Skip to content
GDPR by Law

European Union · updated 2026-06-15

Ireland

Conditional

Ireland is lead authority for most US tech giants' EU operations, so DPC decisions (Meta's €1.2B transfer fine) set the rules everyone else follows. If you incorporate your EU entity here, the DPC becomes your one-stop-shop regulator.

Law:
GDPR + Data Protection Act 2018 + ePrivacy Regulations 2011
Regulator:
Data Protection Commission (DPC)

Cookie consent

Opt-in required

Breach deadline

72 hours

DPA with vendors

Required

Max fine

€20,000,000 or 4% of global annual revenue, whichever is higher

What Ireland requires

Compliance items with their statutory basis. Stamps mark whether each applies to every business or only above certain thresholds.

  1. Privacy policy

    Art. 13–14 GDPR

    English-language privacy notice covering identity, purposes, legal bases, recipients, retention, transfers, and rights, naming the DPC as complaint authority.

    How to implement Ireland is the easiest EU jurisdiction for anglophone startups: one clear English policy at /privacy satisfies the transparency duty. Follow the DPC's transparency guidance on layering.

    Required
  2. Cookie consent banner

    S.I. 336/2011

    Prior opt-in consent for analytics and marketing cookies, with rejection available and tags blocked until consent.

    How to implement The DPC's 2020 sweep found 90%+ of Irish sites non-compliant and published exactly what it checks: pre-ticked boxes, implied consent, and missing reject options. Configure your CMP against that list.

    Required
  3. Records of processing (ROPA)

    Art. 30 GDPR

    Register of processing activities; the first artefact requested in a DPC inquiry.

    How to implement Maintain per-product ROPA entries. If Ireland is your EU main establishment, your ROPA underpins the one-stop-shop claim — keep it audit-ready.

    Required
  4. Data protection officer

    Art. 37 GDPR

    Mandatory at GDPR-baseline thresholds; notify the DPC of the appointment.

    How to implement File the DPO notification form on dataprotection.ie and publish contact details in your policy.

    Conditional
  5. Breach notification process

    Art. 33–34 GDPR

    72-hour DPC notification plus individual notification for high-risk breaches.

    How to implement The DPC's online form asks for containment measures and affected-user counts — keep an incident template with those fields pre-structured.

    Required
  6. Children's data safeguards

    DPC Fundamentals 2021

    Ireland's 'Fundamentals for a Child-Oriented Approach' impose design duties when a service is likely accessed by under-18s. Digital age of consent is 16.

    How to implement If minors plausibly use your product, default to high privacy settings, avoid profiling children, and verify age proportionately — the Instagram and TikTok fines both started here.

    Conditional

The details

Cookie consent
S.I. 336/2011 (ePrivacy Regulations) requires opt-in consent for non-essential cookies. The DPC's 2020 cookie guidance requires prior blocking, no pre-ticked boxes, and rejects implied consent from banners like 'by continuing you agree'.
Data Protection Officer
GDPR baseline thresholds. The DPC expects appointment for large-scale tracking or health data, and runs a DPO notification form on its website.
Processing agreements
Art. 28 GDPR processor contracts required. DPC inquiries into platforms routinely examine the full processor chain, so keep your vendor DPA inventory current.
Breach notification
Notify the DPC via its web form within 72 hours of awareness; the DPC publishes breach statistics and treats repeated late filing as an aggravating factor.
Enforcement in practice
The DPC fined Meta €1.2B in 2023 over EU-US data transfers — the largest GDPR fine ever — plus €405M against Instagram over children's data.

Data subject rights

What users can demand from you in Ireland, and the engineering that satisfies each right.

Right to access

Art. 15 GDPR

Copy of personal data and processing details within one month.

Access requests are the DPC's largest complaint category. Track deadlines; one extension of two months is allowed for complex requests if you notify the requester within the first month.

Right to erasure

Art. 17 GDPR

Deletion when data is no longer necessary or consent withdrawn.

Cover production, backups, and processors; Irish company law requires 6-year retention of accounting records — document the exemption.

Right to data portability

Art. 20 GDPR

Machine-readable export of user-provided data.

JSON/CSV export endpoint for consent- and contract-based data.

Right to rectification

Art. 16 GDPR

Correction of inaccurate personal data.

Self-service edits plus a support path.

Right to restrict processing & to object

Art. 18, 21 GDPR

Freeze during disputes; absolute objection to direct marketing.

Immediate suppression for marketing objections; Ireland also has S.I. 336/2011 rules on unsolicited email requiring opt-in or existing-customer soft opt-in.

Automated decision-making

Art. 22 GDPR

Protection against solely automated significant decisions.

Disclose automated logic in your policy and provide a human-review channel; DPC platform inquiries examine ad-targeting and feed-ranking under this lens.

Tools that cover Ireland

Services we'd shortlist for this jurisdiction. Links may be affiliate links.

  • compliance suite

    OneTrust

    Widely used by Irish-headquartered tech companies for consent, ROPA, and DPIA workflows at scale.

    Visit OneTrust →
  • cookie consent

    Cookiebot

    CMP preset matching DPC cookie guidance, including prior blocking and granular toggles.

    Visit Cookiebot →
  • privacy policy

    iubenda

    English-language policy generator with DPC-appropriate transparency layering.

    Visit iubenda →

Frequently asked questions

If my EU entity is in Ireland, do other EU regulators leave me alone?

Mostly, for GDPR matters — the one-stop-shop makes the DPC your lead authority, provided Ireland is genuinely your main establishment (real decision-making, not a mailbox). But cookie/ePrivacy enforcement stays national: France's CNIL can still fine you directly over your banner.

What is Ireland's digital age of consent?

16 — the GDPR maximum. Consent-based services need parental consent for under-16s, and the DPC's children's Fundamentals apply whenever minors are likely users.

Is Ireland a lenient regulator?

Not anymore. After early criticism, the DPC has issued several of the largest fines in GDPR history (Meta €1.2B, Instagram €405M, WhatsApp €225M). For startups its approach is guidance-first, but ignoring an inquiry escalates quickly.

Does Irish law add anything on top of GDPR I should know?

The Data Protection Act 2018 sets the digital age of consent at 16, creates offences for re-identifying de-identified data, and gives the DPC broad inquiry powers. For most SaaS teams the practical add-on is the children's Fundamentals guidance.

Similar jurisdictions

Free download

Get GDPR updates for Ireland

A one-page privacy audit checklist covering the requirements that regulators actually fine for — cookie consent, breach runbooks, DPAs, and data subject request handling. We email occasional updates when the law changes; unsubscribe anytime.

No spam. Unsubscribe anytime — we practice what we document.