DPC Ireland: How to File a Privacy Complaint (2026 Guide)
If you believe an organisation has mishandled your personal data, you have a legal right to complain to Ireland's Data Protection Commission (DPC). As the country's independent supervisory authority for the General Data Protection Regulation (GDPR) and the Data Protection Act 2018, the DPC investigates complaints against controllers ranging from small local businesses to some of the world's largest technology companies headquartered in Dublin. This guide walks you through exactly how to file a privacy complaint with the DPC Ireland, what evidence you need, and what happens after you submit.
What Is the DPC Ireland?
The Data Protection Commission (An Coimisiún um Chosaint Sonraí) is Ireland's national data protection authority, established under the Data Protection Act 2018. It enforces GDPR compliance across Ireland and, because so many multinational tech firms have their EU headquarters in Dublin, it also acts as the "lead supervisory authority" for many cross-border cases affecting millions of EU citizens.
The DPC has broad powers to investigate complaints, issue reprimands, order corrective action, and impose administrative fines of up to €20 million or 4% of a company's global annual turnover, whichever is higher. Its headquarters are located at 21 Fitzwilliam Square South, Dublin 2, with a secondary office in Portarlington, County Laois.
When You Can Complain to the DPC
You can file a complaint with the DPC if you are physically located in Ireland or if the alleged infringement took place in Ireland, and you believe any of your rights under the GDPR or the Data Protection Act 2018 have been breached. Common grounds include:
- An organisation refuses to give you access to your personal data (Article 15 access request denied or ignored).
- Your data has been used for direct marketing without valid consent.
- A company will not delete your data after a valid erasure request (Article 17).
- You suspect a data breach exposed your information and the controller failed to notify you.
- CCTV, workplace monitoring, or biometric processing is excessive or unlawful.
- A website drops non-essential cookies without proper consent (ePrivacy Regulations 2011).
Before You File: Contact the Organisation First
The DPC strongly recommends—and in practice usually requires—that you attempt to resolve the issue directly with the organisation before escalating. Under GDPR, every controller must respond to a data subject request within one calendar month (extendable by two further months for complex requests, with notification).
Step 1: Identify the Data Protection Officer (DPO)
Most medium and large organisations, and all public bodies, must appoint a Data Protection Officer. Their contact details should appear in the organisation's privacy notice, usually linked in the footer of its website. Address your initial complaint in writing (email is fine) to the DPO or to a general "privacy@" or "dataprotection@" mailbox.
Step 2: Make a Clear, Written Request
Be specific. State what happened, what right you are exercising, and what outcome you want (access, correction, deletion, cessation of processing, or an explanation). Keep copies of every email and any postal correspondence—including delivery receipts.
Step 3: Wait the Statutory Period
Give the organisation the full one-month response window. If they fail to reply, reply inadequately, or refuse without a lawful basis, you now have grounds to escalate to the DPC.
How to File a Complaint With the DPC Ireland
The DPC accepts complaints through three main channels: an online webform, postal submission, and (in exceptional cases) telephone. There is no fee to file a complaint.
Option 1: Online Webform (Recommended)
- Go to www.dataprotection.ie and navigate to "Contact / Raise a Concern".
- Select "Raise a Concern with the DPC" and choose the category that best matches your issue (e.g. access request, direct marketing, CCTV, data breach).
- Complete your personal details—name, address, email, and phone number. Complaints must be signed and cannot be anonymous.
- Describe the concern in plain language. Include dates, the name of the controller, and any reference numbers.
- Upload supporting documents (PDF, JPG, PNG). Typical evidence includes copies of your original request, the controller's reply (or lack thereof), screenshots, and marketing emails.
- Submit and save the automatic acknowledgement reference number.
Option 2: Postal Submission
You can download the complaint form from the DPC website, print it, sign it, and post it with copies (never originals) of your evidence to:
Data Protection Commission
21 Fitzwilliam Square South
Dublin 2
D02 RD28
Option 3: Direct Email
For straightforward matters, you may email info@dataprotection.ie with a clear subject line such as "Complaint under Section 108, Data Protection Act 2018". Attach the same supporting documents you would upload online.
What to Include in Your Complaint
A well-prepared complaint dramatically increases the chance of a swift and favourable outcome. The DPC expects the following:
| Element | What to Provide |
|---|---|
| Your identity | Full name, postal address, email, and a copy of ID if requested later |
| The controller | Legal name of the organisation, address, and any staff member you dealt with |
| The right invoked | Access, rectification, erasure, restriction, portability, objection, or a breach concern |
| Timeline | Dates of your original request and any responses |
| Evidence | Copies of emails, letters, screenshots, marketing messages, CCTV notices |
| Desired outcome | What you want the DPC to achieve (e.g. deletion, cessation, compensation guidance) |
What Happens After You Submit
The DPC handles thousands of complaints each year, so timelines vary widely depending on complexity and whether the case is cross-border.
Stage 1: Acknowledgement (1–3 Weeks)
You will receive a case reference number and confirmation that a case handler has been assigned. If the DPC believes your complaint is outside its remit, it will tell you why and suggest an alternative body (for example, ComReg for telecoms nuisance calls).
Stage 2: Amicable Resolution
Under Section 109 of the Data Protection Act 2018, the DPC must first attempt to resolve complaints amicably. The case officer will typically write to the controller, share your concerns, and invite a response or corrective action. Many complaints are resolved at this stage within two to four months.
Stage 3: Statutory Inquiry
If amicable resolution fails or the matter is serious, the DPC may open a formal statutory inquiry. This can involve on-site audits, formal information requests, and interviews. Outcomes include reprimands, compliance orders, temporary or permanent processing bans, and administrative fines.
Stage 4: Legally Binding Decision
At the conclusion of a statutory inquiry, the DPC issues a legally binding decision. Cross-border cases go through the European Data Protection Board's cooperation and consistency mechanism, which can extend timelines considerably—sometimes years for the largest tech-company inquiries.
Your Right to Appeal
If you are unhappy with the DPC's handling of your case, you have two escalation paths. You may appeal a decision to the Circuit Court or the High Court within 28 days of the decision being notified. You may also lodge a complaint with the Ombudsman if you believe the DPC itself acted improperly in an administrative sense. Under Article 78 GDPR, every data subject has a right to an effective judicial remedy against a supervisory authority.
Practical Tips to Strengthen Your Complaint
- Be concise but complete. Case officers read hundreds of complaints. A clear one-page summary plus attachments beats a rambling narrative.
- Cite the article. Reference the specific GDPR article you believe was breached (e.g. "Article 15 – Right of Access"). It signals you understand your rights.
- Keep evidence organised. Number your attachments and refer to them in the body ("see Exhibit 1 – original access request dated 4 March").
- Do not exaggerate. Stick to what you can prove. Overstated claims weaken credibility.
- Track everything. Save the DPC reference number, screenshot every submission page, and diary follow-up dates.
Protecting Your Privacy Going Forward
Filing a complaint is reactive. Building better privacy habits is proactive. Consider using encrypted DNS resolvers such as Cloudflare 1.1.1.1 or NextDNS, privacy-focused browsers like Brave or Firefox with strict tracking protection enabled, and unique email aliases for every sign-up so you can identify which services leak your data.
When you share links—whether in emails, social posts, or QR codes—consider using a privacy-respecting URL shortener that does not build advertising profiles from click data. Tools such as Lunyb let you create branded short links with click analytics you own, without third-party trackers being injected into the redirect chain. For a broader look at the shortener market, our 2026 buyer's guide to URL shorteners compares privacy features across leading providers, and our honest Lunyb review explains how the service handles user data.
Common Complaint Categories in Ireland
| Category | Typical Issue | Relevant Law |
|---|---|---|
| Access requests | Controller ignores or partially responds | Article 15 GDPR |
| Direct marketing | Unsolicited emails, SMS, or calls | ePrivacy Regs 2011 (SI 336) |
| Cookies | Non-essential cookies without consent | ePrivacy Regs 2011 |
| Workplace monitoring | Excessive email, CCTV, or GPS tracking | Article 6 & 88 GDPR |
| Data breaches | Failure to notify affected individuals | Article 34 GDPR |
| CCTV in public/retail | No signage, excessive retention | Article 5 & 13 GDPR |
Frequently Asked Questions
How much does it cost to file a complaint with the DPC Ireland?
Nothing. Filing a data protection complaint is free. You are also not required to hire a solicitor, though legal advice can be helpful for complex or high-value matters.
How long does the DPC take to resolve a complaint?
Simple complaints resolved amicably typically close within two to six months. Statutory inquiries into complex or cross-border matters can take one to three years, especially where the European Data Protection Board's consistency mechanism is engaged.
Can I claim compensation through the DPC?
No. The DPC cannot award compensation. Under Article 82 GDPR and Section 117 of the Data Protection Act 2018, you must pursue compensation for material or non-material damage separately through the Circuit Court or High Court. A DPC finding in your favour, however, is powerful supporting evidence in any civil action.
Can I complain anonymously?
Formal complaints require you to identify yourself so the DPC can correspond and verify the facts. However, you can raise general concerns or tip-offs anonymously through the DPC's contact channels, and these may inform broader investigations even if they do not open a case in your name.
What if the organisation is based outside Ireland?
If the controller has its EU main establishment in Ireland (as many tech firms do), the DPC is the lead authority. Otherwise, you can still file with the DPC and it will forward your complaint to the relevant EU supervisory authority under the GDPR one-stop-shop mechanism. For non-EU controllers targeting Irish residents, the DPC can still act.
Final Thoughts
Ireland's Data Protection Commission is one of the most consequential regulators in the world, and its complaints process is genuinely accessible to ordinary residents. The key to a successful complaint is preparation: exhaust the direct route with the controller, gather clear evidence, cite the specific right that has been breached, and submit through the official webform. Even if your individual case seems small, complaints feed the DPC's supervisory intelligence and contribute to the broader enforcement of privacy rights across the EU.