Privacy Policy Requirements for Irish Business Websites
Steven | TrustYourWebsite · 2 May 2026
Your website collects customer data—email addresses, names, phone numbers, maybe payment details or booking information. Under Irish law, you must have a legally compliant privacy policy. The Data Protection Act 2018 implements GDPR in Ireland, and the Data Protection Commission (DPC) enforces it. The DPC has imposed fines of €1.2 billion on Meta, €405 million on Instagram, and €225 million on WhatsApp for privacy violations. Those weren't accidents. If your privacy policy is missing required information, you're exposed to DPC action, customer complaints, and reputational damage.
What Irish Law Requires
GDPR Article 13 sets out 12 mandatory elements that must appear in your privacy policy. Irish small businesses are subject to the same requirements as large corporations. The DPC, based in Dublin, supervises GDPR compliance across Ireland and is the lead authority for investigations into major tech platforms. This means the DPC takes Irish data protection seriously.
The 12 Required Elements
1. Identity of the Data Controller
You must name yourself (your business) as the controller. If you're a company registered with the Companies Registration Office (CRO), include your CRO number. If you're a sole trader operating under a business name, clarify the legal entity. Example:
"Data Controller: Acme Hotel Group Limited, CRO Number 123456, Dublin, Ireland"
2. Contact Details for the Data Protection Officer (if applicable)
Most Irish small businesses don't need a DPO—only if you're a large public body or handle data processing at scale. If you do have a DPO, provide their contact email.
3. Purpose of Processing
State exactly why you collect data. Different purposes need different legal bases (see below). Examples:
- Contact form: "To respond to your enquiry"
- Newsletter signup: "To send you promotional emails about our products"
- Online booking: "To process your reservation and send confirmation"
- Analytics: "To understand how visitors use our website"
4. Legal Basis for Processing (per purpose)
This is where most Irish businesses fail. GDPR has six possible legal bases. You must state which one applies to each purpose:
- Consent: Customer actively agreed (e.g., checking a newsletter signup box)
- Contract: Processing needed to fulfill a booking or purchase
- Legal obligation: You're required by law (e.g., tax records, VAT compliance)
- Vital interests: Protecting someone's life or health
- Public task: Government or public authority functions
- Legitimate interests: Your business need, balanced against customer privacy
Real Irish example:
"Contact form: Legal basis is Legitimate Interest. We need your email and name to respond to your enquiry. We balance your privacy against our business interest in customer service."
"Newsletter: Legal basis is Consent. We only send emails after you've actively opted in via a checkbox."
5. Recipients of Personal Data
Who else has access to customer data? Examples:
- Your email service (Mailchimp, Klaviyo)
- Hosting provider (Shopify, WordPress.com)
- Payment processor (Stripe, PayPal)
- Analytics tool (Google Analytics)
- Professional advisors (accountant, solicitor)
List them by category:
"Recipients: Your email is shared with our email service provider (Mailchimp) to send newsletters. Payment data is processed by our payment gateway (Stripe). We do not sell or share data with third parties for marketing."
6. International Transfers (if applicable)
If data goes outside the EU/EEA (e.g., to the USA), explain how you protect it. As of 2024, transfers to the USA require Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs). Don't just say "we use Google Analytics"—mention the adequacy decision or SCCs:
"Our analytics tool (Google Analytics) transfers data to the USA under the Google Analytics Data Processing Amendment, which incorporates Standard Contractual Clauses."
7. Retention Periods
How long do you keep data? Be specific. The DPC emphasizes this heavily.
- Contact form data: "6 months after your enquiry is resolved"
- Customer data: "For 6 years after the last transaction (required by tax law) or 3 years if customer relationship ends"
- Newsletter subscribers: "Until you unsubscribe"
- Website analytics: "13 months (Google Analytics default retention)"
8. Customer Rights (Access, Rectification, Erasure, Portability, Objection)
You must inform customers they can:
- Access: Request a copy of their data
- Rectification: Correct inaccurate data
- Erasure: Request deletion (right to be forgotten)
- Portability: Receive data in a portable format
- Objection: Opt out of processing (especially marketing)
Example text:
"You have the right to request access to your personal data, correct inaccurate information, request deletion, or receive your data in a portable format. To exercise these rights, email privacy@yourcompany.ie."
9. Right to Withdraw Consent
If consent is your legal basis, customers must be able to withdraw it easily:
"If we're processing your data on the basis of consent (such as newsletter signup), you can withdraw consent at any time by clicking the unsubscribe link in our emails or emailing privacy@yourcompany.ie."
10. Right to Lodge a Complaint with the DPC
This is mandatory and must name the DPC specifically. Many policies miss this:
"If you believe we've breached your privacy rights, you have the right to lodge a complaint with the Data Protection Commission (DPC). The DPC's contact details are available at www.dataprotection.ie."
11. Whether Provision is Statutory or Contractual
State whether providing data is required by law, required to enter a contract, or optional:
"Providing your name and email address via our contact form is voluntary. However, if you want to make an online booking, we require your email, phone number, and payment details to process the reservation."
12. Automated Decision-Making and Profiling
If you use automated decisions or profiling (including AI scoring), explain it:
"We do not use automated decision-making or profiling on your data."
Or, if you do:
"Our booking system uses automated checks to detect fraudulent bookings. You have the right to human review of this decision. Contact support@yourcompany.ie to request it."
Common Missing Elements in Irish Business Policies
Missing Retention Periods
Many Irish policies say "we keep your data as long as necessary" without specifics. The DPC expects concrete timescales:
- Not acceptable: "We retain data as long as needed for the purpose."
- Acceptable: "Email addresses are deleted 12 months after the last enquiry, unless you subscribe to our newsletter. Newsletter subscribers' data is retained until unsubscribe."
Missing Legal Basis Per Purpose
Policies often list purposes but not legal bases. This is a compliance gap. For each purpose (contact form, booking, newsletter, analytics), state the legal basis explicitly.
Missing DPC Contact Information
Your policy must direct people to the DPC, not a generic supervisory authority. Name them:
"You can lodge a complaint with the Data Protection Commission: www.dataprotection.ie/en/individuals/exercising-your-rights"
Hidden Third-Party Integrations
If you use Google Analytics, Facebook Pixel, or TikTok Pixel, disclose them as recipients. Don't hide them under generic terms like "analytics partners":
"Recipients: We use Google Analytics to track how visitors use our website. Google may use this data for its own purposes. We also use the Facebook Pixel to measure advertising performance."
Irish-Specific Considerations
Sole Traders and Business Names
If you're a sole trader trading under a business name, your privacy policy must clarify:
"Data Controller: John O'Brien, trading as 'O'Brien's Bookkeeping,' sole trader, Dublin, Ireland."
This distinguishes the person (controller) from the business name used.
Companies Registration Office (CRO) Numbers
If you're a company, include your CRO registration number. It's public information:
"Data Controller: Hibernia Digital Services Ltd, CRO Number 987654"
Email Marketing and SI 336 of 2011
Ireland does not use the PECR (Privacy and Electronic Marketing Regulations). Instead, Ireland has the European Electronic Communications Directive (Unsolicited Communications) Regulations 2011 (S.I. 336 of 2011). For B2C email marketing, you must have prior consent. For B2B marketing to established customers, you have more flexibility. Clarify this in your policy:
"We only send marketing emails to customers who have opted in via a newsletter signup form or agreed to receive promotional content."
Real Irish Enforcement Examples
The DPC has taken action on these issues:
- Inadequate retention timescales: A retail website retained customer data indefinitely "to improve service." The DPC required them to delete data 3 years after the last purchase.
- Missing legal basis statements: A Dublin-based B2B service claimed to process data on "legitimate interest" but didn't explain the balancing test or provide details. The DPC required a rewrite.
- Unlisted recipients: A hotel used a third-party booking engine but didn't disclose it as a recipient in their privacy policy. The DPC required transparency.
Privacy Policy Checklist for Irish Websites
Before you publish or update your policy:
- Name your business and CRO number (if company) or full name (if sole trader)
- List the 12 required elements from GDPR Article 13
- State the legal basis for each purpose (consent, contract, legitimate interest, etc.)
- List every third-party recipient (email service, payment processor, analytics tool, CRM)
- Explain international data transfers with SCCs or adequacy decisions
- Give concrete retention periods for each data type
- Include the right to withdraw consent (if applicable)
- Provide the Data Protection Commission contact details by name
- Explain automated decision-making (if any)
- Make it clear how customers can exercise their rights (access, deletion, etc.)
- Use plain English—avoid legal jargon
What to Do Next
Immediate:
- Read your current privacy policy. Does it cover all 12 elements?
- Visit www.dataprotection.ie/en/individuals/exercising-your-rights and bookmark it as your DPC reference
- Check your contact form, newsletter signup, and online booking process. Are you collecting data beyond what you've disclosed?
Short-term:
- Update your privacy policy with concrete retention periods and legal bases
- Add the DPC contact details by name
- List all third-party tools and integrations as recipients
- Have a solicitor review it if you're unsure
Ongoing:
- When you add a new tool (email service, analytics, CRM), update your privacy policy immediately
- Review the privacy policy annually
- Respond promptly to customer data requests (Article 15) and deletion requests (Article 17)
- Monitor DPC guidance at dataprotection.ie for changes
Small Irish businesses that get privacy right gain customer trust, avoid DPC action, and can compete confidently. Your Galway tech startup, Dublin consultancy, or Cork retail business deserves a privacy policy that's both legally compliant and transparent. The DPC is watching, but they also help—start by reading their free SME guidance on dataprotection.ie.