DPC Ireland: How to File a Privacy Complaint (2026 Guide)
If you believe an organisation has mishandled your personal data, you have the right to complain to Ireland's Data Protection Commission (DPC). As Ireland's lead supervisory authority under the GDPR, the DPC oversees some of the world's largest technology companies headquartered in Dublin, including Meta, Google, TikTok, LinkedIn and Apple. This makes it one of the most influential data protection regulators in Europe.
This comprehensive guide explains exactly how to file a privacy complaint with the DPC Ireland, what evidence you need, how long the process takes, and what outcomes you can realistically expect.
What Is the Data Protection Commission (DPC)?
The Data Protection Commission is Ireland's independent national authority responsible for upholding the fundamental right of individuals in the EU to have their personal data protected. It enforces the General Data Protection Regulation (GDPR), the Irish Data Protection Act 2018, and the ePrivacy Regulations 2011.
Because many multinational tech companies have their European headquarters in Ireland, the DPC acts as the "lead supervisory authority" for cross-border processing under the GDPR's one-stop-shop mechanism. In practical terms, this means a complaint filed in Dublin can have implications for users across the entire European Economic Area.
What the DPC Can and Cannot Do
The DPC can investigate complaints, issue reprimands, order corrective action, impose administrative fines of up to €20 million or 4% of global annual turnover, and refer cases to the courts. However, the DPC cannot award compensation to individuals — for damages you must pursue a separate civil claim in the Circuit Court or High Court.
When Should You File a Complaint With the DPC?
You should consider filing a complaint when an organisation (called a "data controller" or "data processor") has:
- Refused or ignored a Subject Access Request (SAR)
- Refused to delete your data after a legitimate erasure request
- Suffered a data breach affecting your personal information without notifying you
- Sent unsolicited marketing emails, calls or SMS without consent
- Shared your personal data with third parties without lawful basis
- Used CCTV or workplace monitoring inappropriately
- Refused to correct inaccurate information about you
- Set non-essential cookies without your consent
Try to Resolve It Directly First
The DPC strongly encourages individuals to contact the organisation directly before lodging a formal complaint. Most organisations have a Data Protection Officer (DPO) whose contact details should appear in the privacy policy. Give them a reasonable timeframe — typically 30 days — to respond before escalating.
How to File a Privacy Complaint With the DPC Ireland: Step-by-Step
The DPC accepts complaints through several channels, but the online webform is the fastest and most reliable. Here is the complete process:
- Gather your evidence. Collect copies of all relevant emails, screenshots, letters, contracts and any correspondence with the organisation. Note dates, times and reference numbers.
- Identify the data controller. Find the exact legal name of the company or body that processes your data. This is often listed in the privacy policy.
- Document the issue clearly. Write a short factual summary of what happened, what right was breached (access, erasure, rectification, etc.) and the harm caused.
- Visit the DPC website at dataprotection.ie and navigate to "Contact / Raise a Concern".
- Complete the online webform with your details, the organisation's details, and an explanation of your concern. You can upload supporting documents (PDF, DOC, JPG up to a combined size limit).
- Submit and record your reference number. You will receive an acknowledgement email with a case reference. Save this carefully.
- Respond promptly to DPC follow-ups. The case officer may request additional information or clarification.
Alternative Submission Methods
If you cannot use the online form, you may also contact the DPC by:
- Email: info@dataprotection.ie
- Post: Data Protection Commission, 21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland
- Phone: +353 (0)761 104 800 (for general queries; formal complaints should still be in writing)
What Information Should Your Complaint Include?
A well-prepared complaint significantly increases the chance of a swift, favourable outcome. Include the following:
| Section | What to Include |
|---|---|
| Your details | Full name, postal address, email, phone |
| The organisation | Legal name, address, website, DPO contact |
| Nature of complaint | Which GDPR right was breached and how |
| Timeline of events | Dates of incidents, requests sent, replies received |
| Prior contact | Evidence you tried to resolve it directly |
| Desired outcome | What you want the organisation to do |
| Supporting evidence | Emails, screenshots, contracts, breach notices |
What Happens After You Submit Your Complaint?
The DPC follows a structured complaint-handling procedure laid out under Section 109 of the Data Protection Act 2018. Here is what typically happens:
1. Acknowledgement (1–2 Weeks)
You will receive a written acknowledgement confirming the DPC has received your complaint and assigned a case reference.
2. Assessment and Amicable Resolution
A case officer reviews the complaint to determine whether the DPC has jurisdiction and whether the matter could be resolved amicably. The DPC will typically contact the organisation, share your complaint, and invite a response. Many cases are resolved at this stage — for example, the company finally provides the requested data or deletes records as required.
3. Formal Investigation (If Needed)
If amicable resolution fails, the DPC may open a statutory inquiry. This is more formal: the regulator gathers evidence, may issue information notices, and ultimately produces a draft decision. For cross-border cases, the draft decision is circulated to other EU supervisory authorities under the GDPR's cooperation mechanism.
4. Decision and Remedies
The DPC issues a final decision identifying any infringements and imposing corrective measures. Possible outcomes include warnings, reprimands, orders to comply, temporary bans on processing, and administrative fines.
How Long Does a DPC Complaint Take?
Timelines vary widely depending on complexity:
- Simple cases (amicable resolution): 1–4 months
- Standard investigations: 6–12 months
- Complex cross-border inquiries against major platforms: 2–5+ years
The DPC has been criticised in the past for slow handling of high-profile cases, but it has significantly expanded staffing and resources in recent years, and average resolution times for individual complaints have improved.
Your Rights Under the GDPR (Ireland)
It helps to know your specific rights before filing. Under the GDPR you have:
- Right of access — obtain a copy of your personal data
- Right to rectification — correct inaccurate data
- Right to erasure ("right to be forgotten")
- Right to restrict processing
- Right to data portability
- Right to object to processing, including direct marketing
- Rights related to automated decision-making and profiling
Protecting Your Privacy Proactively
Filing a complaint is a reactive measure. Long term, the best protection is reducing how much personal data you expose in the first place. A few proactive habits:
- Use encrypted DNS resolvers (such as Cloudflare 1.1.1.1 or Quad9) to reduce tracking at the network level
- Switch to privacy-focused browsers like Brave or Firefox with strict tracking protection
- Use a dedicated email alias service for sign-ups
- Audit app permissions on your phone every few months
- When sharing links, use a trusted shortener that doesn't profile you. Services like Lunyb let you create short links without invasive tracking — see our honest Lunyb review for details
- Compare reputable link tools in our 2026 URL shortener buyer's guide
What if You're Unhappy With the DPC's Decision?
If you disagree with the outcome of your complaint, you have several options:
- Request a review by writing back to the DPC with new evidence or arguments.
- Appeal to the Circuit Court within 28 days of the decision under Section 150 of the Data Protection Act 2018.
- Pursue civil action against the organisation directly for compensation under Section 117.
- Complain to the European Ombudsman if you believe the DPC failed in its administrative duties (limited scope).
Common Mistakes to Avoid
- Skipping the direct-contact step. The DPC may refuse to investigate until you've given the organisation a chance to respond.
- Vague descriptions. "They have my data" is not enough — specify which data, when collected, and what right was breached.
- Missing evidence. Screenshots and email threads dramatically strengthen your case.
- Filing against the wrong entity. Identify the actual data controller — sometimes it's a parent company, not the brand you interact with.
- Expecting compensation. The DPC cannot award damages; that requires a court case.
Frequently Asked Questions
Is filing a complaint with the DPC Ireland free?
Yes. Submitting a complaint to the Data Protection Commission is entirely free of charge. You do not need a solicitor to file, although you may choose to seek legal advice for complex cases or if you later pursue compensation in court.
Can I file a DPC complaint if I don't live in Ireland?
Yes. If the organisation you are complaining about has its EU main establishment in Ireland (as is the case for many major tech companies), the DPC is the competent lead authority regardless of where you live in the EU. You can also file with your local supervisory authority, which will coordinate with the DPC.
How long do I have to file a complaint?
The GDPR does not set a strict statutory deadline, but you should file as soon as practicable. The DPC may decline to investigate very old matters where evidence is no longer reliable. For civil compensation claims, a six-year limitation period generally applies under Irish law.
Can I file a complaint anonymously?
No. The DPC requires your identity to investigate a complaint, partly because the organisation needs to verify whose data is at issue. However, your identity is handled confidentially in line with data protection principles, and the DPC will not share more information with the controller than necessary.
What happens if the organisation ignores the DPC's decision?
The DPC has enforcement powers including the ability to impose administrative fines (up to €20 million or 4% of global turnover), issue enforcement notices, and refer matters to the Circuit Court or Director of Public Prosecutions. Non-compliance with a DPC decision is a serious matter that can lead to significant penalties.
Final Thoughts
Filing a privacy complaint with the DPC Ireland is one of the most powerful tools EU residents have to hold organisations accountable for how they handle personal data. The process is free, accessible online, and backed by some of the strongest data protection laws in the world. By preparing thoroughly — gathering evidence, attempting direct resolution first, and writing a clear, factual complaint — you maximise the chance of a meaningful outcome.
Whether you've been ignored on a Subject Access Request, hit with unwanted marketing, or affected by a data breach, the DPC exists to defend your fundamental right to privacy. Use it.
Protect your links with Lunyb
Create secure, trackable short links and QR codes in seconds.
Get Started FreeRelated Articles
Singapore Online Safety Act 2026: Complete Guide for Businesses and Users
A complete 2026 guide to Singapore's Online Safety Act, covering scope, obligations, penalties, and compliance steps for platforms and businesses. Learn what's new in 2026, how to comply, and what rights users have when facing online harm.
GDPR in Ireland: Your Privacy Rights Explained
Ireland enforces some of the strictest data protection rules in the world through GDPR and the Data Protection Commission. This guide explains your eight core privacy rights, how to file a complaint, and practical steps to protect your personal data online.
ePrivacy Regulations Ireland: Latest Updates for 2026
Ireland's ePrivacy Regulations under SI 336/2011 continue to drive DPC enforcement on cookies, consent, and electronic marketing. This 2026 guide explains the latest updates, compliance requirements, and practical steps Irish businesses need to take.
Singapore PDPA: Your Personal Data Protection Rights Explained
A clear, practical guide to your rights under Singapore's Personal Data Protection Act (PDPA). Learn how to access, correct, and protect your personal data, and what to do when organisations fall short.