European Union · updated 2026-06-15
Ireland
Ireland is lead authority for most US tech giants' EU operations, so DPC decisions (Meta's €1.2B transfer fine) set the rules everyone else follows. If you incorporate your EU entity here, the DPC becomes your one-stop-shop regulator.
- Law:
- GDPR + Data Protection Act 2018 + ePrivacy Regulations 2011
- Regulator:
- Data Protection Commission (DPC)
Cookie consent
Opt-in required
Breach deadline
72 hours
DPA with vendors
Required
Max fine
€20,000,000 or 4% of global annual revenue, whichever is higher
What Ireland requires
Compliance items with their statutory basis. Stamps mark whether each applies to every business or only above certain thresholds.
-
Privacy policy
Art. 13–14 GDPREnglish-language privacy notice covering identity, purposes, legal bases, recipients, retention, transfers, and rights, naming the DPC as complaint authority.
How to implement Ireland is the easiest EU jurisdiction for anglophone startups: one clear English policy at /privacy satisfies the transparency duty. Follow the DPC's transparency guidance on layering.
Required -
Cookie consent banner
S.I. 336/2011Prior opt-in consent for analytics and marketing cookies, with rejection available and tags blocked until consent.
How to implement The DPC's 2020 sweep found 90%+ of Irish sites non-compliant and published exactly what it checks: pre-ticked boxes, implied consent, and missing reject options. Configure your CMP against that list.
Required -
Records of processing (ROPA)
Art. 30 GDPRRegister of processing activities; the first artefact requested in a DPC inquiry.
How to implement Maintain per-product ROPA entries. If Ireland is your EU main establishment, your ROPA underpins the one-stop-shop claim — keep it audit-ready.
Required -
Data protection officer
Art. 37 GDPRMandatory at GDPR-baseline thresholds; notify the DPC of the appointment.
How to implement File the DPO notification form on dataprotection.ie and publish contact details in your policy.
Conditional -
Breach notification process
Art. 33–34 GDPR72-hour DPC notification plus individual notification for high-risk breaches.
How to implement The DPC's online form asks for containment measures and affected-user counts — keep an incident template with those fields pre-structured.
Required -
Children's data safeguards
DPC Fundamentals 2021Ireland's 'Fundamentals for a Child-Oriented Approach' impose design duties when a service is likely accessed by under-18s. Digital age of consent is 16.
How to implement If minors plausibly use your product, default to high privacy settings, avoid profiling children, and verify age proportionately — the Instagram and TikTok fines both started here.
Conditional
The details
- Cookie consent
- S.I. 336/2011 (ePrivacy Regulations) requires opt-in consent for non-essential cookies. The DPC's 2020 cookie guidance requires prior blocking, no pre-ticked boxes, and rejects implied consent from banners like 'by continuing you agree'.
- Data Protection Officer
- GDPR baseline thresholds. The DPC expects appointment for large-scale tracking or health data, and runs a DPO notification form on its website.
- Processing agreements
- Art. 28 GDPR processor contracts required. DPC inquiries into platforms routinely examine the full processor chain, so keep your vendor DPA inventory current.
- Breach notification
- Notify the DPC via its web form within 72 hours of awareness; the DPC publishes breach statistics and treats repeated late filing as an aggravating factor.
- Enforcement in practice
- The DPC fined Meta €1.2B in 2023 over EU-US data transfers — the largest GDPR fine ever — plus €405M against Instagram over children's data.
Data subject rights
What users can demand from you in Ireland, and the engineering that satisfies each right.
Right to access
Art. 15 GDPRCopy of personal data and processing details within one month.
Access requests are the DPC's largest complaint category. Track deadlines; one extension of two months is allowed for complex requests if you notify the requester within the first month.
Right to erasure
Art. 17 GDPRDeletion when data is no longer necessary or consent withdrawn.
Cover production, backups, and processors; Irish company law requires 6-year retention of accounting records — document the exemption.
Right to data portability
Art. 20 GDPRMachine-readable export of user-provided data.
JSON/CSV export endpoint for consent- and contract-based data.
Right to rectification
Art. 16 GDPRCorrection of inaccurate personal data.
Self-service edits plus a support path.
Right to restrict processing & to object
Art. 18, 21 GDPRFreeze during disputes; absolute objection to direct marketing.
Immediate suppression for marketing objections; Ireland also has S.I. 336/2011 rules on unsolicited email requiring opt-in or existing-customer soft opt-in.
Automated decision-making
Art. 22 GDPRProtection against solely automated significant decisions.
Disclose automated logic in your policy and provide a human-review channel; DPC platform inquiries examine ad-targeting and feed-ranking under this lens.
Tools that cover Ireland
Services we'd shortlist for this jurisdiction. Links may be affiliate links.
-
compliance suite
OneTrust
Widely used by Irish-headquartered tech companies for consent, ROPA, and DPIA workflows at scale.
Visit OneTrust → -
cookie consent
Cookiebot
CMP preset matching DPC cookie guidance, including prior blocking and granular toggles.
Visit Cookiebot → -
privacy policy
iubenda
English-language policy generator with DPC-appropriate transparency layering.
Visit iubenda →
Frequently asked questions
If my EU entity is in Ireland, do other EU regulators leave me alone?
Mostly, for GDPR matters — the one-stop-shop makes the DPC your lead authority, provided Ireland is genuinely your main establishment (real decision-making, not a mailbox). But cookie/ePrivacy enforcement stays national: France's CNIL can still fine you directly over your banner.
What is Ireland's digital age of consent?
16 — the GDPR maximum. Consent-based services need parental consent for under-16s, and the DPC's children's Fundamentals apply whenever minors are likely users.
Is Ireland a lenient regulator?
Not anymore. After early criticism, the DPC has issued several of the largest fines in GDPR history (Meta €1.2B, Instagram €405M, WhatsApp €225M). For startups its approach is guidance-first, but ignoring an inquiry escalates quickly.
Does Irish law add anything on top of GDPR I should know?
The Data Protection Act 2018 sets the digital age of consent at 16, creates offences for re-identifying de-identified data, and gives the DPC broad inquiry powers. For most SaaS teams the practical add-on is the children's Fundamentals guidance.
Similar jurisdictions
Free download
Get GDPR updates for Ireland
A one-page privacy audit checklist covering the requirements that regulators actually fine for — cookie consent, breach runbooks, DPAs, and data subject request handling. We email occasional updates when the law changes; unsubscribe anytime.
No spam. Unsubscribe anytime — we practice what we document.