DPC Ireland: How to File a Privacy Complaint (2026 Guide)
If an organisation has mishandled your personal data, you have the right to complain to Ireland's Data Protection Commission (DPC). As the lead regulator for many of the world's biggest tech companies under the GDPR's one-stop-shop mechanism, the DPC is one of the most influential privacy authorities in Europe. This guide explains exactly how to file a privacy complaint with the DPC in Ireland, what evidence to gather, what timelines to expect, and how to maximise the chance of a useful outcome.
What Is the Data Protection Commission (DPC)?
The Data Protection Commission is Ireland's national independent authority responsible for upholding the fundamental right of individuals in the EU to have their personal data protected. It enforces the General Data Protection Regulation (GDPR), the Irish Data Protection Act 2018, and the ePrivacy Regulations 2011.
Because Ireland hosts the European headquarters of companies such as Meta, Google, TikTok, Apple, LinkedIn, and X, the DPC frequently acts as the lead supervisory authority for cross-border investigations affecting hundreds of millions of users across the EU and EEA.
What the DPC Can and Cannot Do
The DPC can investigate alleged GDPR breaches, issue reprimands, order corrective action, and impose administrative fines of up to €20 million or 4% of global annual turnover. It cannot, however, award you personal compensation — that requires a separate civil claim in the Circuit Court or High Court.
When Should You File a Complaint With the DPC?
You should consider filing a complaint with the DPC when you believe an organisation (a "data controller" or "processor") has breached your data protection rights and has either refused to resolve the issue or failed to respond adequately. Typical scenarios include:
- Subject access request ignored: You asked for a copy of your personal data and the organisation didn't respond within one month.
- Unauthorised disclosure: Your data was shared with a third party without a legal basis.
- Data breach: Your information was leaked, lost, or stolen and you weren't properly notified.
- Excessive data collection: A company collected more data than necessary for its stated purpose.
- Refusal to delete: You exercised your right to erasure and were refused without valid grounds.
- Unsolicited marketing: You receive repeated emails, SMS, or calls despite opting out.
- Cookies and tracking: A website set non-essential cookies without proper consent.
Step 1: Try to Resolve the Issue Directly First
Before contacting the DPC, you are generally expected to raise the issue with the organisation itself. The DPC will often ask whether you've done this, and most complaints can be resolved faster at source.
- Identify the data controller. Check the company's privacy policy for contact details and the name of the Data Protection Officer (DPO), if any.
- Submit a written request. Email is best because it creates a record. Clearly state which right you are exercising (access, erasure, rectification, objection, restriction, portability).
- Cite the GDPR article. For example, "I am making a request under Article 15 of the GDPR for a copy of all personal data you process about me."
- Set a deadline. Remind them they have one calendar month to respond (Article 12(3)).
- Keep all correspondence. Save emails, screenshots, and any postal receipts.
If the organisation refuses, ignores you, or provides an unsatisfactory response, you can escalate to the DPC.
Step 2: Gather Your Evidence
A well-evidenced complaint is far more likely to result in action. Before filing, compile the following:
- The full name and registered address of the organisation you are complaining about.
- A clear chronological timeline of events.
- Copies of all correspondence with the organisation (emails, letters, chat logs).
- Screenshots of relevant web pages, settings, consent banners, or marketing messages.
- Any reference numbers, account IDs, or case numbers.
- An explanation of how the alleged breach affects you personally.
Be specific. Vague complaints like "they have my data and I don't like it" tend to be closed without investigation. Concrete claims tied to specific GDPR articles get traction.
Step 3: Submit the Complaint to the DPC
The DPC accepts complaints through several channels. The most efficient is the online webform on the DPC website, but postal and email options are also available.
Filing Options
| Channel | How to Use It | Best For |
|---|---|---|
| Online webform | Available at dataprotection.ie under "Contact / Raise a Concern" | Most individuals — fastest acknowledgement |
| info@dataprotection.ie | Complaints with large attachments | |
| Post | Data Protection Commission, 21 Fitzwilliam Square South, Dublin 2, D02 RD28 | People without reliable internet access |
| Phone | +353 (0)761 104 800 | Initial queries, not formal complaints |
What to Include in Your Submission
- Your full name and contact details.
- The name of the organisation and, if known, its DPO contact.
- A clear summary of what happened and when.
- Which of your rights you believe were infringed.
- What steps you've already taken to resolve it.
- What outcome you are seeking (e.g., access to data, deletion, an apology, a change in practice).
- All supporting evidence as attachments.
Step 4: Understand What Happens Next
Once your complaint is received, the DPC will issue an acknowledgement, usually within a few working days. After that, the process typically follows this path:
- Assessment: A case officer reviews whether the DPC has jurisdiction and whether the complaint discloses a potential infringement.
- Amicable resolution: Under Section 109(2) of the Data Protection Act 2018, the DPC will usually first try to mediate between you and the organisation.
- Formal handling: If amicable resolution fails or is inappropriate, the DPC may launch a formal inquiry under Section 110 or Section 113.
- Decision: The DPC issues a decision that may include findings, reprimands, corrective orders, or fines.
- Appeal: Decisions can be appealed to the Circuit Court within 28 days.
Realistic Timelines
Simple complaints (e.g., an ignored access request) are sometimes resolved in two to four months. Complex cross-border cases involving large platforms can take several years. The DPC publishes annual reports showing average handling times — manage your expectations accordingly.
Step 5: Know Your Other Options
The DPC is not your only avenue. Depending on your situation, you may also consider:
- Civil litigation: Article 82 of the GDPR allows you to claim material and non-material damages directly in court.
- Another EU supervisory authority: Under Article 77, you can complain to the authority in your country of habitual residence, place of work, or where the alleged infringement occurred.
- The European Data Protection Board (EDPB): Relevant when cross-border one-stop-shop disputes arise.
- Sectoral regulators: ComReg for electronic communications, the Press Council for media issues.
Common Mistakes to Avoid
Even strong complaints fail when they're poorly presented. Avoid these pitfalls:
- Skipping direct contact with the controller. The DPC may refuse to act until you've tried.
- Submitting emotional, unstructured narratives. Stick to facts, dates, and GDPR articles.
- Demanding compensation from the DPC. Only courts can award it.
- Filing about non-personal data. GDPR only protects information about identifiable individuals.
- Missing the limitation period. Complaints should generally be filed within a reasonable time after you became aware of the issue.
Reducing the Need to Complain in the First Place
The best privacy complaint is the one you never have to file. Practical steps to lower your exposure include:
- Use disposable email aliases when signing up for services you don't fully trust.
- Review and revoke third-party app permissions on Google, Microsoft, and Apple accounts every few months.
- Prefer browsers and search engines that minimise tracking by default.
- Use encrypted DNS (DNS over HTTPS or DNS over TLS) so your network provider cannot easily log your browsing.
- When sharing links publicly — for social posts, QR codes, or marketing — use a privacy-respecting link manager such as Lunyb, which lets you shorten and brand URLs without exposing unnecessary tracking parameters. See our honest Lunyb review or compare alternatives in our 2026 buyer's guide.
Special Cases: Marketing, Cookies, and Breaches
Unsolicited Electronic Marketing
Complaints about spam emails, SMS, or marketing calls fall under the ePrivacy Regulations (S.I. 336/2011), which the DPC also enforces. These cases are typically handled faster than general GDPR complaints and can result in prosecution in the District Court.
Cookie Banners and Tracking
If a site sets non-essential cookies before you consent, or makes "reject all" harder than "accept all", that may breach the DPC's 2020 Cookies Guidance. Include screenshots of the banner and the cookies actually loaded (you can inspect them in your browser's developer tools).
Data Breach Notifications
If you've been told your data was involved in a breach but feel the notification was inadequate or delayed beyond the 72-hour controller-to-DPC window, you can complain directly. Keep the breach notification letter or email as evidence.
How the DPC Compares With Other Regulators
| Feature | DPC (Ireland) | ICO (UK) | CNIL (France) |
|---|---|---|---|
| Online complaint form | Yes | Yes | Yes |
| Lead authority for Big Tech EU HQ | Yes (most) | No (post-Brexit) | No |
| Maximum fine | €20m / 4% turnover | £17.5m / 4% turnover | €20m / 4% turnover |
| Awards compensation | No | No | No |
| Average handling time (simple) | 2–4 months | 1–3 months | 2–4 months |
Pros and Cons of Filing With the DPC
Pros
- Free of charge.
- Independent statutory authority with real enforcement powers.
- Strong jurisdiction over global platforms with Irish HQs.
- Can trigger EU-wide regulatory consequences.
- Online process is accessible without legal representation.
Cons
- No personal compensation awarded.
- Complex cases can take years.
- Limited individual feedback during investigations.
- Outcome often depends on the DPC's enforcement priorities.
Frequently Asked Questions
How much does it cost to file a complaint with the DPC?
Nothing. Filing a privacy complaint with the Data Protection Commission is completely free. You do not need a solicitor, although legal advice can help in complex matters.
How long do I have to file a complaint?
There is no strict statutory deadline, but the DPC expects complaints to be made within a reasonable time after you become aware of the issue. Long delays may make investigation difficult and could lead the DPC to decline to act.
Can I complain to the DPC if I don't live in Ireland?
Yes, if the organisation is established in Ireland or if Ireland is the lead supervisory authority for that controller under the one-stop-shop. Otherwise, you may be redirected to the data protection authority in your own EU country.
Will the company know I complained?
Generally yes. The DPC will usually share the substance of your complaint with the organisation so it can respond. If you have safety concerns, raise them with the DPC in writing when you submit the complaint.
Can I get compensation through the DPC?
No. The DPC cannot award damages. To claim compensation for material or non-material harm under Article 82 GDPR, you must bring a civil action in the Circuit Court or High Court, typically with the help of a solicitor.
Final Thoughts
Filing a complaint with the DPC is one of the most powerful tools an individual has under EU data protection law. Done well — with clear evidence, specific GDPR references, and a documented attempt to resolve the issue directly — it can produce real change, not just for you but for everyone affected by the same practice. Done poorly, it gets closed in a single line. Take the time to prepare your submission, manage your expectations on timelines, and remember that good privacy hygiene in the first place is always the strongest defence.
Protect your links with Lunyb
Create secure, trackable short links and QR codes in seconds.
Get Started FreeRelated Articles
Singapore PDPA vs GDPR: Key Differences for Businesses in 2026
Singapore's PDPA and the EU's GDPR both protect personal data, but they differ significantly in scope, consent rules, penalties, and individual rights. This guide breaks down the key differences and shows businesses how to stay compliant with both frameworks.
Privacy Rights in Canada 2026: Your Complete Guide to PIPEDA, Bill C-27 and Digital Protections
Privacy rights in Canada are evolving fast in 2026, with Bill C-27, the CPPA, AIDA, and Quebec's Law 25 reshaping how personal data is protected. This guide explains your rights, how to exercise them, and practical steps to protect your digital privacy.
Australian Data Breach Notification Scheme: Complete 2026 Compliance Guide
Australia's Notifiable Data Breaches scheme imposes strict assessment, notification, and reporting duties on organisations handling personal information. This guide explains who must comply, what triggers notification, the 30-day timeline, penalties up to AUD $50 million, and how to build a response playbook.
UK Online Safety Act: What It Means for Your Privacy
The UK Online Safety Act 2023 reshapes how platforms moderate content, verify ages, and handle private messages. Here's what it really means for your privacy in 2026 — from mandatory age checks to encrypted messaging risks — and the practical steps you can take to protect your data.