GDPR Enforcement

Why Does GDPR Matter?

The General Data Protection Regulation (“GDPR”) is arguably the most powerful human rights legislation ever enacted.  Amongst other things, controllers must protect people from risk to their rights and freedoms such as those granted under the European Convention on Human Rights (“ECHR”) and the EU Charter of Fundamental Rights (“the Charter”).

For example, recital 75 GDPR clarifies that a risk to a person’s rights and freedoms may result from personal data processing which could lead to physical, material or non-material damage, in particular:

  • Where the processing may give rise to:
      • discrimination,
      • identity theft,
      • fraud,
      • financial loss,
      • damage to the reputation,
      • loss of confidentiality of personal data protected by professional secrecy,
      • unauthorised reversal of pseudonymisation, or
      • any other significant economic or social disadvantage.
  • Where a person might be deprived of their rights and freedoms (e.g., under the ECHR or the Charter) or prevented from exercising control over their personal data.
  • Where processing involves a large amount of personal data and affects a large number of people.
  • Where personal data are processed which reveal racial or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, and the processing of genetic data, data concerning health or data concerning sex life or criminal convictions and offences or related security measures.
  • Where personal aspects are evaluated, in particular analysing or predicting aspects concerning performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, in order to create or use personal profiles.
  • Where personal data of vulnerable natural persons, in particular of children, are processed.

Of importance, the GDPR legal burden sits with the controller (not the person) to prove, through its documentary evidence of GDPR compliance, how it effectively protected people from risks such as those described above.  If the controller cannot demonstrate its compliance with the GDPR, for example, to protect people from risk, then a person is entitled,

  1. to recover compensation for the material and non-material damages they have suffered, and
  2. to an effective judicial (court) remedy to correct the non-compliance.  For example, to have a court order the controller to stop doing the thing which is causing the person to suffer damages.

GDPR Representation

Article 80(1) GDPR grants people a right to mandate a specialist GDPR not-for-profit like Riar Ceartais to represent them to protect their interests or rights and freedoms.  Amongst other things the Representation Mandate empowers Riar Ceartais to exercise various rights on a person’s behalf such as

GDPR Enforcement Procedure

The first step in any GDPR enforcement procedure involves Riar Ceartais writing to the controller to set out the issue and give them an opportunity to address their GDPR non-compliance by correcting the problem.  This initial correspondence usually involves Riar Ceartais exercising one or more of the person’s Article 15 to 22 GDPR rights.  For example, their

GDPR gives controllers one month to facilitate the exercise of a person’s data protection rights.  If after expiry of the one month deadline the controller has not facilitated the exercise of the person’s rights or has not addressed their GDPR non-compliance to the satisfaction of Riar Ceartais, Riar Ceartais may lodge a complaint with the DPC on behalf of the person.  While lodging a DPC complaint is one option, Riar Ceartais will more likely exercise the person’s Article 79 GDPR right to an effective judicial remedy by instructing solicitors to bring court proceedings against the controller seeking suitable Orders to compel GDPR compliance.

Should proceedings issue, it is standard procedure for Riar Ceartais to seek Orders imposing two administrative fines on the controller: one fine under Article 83(4) GDPR and a second fine under Article 83(5) GDPR.  Administrative fines could, for example, take the form of daily, weekly or monthly recurring fines for an ongoing failure by the controller to bring its processing into compliance with the GDPR.  Depending on the circumstances, proceedings may also seek to recover compensation for a person’s material and non-material damages suffered as a result of the controller’s unfair, risky, unnecessary or unlawful processing.

GDPR Class Actions

When Riar Ceartais brings court proceedings on behalf of a person it represents, Riar Ceartais is the plaintiff in the proceedings (not the person).  Where a group of people are affected by the same controller’s GDPR non-compliance, each person in that group can provide Riar Ceartais with an Article 80(1) GDPR representation mandate authorising Riar Ceartais to represent each of them.  As there are no limits on the number of people that Riar Ceartais can represent in any given action, this becomes for all intents and purposes a GDPR class action.  The only difference between this and a traditional US-style class action is that each member of a GDPR representation action is named in the representation mandates, whereas a traditional class action is taken on behalf of an unnamed class of people.

Strategic Class Actions

The Riar Ceartais vision is to use strategic GDPR class actions to tackle significant societal issues that are affecting many ordinary people arising from unlawful or unfair public or private sector practices or corruption.  Put simply, we’re focused on tackling big issues that are causing many people to suffer significant distress, pain, harm or financial loss.  Unfortunately, this means Riar Ceartais may not be able to help every individual who may request its help.

Current and Upcoming Class Actions

Riar Ceartais has a number of active unlawful mortgage transfer class actions before the courts seeking to enforce vulture fund GDPR compliance and to recover damages for class action members. 

In January 2026 Riar Ceartais announced its intention to open a class action challenging the Irish Government’s insecure digital identity plans; particularly the Government’s unlawful plan to mandate ‘social media’ age checks on the entire population of Ireland. 

A further class action is planned to hold Irish State bodies accountable and liable for the Government’s unlawful policy of evicting tens of thousands of people into homelessness.

Contact us for help with GDPR issues

If you have experienced what you believe is unfair, unjust or corrupt treatment that affects a large number of people, please use the link below to Contact Us.