DPC Ireland: How to File a Privacy Complaint (2026 Guide)
If a company has mishandled your personal data, ignored a request to delete your information, or sent you marketing you never agreed to, you have the right to complain to the Data Protection Commission (DPC) of Ireland. The DPC is Ireland's independent supervisory authority for data protection, and because so many global tech companies — Meta, Google, TikTok, Microsoft, Apple — have their European headquarters in Dublin, the DPC is one of the most influential privacy regulators in the world.
This guide explains exactly how to file a privacy complaint with the DPC Ireland, what to include, what timelines to expect, and what outcomes are realistic in 2026.
What Is the DPC and What Does It Do?
The Data Protection Commission (Coimisiún um Chosaint Sonraí) is Ireland's national independent authority responsible for enforcing the General Data Protection Regulation (GDPR), the Data Protection Act 2018, and the ePrivacy Regulations. Its job is to protect the fundamental right of individuals in the EU to have their personal data protected.
The DPC has three core functions:
- Handling complaints from individuals (data subjects) about how organisations process their personal data.
- Investigating potential breaches of data protection law, including large-scale own-volition inquiries.
- Issuing decisions, fines, and corrective orders — the DPC has issued some of the largest GDPR fines in Europe, including a €1.2 billion fine against Meta in 2023.
Because Ireland is the lead supervisory authority for many multinational tech firms under the GDPR's "one-stop-shop" mechanism, complaints filed with the DPC can have effects across the entire EU.
When Should You File a Complaint with the DPC?
You can file a complaint with the DPC if you believe an organisation has breached your data protection rights and you have not been able to resolve the issue directly with the company. Common reasons include:
- Subject access request ignored — you asked for a copy of your data and got no response within one month.
- Right to erasure denied — the company refused to delete your data without a valid legal basis.
- Unsolicited marketing — emails, SMS, or calls you never consented to.
- Data breach — your information was leaked, lost, or accessed by unauthorised parties.
- Excessive data collection — a service is collecting more information than it needs.
- CCTV concerns — improper surveillance by a neighbour, employer, or business.
- Cookie compliance — websites tracking you without valid consent.
- Inaccurate data — the company refuses to correct wrong information about you.
Try Resolving It Directly First
The DPC strongly recommends — and in practice usually requires — that you contact the organisation first and give them a reasonable opportunity (typically one month) to respond. Most companies have a Data Protection Officer (DPO) or a dedicated privacy email address (often privacy@ or dpo@). Keep written records of every email, letter, and reply.
How to File a Privacy Complaint with the DPC: Step-by-Step
The DPC accepts complaints in three ways: through its online webform, by post, or by email. The online webform is the fastest and most reliable method.
Step 1: Gather Your Evidence
Before you start, collect the following documentation:
- Your full name, address, and contact details
- The name and contact details of the organisation you are complaining about
- A clear chronological summary of what happened
- Copies of all correspondence with the organisation (emails, letters, screenshots)
- Any reference numbers or case IDs
- Evidence of harm or distress, if relevant
Step 2: Visit the DPC Website
Go to dataprotection.ie and navigate to "Contact / Make a Complaint." You will find an electronic complaint form (eComplaints portal) that walks you through each section.
Step 3: Complete the Complaint Form
The form will ask for:
- Your identity — the DPC does not accept anonymous complaints because the organisation has a right to respond to a named complainant.
- The respondent — the organisation you are complaining about, including their address.
- The nature of your complaint — which GDPR right you believe has been breached (Articles 12–22 cover most data subject rights).
- What steps you have already taken — proof you contacted the organisation first.
- What outcome you want — deletion, correction, compensation referral, or simply an investigation.
- Supporting documents — upload your evidence as PDF or image files.
Step 4: Submit and Save Your Reference Number
Once you submit, the DPC will issue an acknowledgement with a case reference number, usually within 5–10 working days. Save this number — you will need it for every future enquiry.
Step 5: Cooperate with the Caseworker
A DPC caseworker will be assigned to your file. They may contact you for clarification, additional documents, or to confirm whether you are willing to engage in amicable resolution (a fast-track mediation process).
DPC Complaint Process: Timeline and Stages
The DPC follows a structured handling process under Section 109 of the Data Protection Act 2018.
| Stage | What Happens | Typical Timeframe |
|---|---|---|
| 1. Acknowledgement | DPC confirms receipt and assigns a case number | 5–10 working days |
| 2. Assessment | Caseworker reviews whether the complaint falls within DPC remit | 2–8 weeks |
| 3. Amicable Resolution | DPC tries to mediate between you and the organisation | 1–3 months |
| 4. Formal Investigation | If no resolution, a statutory inquiry is opened | 6 months – 2+ years |
| 5. Draft Decision | Findings issued; both parties can respond | 1–3 months |
| 6. Final Decision | Binding decision, possible fines or orders | Varies |
Simple complaints — such as a company failing to respond to an access request — often resolve at the amicable resolution stage within a few months. Complex cross-border cases involving large platforms can take years, partly due to consultation with other EU supervisory authorities under Article 60 GDPR.
What Outcomes Can You Expect?
The DPC has a broad range of corrective powers under Article 58 of the GDPR. Possible outcomes of a complaint include:
- Warning or reprimand issued to the organisation
- Order to comply — for example, fulfil your access request or delete your data
- Ban on processing in serious cases
- Administrative fine up to €20 million or 4% of global annual turnover
- Public decision on the DPC's website, which can affect the company's reputation
Importantly, the DPC does not award compensation directly. If you want monetary damages for distress or financial loss, you must bring a civil claim in the Circuit Court or High Court under Section 117 of the Data Protection Act 2018. A successful DPC decision can, however, be powerful evidence in such a claim.
What If You're Unhappy with the DPC's Decision?
If you disagree with the outcome, you have two main options:
- Appeal to the Circuit Court within 28 days of the decision. The Circuit Court can affirm, vary, or set aside the DPC's ruling.
- Judicial review in the High Court if you believe the DPC acted unlawfully or unreasonably in handling your case.
You may also escalate concerns to the European Data Protection Board (EDPB) in cross-border cases, although the EDPB does not handle individual complaints directly.
Tips to Strengthen Your Complaint
Caseworkers handle thousands of complaints each year. A well-prepared submission gets attention faster.
Be Specific and Chronological
Use dates, names, and reference numbers. Instead of "they ignored me," write "On 3 March 2026 I emailed dpo@example.ie requesting erasure under Article 17. I received an automated reply but no substantive response by 3 April 2026."
Cite the Relevant GDPR Article
You don't need to be a lawyer, but referencing the specific right (e.g. Article 15 access, Article 17 erasure, Article 21 objection to direct marketing) shows you understand the framework and helps the caseworker triage quickly.
Keep Evidence Organised
Number your attachments (Exhibit 1, Exhibit 2…) and reference them in your narrative. Combine related screenshots into a single PDF where possible.
State What You Want
Be realistic. "I want my data deleted and confirmation in writing" is achievable. "I want the company shut down" is not.
Protecting Your Privacy Going Forward
Filing a complaint is reactive. The best long-term strategy is to limit how much personal data you expose in the first place. Practical steps include using strong unique passwords with a password manager, enabling two-factor authentication, opting out of unnecessary cookies, and being careful where you share your email or phone number.
When sharing links online, consider using a privacy-respecting URL shortener like Lunyb, which doesn't profile users or sell click data to advertisers — a small but meaningful way to reduce the data footprint you leave behind. For a deeper look at how it compares to alternatives, see our Best URL Shorteners Buyer's Guide or our honest Lunyb review.
Common Mistakes That Delay Complaints
- Skipping the company first — the DPC will usually send you back to contact the organisation directly.
- Submitting anonymously — the DPC cannot process anonymous complaints.
- Vague allegations — without dates, evidence, and specifics, the case stalls.
- Wrong jurisdiction — if the company is established only in another EU country, the lead authority may not be the DPC. The DPC can transfer the file, but it adds delay.
- Expecting compensation — remember, monetary damages come from the courts, not the DPC.
Frequently Asked Questions
How much does it cost to file a complaint with the DPC?
Filing a complaint with the Data Protection Commission is completely free. There are no fees at any stage of the DPC process. You only incur costs if you decide to appeal a decision in court or hire a solicitor, which is optional.
How long do I have to file a complaint?
There is no strict statutory time limit, but the DPC recommends complaining as soon as possible. For very old incidents (typically more than 12 months), the DPC may decline to investigate unless you can show good reason for the delay. Civil claims for compensation generally have a six-year limitation period under Irish law.
Can I file a complaint against a company based outside Ireland?
Yes, if the company offers goods or services in Ireland or monitors the behaviour of people in Ireland, the GDPR applies. For companies headquartered elsewhere in the EU, the DPC may transfer the case to the lead supervisory authority under the one-stop-shop mechanism. For non-EU companies (e.g. some US firms), the DPC can still investigate breaches affecting Irish residents.
Will the company find out I complained?
Yes. The DPC must share your complaint with the organisation so they can respond — that is a basic requirement of fair procedures. The DPC cannot process anonymous complaints. However, retaliation against you (e.g. closing your account in revenge) could itself be unlawful, and you can complain again if it happens.
Can the DPC force a company to pay me compensation?
No. The DPC can order a company to comply with the law, issue reprimands, and impose administrative fines (which go to the Irish Exchequer, not to you). To receive personal compensation for distress or financial loss, you need to bring a civil action under Section 117 of the Data Protection Act 2018 in the Circuit Court or High Court. A favourable DPC decision strengthens such a case considerably.
Final Thoughts
Filing a complaint with the DPC Ireland is one of the most powerful tools EU citizens have to enforce their privacy rights — and it costs nothing. The keys to success are simple: contact the organisation first, document everything, be specific, and be patient. While complex cross-border cases can drag on, straightforward complaints often resolve within months and can lead to real change in how companies handle your data.
Privacy is a fundamental right, not a privilege. Whether you're dealing with a stubborn retailer, an oversharing app, or a global platform, the DPC exists to make sure that right is respected.
Protect your links with Lunyb
Create secure, trackable short links and QR codes in seconds.
Get Started FreeRelated Articles
Data Protection Act 2018 Ireland: Complete Guide for Businesses
A complete, plain-English guide to the Data Protection Act 2018 Ireland — covering scope, principles, data subject rights, controller obligations, DPC powers, and fines. Learn the practical compliance steps every Irish business needs to take.
Singapore Online Safety Act 2026: Complete Guide for Businesses and Users
Singapore's Online Safety Act 2026 expands platform duties around scams, deepfakes, and child safety, with fines up to S$1 million per breach. This complete guide covers who is in scope, the new obligations, penalties, and a practical compliance checklist for businesses and users.
Singapore PDPA vs GDPR: Key Differences Every Business Must Know
Singapore's PDPA and the EU's GDPR both protect personal data, but they differ in scope, consent rules, penalties, and individual rights. This guide breaks down the key differences for businesses operating in both jurisdictions.
ePrivacy Regulations Ireland: Latest Updates and Compliance Guide 2026
A complete 2026 guide to ePrivacy regulations in Ireland, including the latest DPC enforcement trends, cookie consent rules, direct marketing requirements, and a practical compliance checklist for Irish organisations.