DPC Ireland: How to File a Privacy Complaint (2026 Guide)

Lunyb Security Team · 10 min read

If a company has mishandled your personal data, ignored your access request, or kept marketing emails coming after you unsubscribed, you have the right to file a complaint with Ireland's Data Protection Commission (DPC). The DPC is the national supervisory authority for data protection in Ireland and one of the most influential regulators in the EU, given that Dublin hosts the European headquarters of Meta, Google, TikTok, LinkedIn, and many other tech giants.

This guide walks you through exactly how to file a privacy complaint with the DPC, what evidence you need, how long it takes, and what outcomes you can realistically expect in 2026.

What Is the Data Protection Commission (DPC)?

The Data Protection Commission is Ireland's independent national authority responsible for upholding the EU General Data Protection Regulation (GDPR), the Irish Data Protection Act 2018, and the ePrivacy Regulations. It investigates complaints, audits organisations, issues guidance, and can impose administrative fines of up to €20 million or 4% of a company's global annual turnover, whichever is higher.

Because so many multinational technology companies have their EU base in Ireland, the DPC acts as the "lead supervisory authority" for cross-border cases under the GDPR's one-stop-shop mechanism. That means a complaint filed in Dublin can affect users across all 27 EU member states.

What the DPC Can and Cannot Do

The DPC can:

  • Investigate organisations established in Ireland
  • Order a company to comply with your rights (access, deletion, rectification)
  • Issue reprimands, warnings, and binding orders
  • Impose administrative fines
  • Refer cases to other EU regulators

The DPC cannot:

  • Award you personal compensation (you must go to court for damages)
  • Pursue criminal prosecutions (other than specific statutory offences)
  • Force companies outside its jurisdiction to act directly
  • Resolve disputes about contracts, defamation, or content takedowns unrelated to personal data

When You Can File a Complaint With the DPC

You can file a complaint when an organisation has likely breached your data protection rights under the GDPR or Irish law. Common grounds include:

  1. Unanswered access requests: You asked for a copy of your data and the controller did not respond within one month.
  2. Refused erasure ("right to be forgotten"): You requested deletion of your data and were unreasonably refused.
  3. Unlawful processing: A company is using your data without a valid legal basis, such as sending marketing without consent.
  4. Data breaches: Your data was exposed and you were not properly informed.
  5. Excessive data collection: A service collects far more personal information than it needs.
  6. Cookie and tracking violations: A website drops non-essential cookies without your consent.
  7. Profiling and automated decisions: A decision was made about you (credit, insurance, employment) without meaningful human review.

Try the Organisation First

The DPC strongly prefers that you raise the issue with the organisation directly before escalating. Most controllers have a Data Protection Officer (DPO) or privacy contact whose details should appear in their privacy notice. Give them a reasonable opportunity — usually 30 days — to respond. Keep copies of every email; you will need them.

Step-by-Step: How to File a Complaint With the DPC

Step 1: Gather Your Evidence

Before you submit anything, collect:

  • The full name and address of the organisation
  • Copies of any correspondence with them (emails, letters, screenshots)
  • The date you first contacted them and the date of their last reply (or lack thereof)
  • A clear, chronological summary of what happened
  • Any reference numbers, account IDs, or order numbers
  • Screenshots of websites, cookie banners, or marketing messages where relevant

Step 2: Choose How to File

The DPC accepts complaints through three main channels:

Method | Best For | Response Speed
Online webform (dataprotection.ie) | Most individual complaints | Acknowledgement within 1–2 weeks
Email (info@dataprotection.ie) | Complex cases with many attachments | Acknowledgement within 2–3 weeks
Postal letter to 21 Fitzwilliam Square South, Dublin 2 | Anyone without reliable digital access | Slowest; allow 3–4 weeks

Step 3: Complete the Complaint Form

The online form asks for:

  1. Your name, address, and contact details
  2. The organisation you are complaining about
  3. The nature of the complaint (a dropdown — pick the closest match)
  4. A written description of the issue
  5. Evidence uploads (PDF, JPG, PNG accepted; usually up to 10MB each)
  6. Confirmation that you have already contacted the organisation

Be factual and concise. Avoid emotional language; the case officer needs a clear sequence of events and a clear statement of which right you believe was breached.

Step 4: Receive Acknowledgement

The DPC will send you a written acknowledgement with a case reference number. Save this — you will need it for any future correspondence.

Step 5: Engage With the Case Officer

A case officer is assigned and will usually attempt "amicable resolution" first, meaning they ask the organisation to address your complaint directly. You may be asked for additional information or to clarify what outcome you want. Common outcomes you can request include:

  • Access to your data
  • Erasure of specific records
  • Correction of inaccurate information
  • An end to marketing contact
  • A formal explanation of the legal basis used

Step 6: Formal Investigation (if needed)

If amicable resolution fails, the DPC may open a formal statutory inquiry. This can lead to a binding decision, corrective orders, and in serious cases, fines. You will be informed of the decision and given a copy of the final ruling.

How Long Does a DPC Complaint Take?

Honesty matters here: timescales vary enormously. Straightforward complaints — like an unanswered access request against an Irish SME — can be resolved within 2 to 4 months. Cross-border complaints involving major platforms often take 18 months to several years because of the cooperation procedure with other EU regulators and the European Data Protection Board.

Complaint Type | Typical Timeline
Unanswered access request (Irish SME) | 2–4 months
Direct marketing / cookie complaint | 4–9 months
Data breach against domestic controller | 6–12 months
Cross-border complaint vs. major platform | 18 months to 4+ years

What Does It Cost?

Filing a complaint with the DPC is free of charge. You do not need a solicitor, although for complex cases — especially if you intend to seek damages later in court — independent legal advice is sensible. Several Irish citizen advice bodies, including Citizens Information and FLAC (Free Legal Advice Centres), can help you draft a complaint at no cost.

Possible Outcomes of a Complaint

The DPC can conclude a case in several ways:

  • Amicable resolution: The organisation does what you asked and the case closes.
  • No infringement found: The DPC decides the controller acted lawfully.
  • Reprimand or warning: A formal notice that the organisation has breached the GDPR.
  • Corrective order: The organisation is ordered to delete data, change a practice, or improve safeguards.
  • Administrative fine: Financial penalties, more common against larger entities.

If you disagree with the outcome, you can appeal to the Circuit Court (for less serious decisions) or the High Court (for inquiry decisions) within 28 days.

Tips to Strengthen Your Complaint

Keep a Paper Trail From Day One

When you first contact a company about your data, do it in writing. If you must phone, follow up by email summarising what was discussed. Without documented evidence, your complaint becomes "he said, she said" — and that almost always loses.

Cite the Right Provisions

You don't need to be a lawyer, but referring to specific GDPR articles helps. For example: Article 15 (access), Article 17 (erasure), Article 21 (objection), Article 6 (lawful basis), Article 7 (consent). The case officer will take you more seriously when you frame the issue in legal terms.

Be Specific About What You Want

"I want them to stop using my data" is vague. "I want all my personal data deleted from their CRM, mailing list, and any third-party processors, and written confirmation within 30 days" is actionable.

Protect Your Identity Online While You Wait

While the DPC investigates, take practical steps to limit further exposure. Use encrypted DNS, switch to a privacy-focused browser, and avoid sharing tracking-heavy links. For sharing links safely with friends or on social media without revealing analytics-stuffed source URLs, a clean shortener like Lunyb can help reduce metadata leakage. See our honest review of Lunyb for context on how it handles user data.

Special Cases: Children, Employees, and Public Bodies

Complaints About Children's Data

The DPC operates the Children's Fundamentals, a set of principles that hold platforms to a higher standard when processing children's data. Parents and guardians can file complaints on behalf of minors, and the DPC has prioritised cases involving age-appropriate design, school apps, and gaming platforms.

Workplace Privacy Complaints

Employees can complain about excessive monitoring, biometric attendance systems, covert CCTV, or misuse of HR records. The DPC has published specific guidance for the workplace context, and these cases often resolve faster because the employer is identifiable and Irish-established.

Complaints Against Public Bodies

You can complain about government departments, the HSE, local authorities, and An Garda Síochána (with some restrictions for law enforcement processing covered by the Law Enforcement Directive, or LED). Public bodies cannot be fined as heavily as private companies, but they can be ordered to change practices.

Alternatives and Parallel Routes

A DPC complaint is not your only option. You can also:

  • Sue in the Circuit or High Court for compensation under Section 117 of the Data Protection Act 2018
  • Report a scam or fraud to An Garda Síochána
  • Contact ComReg for telecoms and ePrivacy-specific issues like unsolicited calls or SMS
  • Use the Press Council or Coimisiún na Meán for media-related complaints
  • Escalate to the European Data Protection Board if a cross-border case stalls

If your broader concern is choosing privacy-respecting tools — for example, link-sharing platforms that don't profile your audience — see our 2026 buyer's guide to URL shorteners for a comparison of how the major providers handle data.

Frequently Asked Questions

Can I file a DPC complaint anonymously?

No. The DPC requires complainants to identify themselves so it can verify the facts and communicate findings. Your identity will normally be disclosed to the organisation being complained about, because they need to investigate the specific incident. The DPC does, however, keep your details confidential from the public.

Can someone outside Ireland file a complaint with the DPC?

Yes. Because so many multinational tech companies are headquartered in Ireland, residents of any EU member state can complain to the DPC if the controller is Irish-established. Non-EU residents can also complain when their data is processed by an Irish controller. Often it is easier to start with your local data protection authority, which will forward the case to Dublin under the GDPR cooperation procedure.

Will the DPC tell me what fine the company received?

Final inquiry decisions, including fine amounts, are usually published on the DPC's website once any appeal period has passed. You will also be sent a copy of the decision as the original complainant. Note that fines are paid to the Irish Exchequer, not to you.

Can I claim compensation through the DPC?

No. The DPC cannot award personal damages. To claim compensation for material or non-material damage (such as distress), you must bring a separate civil action in the Circuit or High Court under Section 117 of the Data Protection Act 2018. A DPC finding in your favour is, however, very useful evidence in those proceedings.

What if the DPC closes my case and I disagree?

You can appeal a statutory decision to the Circuit Court (for most matters) or to the High Court (for major inquiry outcomes) within 28 days of being notified. For less formal closures — for example, a case officer deciding there is no breach to investigate — you can request an internal review or escalate via your TD or the Oireachtas Justice Committee, though neither can overturn a legal decision.

Final Thoughts

Filing a privacy complaint with the DPC is one of the most powerful tools an Irish or EU resident has to enforce their data protection rights, and it costs nothing but time. Be methodical: contact the organisation first, document everything, cite the relevant rights, and be patient with timelines — especially for cross-border cases. Even when individual complaints take years, they contribute to the body of enforcement that has reshaped how global platforms handle personal data. Your complaint matters more than you think.
