Skip to content
World Watch/Ireland/Data & Privacy

Data & Privacy ยท Ireland

Data protection & GDPR compliance in Ireland (2026)

Comprehensive lawEU General Data Protection Regulation (GDPR) as given further effect by the Data Protection Act 2018; supervised and enforced by the Data Protection Commission (DPC)Country index 89 ยท A

Ireland shaded by its data & privacy status

Data protection in Ireland: comprehensive law, under EU General Data Protection Regulation (GDPR) as given further effect by the Data Protection Act 2018; supervised and enforced by the Data Protection Commission (DPC).

As an EU member state, Ireland applies the directly-effective GDPR as its comprehensive personal-data protection baseline, supplemented nationally by the Data Protection Act 2018, which gives further effect to the GDPR and transposes the EU Law Enforcement Directive into Irish law. The independent Data Protection Commission, established on 25 May 2018, is the national supervisory authority and also enforces the ePrivacy Regulations 2011. Because many global tech companies have their EU headquarters in Ireland, the DPC acts as the EU Lead Supervisory Authority for them and is one of the most active enforcers in Europe.

GDPR & data protection in Ireland

In Ireland, data protection is governed by the EU General Data Protection Regulation (GDPR), which applies directly and is enforced by the Data Protection Commission (DPC).

Framework
the GDPR (Regulation (EU) 2016/679) plus the national data-protection act
Supervisory authority
the Data Protection Commission (DPC)
Applies to
any organisation processing the personal data of people in Ireland, wherever the organisation is based
Maximum fine
โ‚ฌ20 million or 4% of global annual turnover, whichever is higher
Breach notification
within 72 hours of becoming aware, to the supervisory authority
DPO
required for large-scale monitoring or large-scale special-category processing

The GDPR is bloc-wide; Ireland supplements it with a national data-protection act and its own supervisory authority.

GDPR in Ireland: FAQ

Does the GDPR apply in Ireland?

Yes. As an EU/EEA member, Ireland applies the GDPR (Regulation (EU) 2016/679) directly, enforced by the Data Protection Commission (DPC).

Who enforces data protection law in Ireland?

The Data Protection Commission (DPC).

What are the GDPR fines in Ireland?

Up to โ‚ฌ20 million or 4% of global annual turnover, whichever is higher.

Do you need a Data Protection Officer in Ireland?

A DPO is required where you carry out large-scale monitoring or process special-category data at scale.

How quickly must a data breach be reported in Ireland?

Personal-data breaches must be notified to the supervisory authority within 72 hours of becoming aware.

Key points

Comprehensive GDPR regime

The GDPR applies directly in Ireland and is the comprehensive, omnibus data-protection law. The Data Protection Act 2018 gives it further effect domestically, legislating on the areas where the GDPR allows national derogations.

Supervisory authority

The Data Protection Commission (DPC), established under the Data Protection Act 2018 (in force 25 May 2018), is Ireland's independent national supervisory authority responsible for upholding individuals' data-protection rights and enforcing GDPR.

Law Enforcement Directive transposed

The Act also transposes the EU Law Enforcement Directive (LED) into Irish law, governing personal-data processing for the prevention, investigation, detection or prosecution of criminal offences, where the GDPR does not apply.

ePrivacy / cookies rules

Electronic communications privacy and cookies are governed by S.I. No. 336/2011 (the ePrivacy Regulations), also enforced by the DPC. Cookies generally require GDPR-standard consent unless strictly necessary to deliver a user-requested service (Reg. 5(3) and 5(5)).

EU Lead Supervisory Authority role

Under Article 56 GDPR's one-stop-shop, the DPC is the Lead Supervisory Authority for many major tech firms headquartered in Ireland, coordinating cross-border enforcement with peer EU/EEA authorities and the EDPB.

Active enforcement record

The DPC has imposed major fines, including โ‚ฌ530m on TikTok (May 2025) for unlawful EEA-to-China data transfers under Art. 46(1)/Art. 13(1)(f), โ‚ฌ310m on LinkedIn (Oct 2024) and โ‚ฌ251m and โ‚ฌ91m on Meta (Dec/Sep 2024).

Timeline - major decisions & events

May 2, 2025enforcementofficial
DPC fines TikTok โ‚ฌ530 million over EEA data transfers to China

The DPC fined TikTok โ‚ฌ530m and ordered corrective measures for unlawfully transferring EEA user data to China without ensuring EU-equivalent protection; TikTok appealed and the High Court stayed the decision on 2025-11-14 pending the outcome.

Data Protection Commission โ†—
Apr 11, 2025enforcementofficial
DPC opens inquiry into X over Grok AI training

The DPC launched a Section 110 inquiry into X Internet Unlimited Company over whether EU/EEA users' public posts were lawfully processed to train its Grok LLMs, a landmark probe of generative-AI training data.

Data Protection Commission โ†—
Dec 17, 2024enforcementofficial
DPC fines Meta โ‚ฌ251 million over 2018 Facebook breach

The DPC concluded inquiries into the September 2018 'View As' token breach affecting ~29 million accounts globally, fining Meta โ‚ฌ251m for security and breach-notification failings under the GDPR.

Data Protection Commission โ†—
Sep 27, 2024enforcementofficial
DPC fines Meta โ‚ฌ91 million over insecure password storage

Following a 2019 inquiry, the DPC fined Meta โ‚ฌ91m for storing user passwords in plaintext, breaching GDPR obligations on technical/organisational security measures and confidentiality.

Data Protection Commission โ†—
May 22, 2023enforcementofficial
DPC fines Meta โ‚ฌ1.2 billion and halts US data transfers

The DPC issued the largest-ever GDPR fine, โ‚ฌ1.2bn, plus suspension and cessation orders against Meta for transferring EU data to the US under SCCs that failed the Schrems II standard.

Data Protection Commission โ†—
Jan 4, 2023decisionofficial
DPC fines Meta โ‚ฌ390 million over ad legal basis

After an EDPB binding decision overrode the DPC's draft, Meta was fined โ‚ฌ390m for unlawfully relying on 'contract' as the legal basis for behavioural advertising on Facebook and Instagram, breaching Article 6 GDPR.

Data Protection Commission โ†—
Sep 15, 2022enforcementofficial
DPC fines Instagram โ‚ฌ405 million over children's data

The DPC's then-largest fine penalised Meta's Instagram for exposing children's email addresses/phone numbers via business accounts and public-by-default settings for teen accounts.

Data Protection Commission โ†—
Jul 16, 2020decisionofficial
CJEU Schrems II judgment (C-311/18)

Arising from a complaint to the Irish DPC, the CJEU invalidated the EU-US Privacy Shield and tightened conditions on Standard Contractual Clauses, reshaping how Ireland-based tech firms transfer data abroad.

Data Protection Commission โ†—
May 24, 2018lawofficial
Data Protection Act 2018 enacted; DPC established

Signed into law to give further effect to the GDPR (applicable 25 May 2018) and transpose the Law Enforcement Directive, the Act replaced the Data Protection Commissioner with the multi-member Data Protection Commission.

Irish Statute Book โ†—
Oct 6, 2015decisionofficial
CJEU Schrems I invalidates Safe Harbour (C-362/14)

Following Max Schrems' complaint to the Irish Data Protection Commissioner over Facebook transfers, the CJEU struck down the EU-US Safe Harbour framework, establishing Ireland as the front line of transatlantic data-transfer disputes.

CJEU โ†—
Apr 10, 2003lawofficial
Data Protection (Amendment) Act 2003

Transposed the 1995 EU Data Protection Directive into Irish law, modernising the 1988 regime with eight core principles covering fair processing, purpose limitation, security and data-subject access.

Irish Statute Book โ†—
Jul 13, 1988lawofficial
Data Protection Act 1988, Ireland's first privacy law

Ireland's foundational data-protection statute, enabling ratification of the Council of Europe Convention 108, introducing data-handling principles and creating the Office of the Data Protection Commissioner (1989).

Irish Statute Book โ†—

Ireland - other topics

Data & Privacy in other countries

Last verified 5/23/2026 ยท Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite ยท Explore the full world map โ†’