
DPC Ireland: How to File a Privacy Complaint (Complete 2026 Guide)

Lunyb Security Team

The Data Protection Commission (DPC) is Ireland's national authority responsible for upholding the fundamental right of individuals to have their personal data protected. If a company, public body, or organisation has mishandled your personal data, you have a statutory right under the GDPR and the Irish Data Protection Act 2018 to lodge a complaint with the DPC. This guide walks you through exactly how to file a privacy complaint with the DPC Ireland, what evidence you need, how long it takes, and what outcomes you can realistically expect.

What Is the DPC and What Does It Do?

The Data Protection Commission (Coimisiún um Chosaint Sonraí) is Ireland's independent statutory body responsible for enforcing data protection law. Because many of the world's largest technology companies — including Meta, Google, TikTok, Apple, and Microsoft — have their European headquarters in Dublin, the DPC also acts as the lead supervisory authority for these firms across the entire European Union under the GDPR's One-Stop-Shop mechanism.

The DPC has the power to:

  • Investigate complaints from individuals (data subjects)
  • Issue legally binding decisions and corrective orders
  • Impose administrative fines of up to €20 million or 4% of global annual turnover
  • Suspend or ban data processing activities
  • Refer matters to the Circuit Court or High Court

When Should You File a Complaint with the DPC?

You can file a complaint with the DPC Ireland whenever you believe an organisation has breached your data protection rights under the GDPR or the Data Protection Act 2018. Common grounds for complaints include:

Common Reasons to Complain

  1. Unanswered Subject Access Request (SAR): You asked a company for a copy of your personal data and they ignored you or refused without a valid reason.
  2. Unlawful processing: An organisation is using your data without a valid legal basis (consent, contract, legal obligation, etc.).
  3. Unsolicited marketing: You keep receiving emails, SMS, or calls after withdrawing consent or opting out.
  4. Data breach: Your data has been exposed in a breach and the controller didn't notify you appropriately.
  5. Refusal to delete data: You exercised your right to erasure (right to be forgotten) and the company refused.
  6. Inaccurate data: A controller refuses to correct inaccurate information about you.
  7. CCTV and surveillance issues: Excessive monitoring at work, in apartments, or by neighbours.
  8. Cookie and tracking violations: Websites setting non-essential cookies without consent.

Before You File: Contact the Organisation First

The DPC strongly recommends — and in practice almost always requires — that you contact the organisation directly before lodging a formal complaint. This is not a legal prerequisite, but the DPC will usually ask whether you have already raised the issue with the controller's Data Protection Officer (DPO).

Steps to Take Before Complaining

  1. Identify the Data Protection Officer (DPO) or privacy contact on the company's website (usually in the privacy policy).
  2. Write a clear, dated request stating exactly what you want (access, erasure, correction, etc.) and cite the relevant GDPR article.
  3. Keep written evidence — send by email or registered post so you have proof.
  4. Wait one calendar month. Controllers have 30 days to respond to most requests (extendable to 90 days for complex cases).
  5. Save the response (or lack of one) as evidence for your DPC complaint.

How to File a Privacy Complaint with the DPC Ireland: Step-by-Step

Step 1: Gather Your Evidence

Before you start, collect everything relevant to your complaint:

  • Copies of correspondence with the organisation
  • Screenshots of the offending content, emails, or website behaviour
  • Dates and times of incidents
  • Names of any employees you dealt with
  • Your original request and the controller's response (or proof of non-response)

Step 2: Choose Your Filing Method

The DPC accepts complaints through three channels:

| Method | Best For | Contact Details |
|---|---|---|
| Online webform | Most individuals — fastest option | forms.dataprotection.ie |
| Email | Complex cases with many attachments | info@dataprotection.ie |
| Postal mail | Those without internet access | 21 Fitzwilliam Square South, Dublin 2, D02 RD28 |

Step 3: Complete the Complaint Form

The DPC's online complaint form will ask you for:

  1. Your personal details — name, address, email, phone number. Anonymous complaints are generally not accepted.
  2. The organisation you are complaining about — full legal name and address if possible.
  3. A clear description of the issue — what happened, when, and which GDPR rights you believe were breached.
  4. Steps you have already taken — when you contacted the controller and what response you received.
  5. The outcome you are seeking — e.g. access to your data, deletion, correction, or an investigation.
  6. Supporting documents — uploads of emails, screenshots, and the controller's response.

Step 4: Submit and Receive Acknowledgement

After submission you should receive an acknowledgement email within a few working days, typically with a case reference number. Keep this number safe — you will need it for all future correspondence.

Step 5: Engage with the DPC's Caseworker

A caseworker from the DPC's Information & Assessment Unit will review your complaint. They may:

  • Ask you for additional information or clarification
  • Contact the controller for their version of events
  • Attempt amicable resolution between you and the controller
  • Escalate the matter to a formal statutory inquiry if amicable resolution fails

What Happens After You File?

The Amicable Resolution Stage

The DPC's first preference is to resolve complaints amicably. In many cases — particularly subject access request delays or marketing opt-out failures — the controller will comply once contacted by the DPC. This typically takes 1–3 months.

Formal Statutory Inquiry

If amicable resolution fails or the issue is serious (large-scale breach, systemic violation, big-tech case), the DPC may open a formal inquiry under Section 110 of the Data Protection Act 2018. Inquiries can take 12 months to several years, especially for cross-border cases involving multinationals.

Possible Outcomes

  • Complaint upheld: The DPC issues a decision, possibly with a corrective order or fine.
  • Complaint rejected: No breach found — you can appeal to the Circuit Court within 28 days.
  • Amicable settlement: The controller fixes the issue and the case is closed.
  • Withdrawal: You can withdraw your complaint at any stage.

Realistic Timelines: How Long Does It Take?

| Stage | Typical Duration |
|---|---|
| Acknowledgement of complaint | 1–2 weeks |
| Initial assessment by caseworker | 1–3 months |
| Amicable resolution attempt | 3–6 months |
| Formal statutory inquiry (domestic) | 9–18 months |
| Cross-border inquiry (big tech) | 2–5+ years |

If you are unhappy with how slowly your complaint is progressing, you have the right under Article 78 GDPR to seek a judicial remedy against the DPC for failing to act within three months.

Your Rights Throughout the Process

As a data subject, you are entitled to:

  • Be kept informed of the progress and outcome of your complaint
  • Receive a reasoned decision in writing
  • Appeal an adverse decision to the Circuit Court (Section 150 of the Data Protection Act 2018)
  • Seek compensation through the civil courts under Section 117 — separately from the DPC process
  • Lodge a complaint with another EU supervisory authority where you live, work, or where the breach occurred

Tips to Strengthen Your Complaint

  1. Be specific. Vague complaints get vague outcomes. Quote the exact GDPR articles you believe were breached (e.g. Article 15 for access, Article 17 for erasure).
  2. Stick to the facts. Emotional language weakens your case. Present a chronological timeline.
  3. Provide documentary evidence. Screenshots, emails, and timestamps carry more weight than recollections.
  4. State your desired remedy clearly. Do you want your data deleted? Access granted? Marketing stopped? Make it explicit.
  5. Don't file multiple parallel complaints about the same issue — it slows everyone down.

Protecting Your Privacy Proactively

Filing a complaint is a reactive step — but you can prevent many privacy problems by being proactive. When sharing links online, for example, using a privacy-respecting URL shortener like Lunyb can help you avoid exposing tracking parameters that leak personal data. Read our honest Lunyb review to see how it compares to others, or check our 2026 buyer's guide to URL shorteners for a broader comparison.

Other proactive steps include reviewing the privacy settings on your accounts, regularly submitting subject access requests to companies that hold your data, and reading privacy policies before signing up to new services.

Common Mistakes That Sink Complaints

  • Skipping the controller contact stage — the DPC will usually refer you back to them.
  • Complaining about non-GDPR matters — consumer disputes, defamation, or harassment may fall under other regulators (CCPC, Garda Síochána).
  • Complaining about journalism or artistic expression — these are largely exempt under Section 43 of the Data Protection Act 2018.
  • Filing against the wrong entity — make sure you identify the actual data controller, not a processor.
  • Missing deadlines for appeals — you only have 28 days to appeal a DPC decision to the Circuit Court.

Cross-Border Complaints and the One-Stop-Shop

Because the DPC is the lead supervisory authority for many global tech firms, complaints from people across the EU often end up in Dublin. If you live outside Ireland but want to complain about an Irish-headquartered company, you can:

  1. File with your own national data protection authority — they will forward it to the DPC
  2. File directly with the DPC if you prefer
  3. Communicate in any official EU language

Frequently Asked Questions

Is there a fee to file a complaint with the DPC?

No. Filing a complaint with the Data Protection Commission Ireland is completely free of charge. You also do not need a solicitor, although you may engage one if your case is complex.

Can I file a complaint anonymously?

Generally no. The DPC requires your identity to investigate properly and to communicate the outcome to you. However, the DPC will not disclose your identity to the organisation you are complaining about without your consent in most circumstances, and your details are protected under the DPC's own privacy notice.

What if I'm not happy with the DPC's decision?

You can appeal a legally binding decision of the DPC to the Circuit Court within 28 days under Section 150 of the Data Protection Act 2018. You may also seek separate compensation through the civil courts under Section 117, independent of the DPC complaint outcome.

Can I claim compensation through the DPC?

No. The DPC cannot award damages or compensation. To seek financial compensation for material or non-material damage caused by a GDPR breach, you must bring a separate civil action in the Circuit Court or High Court under Article 82 GDPR and Section 117 of the Irish Data Protection Act 2018.

How long do I have to file a complaint?

There is no strict statutory deadline for filing a complaint with the DPC, but you should file as soon as reasonably possible after the issue occurs. Long delays can make it harder for the DPC to investigate and for the controller to retrieve relevant records. Civil compensation claims, however, are subject to a six-year limitation period under the Statute of Limitations.

What if the company is based outside the EU?

The GDPR applies to any organisation processing the personal data of people in the EU, regardless of where the company is based. If the organisation has an EU representative, you can complain via the DPC. If not, enforcement may be more difficult but the DPC can still investigate and impose fines.

Final Thoughts

Filing a privacy complaint with the DPC Ireland is a straightforward but sometimes slow process. The keys to success are: contacting the controller first, gathering solid documentary evidence, being precise about which GDPR rights you believe were breached, and stating clearly what remedy you want. While timelines can be frustrating — especially for cross-border cases against multinational tech firms — the DPC has the power to impose serious sanctions, and a well-prepared complaint genuinely makes a difference.

If you have been the victim of poor data handling, don't hesitate. Your complaint not only protects your own rights — it helps build the body of enforcement that keeps every Irish and European citizen safer online.
