facebook-pixel

GDPR in Ireland: Your Privacy Rights Explained

L
Lunyb Security Team
··11 min read

Ireland occupies a unique position in the European data protection landscape. As the European headquarters for Meta, Google, Apple, Microsoft, TikTok, and countless other tech giants, the Irish Data Protection Commission (DPC) is effectively the lead supervisory authority for a huge portion of the digital services used across the EU. That means understanding your GDPR privacy rights in Ireland is not just a matter of local law — it shapes how billions of people interact with technology every day.

This guide breaks down what the General Data Protection Regulation (GDPR) means for people living in Ireland, what rights you can exercise, how the Irish Data Protection Act 2018 fits in, and what to do if a company mishandles your personal information.

What Is GDPR and How Does It Apply in Ireland?

The General Data Protection Regulation (GDPR) is an EU-wide law that governs how organisations collect, store, use, and share personal data. It came into force on 25 May 2018 and applies directly in Ireland alongside the Data Protection Act 2018, which tailors certain provisions to Irish national context.

GDPR applies to any organisation — public or private, based in Ireland or abroad — that processes the personal data of people located in the EU. "Personal data" is defined broadly: it includes names, email addresses, phone numbers, IP addresses, location data, biometric information, health records, and even online identifiers like cookie IDs.

The Role of the Data Protection Commission (DPC)

Ireland's Data Protection Commission, based in Dublin and Portarlington, is the national supervisory authority responsible for enforcing GDPR. Because so many multinational tech companies have their EU headquarters in Ireland, the DPC often acts as the lead regulator under GDPR's "one-stop-shop" mechanism, coordinating cross-border investigations with other EU data protection authorities.

The DPC has issued some of the largest fines in GDPR history, including a €1.2 billion penalty against Meta in 2023 for unlawful data transfers to the United States and a €345 million fine against TikTok for children's data violations.

Your Eight Core GDPR Rights in Ireland

GDPR grants every person in Ireland eight fundamental rights over their personal data. These rights apply whether the data controller is a small local business, a state body, or a global platform.

1. The Right to Be Informed

Organisations must clearly tell you what personal data they collect, why they collect it, how long they'll keep it, who they share it with, and the legal basis for processing. This is typically delivered through a privacy notice or policy, which should be written in plain language.

2. The Right of Access

You can ask any organisation for a copy of the personal data they hold about you. This is known as a Subject Access Request (SAR). The organisation must respond within one month and in most cases cannot charge a fee.

3. The Right to Rectification

If personal data held about you is inaccurate or incomplete, you can request that it be corrected or updated without undue delay.

4. The Right to Erasure ("Right to Be Forgotten")

You can request deletion of your personal data in certain circumstances — for example, when the data is no longer necessary for the purpose it was collected, when you withdraw consent, or when the data was processed unlawfully.

5. The Right to Restrict Processing

You can ask an organisation to pause processing your data while a dispute is being resolved, such as when you contest the accuracy of the data or object to its use.

6. The Right to Data Portability

You can request your personal data in a structured, commonly used, machine-readable format and transfer it to another service provider. This is especially relevant for switching banks, mobile operators, or social media platforms.

7. The Right to Object

You have the right to object to certain types of processing, particularly direct marketing, profiling, and processing based on legitimate interests or public task.

8. Rights Related to Automated Decision-Making

You have the right not to be subject to purely automated decisions — including profiling — that produce legal or similarly significant effects on you, unless specific safeguards are in place.

Legal Bases for Processing Personal Data

Under GDPR, organisations cannot process your data just because they want to. They must rely on one of six legal bases, and they must tell you which one applies.

Legal BasisWhen It AppliesExample in Ireland
ConsentYou have given clear, freely given permissionSigning up for a newsletter from an Irish retailer
ContractProcessing is necessary to fulfil a contractProviding your address to An Post for delivery
Legal ObligationRequired by Irish or EU lawRevenue Commissioners processing PAYE data
Vital InterestsTo protect someone's lifeSharing medical data in an emergency
Public TaskCarried out in the public interestHSE processing data for public health
Legitimate InterestsNecessary for the organisation's interests, balanced against yoursFraud prevention by an Irish bank

How to Make a Subject Access Request (SAR)

A Subject Access Request is one of the most powerful tools GDPR gives you. Here's how to make one effectively in Ireland:

  1. Identify the data controller. This is the organisation that decides why and how your data is processed — usually the company you interacted with.
  2. Find their contact point. Look for a Data Protection Officer (DPO) or a privacy contact address in the company's privacy policy.
  3. Submit your request in writing. Email is fine. State clearly that you are making a Subject Access Request under Article 15 of GDPR.
  4. Provide proof of identity if requested. The organisation can ask for reasonable verification to prevent data being disclosed to the wrong person.
  5. Wait up to one month. The controller must respond within 30 days. This can be extended by two additional months for complex requests, but they must tell you why.
  6. Review the response. If it's incomplete or refused without valid grounds, you can escalate to the DPC.

Special Categories of Data and Extra Protections

Some categories of personal data are considered particularly sensitive and receive extra protection under GDPR Article 9. These include:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic and biometric data
  • Health data
  • Sex life or sexual orientation

Processing this type of data is prohibited unless a specific exception applies — for example, explicit consent, employment law obligations, or medical necessity. In Ireland, the Data Protection Act 2018 sets out further conditions for processing sensitive data, particularly in the health, employment, and law enforcement contexts.

Children's Data and the Digital Age of Consent

Ireland has set the digital age of consent at 16, which is the highest permitted under GDPR. This means that online services relying on consent as their legal basis must obtain parental authorisation for children under 16.

The DPC has published a Fundamentals for a Child-Oriented Approach to Data Processing, which requires online services likely to be accessed by children to implement age-appropriate design, high default privacy settings, and clear, child-friendly transparency notices. This has been a major focus of enforcement, particularly against social media and gaming platforms.

Data Breaches: What You Should Expect

If an organisation suffers a personal data breach that is likely to result in a risk to your rights and freedoms, they must:

  1. Notify the Data Protection Commission within 72 hours of becoming aware of the breach.
  2. Notify affected individuals without undue delay if the risk is high — for example, if financial data, passwords, or ID documents were exposed.
  3. Document the breach internally, including the facts, effects, and remedial action taken.

If you receive a breach notification, take it seriously: change passwords, enable two-factor authentication, monitor bank statements, and consider what other accounts might be affected by credential reuse.

Filing a Complaint with the Data Protection Commission

If you believe an organisation has mishandled your personal data or failed to respond adequately to a rights request, you can lodge a complaint with the DPC. The process is free and can be done online.

Steps to Filing a Complaint

  1. Try to resolve the issue directly with the organisation first. Keep a written record of your correspondence.
  2. Gather supporting documentation — copies of emails, screenshots, privacy notices, and any responses received.
  3. Submit your complaint via the DPC's online form at dataprotection.ie, or by post to their offices.
  4. The DPC will assess whether to open an inquiry, attempt amicable resolution, or issue a formal decision.

You also have the right to seek a judicial remedy in the Irish courts and can claim compensation for material or non-material damage caused by a GDPR infringement.

Practical Steps to Protect Your Privacy Online

Knowing your rights is only half the battle. Practical everyday habits go a long way toward keeping your personal data safe.

Minimise the Data You Share

Before filling in a form, ask yourself whether every field is truly necessary. Under GDPR's data minimisation principle, organisations should only collect what they need — if a field is optional, consider leaving it blank.

Use Privacy-Focused Tools

Modern privacy hygiene includes encrypted messaging apps, privacy-respecting search engines, encrypted DNS services, and browsers with strong tracker blocking. When sharing links — particularly on social media or in email campaigns — a privacy-conscious URL shortener like Lunyb lets you create clean, trackable short links without embedding invasive third-party analytics on the people who click them. You can learn more in our honest review of Lunyb or compare options in our 2026 URL shortener buyer's guide.

Review App and Cookie Permissions

Cookie banners on Irish websites must offer a genuine choice — "Reject All" should be as easy to click as "Accept All." The DPC has enforced this repeatedly, so exercise your right to refuse non-essential cookies.

Monitor Your Digital Footprint

Periodically search for your own name, review what accounts you have open, and delete services you no longer use. Every dormant account is a potential breach exposure.

GDPR Enforcement Trends in Ireland

Since 2018, the DPC has become one of the most active data protection regulators in Europe, particularly for cross-border cases involving Big Tech. Notable enforcement themes include:

  • International data transfers — particularly EU-US transfers following the Schrems II ruling.
  • Transparency failures — vague or incomplete privacy notices.
  • Children's data — default privacy settings and age assurance.
  • Legal basis for advertising — challenges to "legitimate interests" and "contractual necessity" as bases for personalised ads.

These enforcement actions have real-world impact: they've forced changes to how consent banners work, how data is transferred across borders, and how platforms design services for younger users.

Frequently Asked Questions

Is GDPR still relevant in Ireland after Brexit?

Yes. Brexit affected the UK, not Ireland. Ireland remains a full EU member state, so GDPR applies in exactly the same way it did before 2020. If anything, Ireland's role has grown, since many companies moved their EU operations from London to Dublin.

How much does it cost to make a Subject Access Request or file a DPC complaint?

Both are free. Organisations can only charge a "reasonable fee" for a SAR if the request is manifestly unfounded, excessive, or if you're asking for additional copies. Filing a complaint with the Data Protection Commission is always free.

Can I claim compensation for a GDPR breach in Ireland?

Yes. Article 82 of GDPR allows you to seek compensation for both material damage (financial loss) and non-material damage (distress, anxiety) caused by an infringement. Claims are typically made in the Circuit Court or High Court, depending on the amount sought. Recent Irish case law has clarified that mere annoyance is not enough — you need to demonstrate a genuine impact.

What's the difference between a data controller and a data processor?

The data controller decides why and how personal data is processed and bears primary responsibility under GDPR. A data processor acts on the controller's instructions — for example, a cloud hosting provider storing customer data on behalf of an Irish retailer. Both have obligations, but your rights are usually exercised against the controller.

How long does an organisation have to keep my personal data?

Only as long as necessary for the purpose it was collected, or as required by law. There is no single retention period under GDPR — it depends on the context. Employment records, tax records, and medical records all have different statutory retention periods under Irish law. Organisations must publish their retention policies in their privacy notices.

Conclusion

GDPR gives people in Ireland genuine, enforceable control over their personal data — but those rights only matter if you use them. Whether it's submitting a Subject Access Request, objecting to marketing profiling, rejecting non-essential cookies, or lodging a complaint with the DPC, every action reinforces the culture of accountability that GDPR was designed to build.

Ireland's position as the European regulatory home for the world's largest tech companies means that the decisions made in Dublin ripple across the entire EU. Staying informed about your rights — and exercising them — is one of the most practical contributions you can make to a healthier digital ecosystem.

Protect your links with Lunyb

Create secure, trackable short links and QR codes in seconds.

Get Started Free

Related Articles