Data & Privacy ยท Ireland
Data protection & GDPR compliance in Ireland (2026)
Ireland shaded by its data & privacy status
Data protection in Ireland: comprehensive law, under EU General Data Protection Regulation (GDPR) as given further effect by the Data Protection Act 2018; supervised and enforced by the Data Protection Commission (DPC).
As an EU member state, Ireland applies the directly-effective GDPR as its comprehensive personal-data protection baseline, supplemented nationally by the Data Protection Act 2018, which gives further effect to the GDPR and transposes the EU Law Enforcement Directive into Irish law. The independent Data Protection Commission, established on 25 May 2018, is the national supervisory authority and also enforces the ePrivacy Regulations 2011. Because many global tech companies have their EU headquarters in Ireland, the DPC acts as the EU Lead Supervisory Authority for them and is one of the most active enforcers in Europe.
GDPR & data protection in Ireland
In Ireland, data protection is governed by the EU General Data Protection Regulation (GDPR), which applies directly and is enforced by the Data Protection Commission (DPC).
- Framework
- the GDPR (Regulation (EU) 2016/679) plus the national data-protection act
- Supervisory authority
- the Data Protection Commission (DPC)
- Applies to
- any organisation processing the personal data of people in Ireland, wherever the organisation is based
- Maximum fine
- โฌ20 million or 4% of global annual turnover, whichever is higher
- Breach notification
- within 72 hours of becoming aware, to the supervisory authority
- DPO
- required for large-scale monitoring or large-scale special-category processing
The GDPR is bloc-wide; Ireland supplements it with a national data-protection act and its own supervisory authority.
GDPR in Ireland: FAQ
Yes. As an EU/EEA member, Ireland applies the GDPR (Regulation (EU) 2016/679) directly, enforced by the Data Protection Commission (DPC).
The Data Protection Commission (DPC).
Up to โฌ20 million or 4% of global annual turnover, whichever is higher.
A DPO is required where you carry out large-scale monitoring or process special-category data at scale.
Personal-data breaches must be notified to the supervisory authority within 72 hours of becoming aware.
Key points
The GDPR applies directly in Ireland and is the comprehensive, omnibus data-protection law. The Data Protection Act 2018 gives it further effect domestically, legislating on the areas where the GDPR allows national derogations.
The Data Protection Commission (DPC), established under the Data Protection Act 2018 (in force 25 May 2018), is Ireland's independent national supervisory authority responsible for upholding individuals' data-protection rights and enforcing GDPR.
The Act also transposes the EU Law Enforcement Directive (LED) into Irish law, governing personal-data processing for the prevention, investigation, detection or prosecution of criminal offences, where the GDPR does not apply.
Electronic communications privacy and cookies are governed by S.I. No. 336/2011 (the ePrivacy Regulations), also enforced by the DPC. Cookies generally require GDPR-standard consent unless strictly necessary to deliver a user-requested service (Reg. 5(3) and 5(5)).
Under Article 56 GDPR's one-stop-shop, the DPC is the Lead Supervisory Authority for many major tech firms headquartered in Ireland, coordinating cross-border enforcement with peer EU/EEA authorities and the EDPB.
The DPC has imposed major fines, including โฌ530m on TikTok (May 2025) for unlawful EEA-to-China data transfers under Art. 46(1)/Art. 13(1)(f), โฌ310m on LinkedIn (Oct 2024) and โฌ251m and โฌ91m on Meta (Dec/Sep 2024).
Timeline - major decisions & events
The DPC fined TikTok โฌ530m and ordered corrective measures for unlawfully transferring EEA user data to China without ensuring EU-equivalent protection; TikTok appealed and the High Court stayed the decision on 2025-11-14 pending the outcome.
Data Protection Commission โThe DPC launched a Section 110 inquiry into X Internet Unlimited Company over whether EU/EEA users' public posts were lawfully processed to train its Grok LLMs, a landmark probe of generative-AI training data.
Data Protection Commission โThe DPC concluded inquiries into the September 2018 'View As' token breach affecting ~29 million accounts globally, fining Meta โฌ251m for security and breach-notification failings under the GDPR.
Data Protection Commission โFollowing a 2019 inquiry, the DPC fined Meta โฌ91m for storing user passwords in plaintext, breaching GDPR obligations on technical/organisational security measures and confidentiality.
Data Protection Commission โThe DPC issued the largest-ever GDPR fine, โฌ1.2bn, plus suspension and cessation orders against Meta for transferring EU data to the US under SCCs that failed the Schrems II standard.
Data Protection Commission โAfter an EDPB binding decision overrode the DPC's draft, Meta was fined โฌ390m for unlawfully relying on 'contract' as the legal basis for behavioural advertising on Facebook and Instagram, breaching Article 6 GDPR.
Data Protection Commission โThe DPC's then-largest fine penalised Meta's Instagram for exposing children's email addresses/phone numbers via business accounts and public-by-default settings for teen accounts.
Data Protection Commission โArising from a complaint to the Irish DPC, the CJEU invalidated the EU-US Privacy Shield and tightened conditions on Standard Contractual Clauses, reshaping how Ireland-based tech firms transfer data abroad.
Data Protection Commission โSigned into law to give further effect to the GDPR (applicable 25 May 2018) and transpose the Law Enforcement Directive, the Act replaced the Data Protection Commissioner with the multi-member Data Protection Commission.
Irish Statute Book โFollowing Max Schrems' complaint to the Irish Data Protection Commissioner over Facebook transfers, the CJEU struck down the EU-US Safe Harbour framework, establishing Ireland as the front line of transatlantic data-transfer disputes.
CJEU โTransposed the 1995 EU Data Protection Directive into Irish law, modernising the 1988 regime with eight core principles covering fair processing, purpose limitation, security and data-subject access.
Irish Statute Book โIreland's foundational data-protection statute, enabling ratification of the Council of Europe Convention 108, introducing data-handling principles and creating the Office of the Data Protection Commissioner (1989).
Irish Statute Book โIreland - other topics
Data & Privacy in other countries
Last verified 5/23/2026 ยท Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite ยท Explore the full world map โ