DPC Ireland: How to File a Privacy Complaint (2026 Guide)
If a company, public body, or website has mishandled your personal data, you have a legal right to complain to Ireland's Data Protection Commission (DPC). As the lead supervisory authority for many of the world's largest technology companies headquartered in Dublin, the DPC handles thousands of complaints each year — from cookie banner abuses and unwanted marketing emails to serious data breaches involving health, financial, or biometric data.
This guide explains exactly how to file a privacy complaint with the DPC in Ireland, what evidence you need, how long the process takes, and what outcomes you can realistically expect under the General Data Protection Regulation (GDPR) and the Irish Data Protection Act 2018.
What Is the Data Protection Commission (DPC)?
The Data Protection Commission is Ireland's independent national authority responsible for upholding the fundamental right of individuals in the EU to have their personal data protected. It enforces the GDPR, the Data Protection Act 2018, the ePrivacy Regulations 2011, and the Law Enforcement Directive.
Because companies such as Meta, Google, TikTok, Microsoft, LinkedIn, and Apple have their EU headquarters in Ireland, the DPC acts as the lead supervisory authority for most cross-border complaints in Europe under the GDPR's one-stop-shop mechanism. This makes it one of the most influential privacy regulators in the world.
Who Can File a Complaint?
Any individual (a "data subject") whose personal data is being processed in a way they believe breaches data protection law can file a complaint. You do not need to be an Irish citizen or resident — if the organisation you are complaining about has its EU main establishment in Ireland, the DPC may handle your case regardless of where you live in the EU/EEA.
When Should You Complain to the DPC?
You should consider lodging a complaint with the DPC when an organisation has failed to handle your personal data lawfully and has not resolved the issue after you contacted them directly. Common grounds include:
- Unlawful processing: The organisation has no valid legal basis (consent, contract, legal obligation, vital interests, public task, or legitimate interests).
- Subject Access Request (SAR) ignored: You requested a copy of your data and received nothing within one month, or received an incomplete response.
- Right to erasure refused: You asked for your data to be deleted and were unjustifiably refused.
- Unwanted direct marketing: Emails, texts, or calls you did not consent to, or that continue after you unsubscribed.
- Cookie consent violations: Websites tracking you without valid consent or with deceptive cookie banners.
- Data breaches: Your information was leaked, lost, or accessed by unauthorised parties.
- CCTV misuse: Excessive surveillance by employers, neighbours, or businesses.
- Inaccurate data: Refusal to correct incorrect personal information.
Try to Resolve It Directly First
The DPC strongly encourages — and in most cases requires — that you first contact the organisation's Data Protection Officer (DPO) or privacy contact and give them a reasonable opportunity to respond. Most large companies must respond within one calendar month under Article 12 GDPR. Keep written records of all correspondence, as you will need to attach this to your complaint.
How to File a Privacy Complaint with the DPC: Step-by-Step
Filing a complaint is free of charge, and you do not need a solicitor. Here is the full process:
- Identify the data controller. Determine the exact legal entity processing your data. Check the company's privacy policy — for Meta products, for example, this is Meta Platforms Ireland Limited.
- Contact the organisation directly. Send a written request (email is acceptable) outlining your concern and what remedy you want. Wait at least one month for a response.
- Gather your evidence. Save copies of emails, screenshots, marketing messages, cookie banners, breach notifications, and any other supporting documents.
- Complete the DPC complaint form. Download the "Individual Complaint Form" from dataprotection.ie, or use the webform under the "Contact Us" / "Raise a Concern" section.
- Submit your complaint. You can submit by post to 21 Fitzwilliam Square South, Dublin 2, D02 RD28, or by email/webform. Postal submissions are recommended for serious cases as you receive a stamped acknowledgement.
- Receive acknowledgement. The DPC will issue a reference number, usually within 5–10 working days.
- Engage with the case officer. A handling officer may contact you for clarification or additional documents.
- Receive the outcome. The DPC will either dismiss, mediate, or formally investigate. Decisions can result in reprimands, compliance orders, or fines.
What to Include in Your Complaint
A strong, well-evidenced complaint is far more likely to be investigated. Include:
- Your full name, address, and contact details
- The name and contact details of the organisation
- A clear, chronological summary of what happened
- Copies of correspondence with the organisation
- The specific GDPR articles or Data Protection Act sections you believe were breached (helpful but not mandatory)
- The outcome you are seeking (e.g., deletion, correction, compensation, an investigation)
DPC Complaint Channels Compared
The DPC offers several routes for raising concerns. Choosing the right one speeds up handling.
| Channel | Best For | Response Time | Formality |
|---|---|---|---|
| Webform ("Raise a Concern") | Quick queries, minor issues | 2–4 weeks | Low |
| Individual Complaint Form (email) | Standard GDPR complaints | 4–8 weeks acknowledgement | Medium |
| Postal Complaint Form | Serious or complex cases | 4–8 weeks acknowledgement | High |
| Breach Notification Portal | Controllers reporting a breach | 72-hour rule | N/A for individuals |
| Phone (info line) | General guidance only | Same day | Informal |
What Happens After You File?
Once your complaint is received, the DPC follows a structured handling process governed by Section 109 of the Data Protection Act 2018.
1. Assessment Phase
A case officer reviews whether your complaint falls within the DPC's remit and whether you have first attempted to resolve it with the organisation. If it is out of scope (for example, a workplace grievance unrelated to data protection), you will be redirected.
2. Amicable Resolution
Under Section 109(2), the DPC must first try to facilitate an amicable resolution. The case officer contacts the organisation, sets out your concerns, and seeks a remedy such as data deletion, an apology, or process changes. Around 70% of complaints are closed at this stage.
3. Statutory Inquiry
If amicable resolution fails or the matter is of significant public interest, the Commissioner may open a formal statutory inquiry. This can lead to:
- A finding of infringement
- A reprimand
- An order to bring processing into compliance
- An administrative fine of up to €20 million or 4% of global annual turnover
- A ban on processing
4. Cross-Border Cases
If your complaint involves a company operating across the EU, it goes through the one-stop-shop mechanism. The DPC, as lead authority, consults with other concerned supervisory authorities under Article 60 GDPR. This can extend timelines significantly — sometimes 18 months or more.
How Long Does a DPC Complaint Take?
Timelines vary widely depending on complexity:
| Complaint Type | Typical Duration |
|---|---|
| Unwanted marketing (ePrivacy) | 2–6 months |
| Subject Access Request refusal | 3–9 months |
| CCTV / employer monitoring | 6–12 months |
| Cross-border Big Tech complaint | 18 months – several years |
| Data breach involving sensitive data | 6–18 months |
Your Rights If You Disagree With the Outcome
If you are unhappy with the DPC's decision, you have two main routes:
- Statutory appeal: Under Section 150 of the Data Protection Act 2018, you can appeal a legally binding decision to the Circuit Court or High Court within 28 days.
- Judicial review: If you believe the DPC failed to handle your complaint properly, you may apply to the High Court for judicial review.
You also retain the right to seek compensation directly from the controller in the civil courts under Article 82 GDPR, independent of any DPC process.
Protecting Your Privacy Day-to-Day
Filing complaints is reactive — but proactive privacy hygiene reduces how often you'll need to. Practical steps include using a privacy-respecting browser, enabling encrypted DNS (such as DNS-over-HTTPS), blocking third-party trackers, using disposable email aliases for sign-ups, and choosing services that minimise data collection.
For link sharing, avoid shorteners that monetise click data or attach invasive tracking pixels. Privacy-first shorteners such as Lunyb minimise data collection and let you share links without exposing recipients to extensive profiling. You can read more in our honest review of Lunyb or compare options in the 2026 URL shortener buyer's guide.
Common Mistakes to Avoid
- Skipping the direct contact step. The DPC will usually return your complaint if you have not first written to the organisation.
- Vague descriptions. "They have my data" is not enough — specify what data, when, and why it is unlawful.
- Missing evidence. Always attach screenshots and email threads.
- Complaining to the wrong regulator. If the controller's EU main establishment is not in Ireland, complain to your local authority (e.g., CNIL in France, ICO in the UK for non-EU matters).
- Expecting compensation from the DPC. The DPC does not award damages — only courts can.
Special Cases
Children's Data
The DPC takes complaints involving children under 18 extremely seriously, particularly under the Fundamentals for a Child-Oriented Approach to Data Processing. Flag clearly if the complaint concerns a minor.
Journalistic, Academic, or Artistic Processing
Section 43 of the Data Protection Act 2018 contains exemptions for journalism and free expression. Complaints in this area are weighed against Article 10 ECHR rights.
Public Sector Bodies
Complaints against An Garda Síochána, the HSE, Revenue, or local authorities follow the same process but may engage the Law Enforcement Directive instead of GDPR for policing matters.
FAQ
Is there a fee to file a complaint with the DPC?
No. Filing a complaint with the Data Protection Commission is completely free, and you do not need legal representation. You only incur costs if you choose to appeal a decision through the courts.
How long do I have to file a complaint?
There is no strict statutory deadline, but the DPC may decline to investigate stale complaints. As a rule of thumb, file within 12 months of becoming aware of the issue. Civil compensation claims under Article 82 GDPR are generally subject to a six-year limitation period in Ireland.
Can I file a complaint anonymously?
No. The DPC requires your identity to process a formal complaint, as the organisation has a right to know who is complaining and what data is at issue. However, you can raise general concerns or tip-offs anonymously, which the DPC may use to launch an own-volition inquiry.
What if the company is based outside Ireland?
If the company has its EU main establishment in Ireland, the DPC handles it via the one-stop-shop. If the company is based in another EU country, complain to that country's data protection authority. For non-EU companies offering services to EU residents, you can still complain to the DPC or your local authority.
Can the DPC force a company to pay me compensation?
No. The DPC can issue reprimands, compliance orders, and administrative fines paid to the State, but it cannot award personal compensation. To claim damages for material or non-material harm (such as distress), you must bring a separate civil action under Article 82 GDPR, typically in the Circuit Court.
Final Thoughts
Filing a privacy complaint with the DPC is one of the most powerful tools EU residents have to hold organisations accountable for how they handle personal data. The process is free, accessible, and — particularly for clear-cut cases like unwanted marketing or ignored access requests — surprisingly effective. Document everything, give the organisation a fair chance to respond first, and submit a clear, evidence-backed complaint. Combined with good day-to-day privacy habits, it puts the balance of power back where the GDPR intended: with you.
Protect your links with Lunyb
Create secure, trackable short links and QR codes in seconds.
Get Started FreeRelated Articles
Singapore Online Safety Act 2026: Complete Guide for Businesses and Users
Singapore's Online Safety Act 2026 reshapes how platforms, marketers, and users handle harmful online content. This complete guide explains the scope, obligations, penalties, and practical compliance steps every Singapore-facing business should take this year.
Data Protection Act 2018 Ireland: The Complete Guide for Businesses
A complete plain-English guide to Ireland's Data Protection Act 2018: how it works with the GDPR, the rights it gives individuals, the obligations it places on businesses, and how to stay compliant in 2026.
OAIC Complaints: How to Report a Privacy Breach in Australia
A complete guide to lodging a privacy breach complaint with Australia's OAIC, including the mandatory first step of complaining to the organisation, evidence requirements, timeframes and likely outcomes. Learn how to build a complaint that gets results under the Privacy Act 1988.
ePrivacy Regulations Ireland: Latest Updates and Compliance Guide
A practical 2026 guide to Ireland's ePrivacy Regulations, covering the latest DPC enforcement, cookie consent rules, electronic marketing requirements, and how ePrivacy interacts with the GDPR. Includes a compliance checklist and sector-specific guidance for Irish businesses.