Your Rights Under GDPR and the Data Protection Act 2018 (Ireland)

Source: EU General Data Protection Regulation (Regulation 2016/679); Data Protection Act 2018; ePrivacy Regulations 2011 (S.I. 336/2011); Data Protection Commission (DPC).

Sourced from Irish Acts of the Oireachtas, statutory instruments, and official guidance. Written in plain language for general understanding — this is educational content, not legal advice.

Irish National Law

What is this right?

Ireland operates under the EU General Data Protection Regulation (GDPR) as supplemented by the Data Protection Act 2018. Data-subject rights: access (Article 15), rectification (16), erasure / right to be forgotten (17), restriction (18), portability (20), objection (21), and not to be subject to automated decision-making (22). The regulator is the Data Protection Commission (DPC) — one of the most active GDPR regulators in the EU and lead supervisory authority for many US tech multinationals headquartered in Dublin (Meta, Google, TikTok, Microsoft, Apple).

Administrative fines: up to €20 million or 4% of annual global turnover, whichever is higher (GDPR Article 83). The DPC has imposed multi-hundred-million-euro fines under GDPR.

When does it apply?

  • A company in Ireland, or one processing your data, refuses to disclose, correct, or delete it.
  • You withdraw consent but processing continues.
  • You are a victim of a data breach.
  • A bank, telecom, hospital, or public body discloses your personal data without lawful basis.
  • You receive direct marketing without consent (ePrivacy Regulations 2011).
  • You wish to object to profiling or automated decision-making.

Using Your Rights Under GDPR

  1. Send a written subject access request (SAR) or other rights request to the controller. One-month response window under GDPR Article 12.
  2. If the controller refuses or doesn't respond, complain to the DPC at dataprotection.ie. Free; the DPC can investigate and impose corrective measures.
  3. For banking data, lodge an FSPO complaint alongside the DPC complaint. Both routes can run in parallel.
  4. For damages, pursue civil litigation under GDPR Article 82. Compensation covers material and non-material damage.

What should you NOT do?

  • Don't skip the controller's internal channel. The DPC expects you to have raised the matter with the controller first.
  • Don't provide more identifying information than necessary.
  • Don't pay 'GDPR-removal services' upfront. Statutory channels are free.
  • Don't miss the controller's one-month response window — escalate to DPC when it expires.

Common Questions

What's the DPC's response time?

The Data Protection Commission's complaint-handling timeline depends on case complexity. Initial acknowledgment is typically within 30 days; full investigation can take months for complex cases. For breaches involving cross-border processing (where Ireland is the lead supervisory authority for the EU), the One-Stop-Shop mechanism applies and timelines can extend significantly.

Can I claim compensation for a data breach?

Yes — Article 82 GDPR gives any person who has suffered material or non-material damage as a result of a GDPR infringement the right to receive compensation from the controller or processor. Damages claims proceed via the civil courts. The Court of Justice of the EU has clarified in recent rulings that non-material damage (distress, loss of control over data) is compensable but requires actual damage to be proven.

What's the difference between a DPC complaint and an FSPO complaint?

DPC — data-protection-specific complaint about how a controller handled your personal data. FSPO — financial-services dispute resolution about a bank / insurer / fund's conduct toward you as a customer. For banking-related data issues, both can run in parallel. FSPO deals with the financial-service-conduct dimension; DPC deals with the data-protection dimension.

Does GDPR apply to small Irish businesses?

Yes — GDPR applies to any controller or processor of personal data in the EU regardless of size. Some obligations have proportionality features (e.g., Data Protection Officer requirements depend on core activities) but the data-subject rights apply universally. Small businesses processing your data must respond to access requests, allow erasure, etc.

