
GDPR Privacy Policy Requirements for Irish Businesses

Every Irish business that collects personal data - and that includes almost every business with a website - needs a GDPR-compliant privacy policy. The Data Protection Commission (DPC) can impose fines of up to EUR 20 million or 4% of annual global turnover for non-compliance. Here is what your policy must include.

Who Needs a Privacy Policy

If you have a website with a contact form, use Google Analytics, accept online payments, send marketing emails, or employ staff, you are processing personal data. Under the General Data Protection Regulation (EU 2016/679) and the Irish Data Protection Act 2018, you need a privacy policy that accurately describes your data processing activities.

The Seven GDPR Principles

Your privacy policy should demonstrate compliance with all seven principles: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability. Each principle has practical implications for how you collect, use, store, and delete personal data.


What Must Be in Your Privacy Policy

At a minimum, your privacy policy should identify the data controller (your business name, address, and contact details), list the types of personal data you collect, explain the legal basis for processing each type, name every third party you share data with (including analytics, payment processors, and email platforms), describe your data retention periods, explain how individuals can exercise their rights (access, correction, deletion, portability), and include your cookie policy.

Cookie Policy Requirements

Under the ePrivacy Directive (implemented in Ireland through SI 336 of 2011), you must obtain consent before placing non-essential cookies on a visitor's device. Your cookie policy should categorise cookies as strictly necessary, analytics/performance, marketing/advertising, or functional, and explain the purpose and duration of each. A cookie consent banner is required.

Data Subject Access Requests (DSARs)

Individuals have the right to request access to their personal data, and you must respond within one month. Your privacy policy should explain how to make a DSAR and provide a contact email (typically privacy@ or dpo@ your domain). You should also describe how data can be corrected, deleted, or exported.


Common Mistakes

The most common mistakes we see: copying a privacy policy from another website (it will not match your actual data processing), using a generic international template (Irish/EU requirements differ from US/UK), failing to update the policy when you add new tools or change processes, and not having a cookie consent mechanism. Each of these could result in a DPC investigation.

How to Stay Compliant

Review your privacy policy at least annually. Update it whenever you add a new analytics tool, change payment processor, start email marketing, or change how you handle employee data. Keep a record of your data processing activities (a requirement under Article 30 of GDPR). And make sure your cookie consent banner actually blocks non-essential cookies until consent is given - many businesses get this wrong.