DPC Ireland: How to File a Privacy Complaint (2026 Guide)
If an Irish company, public body, or any organisation operating in Ireland has mishandled your personal data, you have the right to complain to the Data Protection Commission (DPC). The DPC is Ireland's national supervisory authority for data protection and the lead regulator for many of the world's largest tech companies headquartered in Dublin, including Meta, Google, TikTok, and LinkedIn. This guide walks you through exactly how to file a privacy complaint with the DPC in 2026, what evidence you need, and what happens after you submit.
What Is the Data Protection Commission (DPC)?
The Data Protection Commission is Ireland's independent authority responsible for upholding the fundamental right of individuals in the EU to have their personal data protected. It enforces the General Data Protection Regulation (GDPR), the Irish Data Protection Act 2018, and the ePrivacy Regulations 2011.
Because Ireland hosts the European headquarters of many multinational technology companies, the DPC acts as the "lead supervisory authority" under the GDPR's One-Stop-Shop mechanism for cross-border cases affecting EU residents. This means complaints lodged with the DPC can have continent-wide consequences.
Key Powers of the DPC
- Investigate complaints from individuals (data subjects)
- Conduct own-volition inquiries into suspected breaches
- Issue reprimands, warnings, and corrective orders
- Impose administrative fines up to €20 million or 4% of global annual turnover
- Suspend international data transfers
- Prosecute offences under Irish data protection law
When Can You File a Complaint with the DPC?
You can lodge a complaint with the DPC Ireland if you believe an organisation has infringed your data protection rights under the GDPR or Irish law. Common grounds include:
- Unlawful processing – your data was used without a valid legal basis
- Access request ignored – the controller failed to respond to a Subject Access Request (SAR) within one month
- Erasure refused – your right to be forgotten was denied without justification
- Data breach – your data was exposed and you were not notified properly
- Direct marketing – unsolicited emails, SMS, or calls after you opted out
- Cookies and tracking – non-compliant cookie banners or tracking without consent
- Excessive CCTV – disproportionate surveillance by a neighbour, landlord, or employer
- International transfers – your data was sent outside the EEA without adequate safeguards
Try the Organisation First
The DPC strongly encourages individuals to raise the issue directly with the organisation before complaining. Contact their Data Protection Officer (DPO) in writing, set out the problem clearly, and give them a reasonable opportunity to respond — usually one month. Keep a copy of every email; you will need this paper trail later.
How to File a Privacy Complaint with the DPC: Step by Step
Filing a complaint with the Data Protection Commission Ireland is free and can be done entirely online. Here is the process from start to finish.
- Gather your evidence. Collect emails, screenshots, contracts, privacy notices, the original SAR you sent, the controller's response (or the lack of one), and any correspondence with the DPO.
- Identify the controller. Note the full legal name, registered address, and (if known) the contact details of the data protection officer. For multinationals, use the Irish entity name (e.g., "Meta Platforms Ireland Limited").
- Visit the DPC website. Go to dataprotection.ie and select "Contact Us" → "Raise a Concern".
- Use the webform or email. The DPC accepts complaints via its dedicated webform or by emailing info@dataprotection.ie. Postal complaints to 21 Fitzwilliam Square South, Dublin 2, D02 RD28 are also accepted.
- Describe the issue clearly. Explain what happened, when, which right you believe was infringed, and what outcome you are seeking (e.g., erasure, access, compensation referral).
- Attach supporting documents. Upload PDFs or images of your evidence. Redact unrelated personal data of third parties where possible.
- Confirm your identity. The DPC will only act on complaints from identified individuals. Provide your full name, postal address, and a contact email.
- Submit and save the reference number. You will receive an acknowledgement, usually within 5–10 working days, with a case reference.
What Information Should Your Complaint Include?
A well-prepared complaint dramatically increases the chance of a swift and favourable resolution. The DPC handles thousands of complaints each year, so clarity matters.
| Section | What to Include |
|---|---|
| Your details | Full name, address, email, phone (optional) |
| Controller details | Legal name, address, DPO contact, website |
| Nature of complaint | Which GDPR article or right you believe was breached |
| Timeline | Dates of the incident, your contact with the controller, deadlines missed |
| Evidence | Emails, screenshots, SAR letters, privacy policy excerpts |
| Desired outcome | Access, erasure, rectification, cessation of processing |
| Prior contact | Proof you tried to resolve it with the organisation first |
What Happens After You File?
Once your complaint is lodged, the DPC follows a structured handling process. Timelines vary significantly depending on complexity, but here is the typical journey.
Stage 1: Acknowledgement and Assessment
Within roughly two weeks the DPC will confirm receipt and assign your case to a case officer. They will assess whether your complaint falls within the DPC's remit and whether enough information has been provided. You may be asked for clarifications.
Stage 2: Amicable Resolution
Under Section 109 of the Data Protection Act 2018, the DPC must first attempt to resolve complaints amicably. The case officer contacts the controller, sets out the issue, and invites them to engage. Many complaints — especially access and erasure requests — are resolved at this stage within 1–3 months.
Stage 3: Formal Inquiry
If amicable resolution fails or the complaint raises systemic issues, the DPC may launch a formal statutory inquiry. This is a quasi-judicial process involving submissions from both sides, draft decisions, and ultimately a binding decision by the Commissioners. Formal inquiries can take 12–36 months, particularly for cross-border cases.
Stage 4: Decision and Remedies
The DPC may issue a reprimand, order corrective action, impose a fine, or dismiss the complaint. You will be notified of the outcome and have a right to appeal to the Circuit Court within 28 days.
Cross-Border Complaints and the One-Stop-Shop
If your complaint concerns a company with its EU main establishment in Ireland (such as Meta, Google, Apple, X, TikTok, or LinkedIn), the DPC will normally act as the lead supervisory authority for the entire EU. You can still file the complaint with your local authority — for example, if you live in France you can complain to the CNIL — and they will forward it to the DPC.
Decisions taken by the DPC in cross-border cases are subject to the cooperation and consistency mechanism under Articles 60–65 of the GDPR. Other concerned authorities can object, and disputes are escalated to the European Data Protection Board (EDPB) for a binding decision.
Common Mistakes to Avoid
Reviewing thousands of published DPC case studies and annual reports reveals the same pitfalls again and again. Avoiding them gives your complaint the best chance.
- Skipping direct contact with the controller. The DPC will often pause your case until you have tried this.
- Being vague. "They misused my data" is not enough. Cite specific dates, communications, and rights.
- Missing deadlines. Complaints about old incidents (more than a year) may be deprioritised unless there is ongoing harm.
- Submitting anonymously. The DPC cannot act on anonymous complaints.
- Asking for compensation. The DPC does not award damages — that is a matter for the Circuit Court.
- Overloading with irrelevant material. Keep evidence focused on the alleged infringement.
Protecting Your Data Going Forward
Filing a complaint addresses a past wrong, but preventing the next one is equally important. Practical steps include using strong, unique passwords with a password manager, enabling two-factor authentication, reviewing the cookie settings on the sites you visit, and being selective about which services receive your real email address.
For everyday link sharing — especially on social media or in marketing campaigns — using a privacy-respecting short link service such as Lunyb helps reduce the amount of tracking data exposed to third parties. You can read our honest review of Lunyb or compare alternatives in our 2026 buyer's guide to URL shorteners. Choosing tools that minimise data collection is a quiet but powerful form of self-protection.
Other Options if You Are Not Satisfied
If you disagree with how the DPC handled your complaint, several routes are open to you:
- Internal review – ask the DPC to reconsider, citing new information.
- Appeal to the Circuit Court – within 28 days of a legally binding decision.
- Judicial review – challenge procedural fairness in the High Court.
- Civil action – sue the controller directly under Section 117 of the Data Protection Act for compensation.
- Complaint to the Ombudsman – for maladministration by the DPC itself (limited scope).
Frequently Asked Questions
How long does the DPC take to resolve a complaint?
Straightforward complaints handled through amicable resolution typically conclude within 1–3 months. Formal statutory inquiries — particularly cross-border cases involving large tech companies — can take 12–36 months or longer. The DPC publishes annual reports with average timelines.
Does it cost anything to complain to the DPC Ireland?
No. Filing a complaint with the Data Protection Commission is completely free for individuals. There are no application fees, hearing costs, or charges for the investigation. You only incur costs if you separately pursue civil action in court.
Can I file a DPC complaint if I do not live in Ireland?
Yes. If the organisation you are complaining about is established in Ireland (or has its EU main establishment there), the DPC has jurisdiction regardless of where you live. EU residents can also complain to their local data protection authority, which will cooperate with the DPC under the One-Stop-Shop mechanism.
Will my identity be shared with the organisation I am complaining about?
In most cases, yes. To investigate properly, the DPC normally needs to share your identity and the substance of the complaint with the controller. If you have specific concerns about retaliation — for instance, in employer-related complaints — raise this with the case officer at the outset.
Can the DPC force a company to pay me compensation?
No. The DPC can issue reprimands, corrective orders, and administrative fines payable to the Irish state, but it cannot award compensation to individuals. If you have suffered material or non-material damage, you must pursue a civil claim under Section 117 of the Data Protection Act 2018 in the Circuit or High Court.
Final Thoughts
The right to complain to a supervisory authority is one of the most important tools the GDPR gives every individual in the EU. The Data Protection Commission Ireland is well-resourced, free to use, and increasingly assertive — particularly against the global tech giants headquartered in Dublin. Prepare your evidence carefully, engage the organisation first, write clearly, and you stand an excellent chance of vindicating your rights. Privacy is a right worth defending, and the DPC is there to help you do exactly that.