facebook-pixel

DPC Ireland: How to File a Privacy Complaint (2026 Guide)

L
Lunyb Security Team
··9 min read

If an organisation has mishandled your personal data, ignored a subject access request, or refused to delete information you're entitled to remove, you have the right to complain to Ireland's Data Protection Commission (DPC). As the lead supervisory authority for many of the world's largest tech companies headquartered in Dublin, the DPC plays a central role in enforcing the General Data Protection Regulation (GDPR) across the EU.

This guide walks you through exactly how to file a privacy complaint with the DPC in 2026, what evidence to gather, what timelines to expect, and how to escalate your case if you're not satisfied with the outcome.

What Is the Data Protection Commission (DPC)?

The Data Protection Commission is Ireland's national independent authority responsible for upholding the fundamental right of individuals in the EU to have their personal data protected. It enforces the GDPR, the Irish Data Protection Act 2018, and the ePrivacy Regulations.

Because many multinational technology companies — including Meta, Google, TikTok, Microsoft and LinkedIn — have their EU headquarters in Ireland, the DPC often acts as the "lead supervisory authority" for cross-border complaints under the GDPR's one-stop-shop mechanism. This means an Irish resident's complaint about a global platform may result in decisions that affect users right across the European Economic Area.

What the DPC Can and Cannot Do

The DPC can investigate organisations, issue reprimands, impose fines of up to €20 million or 4% of global annual turnover, order data to be deleted, and suspend data transfers. It cannot, however, award you personal compensation — for that, you must bring a civil claim in the Irish courts.

When You Can File a Complaint With the DPC

You can lodge a complaint with the DPC if you believe your rights under the GDPR or Irish data protection law have been breached. Common grounds include:

  • Unlawful processing: An organisation processed your data without a valid legal basis.
  • Failure to respond to a subject access request (SAR): You asked for a copy of your data and were ignored or refused unlawfully.
  • Refusal to delete data: An organisation would not honour your right to erasure ("right to be forgotten").
  • Data breaches: Your data was exposed or lost due to inadequate security.
  • Unwanted marketing: Continued emails, SMS or calls after you opted out.
  • Excessive data collection: An organisation asked for more information than was necessary.
  • Cookies and tracking: Non-compliant cookie banners or covert tracking.
  • CCTV and surveillance: Disproportionate monitoring in workplaces, apartments or public spaces.

Try to Resolve It Directly First

The DPC strongly encourages complainants to raise the issue with the organisation first. In most cases, you should contact the company's Data Protection Officer (DPO) in writing and give them a reasonable period — typically one month — to respond. If they refuse, ignore you, or their answer is unsatisfactory, then the DPC will accept your complaint.

How to File a Privacy Complaint With the DPC: Step-by-Step

Filing a complaint is free and can be done entirely online. Here is the process in 2026:

  1. Gather your evidence. Collect emails, screenshots, timestamps, copies of your original request to the organisation, and any responses (or proof they never replied).
  2. Identify the correct organisation. Note the exact legal name of the data controller. For large platforms, this is often the Irish subsidiary (e.g., "Meta Platforms Ireland Limited").
  3. Draft a clear summary. In one or two paragraphs, describe what happened, when it happened, and which of your rights you believe were breached.
  4. Visit the DPC website. Go to dataprotection.ie and open the "Contact / Raise a Concern" section. Choose "Make a Complaint".
  5. Complete the online webform. Provide your contact details, the organisation's details, a description of the complaint, and upload supporting documents (PDF, DOC, JPG, PNG accepted).
  6. Submit and save the reference number. You will receive an automated acknowledgement with a case reference. Keep this for all future correspondence.
  7. Respond promptly to follow-ups. A DPC caseworker may ask for clarifications or further evidence. Delays on your side can slow the process significantly.

Alternative Ways to Submit

If you cannot use the webform, you can post a written complaint to: Data Protection Commission, 21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland. You can also email info@dataprotection.ie, though the webform is preferred because it captures structured information.

What Information Your Complaint Should Contain

A well-prepared complaint is far more likely to be handled quickly. Include:

  • Your full name, address, email and phone number.
  • The name and contact details of the organisation.
  • A concise chronological summary of events with dates.
  • Which GDPR right or article you believe has been breached (e.g., Article 15 — right of access; Article 17 — right to erasure).
  • Copies of correspondence with the organisation.
  • The outcome you are seeking (e.g., deletion, correction, an explanation, a fine).

DPC Complaint Process: What Happens Next

Once your complaint is submitted, it typically moves through several defined stages:

StageWhat HappensTypical Timeframe
1. AcknowledgementAutomated confirmation and case reference issued.Within 1–3 working days
2. AssessmentDPC reviews whether the complaint falls within its remit.4–8 weeks
3. Amicable resolutionDPC contacts the organisation to seek a voluntary fix.1–3 months
4. Formal investigationStatutory inquiry launched if no resolution or serious breach.6 months – 2+ years
5. DecisionBinding decision issued, with sanctions if applicable.Variable
6. AppealEither party may appeal to the Circuit Court or High Court.28-day window

Amicable Resolution vs Formal Investigation

The vast majority of complaints are resolved amicably — the DPC facilitates a solution between you and the organisation, such as deleting your data, providing the access you were owed, or ceasing marketing contact. Formal statutory inquiries are reserved for more serious, systemic or cross-border matters.

Cross-Border Complaints and the One-Stop-Shop

If your complaint concerns a company headquartered in another EU country, you don't need to file in that country. You can complain to the DPC and, under the one-stop-shop mechanism, it will forward your case to the correct lead supervisory authority. Similarly, if you're an EU resident outside Ireland complaining about an Irish-based multinational, your local regulator will pass the case to the DPC.

Practical Privacy Tips While Your Complaint Is Ongoing

Waiting for a regulator's decision can take months. In the meantime, it's worth tightening your own privacy hygiene:

  • Audit your accounts. Delete dormant accounts and remove personal data you no longer need to share.
  • Use privacy-respecting tools. Consider encrypted DNS resolvers, tracker-blocking browsers like Brave or Firefox with strict mode, and disposable email aliases.
  • Be careful with shared links. When posting URLs on social media or in messages, avoid links that leak referrer information or attach identifying query strings. A privacy-focused URL shortener like Lunyb can strip tracking parameters and produce clean, minimal links — useful when you don't want to expose analytics data to third parties. You can read more in our honest review of Lunyb or compare alternatives in our 2026 URL shortener buyer's guide.
  • Enable multi-factor authentication on any account tied to the complaint.
  • Keep a privacy diary. Log every new incident — it strengthens future complaints.

If You Are Unhappy With the DPC's Decision

You have several routes if you disagree with the outcome:

  1. Ask for internal review. Request that a senior DPC officer re-examine your case.
  2. Appeal to the courts. Under Section 150 of the Data Protection Act 2018, you can appeal a legally binding decision to the Circuit Court (or High Court for larger matters) within 28 days.
  3. Bring a civil action for compensation. Under Section 117 of the Act, you can sue the controller directly in the Irish courts for material or non-material damages.
  4. Complain to the Ombudsman. If your issue is about how the DPC handled your case (rather than the substantive decision), the Office of the Ombudsman may review the administrative process.

Common Mistakes to Avoid

  • Skipping the direct-contact step. The DPC will often bounce your complaint back if you haven't given the organisation a chance to respond.
  • Providing vague evidence. Screenshots without dates, or summaries without documents, weaken your case.
  • Missing the one-year window. While there is no strict statutory deadline, the DPC prefers complaints raised within 12 months of the incident.
  • Confusing consumer complaints with data protection issues. Billing disputes, poor service, or contract issues should go to the CCPC or a sector regulator, not the DPC.
  • Expecting compensation from the DPC. Remember: only the courts can award damages.

Frequently Asked Questions

How much does it cost to file a complaint with the DPC?

Nothing. Filing a privacy complaint with Ireland's Data Protection Commission is entirely free, whether you submit it via the webform, email, or by post. You do not need a solicitor, although you may choose to instruct one for complex or high-value cases.

How long does a DPC complaint take to resolve?

Simple complaints resolved amicably often conclude in 3–6 months. Formal statutory inquiries — especially cross-border cases involving large tech platforms — can take one to three years, sometimes longer if appealed to the courts or referred to the European Data Protection Board.

Can I complain anonymously to the DPC?

You can raise a concern anonymously, and the DPC may still act on the information (for example, opening its own inquiry). However, a formal complaint that triggers your individual rights under Article 77 GDPR requires you to identify yourself, because the DPC must be able to communicate the outcome to you and verify your standing.

Can I complain about a company based outside the EU?

Yes, if that company offers goods or services to people in Ireland or the EU, or monitors their behaviour, it falls within the territorial scope of the GDPR (Article 3). The DPC can investigate and, where necessary, coordinate with other authorities. Enforcement against non-EU entities can be slower, however.

Do I need a solicitor to file a DPC complaint?

No. The DPC's process is designed to be accessible to ordinary members of the public without legal representation. Most complainants complete the webform themselves. You may want legal advice if you're considering a parallel court claim for compensation, or if the case involves complex commercial or employment issues.

Final Thoughts

The Data Protection Commission is one of the most influential privacy regulators in the world, and Irish residents benefit from direct access to it. Filing a complaint is free, largely digital, and doesn't require legal expertise — but preparation matters. Give the organisation a fair chance to fix the problem, gather clean evidence, cite the specific GDPR rights involved, and be patient with the process.

Whether the outcome is an amicable resolution or a headline-grabbing multi-million-euro fine, every complaint helps enforce the standards that protect everyone's personal data across Ireland and the EU.

Protect your links with Lunyb

Create secure, trackable short links and QR codes in seconds.

Get Started Free

Related Articles