In late 2025, the Data Protection Commissioner of Ireland (DPC) began a regulatory assessment focused on location data obtained from commercial data brokers. The DPC bases its assessment on the findings of the RTE Prime Time Programme (RTE).  The RTE’s investigation concluded that it was possible to single out and identify specific people in Ireland from a commercial dataset it obtained from a data broker.  Data about individuals included their home and work addresses.  The RTE also found that data sets included precise location data that tracked the movement of specific people at high security institutions and other sensitive locations, such as health clinics and mental health facilities.

The DPC recently wrote to inform data controllers who may be in receipt of or sharing location data that it has initiated the regulatory assessment.  It also notified organizations linked to those whose activities are the subject of the DPC assessment and stressed that failure to meet statutory obligations pertaining to processing of location data will result in regulatory action.

In its communication to relevant parties, the DPC highlighted several points relevant tothe risks raised by precise location data and data controllers’ obligations under the General Data Protection Regulation (GDPR).

Significant Risks Associated with Location Data

While location data can enable and enhance online services enjoyed by individuals, it can also reveal sensitive information about a person’s health or private life.  It can raise significant risks to their security and wellbeing.  The DPC identified location information as inherently sensitive and that emphasized that its use could result in significant risk and possible harm to vulnerable people.  It noted that any misuse of such data risks interfering with their fundamental rights and freedoms arising from the Charter of Fundamental Rights of the European Union and those set forth in the GDPR.

GDPR Obligations when Using Location Data

The DPC also noted a data controller’s GDPR obligations when processing location data, including the requirement that controllers assess their GDPR compliance, taking into account the source of the personal data, the risks posed by the processing, and whether the data was obtained in compliance with the GDPR.

It underscored the requirements for lawful processing of location data, including an individual’s freely given, specific, informed and unambiguous consent to processing.  It further noted requirements for transparent processing of such data, and obligations with respect to data minimization, purpose limitation and implementing measures related to data protection design and default.

‍‍

If your organisation processes location data or shares it with third parties, our team can conduct a focused review to help identify risk areas, strengthen governance, and provide assurance to regulators, stakeholders, and boards.

‍