
Website privacy policy requirements in Ireland: what the DPC expects in 2026

Steven | TrustYourWebsite · 20 April 2026 · Last updated: April 2026

Every commercial website that processes personal data needs a privacy policy. Processing personal data happens faster than most business owners realise: a contact form, an analytics tool, even server logs that capture IP addresses all count. The Data Protection Commission (DPC) in Dublin oversees compliance for Irish data controllers. In 2026, the European Data Protection Board (EDPB) is running a Coordinated Enforcement Framework specifically targeting transparency. All EU supervisory authorities, including the DPC, are simultaneously checking whether privacy policies meet Articles 12-14 of the GDPR.

The 14 mandatory elements under Article 13 GDPR

The GDPR is precise about what belongs in a privacy policy. Article 13 sets out the information a controller must give when it collects data directly from the data subject. Counted the way this page counts them (purpose and legal basis as separate items, plus the Article 14 source requirement for data obtained indirectly), that makes 14 elements. Here is the full list.

1. Identity and contact details of the controller (Art. 13(1)(a)). Your business name, registered address and contact details. For a sole trader, that includes your own name. Include your CRO number if applicable.

2. Contact details of the data protection officer (Art. 13(1)(b)). Only if you have appointed a DPO. Most Irish SMEs are not required to do so.

3. The purposes of processing (Art. 13(1)(c)). Be specific. Not "we process personal data for our services" but a concrete description for each processing activity.

4. The legal basis for each processing activity (Art. 13(1)(c)). Link each processing activity to a legal basis: consent, contractual necessity, legal obligation or legitimate interest.

5. The specific legitimate interest (Art. 13(1)(d)). This is the element SMEs miss most often. Following the CJEU Mousse ruling (Case C-394/23), it is not sufficient to write "legitimate interest" as the legal basis; you must name the specific interest pursued, and do so at the time the data is collected. Example: "Our legitimate interest in keeping web server access logs, including IP addresses, for 30 days is detecting and investigating attacks on our website." Without that specification, the legal basis itself fails. This does not make legitimate interest a route around cookie consent: under the Irish ePrivacy Regulations (S.I. 336 of 2011) and the DPC's cookie guidance, non-essential cookies such as analytics cookies still require consent, whatever legal basis the policy names for the resulting data.

6. Recipients or categories of recipients (Art. 13(1)(e)). Hosting provider, payment processor, analytics service, email marketing platform, accounting software. Name them by name or category. "Third parties" without further detail is too vague.

7. Transfer to a third country (Art. 13(1)(f)). If you use Google Analytics, Mailchimp, Stripe or any service that processes data outside the EEA, state the country, the safeguard (adequacy decision, standard contractual clauses or BCR) and where a copy can be obtained. This is one of the three most frequently missing elements in SME privacy policies.

8. Retention periods per data category (Art. 13(2)(a)). Give concrete periods. Invoice data: 6 years (tax requirements). Contact form messages: 12 months. Analytics data: 26 months. Newsletter subscribers: until unsubscription plus 30 days. A bare "as long as necessary" does not meet the requirement; where a fixed period is genuinely impossible, Article 13(2)(a) lets you state the criteria used to determine it instead, and those criteria must themselves be concrete.

9. The rights of data subjects (Art. 13(2)(b)). Access, rectification, erasure, restriction, portability and objection. State how to exercise these rights (email address or form) and the response deadline (one month, extendable by two further months for complex or numerous requests under Article 12(3)).

10. The right to withdraw consent (Art. 13(2)(c)). If any processing is based on consent, inform visitors they can withdraw at any time. Link to your cookie settings and newsletter unsubscribe option.

11. The right to lodge a complaint with the supervisory authority (Art. 13(2)(d)). Refer to the Data Protection Commission: 21 Fitzwilliam Square South, Dublin 2, D02 RD28, or online at dataprotection.ie.

12. Whether providing data is obligatory and consequences of not providing it (Art. 13(2)(e)). Example: "Providing your name and email in the contact form is voluntary. Without these details, we cannot respond to your enquiry."

13. Automated decision-making including profiling (Art. 13(2)(f)). Only relevant if you make automated decisions based on personal data. Most SME websites do not.

14. The source of personal data if not collected from the data subject (Art. 14(2)(f)). Only relevant if you receive data from third parties.

What the DPC expects in Ireland

The DPC describes a privacy policy as a "living document" that should be reviewed and updated regularly. This is not a one-time compliance exercise.

The DPC emphasises that privacy information must be provided in clear, plain language. The GDPR's requirement for transparent communication (Article 12) means that legal jargon does not satisfy the standard. The DPC recommends a layered approach: a concise summary at the top with the key points, followed by the full text.

Your privacy policy must be on a standalone page, reachable from every page of the site. The EDPB transparency guidelines (WP260 rev.01) describe the expected pattern: a link that is clearly visible on each page under a commonly used term such as "Privacy" or "Privacy Policy", which in practice means the footer. Burying privacy information inside your terms and conditions does not meet the accessibility requirement.

From 2 August 2026, Article 50 of the AI Act becomes applicable. If you use an AI chatbot on your website, you must inform visitors that they are interacting with an AI system. The DPC has signalled it will enforce this alongside existing GDPR transparency requirements.

Enforcement in practice

LinkedIn received a fine of EUR 310 million from the DPC in October 2024. The decision cited transparency breaches alongside unlawful processing: the DPC found that LinkedIn had not clearly informed users of the legal bases it relied on, in breach of Articles 13(1)(c) and 14(1)(c), in addition to the Article 6 finding. LinkedIn is not an SME, but the decision is instructive, because the DPC worked through the information LinkedIn actually gave users against the Article 13 and 14 requirements and found it wanting.

For Irish SMEs, the enforcement picture is different. The DPC's SME enforcement is limited and focused primarily on complaint-driven investigations. Most proactive enforcement runs through the One-Stop-Shop mechanism against Big Tech companies headquartered in Dublin. An honest assessment: an Irish SME is unlikely to face a DPC-initiated investigation into its privacy policy. But a customer complaint can trigger one, and an incomplete privacy policy makes a complaint harder to defend.

The greater risk for SMEs is civil. If your privacy policy is incomplete and you rely on legitimate interest, that legal basis can be challenged in court proceedings. No policy, no protection.

How TrustYourWebsite checks for this

Our scanner detects three technical signals: the presence of a privacy policy link in the footer, its accessibility on every page and the presence of minimum required elements in the text (legal basis, retention periods, data subject rights, complaint route).

Scanner findings are technical signals, not legal verdicts. They point to transparency gaps, not legal violations.
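To make those three signals concrete, here is a small Python script, added to this page as an illustration and not TrustYourWebsite's own scanner code, which is not published. It runs the checks over a constructed in-memory site (the host `example.test` and all page contents are made up for the example): signal 1 looks for a footer link whose text or href mentions privacy, signal 2 records every page where no such footer link exists, and signal 3 extracts the visible text of the policy page (dropping `<script>` and `<style>`, so a retention period hidden in JavaScript does not count) and tests it against keyword heuristics for the four minimum elements. The keyword patterns are heuristics chosen for this example, not a legal test; a real crawler would fetch the policy URL over HTTP instead of reading it from the dictionary.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed sample site (hypothetical host, not a real website). The /about page
# links to the policy only from body text, and the policy gives no concrete
# retention period; a <script> mentions one to show why script text is ignored.
SITE = {
    "https://example.test/": """<html><body><main><h1>Home</h1></main>
      <footer><a href="/privacy">Privacy policy</a></footer></body></html>""",
    "https://example.test/contact": """<html><body><main><form><input name="email"></form></main>
      <footer><a href="/privacy">Privacy policy</a></footer></body></html>""",
    "https://example.test/about": """<html><body><main><p>See our <a href="/privacy">privacy policy</a>.</p></main>
      <footer><a href="/contact">Contact</a></footer></body></html>""",
    "https://example.test/privacy": """<html><body><h1>Privacy policy</h1>
      <p>We process contact form data on the legal basis of our legitimate interest in answering enquiries.</p>
      <p>We keep your data as long as necessary.</p>
      <p>You have the right of access, rectification and erasure: email privacy@example.test.</p>
      <p>You can lodge a complaint with the Data Protection Commission.</p>
      <script>var note = "retention period 99 years";</script>
      <footer><a href="/privacy">Privacy policy</a></footer></body></html>""",
}


class _LinkCollector(HTMLParser):
    """Collects (href, anchor text, inside_footer) for every <a> on a page."""
    def __init__(self):
        super().__init__()
        self.footer_depth, self.links, self._current = 0, [], None

    def handle_starttag(self, tag, attrs):
        if tag == "footer":
            self.footer_depth += 1
        elif tag == "a":
            self._current = [dict(attrs).get("href") or "", "", self.footer_depth > 0]

    def handle_endtag(self, tag):
        if tag == "footer" and self.footer_depth:
            self.footer_depth -= 1
        elif tag == "a" and self._current is not None:
            self.links.append(tuple(self._current))
            self._current = None

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data


class _TextExtractor(HTMLParser):
    """Visible text only: <script> and <style> contents are dropped."""
    SKIP = {"script", "style"}
    def __init__(self):
        super().__init__()
        self._skip, self._parts = 0, []

    def handle_starttag(self, tag, attrs):
        self._skip += tag in self.SKIP

    def handle_endtag(self, tag):
        self._skip -= tag in self.SKIP and self._skip > 0

    def handle_data(self, data):
        if not self._skip:
            self._parts.append(data)

    def text(self):
        return " ".join(" ".join(self._parts).split())


PRIVACY_WORDS = re.compile(r"privacy|data protection", re.I)
# Signal 3 heuristics (chosen for this example, not a legal standard).
REQUIRED_ELEMENTS = {
    "legal basis": re.compile(r"legal basis|lawful basis|article 6", re.I),
    "retention periods": re.compile(r"\b\d+\s*(?:days?|months?|years?)\b", re.I),
    "data subject rights": re.compile(r"right (?:of|to) (?:access|rectification|erasure|restriction|portability|object)", re.I),
    "complaint route": re.compile(r"complaint.{0,80}?(?:Data Protection Commission|supervisory authority|dataprotection\.ie)", re.I),
}
VAGUE_RETENTION = re.compile(r"as long as (?:is )?necessary", re.I)


def find_footer_privacy_link(page_url, html):
    """Signal 1: absolute URL of the first footer link that looks like a privacy policy, else None."""
    parser = _LinkCollector()
    parser.feed(html)
    parser.close()
    for href, text, in_footer in parser.links:
        if in_footer and href and (PRIVACY_WORDS.search(text) or PRIVACY_WORDS.search(href)):
            return urljoin(page_url, href)
    return None


def check_policy_text(html):
    """Signal 3: (missing minimum elements, vague-retention flag) for the visible policy text."""
    extractor = _TextExtractor()
    extractor.feed(html)
    extractor.close()
    text = extractor.text()
    missing = [name for name, pattern in REQUIRED_ELEMENTS.items() if not pattern.search(text)]
    return missing, bool(VAGUE_RETENTION.search(text))


def scan_site(site):
    """Run all three signals over an in-memory site map {url: html} and return a findings dict."""
    report = {"missing_footer_link": [], "policy_urls": [], "policy_reachable": False,
              "missing_elements": [], "vague_retention": False}
    for url, html in site.items():
        link = find_footer_privacy_link(url, html)
        if link is None:
            report["missing_footer_link"].append(url)      # signal 2: policy not reachable from this page
        elif link not in report["policy_urls"]:
            report["policy_urls"].append(link)
    for policy_url in report["policy_urls"]:
        policy_html = site.get(policy_url)                  # a real crawler would fetch this over HTTP
        if policy_html is None:
            continue
        report["policy_reachable"] = True
        missing, vague = check_policy_text(policy_html)
        report["missing_elements"].extend(m for m in missing if m not in report["missing_elements"])
        report["vague_retention"] |= vague
    return report


if __name__ == "__main__":
    for key, value in scan_site(SITE).items():
        print(f"{key}: {value}")
```

Run as-is, the report flags `/about` as the one page without a footer privacy link, finds the policy reachable, and reports "retention periods" as the only missing element together with the vague-retention flag; the "99 years" inside the script tag is correctly ignored. As the section above says, these are transparency signals for a human to review, not a finding that the law has been broken.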

Checklist: the 14 mandatory elements

No | Element                                          | GDPR Article  | Often missing?
---|--------------------------------------------------|---------------|---------------
1  | Identity and contact details (incl. CRO number)  | Art. 13(1)(a) | No
2  | DPO contact details (if appointed)               | Art. 13(1)(b) | No
3  | Purposes of processing                           | Art. 13(1)(c) | Sometimes
4  | Legal basis per processing activity              | Art. 13(1)(c) | Sometimes
5  | Specific legitimate interest                     | Art. 13(1)(d) | Yes
6  | Recipients / categories                          | Art. 13(1)(e) | Sometimes
7  | Transfers outside EEA + safeguards               | Art. 13(1)(f) | Yes
8  | Retention periods per category                   | Art. 13(2)(a) | Yes
9  | Data subject rights                              | Art. 13(2)(b) | No
10 | Right to withdraw consent                        | Art. 13(2)(c) | Sometimes
11 | Right to complain to DPC                         | Art. 13(2)(d) | No
12 | Obligatory nature of data provision              | Art. 13(2)(e) | Sometimes
13 | Automated decision-making / profiling            | Art. 13(2)(f) | N/A
14 | Source of data (if indirect collection)          | Art. 14(2)(f) | N/A

A privacy policy is enforcement surface

The Mousse ruling changed the nature of a privacy policy. It is no longer a legal document you place on your site to satisfy a formal requirement. It is the place where your legal basis stands or falls. If you claim legitimate interest but do not name which interest, the basis itself fails. The practical consequence is that the privacy policy is now enforcement surface, not decoration.

The 14 elements above take an afternoon to complete properly. That afternoon protects you against months of regulatory correspondence. Start with the three items that SMEs miss most: specific legitimate interest, concrete retention periods and international transfer safeguards.


This article is technical analysis, not legal advice. Consult a solicitor for advice on your specific situation.
