article 15 of the GDPR, I am requesting a copy of all personal data you hold about me, including the purposes of processing, categories of data, recipients, retention periods, and the source of the data if not collected from me. My details are: [name, email, account ID].
Please respond within one month. Kind regards, [Your Name].
The Irish Data Protection Commission (DPC)
The DPC, headquartered in Dublin, is Ireland's independent regulator responsible for enforcing GDPR. Because so many global tech companies have their EU headquarters in Ireland, the DPC also acts as "lead supervisory authority" for cross-border complaints across the EU.
What the DPC does
- Handles complaints from individuals in Ireland
- Investigates data breaches and issues fines
- Provides guidance to organisations and the public
- Coordinates with other EU regulators through the European Data Protection Board
How to file a complaint with the DPC
If an organisation ignores your request, gives an inadequate response, or misuses your data, you can lodge a complaint free of charge:
- Try to resolve the issue with the organisation first (the DPC prefers this).
- Gather evidence: your original request, their reply, timestamps, screenshots.
- Submit the complaint via the DPC website (dataprotection.ie) or by post to 21 Fitzwilliam Square South, Dublin 2.
- The DPC will assess, may seek amicable resolution, or launch a formal inquiry.
Recent years have seen the DPC issue record fines — including €1.2 billion against Meta in 2023 and €345 million against TikTok — showing that even the largest processors are held to account.
Common GDPR Scenarios in Ireland
Cookies and website tracking
Under Irish ePrivacy rules, non-essential cookies (analytics, advertising, social media pixels) require your prior, opt-in consent. Pre-ticked boxes, cookie walls and "reject all" buttons hidden behind extra clicks are non-compliant. You can withdraw consent at any time.
Employer monitoring
Your employer can monitor emails or internet use only if they have a lawful basis, have informed you clearly, and the monitoring is proportionate. Blanket surveillance without notice is not lawful in Ireland.
Direct marketing
Companies must have your consent (or a very narrow "soft opt-in" for existing customers) to send marketing emails or SMS. Every message must contain a working unsubscribe link. Cold-calling residential numbers on the National Directory Database opt-out list is illegal.
Data breaches
If a company suffers a breach that poses a risk to you, they must notify the DPC within 72 hours and, in high-risk cases, notify you directly without undue delay. If you never got notified but suspect a breach, you can complain to the DPC.
Practical Ways to Protect Your Privacy Day to Day
GDPR gives you legal rights, but good personal privacy hygiene reduces how much data ends up in someone else's system in the first place. A few habits go a long way:
- Use privacy-respecting browsers like Firefox or Brave, and enable tracker blocking.
- Switch to encrypted DNS (DNS-over-HTTPS) to stop your ISP from logging every domain you visit.
- Review app permissions on your phone monthly — most apps ask for far more than they need.
- Use unique email aliases for signups so you can trace and cut off leaks.
- Be careful with shortened links. When sharing links on social media or in messages, use a reputable service that doesn't harvest click data unnecessarily. Tools like Lunyb offer link shortening with a privacy-first approach — useful when you don't want tracking pixels baked into every URL you share. For a wider look at options, see our 2026 URL shortener buyer's guide or our honest Lunyb review.
- Enable two-factor authentication on email, banking and social accounts.
- Read privacy notices for services you use most — it's tedious, but it tells you what data leaves your device.
GDPR Enforcement: What Happens When Companies Break the Rules
GDPR fines can reach €20 million or 4% of global annual turnover — whichever is higher. But enforcement is not only about money. The DPC can also order a company to stop processing, delete data or change its practices.
| Notable Irish-Led Case | Year | Fine | Issue |
|---|---|---|---|
| Meta (Facebook) | 2023 | €1.2 billion | Unlawful EU–US data transfers |
| TikTok | 2023 | €345 million | Children's data processing |
| Meta (Instagram) | 2022 | €405 million | Teen accounts default settings |
| 2021 | €225 million | Transparency failures |
Special Considerations: Children and GDPR in Ireland
The digital age of consent in Ireland is 16. Below that, a parent or guardian must consent for online services that rely on consent as the legal basis. The DPC's "Fundamentals for a Child-Oriented Approach to Data Processing" also expects platforms to give children a high default level of protection, clear language and strong safeguards against profiling and targeted advertising.
Frequently Asked Questions
Does GDPR apply to small Irish businesses?
Yes. GDPR applies regardless of company size. However, obligations are proportionate — a sole trader with a mailing list has lighter documentation duties than a multinational. Even so, the eight rights above must be respected by every organisation processing personal data.
How long do I have to make a GDPR complaint to the DPC?
There is no strict statutory deadline, but you should complain as soon as reasonably possible after the issue. Long delays can make investigation harder, and the DPC may decline complaints that are extremely stale without good reason.
Can I be charged a fee to access my data?
No. Subject access requests are free. An organisation can only charge a "reasonable fee" if a request is manifestly unfounded or excessive (for example, repeated identical requests), and it must justify the charge.
Does GDPR cover CCTV in shops, workplaces and apartments?
Yes. CCTV that captures identifiable individuals is personal data processing. Operators must display clear signage, have a lawful basis, limit retention (usually 28 days is a benchmark) and respond to access requests for footage of you.
What if a company outside the EU processes my data?
GDPR still applies if the company offers goods or services to people in Ireland or monitors their behaviour. They must appoint an EU representative and comply with GDPR. You can still complain to the DPC.
Is Brexit relevant to my Irish GDPR rights?
Only if your data flows to the UK. The EU currently recognises the UK as offering "adequate" protection, so transfers are allowed, but your Irish GDPR rights continue to apply to how Irish or EU-based controllers handle your data.
Final Thoughts
GDPR gave people in Ireland some of the strongest privacy rights in the world — but rights are only powerful when they are used. Whether it's a subject access request to your bank, a complaint about intrusive cookies, or asking your employer why they log your keystrokes, exercising your rights is free, straightforward and legally protected.
Combine that legal muscle with sensible daily habits — privacy-focused browsers, minimal data sharing, encrypted DNS, careful link handling — and you have a genuinely strong personal privacy posture. The DPC is there when organisations step over the line, and Irish residents should not hesitate to use it.
Protect your links with Lunyb
Create secure, trackable short links and QR codes in seconds.
Get Started FreeRelated Articles
How Canadian Businesses Should Handle Data Privacy in 2026
Canadian businesses face a rapidly evolving privacy landscape shaped by PIPEDA, Quebec Law 25, and pending federal reforms. This comprehensive 2026 guide covers legal obligations, consent, safeguards, breach reporting, and practical steps to build a privacy-first program.
Data Protection Act 2018 Ireland: Complete Guide for Businesses
The Data Protection Act 2018 gives effect to the GDPR in Ireland and sets national rules on consent, enforcement, and sensitive data. This complete guide explains the Act's scope, individual rights, business obligations, and how to stay compliant with the Data Protection Commission in 2026.
ICO Fines 2026: Biggest Data Protection Penalties in the UK
The ICO has issued record-breaking data protection fines in 2026, targeting retailers, adtech firms, healthcare bodies, and public sector organisations. This guide breaks down the biggest penalties, why they were issued, and how UK businesses can stay compliant.
Singapore PDPA: Your Personal Data Protection Rights Explained
A complete guide to your rights under Singapore's Personal Data Protection Act (PDPA) in 2026. Learn how to access, correct, and control your personal data, and what to do when organisations mishandle it.