Your data rights
If your personal data is held by an Irish or EU organisation — a state department, a bank, an employer, a website — you have a set of rights under the General Data Protection Regulation (GDPR) and the Irish Data Protection Act 2018. These rights are real, enforceable, and free to exercise. This page is the overview; each sub-page covers a specific right with the steps and templates you need.
Your eight rights, in plain English
| Right | What it lets you do |
|---|---|
| Right of access | Demand a copy of all the personal data an organisation holds about you, plus information about how and why they process it. Free. They must respond within one month. |
| Right to rectification | Require an organisation to correct inaccurate or incomplete personal data about you. |
| Right to erasure (the "right to be forgotten") | Require deletion of your personal data in specific circumstances (e.g. you withdraw consent and there's no other lawful basis). |
| Right to restrict processing | Require an organisation to stop processing (but not necessarily delete) your data in certain circumstances. |
| Right to data portability | Receive your data in a portable format and have it sent directly to another organisation. |
| Right to object | Object to processing based on legitimate interests, direct marketing, or processing for research/statistics. |
| Rights related to automated decision-making | Require human review of decisions made about you by automated systems alone (including profiling), where the decision has significant effects. |
| Right to complain to the DPC | If an organisation breaches your rights or your data protection rights more generally, file a complaint with the Data Protection Commission. |
What to use these rights for
Three common scenarios:
- You want to see what a company knows about you. File a Subject Access Request. Even routine SARs reveal more than people expect.
- A company keeps emailing you after you opted out. File a request to restrict processing for direct marketing. If they ignore it, complain to the DPC.
- Your data was in a breach. You have notification rights, and (if loss was caused) potential civil claims. See breach response.
Sub-pages
Subject Access Request
The full template, free to copy. How to file, what they must send back, what to do when they fail to respond.
DPC complaints
How to file a complaint with the Data Protection Commission. What the DPC will and won't do, and how to follow up.
Right to be forgotten
When you can require erasure, the limits, and the template. Coming soon.
Breach notifications
What organisations must tell you when your data is in a breach, and what you can do. Coming soon.
If your data has been in a publicised breach
- The organisation should notify you directly. If they haven't, ask them (in writing) what happened, what data was affected, and what steps they're taking.
- Change passwords on the breached account and any account with the same password.
- Watch for follow-on phishing — breach victims are targeted with personalised social-engineering for months afterwards.
- If actual financial loss occurred, see first 24 hours.
- If you want to pursue accountability, file a complaint with the DPC.
What MyID cannot do
- We don't file requests on your behalf. The right has to be exercised by the data subject (you).
- We don't give legal advice. The templates here are starting points; complex matters need a solicitor.
- We don't act as intermediary between you and the DPC.