What is a subject access request under Irish GDPR law?

A subject access request (SAR) is an individual's formal request to an organisation (the 'data controller') under Article 15 of the GDPR (Regulation (EU) 2016/679), as implemented in Ireland by the Data Protection Act 2018, to receive a copy of all personal data held about them and information about how that data is being processed. The right of access is one of the fundamental rights of data subjects under the GDPR. When a valid SAR is received, the data controller must: (1) confirm whether personal data is being processed; (2) provide a copy of the personal data (a 'data subject access response'); (3) supply supplementary information including the purposes of processing, the categories of data, the recipients or categories of recipients to whom the data has been or will be disclosed, the retention period, the right to request rectification or erasure, the right to lodge a complaint with the Data Protection Commission (DPC), and information about the source of the data if not collected from the data subject. The GDPR grants this right to all natural persons (individuals), regardless of nationality, whose personal data is processed by an organisation subject to GDPR jurisdiction. In Ireland, the DPC is the supervisory authority responsible for enforcing the GDPR and handling complaints about non-compliance with subject access rights.

What is the deadline for responding to a subject access request in Ireland?

Under Article 12(3) of the GDPR, a data controller in Ireland must respond to a subject access request without undue delay and in any event within one month of receipt of the request. The one-month period runs from the day the request is received. If necessary, this period may be extended by a further two months where the request is complex or the controller has received a high volume of requests, but the controller must notify the data subject of the extension (and the reasons for it) within one month of receipt of the request. The information must be provided free of charge. Where a controller fails to respond within the required time, or refuses a request, the data subject has the right to: (1) lodge a complaint with the Data Protection Commission (DPC) under Article 77 GDPR, which has the power to investigate and impose administrative fines of up to €20 million or 4% of annual global turnover for serious infringements; (2) seek a judicial remedy in the Circuit Court or High Court under Article 79 GDPR; and (3) claim compensation for material or non-material damage suffered as a result of the infringement under Article 82 GDPR.

Can an Irish organisation charge a fee or refuse a subject access request?

Under Article 12(5) of the GDPR, information provided in response to a subject access request must generally be provided free of charge. However, where requests from a data subject are 'manifestly unfounded or excessive, in particular because of their repetitive character', the controller may: (a) charge a reasonable fee taking into account the administrative costs of providing the information; or (b) refuse to act on the request. The burden of demonstrating that a request is manifestly unfounded or excessive lies with the controller. The Data Protection Commission (DPC) has published guidance indicating that a high threshold must be met before a controller can legitimately refuse or charge for a SAR. Common legitimate grounds for refusing to supply specific information in a SAR response include: the information relates to or would disclose information about another identifiable individual (third-party information); the data is legally privileged (e.g. legal advice); or the provision of the information would adversely affect the rights and freedoms of others. Blanket refusals to respond to SARs, or demands for excessive identification documents, are likely to be investigated by the DPC and may result in enforcement action.

What should I do if an organisation ignores my subject access request in Ireland?

If an organisation in Ireland fails to respond to your subject access request within one month (or the extended three-month period in complex cases), or provides an inadequate response, you have several options. First, send a follow-up letter or email to the organisation's data protection officer (DPO) or privacy contact, drawing attention to the legal obligation to respond and setting a short further deadline (e.g. 7 days). Second, lodge a complaint with the Data Protection Commission (DPC), the Irish supervisory authority responsible for enforcing the GDPR. Complaints can be made online at the DPC website (dataprotection.ie) or in writing to DPC, 21 Fitzwilliam Square South, Dublin 2, D02 RD28. The DPC will investigate your complaint and has the power to require the organisation to comply, impose fines, issue reprimands, and make enforcement orders. Third, take a judicial remedy: under Article 79 GDPR and s.117 of the Data Protection Act 2018, you may apply to the Circuit Court for an order requiring compliance with your subject access rights. You may also be entitled to compensation for any material or non-material damage (including distress) suffered as a result of the breach under Article 82 GDPR and s.117 of the Data Protection Act 2018.

Do I need a lawyer to create a Subject Access Request (Ireland) in Ireland?

A Subject Access Request (Ireland) does not legally require a lawyer in Ireland, and individuals and businesses may draft and execute the document independently. The Freedom of Information Act 2014 does not mandate legal representation for the creation or signing of this type of document. However, seeking independent legal advice from a qualified Ireland lawyer is recommended for transactions involving substantial financial value, complex regulatory requirements, or cross-border elements where multiple legal jurisdictions may apply. A lawyer can verify that the document complies with all applicable statutory requirements, identify potential risks specific to the transaction, and confirm that the terms adequately protect the interests of all parties involved. The High Court of Ireland has jurisdiction over disputes arising from this type of document, and Companies Registration Office (CRO) may impose additional compliance obligations depending on the nature of the underlying transaction. Professional legal review is particularly advisable where the document will be submitted to government agencies or used as evidence in legal proceedings.

Subject Access Request (Ireland)

SUBJECT ACCESS REQUEST

General Data Protection Regulation (EU) 2016/679 — Article 15 | Data Protection Acts 1988–2018

[Request Date]

[DPO Name]

[Organisation Name]

[Organisation Address]

Dear [DPO Name] / Data Protection Officer,

I am writing to exercise my right of access under Article 15 of the General Data Protection Regulation (EU) 2016/679 (GDPR) and Section 91 of the Data Protection Acts 1988–2018.

MY DETAILS

Name: [Requester Name]

Address: [Requester Address], [Requester Eircode]

Email: [Requester Email]

Phone: [Requester Phone]

Account / Reference: [Account Reference]

DATA REQUESTED

I request a copy of all personal data you hold about me, specifically: [Data Description].

The request covers the following period: [Date Period].

YOUR OBLIGATIONS

Under GDPR Article 12, you are required to respond to this request without undue delay and in any event within one month of receipt. In complex cases, you may extend this period by a further two months, but you must notify me of any extension within one month and explain the reasons for the delay.

You must provide the information free of charge unless the request is manifestly unfounded or excessive. If you refuse to act on this request, you must inform me of your reasons and my right to lodge a complaint with the Data Protection Commission (DPC) at dataprotection.ie, and to seek a judicial remedy under GDPR Article 79.

I am providing the following identity document to verify my identity: [Identity Document].

I look forward to receiving your response. Please acknowledge receipt of this request.

Yours faithfully,

[Requester Name]

Data Subject

________________

Signature

Date: ________________

Maintained by Vladislav Sergienko, Founder·Template last modified: 2026-06-23·Report an error

What Is a Subject Access Request (Ireland)?

A Subject Access Request in Ireland makes a formal application or declaration to the relevant authority and sets out the particulars it requires to decide or record the matter, and takes its legal force from the Freedom of Information Act 2014.

The legal framework governing the Subject Access Request (Ireland) in Ireland draws on several key statutes and regulatory bodies. Under the Freedom of Information Act 2014, public bodies must respond within 20 working days. Section 13 of the Freedom of Information Act 2014 governs access requests. The Data Protection Act 2018 and GDPR Article 15 provide complementary access rights. The Office of the Information Commissioner reviews FOI decisions on appeal. Revenue Commissioners and the Companies Registration Office (CRO) handle government compliance obligations. Parties executing a Subject Access Request (Ireland) in Ireland should confirm the document reflects current Irish law, including any amendments enacted since the original drafting date. The Freedom of Information Act 2014 sets the foundational requirements, while secondary legislation and statutory instruments may impose additional obligations depending on the specific circumstances of the transaction. Under Section 67 of the Land and Conveyancing Law Reform Act 2009 and the Registration of Title Act 1964, property-related elements must comply with the Property Registration Authority (PRA) requirements. The Competition and Consumer Protection Commission (CCPC) enforces the Consumer Rights Act 2022 in consumer-facing transactions. The Companies Act 2014, Section 169, and the Employment Equality Acts 1998-2015 impose non-discrimination obligations on all commercial agreements executed in Ireland.

When Do You Need a Subject Access Request (Ireland)?

A subject access request is needed when an individual wishes to find out what personal data an organisation holds about them, how it is used, and to whom it has been disclosed. Common scenarios include: reviewing data held by a former employer; checking data held by a financial institution; investigating potential GDPR breaches; or obtaining data for legal proceedings. The Data Protection Commission (DPC) at dataprotection.ie can be contacted if a controller fails to comply.

Parties in Ireland should prepare a Subject Access Request (Ireland) proactively rather than waiting for a dispute to arise. Irish courts, including the District Court, Circuit Court, and High Court of Ireland, interpret agreements based on the written terms rather than oral representations. Under the Freedom of Information Act 2014, public bodies must respond within 20 working days. Section 13 of the Freedom of Information Act 2014 governs access requests. The Data Protection Act 2018 and GDPR Article 15 provide complementary access rights. The Office of the Information Commissioner reviews FOI decisions on appeal. Revenue Commissioners and the Companies Registration Office (CRO) handle government compliance obligations. Where the transaction involves regulated activities, prior approval from the relevant authority — such as the Central Bank of Ireland, Companies Registration Office (CRO), or Data Protection Commission (DPC) — may be required before execution. Consulting a qualified Irish solicitor confirms all regulatory steps are completed in the correct order. Under Section 67 of the Land and Conveyancing Law Reform Act 2009 and the Registration of Title Act 1964, property-related elements must comply with the Property Registration Authority (PRA) requirements. The Competition and Consumer Protection Commission (CCPC) enforces the Consumer Rights Act 2022 in consumer-facing transactions. The Companies Act 2014, Section 169, and the Employment Equality Acts 1998-2015 impose non-discrimination obligations on all commercial agreements executed in Ireland.

What to Include in Your Subject Access Request (Ireland)

A valid Irish subject access request should include: the data subject's full name, address, email, and phone number; account or reference number; a clear description of the personal data requested; the date range (if applicable); the legal basis (GDPR Article 15); identity document for verification (if required); a request for processing purposes, retention periods, and recipients; reference to the one-month response deadline; and the right to complain to the Data Protection Commission (DPC). The forms-legal.com Subject Access Request (Ireland) template covers the mandatory elements under Freedom of Information Act 2014.

Additional compliance elements for a Subject Access Request (Ireland) used in Ireland include: Data Protection — the Data Protection Act 2018 and GDPR Article 6 require a lawful basis for processing personal data; Governing Law — specify Irish law and the jurisdiction of Irish courts; Dispute Resolution — parties may refer disputes to the Workplace Relations Commission (WRC) for employment matters or initiate proceedings in the Circuit Court or High Court of Ireland for civil claims. Under the Freedom of Information Act 2014, public bodies must respond within 20 working days. Section 13 of the Freedom of Information Act 2014 governs access requests. The Data Protection Act 2018 and GDPR Article 15 provide complementary access rights. The Office of the Information Commissioner reviews FOI decisions on appeal. Revenue Commissioners and the Companies Registration Office (CRO) handle government compliance obligations. Revenue Commissioners require appropriate tax treatment of payments made under the agreement, including VAT under the Value-Added Tax Consolidation Act 2010 where applicable. Under Section 67 of the Land and Conveyancing Law Reform Act 2009 and the Registration of Title Act 1964, property-related elements must comply with the Property Registration Authority (PRA) requirements. The Competition and Consumer Protection Commission (CCPC) enforces the Consumer Rights Act 2022 in consumer-facing transactions. The Companies Act 2014, Section 169, and the Employment Equality Acts 1998-2015 impose non-discrimination obligations on all commercial agreements executed in Ireland.

Sources & Citations

Statutory citations link to official government sources.

GDPR Article 15EU – GDPR
GDPR Article 6EU – GDPR

Cite this page

Reference this free template in an article, syllabus, or research note:

APA

Forms Legal. (2026). Subject Access Request (Ireland) (Ireland) [Legal document template]. Forms Legal. https://forms-legal.com/ireland/government/court-forms/subject-access-request-ireland

MLA

"Subject Access Request (Ireland) (Ireland)." Forms Legal, 2026, https://forms-legal.com/ireland/government/court-forms/subject-access-request-ireland.

BibTeX

@misc{formslegal-subject-access-request-ireland,
  author       = {{Forms Legal}},
  title        = {Subject Access Request (Ireland) (Ireland)},
  year         = {2026},
  howpublished = {\url{https://forms-legal.com/ireland/government/court-forms/subject-access-request-ireland}},
  note         = {Free legal document template. Based on Freedom of Information Act 2014}
}

Also available for these jurisdictions:

Frequently Asked Questions

Based on Freedom of Information Act 2014 — Template last modified June 2026Verify the source →

This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.Full disclaimer

Found an error? Let us know