DPC Ireland: How to File a Privacy Complaint (2026 Guide)
If a company has mishandled your personal data, ignored your access request, or exposed your information in a breach, you have the right to file a complaint with the Data Protection Commission (DPC) Ireland. As Ireland's independent supervisory authority for data protection, the DPC enforces GDPR and the Data Protection Act 2018 — and because most major US tech companies (Meta, Google, TikTok, X, LinkedIn) have their EU headquarters in Dublin, the DPC's reach extends far beyond Ireland.
This comprehensive 2026 guide explains exactly how to file a complaint with the DPC, what evidence to gather, how long the process takes, and what realistic outcomes you can expect.
What Is the DPC and What Does It Do?
The Data Protection Commission (Coimisiún um Chosaint Sonraí) is Ireland's national data protection authority. Established in its current form under the Data Protection Act 2018, the DPC investigates complaints, audits organisations, issues fines, and acts as the lead supervisory authority for many global tech companies under the GDPR's "one-stop-shop" mechanism.
The DPC's core powers include:
- Investigating complaints from individuals (data subjects)
- Issuing administrative fines up to €20 million or 4% of global turnover
- Ordering corrective actions such as deletion of data or changes to processing
- Publishing guidance for controllers and processors
- Cooperating with other EU regulators through the European Data Protection Board (EDPB)
In 2024 alone, the DPC issued over €3.5 billion in fines across cases involving Meta, TikTok, and LinkedIn — making it one of the most consequential privacy regulators in the world.
When Should You File a Complaint With the DPC?
You can file a complaint when an organisation has breached your rights under the GDPR or Irish data protection law. Common grounds include:
- Ignored access requests (DSAR) — the company didn't respond to your Subject Access Request within one month
- Unlawful processing — your data was used without a valid legal basis
- Failure to delete data — your right to erasure ("right to be forgotten") was refused without justification
- Marketing without consent — unsolicited emails, SMS, or calls (also covered by ePrivacy Regulations 2011)
- Data breaches — your information was exposed and you weren't properly notified
- Excessive data collection — a controller is collecting more data than necessary
- Inaccurate data — your data is wrong and the controller refuses to correct it
- Cookie violations — websites tracking you without proper consent
Before complaining to the DPC, you generally must contact the organisation's Data Protection Officer (DPO) first and give them a reasonable chance to resolve the issue.
What the DPC Cannot Do
The DPC does not award compensation. If you want financial damages for a privacy violation, you must pursue a separate civil claim in the Circuit Court or High Court under Section 117 of the Data Protection Act 2018. The DPC also cannot intervene in disputes that are purely contractual or unrelated to personal data.
Step-by-Step: How to File a DPC Complaint
Step 1: Contact the Organisation First
The DPC expects you to have raised your concern directly with the controller before complaining. Send a written request (email is fine) clearly stating:
- Who you are and how to identify your records
- What right you are exercising (access, erasure, objection, etc.)
- What you want them to do
- A deadline (one month is the GDPR standard)
Keep copies of everything. If they refuse or ignore you, you have grounds for a DPC complaint.
Step 2: Gather Your Evidence
Strong complaints succeed; vague ones get rejected. Before contacting the DPC, collect:
- Copies of all correspondence with the organisation (emails, letters, chat logs)
- Screenshots showing the issue (e.g., a website still emailing you after unsubscribe)
- Dates and times of relevant events
- Names of any staff you spoke to
- Copies of privacy notices or terms that are relevant
- Any breach notification you received
Step 3: Submit Your Complaint
You can file a complaint with the DPC in several ways:
- Online webform — via dataprotection.ie (fastest, recommended)
- Email — info@dataprotection.ie
- Post — Data Protection Commission, 21 Fitzwilliam Square South, Dublin 2, D02 RD28
- Phone (general queries only) — +353 (0)761 104 800
There is no fee for filing a complaint.
Step 4: What to Include in Your Complaint
A well-structured complaint contains:
- Your details — name, address, contact details
- The organisation complained about — full legal name and address
- A clear summary — what happened, in chronological order
- The right being breached — cite the GDPR article if you can (e.g., Article 15 for access, Article 17 for erasure)
- Evidence attachments — labelled clearly
- Outcome sought — what you want the DPC to make the organisation do
- Confirmation that you contacted the organisation first
What Happens After You File?
Here is the typical DPC complaint process:
| Stage | Typical Timeframe | What Happens |
|---|---|---|
| Acknowledgement | 1–4 weeks | DPC confirms receipt and assigns a case reference |
| Initial assessment | 1–3 months | Caseworker reviews and may request more information |
| Amicable resolution | 2–6 months | DPC contacts the organisation to seek a quick fix |
| Formal investigation | 6 months – 3+ years | If unresolved, a statutory inquiry begins |
| Decision | End of inquiry | Findings, corrective orders, possibly a fine |
| Appeal window | 28 days | Either party can appeal to the Circuit Court |
Most straightforward complaints — like an unanswered access request — are resolved through the amicable resolution stage within a few months. Complex cross-border cases involving Big Tech can take years.
Cross-Border Complaints and the One-Stop-Shop
Because Meta, Google, Apple, TikTok, Microsoft, LinkedIn, and X have their EU headquarters in Ireland, the DPC is the lead supervisory authority for complaints against them — even if you live in France, Germany, or Spain.
If you're an EU resident outside Ireland, you can still:
- File the complaint with your local DPA, which will forward it to the DPC
- File directly with the DPC in English
The DPC will coordinate with other EU regulators through the EDPB consistency mechanism. Decisions in cross-border cases are binding across the entire EU.
Common Mistakes That Get Complaints Rejected
1. Skipping the Direct Contact Step
The DPC will usually return your complaint and ask you to first try to resolve it with the organisation. Always exhaust the internal route first.
2. Vague or Emotional Complaints
"They are evil and stole my data" goes nowhere. Stick to facts, dates, and specific GDPR rights.
3. Wrong Regulator
The DPC handles personal data. For nuisance phone calls about goods/services that aren't really privacy-based, ComReg may be more appropriate. For consumer issues, contact the CCPC.
4. No Evidence
Always include screenshots, emails, and timestamps. The DPC cannot act on your word alone.
5. Filing Too Late
While there's no strict statutory deadline, complaints filed years after the event are harder to investigate.
Pros and Cons of Filing With the DPC
Pros
- Free of charge — no legal fees required
- Strong enforcement powers including significant fines
- Binding decisions across the EU for major tech firms
- Independent and well-resourced regulator
- Clear procedural rights for complainants
Cons
- Cannot award you compensation
- Investigations can be slow, especially cross-border
- Limited communication during long inquiries
- Outcomes may not match your specific desired remedy
Protecting Your Privacy Going Forward
Filing a complaint is reactive. Better is preventing data exposure in the first place. Consider:
- Using privacy-respecting tools for everyday browsing — see our guide to the top privacy tools for Ireland in 2026
- Reviewing how your business handles links and tracking with a GDPR-compliant URL shortener like Lunyb, which keeps analytics on EU infrastructure
- Staying informed about recent Irish data breaches so you know when your data may be at risk
- Checking QR code security practices if you run a small business
- Comparing link management platforms that respect data protection by default
For Irish SMEs, choosing tools built with GDPR in mind — like Lunyb's URL shortener with EU-based hosting and minimal data collection — reduces your own compliance risk and prevents you from becoming the subject of someone else's DPC complaint.
What If You're Unhappy With the DPC's Decision?
If the DPC dismisses your complaint or you disagree with the outcome, you have options:
- Appeal to the Circuit Court within 28 days of the decision
- Judicial review in the High Court if you believe the DPC acted unlawfully or unreasonably
- Civil claim under Section 117 of the Data Protection Act 2018, where you can seek compensation directly from the controller
- Complain to the Ombudsman if you experienced poor administration by the DPC itself
Frequently Asked Questions
How long do I have to file a complaint with the DPC?
There is no rigid statutory time limit, but the DPC encourages complaints as soon as possible after the incident. In practice, complaints made within 6–12 months of the event are easier to investigate. Civil compensation claims under Section 117 generally have a six-year limitation period.
Can I file a DPC complaint anonymously?
No. The DPC requires your name and contact details to investigate properly and to communicate findings. However, your details are not shared with the organisation until necessary, and the DPC handles your information confidentially. You can submit anonymous tips, but they are treated as intelligence rather than formal complaints.
Will the company I complain about know it was me?
In most cases, yes — particularly where the complaint relates to your specific data or rights request. The organisation needs to identify your records to respond. If you have safety concerns, raise them with the caseworker early.
Can non-Irish residents file with the DPC?
Yes. Anyone in the EU/EEA can file a complaint with the DPC, especially against companies headquartered in Ireland. You can also file with your own national DPA, which will transfer the case to Ireland under the GDPR's one-stop-shop mechanism.
What is the maximum fine the DPC can issue?
Under GDPR, the maximum administrative fine is €20 million or 4% of the organisation's global annual turnover, whichever is higher. The DPC has issued several fines exceeding €1 billion against major US tech companies for breaches involving children's data, transatlantic data transfers, and behavioural advertising.
Final Thoughts
Filing a complaint with the DPC Ireland is one of the strongest tools EU citizens have for enforcing their privacy rights. The process is free, the regulator is empowered, and decisions can have global consequences. Your best chance of success comes from being methodical: contact the organisation first, gather solid evidence, cite the specific rights involved, and clearly state the outcome you want.
Privacy is a right, not a privilege — and Ireland's DPC exists to make sure it stays that way.
Protect your links with Lunyb
Create secure, trackable short links and QR codes in seconds.
Get Started FreeRelated Articles
Data Protection Act 2018 Ireland: The Complete 2026 Guide
A complete 2026 guide to the Data Protection Act 2018 in Ireland: how it works with the GDPR, your rights as a data subject, business obligations, penalties, and a practical compliance checklist. Updated with the latest DPC enforcement trends and EU developments.
Singapore Online Safety Act 2026: Complete Guide for Businesses and Users
Singapore's Online Safety Act 2026 expands content regulation to cover AI deepfakes, scams, and child safety with penalties up to S$1 million. This complete guide explains compliance requirements, enforcement powers, and practical steps for businesses and users.
Singapore PDPA vs GDPR: Key Differences for Businesses in 2026
Singapore's PDPA and the EU's GDPR both protect personal data, but they differ in scope, breach timelines, DPO requirements, and fines. This guide compares both laws side-by-side and shows how Singapore businesses can achieve dual compliance in 2026.
ePrivacy Regulations Ireland: Latest Updates and Compliance Guide 2026
A complete 2026 guide to ePrivacy Regulations in Ireland, covering cookie consent, direct marketing rules, DPC enforcement, and the upcoming ePrivacy Regulation. Learn exactly what Irish businesses must do to stay compliant and avoid multi-million euro fines.