DPC Ireland: How to File a Privacy Complaint (2026 Guide)

If a company has mishandled your personal data, ignored your access request, or sent you marketing you never agreed to, you have the right to complain to Ireland's Data Protection Commission (DPC). As the lead supervisory authority for many of the world's largest tech firms — including Meta, Google, TikTok, LinkedIn, and Apple, all of which have their EU headquarters in Dublin — the DPC plays an outsized role in shaping how the GDPR is enforced across Europe.

This guide explains exactly how to file a privacy complaint with the DPC Ireland, what evidence you need, how long it takes, and what outcomes you can realistically expect in 2026.

What Is the Data Protection Commission (DPC)?

The Data Protection Commission is Ireland's independent national authority responsible for upholding the EU General Data Protection Regulation (GDPR), the Irish Data Protection Act 2018, and the ePrivacy Regulations. It investigates complaints, audits organisations, issues fines, and provides guidance on data protection law.

Because Ireland hosts the EU headquarters of most major US tech companies, the DPC acts as the "lead supervisory authority" for cross-border cases under the GDPR's one-stop-shop mechanism. This means a complaint filed in Dublin can affect users across all 27 EU member states.

What the DPC Can Do

Investigate complaints from individuals (data subjects)
Order organisations to comply with the GDPR
Issue reprimands, warnings, and corrective orders
Impose administrative fines (up to €20 million or 4% of global turnover)
Refer matters to the European Data Protection Board (EDPB)

What the DPC Cannot Do

Award you financial compensation (you must go to court for that)
Resolve purely contractual or consumer disputes
Act as a criminal prosecutor

When Should You File a Complaint?

You can file a complaint with the DPC whenever you believe an organisation has breached your data protection rights under the GDPR or Irish law. Common grounds include:

Ignored or refused Subject Access Request (SAR): The organisation did not respond within one month or provided an incomplete copy of your data.
Unlawful processing: Your data was collected or used without a valid legal basis.
Direct marketing without consent: Unsolicited emails, SMS, or calls in breach of the ePrivacy Regulations 2011.
Failure to delete data: The controller ignored your erasure (right to be forgotten) request.
Data breach: Your data was exposed in a leak that was poorly handled or not disclosed to you.
Excessive CCTV or workplace monitoring
Inaccurate data that the controller refused to correct.

Before You File: Contact the Organisation First

The DPC strongly recommends — and in practice often requires — that you first try to resolve the matter directly with the organisation's Data Protection Officer (DPO). This is not just a formality; it dramatically improves your chances of a quick resolution and is evidence the DPC will look for.

Steps to Take First

Find the DPO contact: Check the organisation's privacy policy, usually linked in the website footer.
Send a written request: Clearly state what right you are exercising (access, erasure, objection, etc.) and ask for a formal response.
Give them one month: The GDPR allows controllers up to 30 calendar days to reply, extendable by two months for complex requests.
Keep every email and letter: You will need this paper trail when you escalate.

If you receive no reply, an inadequate reply, or a flat refusal, you are then in a strong position to escalate to the DPC.

How to File a Complaint with the DPC: Step-by-Step

The DPC offers two main channels for lodging a complaint: an online webform and a downloadable PDF form submitted by email or post. There is no fee.

Step 1: Choose Your Submission Method

Online webform — available at dataprotection.ie under "Contact / Raise a Concern". This is the fastest route.
Email — send your completed complaint form to info@dataprotection.ie.
Post — Data Protection Commission, 21 Fitzwilliam Square South, Dublin 2, D02 RD28.

Step 2: Gather Your Evidence

A complete file makes the difference between a swift investigation and months of back-and-forth. Prepare:

Your full name, postal address, email, and phone number
The name and address of the organisation you are complaining about
A clear chronology of events with dates
Copies of any access requests, erasure requests, or objections you sent
The organisation's responses (or proof of non-response)
Screenshots, marketing emails, headers, contracts, or letters
A statement of what outcome you are seeking

Step 3: Describe the Issue Clearly

Use plain language. Identify which GDPR article you believe has been breached if you can (for example, Article 15 for access, Article 17 for erasure, Article 6 for lawful basis). You do not have to cite the law perfectly — the DPC's case officers will assess it — but a focused complaint moves faster.

Step 4: Submit and Receive Acknowledgement

You should receive an automated acknowledgement within a few working days, followed by a case reference number once your complaint has been allocated to a case officer. Keep this reference number for all future correspondence.

What Happens After You File

Below is a simplified overview of the DPC's typical complaint-handling process.

Stage	What Happens	Typical Timeframe
1. Acknowledgement	DPC confirms receipt and opens a case file	1–2 weeks
2. Assessment	Case officer reviews jurisdiction and merit	4–8 weeks
3. Amicable resolution	DPC contacts the organisation to seek a fix	2–6 months
4. Formal investigation	If unresolved, statutory inquiry begins	6–24 months
5. Decision	Findings, corrective orders, possible fines	Varies; cross-border cases longer
6. Appeal	Decision can be appealed to the Circuit Court	28 days to appeal

Many complaints are resolved at the "amicable resolution" stage when the organisation agrees to fix the issue — for example, by completing the access request or deleting your data. Only the more serious or systemic cases proceed to a full statutory inquiry.

Cross-Border Complaints and the One-Stop-Shop

If your complaint is about a company headquartered in another EU country (say, a French airline or a German bank), the DPC will normally transfer it to that country's regulator under the one-stop-shop mechanism. Conversely, complaints against Dublin-based multinationals from any EU resident land at the DPC.

You do not have to be Irish or live in Ireland to complain about a company whose EU establishment is in Ireland. A user in Spain unhappy with Meta can complain directly to the DPC, to their local Spanish authority (AEPD), or both — the regulators coordinate behind the scenes.

What You Can and Cannot Expect

Realistic Outcomes

The organisation provides the data, deletes the data, or stops the unlawful processing.
The DPC issues a reprimand or corrective order.
In serious cases, a fine is imposed (paid to the Irish Exchequer, not to you).
The organisation updates its policies or notices.

What the DPC Will Not Deliver

Compensation: Under Article 82 GDPR and Section 117 of the Data Protection Act 2018, you can sue for material and non-material damages — but only through the Circuit or High Court, not the DPC.
Speed in cross-border cases: Large tech inquiries routinely take 2–4 years.
Confidentiality from the respondent: Your complaint and identity are normally shared with the organisation being investigated.

Tips to Strengthen Your Complaint

Be specific. "On 4 March 2026 I requested erasure under Article 17; on 8 April I received no reply" beats "they kept ignoring me".
Attach evidence as PDFs with descriptive filenames (e.g., "01-Access-Request-04Mar2026.pdf").
State the right you exercised and the response (or lack of it).
Keep your tone professional. Case officers are more responsive to clear, factual complaints.
Follow up politely every 6–8 weeks if you hear nothing.

Reducing the Need to Complain: Everyday Privacy Hygiene

Formal complaints are powerful but slow. The best protection is to minimise the personal data you leak in the first place. A few simple habits help:

Use a private browser with tracker blocking and encrypted DNS (DNS-over-HTTPS).
Use email aliases when signing up to newsletters or new services.
Review app permissions monthly on your phone.
Use short, branded links when sharing content publicly so you can revoke or audit them later. Tools like Lunyb let you shorten and manage links with click analytics — useful if you need to demonstrate or track how a link was shared. (See our honest review of Lunyb or compare options in our 2026 buyer's guide.)
Exercise your access rights once a year with services you no longer use — and ask them to delete you.

What If You Disagree with the DPC's Decision?

If the DPC dismisses your complaint or issues a decision you believe is wrong, you have two main options:

Appeal to the Circuit Court within 28 days of the decision under Section 150 of the Data Protection Act 2018.
Judicial review in the High Court for procedural unfairness — strict time limits apply.

You may also bring a separate civil claim for compensation under Article 82 GDPR, independently of any DPC decision.

FAQ

How much does it cost to file a complaint with the DPC Ireland?

Nothing. Filing a complaint with the Data Protection Commission is completely free, whether you submit online, by email, or by post. You only incur costs if you choose to appeal a decision to the courts or to instruct a solicitor.

How long does a DPC complaint take to resolve?

Straightforward complaints — like a missed access request — are often resolved amicably within 2 to 6 months. Complex or cross-border cases against large multinationals can take 1 to 4 years, particularly when other EU regulators are consulted under the one-stop-shop mechanism.

Can I file a complaint anonymously?

No. The DPC requires your identity to investigate, and your name will normally be shared with the organisation you are complaining about so it can respond. If you want to flag a concern without triggering a full investigation, you can contact the DPC's information line for general guidance instead.

Can the DPC force a company to pay me compensation?

No. The DPC can order a company to comply with the GDPR and can impose administrative fines payable to the State, but it cannot award you personal compensation. For damages — including for distress — you must bring a civil claim in the Circuit or High Court under Article 82 GDPR and Section 117 of the Data Protection Act 2018.

Do I have to be living in Ireland to complain to the DPC?

No. Anyone in the EU (and in many cases beyond) can complain to the DPC if the organisation involved has its main EU establishment in Ireland. This is why the DPC handles complaints against companies like Meta, Google, TikTok and LinkedIn from users across all member states.

Final Thoughts

The DPC is far from perfect — it has been criticised for slow inquiries and large backlogs — but it remains one of the most consequential privacy regulators on the planet. A well-prepared complaint, backed by a clear paper trail and a specific legal ask, genuinely can change how a company handles your data, and often the data of millions of other people too.

Start with a written request to the organisation, give them their statutory month, and if they fail you, escalate to the DPC with evidence in hand. It is one of the most powerful free tools European residents have — and using it makes the system work better for everyone.