DPC Ireland: How to File a Privacy Complaint (2026 Guide)
If a company has mishandled your personal data — ignored your access request, sent unwanted marketing, exposed your information in a breach, or refused to delete your details — you have a legal right to complain to the Data Protection Commission (DPC), Ireland's independent supervisory authority for data protection. Because most major US tech companies have their EU headquarters in Dublin, the Irish DPC is also one of the most important privacy regulators in the world.
This guide walks you through exactly how to file a complaint with the DPC in Ireland, what evidence you need, how long the process takes, and what outcomes are realistic.
What Is the Data Protection Commission (DPC)?
The Data Protection Commission is Ireland's national independent authority responsible for upholding the right of individuals to have their personal data protected. It enforces the EU General Data Protection Regulation (GDPR), the Irish Data Protection Act 2018, and the ePrivacy Regulations 2011 (covering electronic communications and cookies).
The DPC has the power to:
- Investigate complaints from individuals ("data subjects")
- Conduct audits and own-volition inquiries
- Issue reprimands, warnings, and corrective orders
- Impose administrative fines up to €20 million or 4% of global annual turnover
- Act as the lead supervisory authority for many multinational companies with EU headquarters in Ireland (Meta, Google, TikTok, LinkedIn, Microsoft, Apple, X)
When You Can File a Complaint with the DPC
You can file a complaint when you believe an organisation has breached your rights under data protection law. Common grounds include:
- Unanswered subject access request (SAR) — the company didn't respond within one month.
- Refusal to delete data — the controller ignored your right to erasure ("right to be forgotten").
- Excessive data collection — a service is asking for more data than it needs.
- Unlawful direct marketing — unsolicited emails, SMS, or calls without consent.
- Cookies and tracking — websites dropping non-essential cookies without valid consent.
- Data breaches — your data was leaked and the company failed to notify or protect you.
- Inaccurate data — the controller refuses to correct wrong information about you.
- CCTV and workplace surveillance — disproportionate monitoring by employers or neighbours.
Before You Complain: Contact the Organisation First
The DPC generally expects you to raise the issue with the controller first. Most companies have a Data Protection Officer (DPO) or privacy contact listed in their privacy notice. Send a clear written request, give them a reasonable deadline (typically one month under GDPR), and keep all correspondence. If they ignore you or the response is inadequate, you can escalate to the DPC.
Step-by-Step: How to File a Complaint with the DPC
The DPC accepts complaints via its online webform, by email, or by post. The online form is the fastest route. Here is the full process:
1. Gather your evidence. Collect copies of correspondence, screenshots, the company's privacy policy, the date of the incident, and any reference numbers.
2. Identify the controller. Find the legal entity name and EU establishment. For multinationals, this is often the Irish subsidiary (e.g., "Meta Platforms Ireland Ltd").
3. Confirm you contacted them first. Have proof you raised the matter with the organisation and either received no response or an unsatisfactory one.
4. Go to the DPC website. Visit dataprotection.ie and navigate to the "Contact / Raise a Concern" section.
5. Complete the webform. Provide your full name, contact details, the name of the organisation, a description of the issue, the rights you believe were breached, and what outcome you are seeking.
6. Attach supporting documents. Upload your evidence as PDFs or images. Redact information about third parties if appropriate.
7. Submit and save the reference. You will receive an acknowledgement with a case reference. Keep it for all future correspondence.
Alternative Channels
- Email: info@dataprotection.ie
- Post: Data Protection Commission, 21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland
- Phone: +353 (0)761 104 800 (general queries; complaints must be in writing)
What Information to Include in Your Complaint
A well-structured complaint moves faster. The DPC's case handlers are dealing with a heavy backlog, so clarity helps.
| Section | What to Include |
|---|---|
| Your details | Full name, postal address, email, phone |
| The controller | Legal name, address, website, DPO contact if known |
| Summary of issue | One paragraph: what happened, when, and which right was breached |
| Timeline | Dated list of events and correspondence |
| Legal basis | Reference the GDPR articles (e.g., Art. 15 access, Art. 17 erasure, Art. 6 lawful basis) |
| Evidence | Emails, screenshots, letters, breach notifications |
| Desired outcome | Erasure, compensation referral, reprimand, etc. |
What Happens After You Submit
The DPC's handling of a complaint typically follows four stages:
1. Acknowledgement and Assessment
Within a few weeks, a case officer reviews whether the complaint falls within the DPC's remit. If it concerns another EU member state's lead authority, it may be transferred under the GDPR "one-stop-shop" mechanism.
2. Amicable Resolution
The DPC will often try to resolve the matter informally by contacting the controller on your behalf. Many complaints — especially access and erasure requests — are settled at this stage without a formal investigation.
3. Formal Investigation
If amicable resolution fails, the DPC can open a statutory inquiry under Section 110 of the Data Protection Act 2018. This involves evidence gathering, written submissions from both parties, and a draft decision.
4. Decision and Enforcement
The DPC issues a binding decision which may include a reprimand, an order to comply, a temporary or permanent processing ban, or an administrative fine. In cross-border cases, the decision goes through the GDPR cooperation procedure with other EU regulators.
How Long Does a DPC Complaint Take?
Realistically, timelines vary widely:
- Simple amicable resolutions: 1–3 months
- Standard complaints requiring DPC intervention: 6–12 months
- Cross-border formal inquiries (e.g., against Meta, TikTok): 2–5 years
The DPC has been criticised for slow handling of major Big Tech cases, although recent years have seen a sharp increase in fines and decisions issued.
What Outcomes Can You Expect?
Many complainants overestimate what the DPC can deliver personally. Here is a realistic view:
| You Can Expect | You Cannot Expect |
|---|---|
| An order forcing the controller to comply (e.g., delete your data) | The DPC to award you financial compensation directly |
| A formal finding that your rights were breached | Criminal prosecution of individuals (this is for An Garda Síochána) |
| Reprimands, fines, or processing bans on the company | Immediate action — most cases take months |
| A written decision you can use in civil court for damages | Help with non-GDPR consumer disputes (use CCPC instead) |
If you want monetary compensation, you generally need to bring a separate civil action in the Circuit Court under Section 117 of the Data Protection Act 2018. A favourable DPC decision is strong evidence in such proceedings.
Cross-Border Complaints and the One-Stop-Shop
If you complain about a company with its main EU establishment in Ireland (e.g., Meta, Google, TikTok), the DPC acts as "lead supervisory authority" even if you live in Germany, France, or any other EU country. You can either file directly with the DPC or with your local authority, which will forward it. Other EU regulators participate in the decision through the European Data Protection Board (EDPB), and in some recent high-profile cases the EDPB has overruled the DPC, resulting in larger fines.
Tips for a Stronger Complaint
- Be concise. Case officers read hundreds of complaints. A clear two-page summary beats a 30-page rant.
- Cite the GDPR article. Naming Articles 6, 15, 17, or 21 shows you understand the law.
- Stick to facts. Avoid emotional language; let the evidence speak.
- Track everything. Use a single email thread or numbered correspondence log.
- Mind your own privacy. Don't expose more personal data than necessary, and use a dedicated email if you're worried about retaliation.
Protecting Your Privacy in the Meantime
While your complaint is being processed, take steps to limit further exposure:
- Enable two-factor authentication on important accounts.
- Use a privacy-focused browser and block third-party cookies.
- Turn on encrypted DNS (DNS-over-HTTPS) at the operating system level.
- Use a reputable password manager and unique passwords per service.
- Be careful with link tracking. When sharing links — whether on social media, in newsletters, or with clients — consider a privacy-respecting URL shortener like Lunyb that doesn't profile your recipients or sell click data. (For background, see Is Lunyb Legit? An Honest Review and our 2026 buyer's guide to URL shorteners.)
Common Mistakes to Avoid
- Skipping the controller stage. The DPC will often bounce a complaint back if you haven't tried to resolve it directly first.
- Ignoring the one-month SAR window. You can only argue non-compliance after the controller's one-month deadline has passed.
- Filing about non-personal data. GDPR only protects data relating to identified or identifiable living individuals.
- Expecting compensation from the DPC. That's a court matter, not a regulator one.
- Going public too soon. Publishing your evidence on social media can complicate the investigation.
Frequently Asked Questions
Is filing a complaint with the DPC free?
Yes. The DPC does not charge any fee to receive, investigate, or decide on a complaint. You also do not need a solicitor, although legal advice can help in complex or cross-border cases.
Can I file a complaint anonymously?
No. The DPC needs to verify that you are the data subject affected and to communicate with you during the investigation. However, the DPC will not normally share your identity with the controller beyond what is necessary to investigate, and you can request that certain details be withheld.
Can I complain about a non-Irish company?
Yes, if the company processes data in the EU. Under the GDPR one-stop-shop, if the company's main EU establishment is in Ireland, the DPC handles the case. Otherwise the complaint may be transferred to the appropriate EU supervisory authority where the controller is based.
What if I disagree with the DPC's decision?
You have the right to appeal a DPC decision to the Circuit Court within 28 days of being notified. You may also be able to seek judicial review in the High Court on points of law or procedural fairness.
How long do I have to file a complaint?
There is no strict statutory deadline, but the DPC encourages complaints to be made promptly. Civil claims for compensation in the courts are subject to standard limitation periods (typically six years from the breach), so don't delay if you also plan to pursue damages.
Final Thoughts
The Data Protection Commission is a powerful regulator with real enforcement teeth — but it works best when complainants come prepared. Document the issue, contact the controller first, file a clear and evidence-backed complaint, and be patient with the process. Whether you're chasing an ignored access request or holding a Big Tech platform to account, a well-drafted complaint to the DPC is one of the most effective privacy tools an Irish (or EU) resident has.