facebook-pixel
L
Lunyb

DPC Ireland: How to File a Privacy Complaint (2026 Guide)

L
Lunyb Security Team
··10 min read

If a company has mishandled your personal data, ignored your access request, or refused to delete information you have a right to remove, you can file a formal complaint with the Data Protection Commission (DPC) of Ireland. The DPC is the supervisory authority responsible for upholding the General Data Protection Regulation (GDPR) and the Irish Data Protection Act 2018, and because so many global technology companies have their European headquarters in Dublin, the DPC is one of the most influential privacy regulators in the world.

This guide explains, in plain language, how to prepare and submit a privacy complaint to the DPC Ireland, what evidence to gather, what timelines to expect, and what happens after you file. It is written for individuals (data subjects), not for businesses responding to investigations.

What Is the Data Protection Commission (DPC)?

The Data Protection Commission is Ireland's independent national authority responsible for enforcing data protection law. It investigates complaints from individuals, audits organisations, issues fines, and works alongside other European Data Protection Authorities under the European Data Protection Board (EDPB).

Because companies such as Meta, Google, TikTok, LinkedIn, X, and Apple have their EU headquarters in Ireland, the DPC frequently acts as the "lead supervisory authority" for cross-border cases under the GDPR's one-stop-shop mechanism. That means an Irish complaint can have implications across the entire European Economic Area (EEA).

What the DPC Can Do

  • Investigate complaints against data controllers and processors.
  • Order organisations to comply with your rights (access, erasure, rectification, objection).
  • Impose administrative fines of up to €20 million or 4% of global annual turnover.
  • Refer matters for prosecution where criminal offences are suspected.
  • Issue reprimands, bans on processing, or corrective orders.

What the DPC Cannot Do

  • Award you financial compensation (you must go to court for damages).
  • Resolve purely contractual or consumer disputes unrelated to personal data.
  • Act as your personal lawyer or represent you in litigation.

When Should You File a Complaint With the DPC?

You can file a complaint with the DPC whenever you believe an organisation has breached your data protection rights under the GDPR or the Irish Data Protection Act 2018. Common scenarios include:

  1. Ignored Subject Access Request (SAR): You asked a company for a copy of your data and they did not respond within one month, or refused without valid reason.
  2. Refused erasure ("right to be forgotten"): You requested deletion of your personal data and the request was denied or ignored.
  3. Unlawful marketing: You keep receiving emails, SMS, or calls despite unsubscribing or never consenting.
  4. Data breach: A company exposed your personal data and failed to notify you appropriately.
  5. Excessive data collection: An organisation collected more information than necessary for the stated purpose.
  6. CCTV or workplace monitoring: An employer or business is recording you without proper legal basis or notice.
  7. Inaccurate data: You asked for incorrect information to be corrected and the controller refused.

Try to Resolve the Issue Directly First

The DPC strongly prefers that you contact the organisation directly before escalating. Under GDPR, the controller must respond to your rights request within one calendar month (extendable by two further months for complex requests, with notice). Only after that window has expired, or after you have received an inadequate response, should you escalate to the DPC.

Keep a paper trail. Every email, screenshot, postal receipt, or chat transcript becomes potential evidence. If you need to share long evidence URLs with the DPC or with the company, you can tidy them up using a reputable short-link service such as Lunyb so your complaint document stays readable.

Step-by-Step: How to File a Complaint With DPC Ireland

The DPC accepts complaints via online webform, email, and post. The online webform is the fastest and most reliable route. Here is the full process from start to finish.

Step 1: Gather Your Evidence

Before opening the form, collect everything in one folder:

  • The name and contact details of the organisation (the data controller).
  • Your original request or correspondence (with dates).
  • The organisation's response (or proof that none was received).
  • Screenshots, emails, letters, or contracts that support your claim.
  • Any reference numbers or case IDs the controller assigned.
  • Identification documents if requested (a redacted copy is usually acceptable).

Step 2: Identify the Correct Legal Basis

You do not need to be a lawyer, but it helps to know which right you are exercising. The main GDPR articles include:

  • Article 15 – Right of access
  • Article 16 – Right to rectification
  • Article 17 – Right to erasure
  • Article 18 – Right to restriction of processing
  • Article 20 – Right to data portability
  • Article 21 – Right to object (including direct marketing)
  • Article 22 – Rights relating to automated decision-making and profiling

Step 3: Submit the Complaint

Go to the DPC website (dataprotection.ie) and open the "Lodge a Complaint" section. You will be asked to provide:

  1. Your full name and contact details.
  2. The name of the organisation you are complaining about.
  3. A clear description of the issue (keep it factual and chronological).
  4. What right you believe has been breached.
  5. What outcome you are seeking (deletion, access, halt to processing, etc.).
  6. Uploaded evidence files.

Alternatively, you can email info@dataprotection.ie or write to: Data Protection Commission, 21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland.

Step 4: Acknowledge and Follow Up

The DPC will issue an acknowledgement, usually within a few business days, including a case reference number. Save that number — you will need it for every future communication.

What Happens After You File?

The DPC handles complaints in stages. The exact timeline depends on the complexity of the case and whether it is cross-border.

StageWhat HappensTypical Timeframe
1. AcknowledgementDPC confirms receipt and assigns a case officer.3–10 business days
2. Amicable ResolutionDPC contacts the organisation to seek a quick fix.1–3 months
3. Formal InvestigationIf unresolved, a statutory inquiry is opened under Section 110 of the 2018 Act.6 months – 2+ years
4. Draft DecisionDPC issues findings; in cross-border cases, other EU DPAs are consulted.Varies
5. Final DecisionBinding decision, possible fines, corrective orders, or dismissal.Varies

Amicable Resolution

The DPC is required under Irish law to attempt amicable resolution where appropriate. In practice, this means the case officer will contact the organisation, summarise your complaint, and invite them to remedy the situation. Many complaints — especially access and erasure cases — are resolved at this stage without a formal inquiry.

Formal Statutory Inquiry

If amicable resolution fails, or if the complaint raises systemic issues, the DPC may launch a statutory inquiry. This is a formal legal process with binding outcomes. Large-scale inquiries against multinational tech companies can take years and have resulted in some of the largest GDPR fines in Europe.

Cross-Border Complaints and the One-Stop-Shop

If your complaint involves a company whose EU headquarters is in Ireland (for example, Meta or TikTok), the DPC will likely act as the lead supervisory authority. Other concerned EU regulators are entitled to weigh in, and the European Data Protection Board may issue a binding decision under Article 65 of the GDPR if regulators disagree.

You can still lodge your complaint with the DPC directly, or with the data protection authority in your own EU country, which will forward it to Ireland. Either path is valid.

Common Mistakes to Avoid

  • Skipping the controller: Filing with the DPC before contacting the company often delays the case.
  • Vague descriptions: "They have my data" is not enough. Be specific about dates, data types, and impact.
  • Missing evidence: Without documentation, the DPC cannot verify your claim.
  • Expecting compensation: The DPC enforces the law; for damages, you need civil court proceedings.
  • Anonymous complaints: The DPC generally requires identifiable complainants, although your identity is not disclosed to the public.

What If You Disagree With the DPC's Decision?

If you are unhappy with the final outcome, you have several options:

  1. Statutory appeal: You can appeal certain decisions to the Circuit Court or High Court within 28 days.
  2. Judicial review: Challenge the procedure used by the DPC, not the merits.
  3. Civil action: Sue the organisation directly under Section 117 of the Data Protection Act 2018 for compensation and damages.

Tips for a Strong Complaint

  1. Be chronological. Walk the case officer through events in order.
  2. Stick to facts. Avoid emotional language; let the evidence speak.
  3. Quote the law. Mention the specific GDPR article you believe was breached.
  4. State your desired outcome. Deletion? Access? Halt to marketing?
  5. Keep copies of everything. Save acknowledgements, emails, and correspondence.
  6. Be patient but persistent. Reasonable follow-ups every 6–8 weeks are appropriate.

Protecting Your Privacy Going Forward

Filing a complaint is reactive. To reduce future privacy headaches:

  • Review consent settings on every major service annually.
  • Use a dedicated email alias for sign-ups so you can track who shared your data.
  • Enable encrypted DNS (DNS-over-HTTPS) in your browser to limit ISP tracking.
  • Choose a privacy-respecting browser and disable third-party cookies.
  • When sharing links publicly, use a trustworthy shortener with analytics controls — see our 2026 buyer's guide to URL shorteners for options that respect data minimisation principles.

Frequently Asked Questions

How much does it cost to file a complaint with the DPC?

It is completely free. The Data Protection Commission does not charge any fee for lodging or investigating a complaint, regardless of how complex the case becomes.

How long does a DPC investigation take?

Simple cases resolved by amicable resolution typically close within 1–3 months. Formal statutory inquiries — especially cross-border cases involving large tech companies — can take anywhere from six months to several years. The DPC publishes annual statistics on its caseload.

Can I file a complaint anonymously?

No. The DPC requires identifiable complainants so it can correspond with you, verify the facts, and exercise procedural fairness. However, your identity is not made public, and disclosure to the organisation under investigation is limited to what is necessary to address the complaint.

What if the company is based outside Ireland?

If the company has an EU establishment in Ireland, the DPC is likely the lead regulator. If it is based in another EU country, you can still file with the DPC, which will transfer it. For companies entirely outside the EU that target Irish residents, the DPC can still act because the GDPR has extraterritorial reach under Article 3.

Can I get compensation through the DPC?

No. The DPC cannot award you money. To claim damages — including for non-material harm such as distress — you must bring civil proceedings under Section 117 of the Data Protection Act 2018, typically in the Circuit Court. A successful DPC finding can, however, strengthen a subsequent compensation claim.

Do I need a solicitor to file a complaint?

No. The DPC complaint process is designed to be accessible to individuals without legal representation. However, if your case involves significant damages, complex cross-border issues, or you intend to appeal a decision, professional legal advice is recommended.

Final Thoughts

The DPC complaint process is one of the most powerful free tools available to Irish and EU residents. It costs nothing, can result in binding orders against some of the world's largest companies, and gives individuals real leverage over how their data is used. The keys to success are simple: contact the organisation first, document everything carefully, file a clear and factual complaint, and be prepared to wait while the regulator does its work.

Whether your issue is a stubborn marketing email, a CCTV camera you never consented to, or a global platform that ignored your erasure request, the DPC Ireland exists precisely to hold controllers accountable — and your complaint helps shape how privacy law is enforced across Europe.

Protect your links with Lunyb

Create secure, trackable short links and QR codes in seconds.

Get Started Free

Related Articles

OAIC Complaints: How to Report a Privacy Breach in Australia

If an Australian organisation has mishandled your personal information, you can lodge a free complaint with the OAIC. This guide walks through eligibility, evidence, the complaint process and the remedies you can realistically expect.

10 min

Singapore Online Safety Act 2026: Complete Guide for Businesses and Users

Singapore's Online Safety Act 2026 expands platform obligations around harmful content, scams, deepfakes, and child safety. This complete guide explains who it applies to, the key compliance duties, IMDA enforcement powers, and what businesses and users should do to prepare.

10 min

Data Protection Act 2018 Ireland: Complete Guide

A complete guide to Ireland's Data Protection Act 2018: how it works with GDPR, the rights it grants, the obligations it imposes on businesses, and the penalties for non-compliance. Includes a practical compliance checklist and FAQs for Irish organisations.

10 min

ePrivacy Regulations Ireland: Latest Updates for 2026

A practical 2026 guide to ePrivacy regulations in Ireland, covering S.I. 336/2011, the latest DPC enforcement priorities, cookie consent rules, direct marketing requirements, and step-by-step compliance actions for Irish businesses.

10 min