facebook-pixel

DPC Ireland: How to File a Privacy Complaint (2026 Guide)

L
Lunyb Security Team
··9 min read

If you believe an organisation has mishandled your personal data, you have a legal right to complain to Ireland's Data Protection Commission (DPC). As the country's independent supervisory authority for the General Data Protection Regulation (GDPR) and the Data Protection Act 2018, the DPC investigates complaints against controllers ranging from small local businesses to some of the world's largest technology companies headquartered in Dublin. This guide walks you through exactly how to file a privacy complaint with the DPC Ireland, what evidence you need, and what happens after you submit.

What Is the DPC Ireland?

The Data Protection Commission (An Coimisiún um Chosaint Sonraí) is Ireland's national data protection authority, established under the Data Protection Act 2018. It enforces GDPR compliance across Ireland and, because so many multinational tech firms have their EU headquarters in Dublin, it also acts as the "lead supervisory authority" for many cross-border cases affecting millions of EU citizens.

The DPC has broad powers to investigate complaints, issue reprimands, order corrective action, and impose administrative fines of up to €20 million or 4% of a company's global annual turnover, whichever is higher. Its headquarters are located at 21 Fitzwilliam Square South, Dublin 2, with a secondary office in Portarlington, County Laois.

When You Can Complain to the DPC

You can file a complaint with the DPC if you are physically located in Ireland or if the alleged infringement took place in Ireland, and you believe any of your rights under the GDPR or the Data Protection Act 2018 have been breached. Common grounds include:

  • An organisation refuses to give you access to your personal data (Article 15 access request denied or ignored).
  • Your data has been used for direct marketing without valid consent.
  • A company will not delete your data after a valid erasure request (Article 17).
  • You suspect a data breach exposed your information and the controller failed to notify you.
  • CCTV, workplace monitoring, or biometric processing is excessive or unlawful.
  • A website drops non-essential cookies without proper consent (ePrivacy Regulations 2011).

Before You File: Contact the Organisation First

The DPC strongly recommends—and in practice usually requires—that you attempt to resolve the issue directly with the organisation before escalating. Under GDPR, every controller must respond to a data subject request within one calendar month (extendable by two further months for complex requests, with notification).

Step 1: Identify the Data Protection Officer (DPO)

Most medium and large organisations, and all public bodies, must appoint a Data Protection Officer. Their contact details should appear in the organisation's privacy notice, usually linked in the footer of its website. Address your initial complaint in writing (email is fine) to the DPO or to a general "privacy@" or "dataprotection@" mailbox.

Step 2: Make a Clear, Written Request

Be specific. State what happened, what right you are exercising, and what outcome you want (access, correction, deletion, cessation of processing, or an explanation). Keep copies of every email and any postal correspondence—including delivery receipts.

Step 3: Wait the Statutory Period

Give the organisation the full one-month response window. If they fail to reply, reply inadequately, or refuse without a lawful basis, you now have grounds to escalate to the DPC.

How to File a Complaint With the DPC Ireland

The DPC accepts complaints through three main channels: an online webform, postal submission, and (in exceptional cases) telephone. There is no fee to file a complaint.

Option 1: Online Webform (Recommended)

  1. Go to www.dataprotection.ie and navigate to "Contact / Raise a Concern".
  2. Select "Raise a Concern with the DPC" and choose the category that best matches your issue (e.g. access request, direct marketing, CCTV, data breach).
  3. Complete your personal details—name, address, email, and phone number. Complaints must be signed and cannot be anonymous.
  4. Describe the concern in plain language. Include dates, the name of the controller, and any reference numbers.
  5. Upload supporting documents (PDF, JPG, PNG). Typical evidence includes copies of your original request, the controller's reply (or lack thereof), screenshots, and marketing emails.
  6. Submit and save the automatic acknowledgement reference number.

Option 2: Postal Submission

You can download the complaint form from the DPC website, print it, sign it, and post it with copies (never originals) of your evidence to:

Data Protection Commission
21 Fitzwilliam Square South
Dublin 2
D02 RD28

Option 3: Direct Email

For straightforward matters, you may email info@dataprotection.ie with a clear subject line such as "Complaint under Section 108, Data Protection Act 2018". Attach the same supporting documents you would upload online.

What to Include in Your Complaint

A well-prepared complaint dramatically increases the chance of a swift and favourable outcome. The DPC expects the following:

ElementWhat to Provide
Your identityFull name, postal address, email, and a copy of ID if requested later
The controllerLegal name of the organisation, address, and any staff member you dealt with
The right invokedAccess, rectification, erasure, restriction, portability, objection, or a breach concern
TimelineDates of your original request and any responses
EvidenceCopies of emails, letters, screenshots, marketing messages, CCTV notices
Desired outcomeWhat you want the DPC to achieve (e.g. deletion, cessation, compensation guidance)

What Happens After You Submit

The DPC handles thousands of complaints each year, so timelines vary widely depending on complexity and whether the case is cross-border.

Stage 1: Acknowledgement (1–3 Weeks)

You will receive a case reference number and confirmation that a case handler has been assigned. If the DPC believes your complaint is outside its remit, it will tell you why and suggest an alternative body (for example, ComReg for telecoms nuisance calls).

Stage 2: Amicable Resolution

Under Section 109 of the Data Protection Act 2018, the DPC must first attempt to resolve complaints amicably. The case officer will typically write to the controller, share your concerns, and invite a response or corrective action. Many complaints are resolved at this stage within two to four months.

Stage 3: Statutory Inquiry

If amicable resolution fails or the matter is serious, the DPC may open a formal statutory inquiry. This can involve on-site audits, formal information requests, and interviews. Outcomes include reprimands, compliance orders, temporary or permanent processing bans, and administrative fines.

Stage 4: Legally Binding Decision

At the conclusion of a statutory inquiry, the DPC issues a legally binding decision. Cross-border cases go through the European Data Protection Board's cooperation and consistency mechanism, which can extend timelines considerably—sometimes years for the largest tech-company inquiries.

Your Right to Appeal

If you are unhappy with the DPC's handling of your case, you have two escalation paths. You may appeal a decision to the Circuit Court or the High Court within 28 days of the decision being notified. You may also lodge a complaint with the Ombudsman if you believe the DPC itself acted improperly in an administrative sense. Under Article 78 GDPR, every data subject has a right to an effective judicial remedy against a supervisory authority.

Practical Tips to Strengthen Your Complaint

  • Be concise but complete. Case officers read hundreds of complaints. A clear one-page summary plus attachments beats a rambling narrative.
  • Cite the article. Reference the specific GDPR article you believe was breached (e.g. "Article 15 – Right of Access"). It signals you understand your rights.
  • Keep evidence organised. Number your attachments and refer to them in the body ("see Exhibit 1 – original access request dated 4 March").
  • Do not exaggerate. Stick to what you can prove. Overstated claims weaken credibility.
  • Track everything. Save the DPC reference number, screenshot every submission page, and diary follow-up dates.

Protecting Your Privacy Going Forward

Filing a complaint is reactive. Building better privacy habits is proactive. Consider using encrypted DNS resolvers such as Cloudflare 1.1.1.1 or NextDNS, privacy-focused browsers like Brave or Firefox with strict tracking protection enabled, and unique email aliases for every sign-up so you can identify which services leak your data.

When you share links—whether in emails, social posts, or QR codes—consider using a privacy-respecting URL shortener that does not build advertising profiles from click data. Tools such as Lunyb let you create branded short links with click analytics you own, without third-party trackers being injected into the redirect chain. For a broader look at the shortener market, our 2026 buyer's guide to URL shorteners compares privacy features across leading providers, and our honest Lunyb review explains how the service handles user data.

Common Complaint Categories in Ireland

CategoryTypical IssueRelevant Law
Access requestsController ignores or partially respondsArticle 15 GDPR
Direct marketingUnsolicited emails, SMS, or callsePrivacy Regs 2011 (SI 336)
CookiesNon-essential cookies without consentePrivacy Regs 2011
Workplace monitoringExcessive email, CCTV, or GPS trackingArticle 6 & 88 GDPR
Data breachesFailure to notify affected individualsArticle 34 GDPR
CCTV in public/retailNo signage, excessive retentionArticle 5 & 13 GDPR

Frequently Asked Questions

How much does it cost to file a complaint with the DPC Ireland?

Nothing. Filing a data protection complaint is free. You are also not required to hire a solicitor, though legal advice can be helpful for complex or high-value matters.

How long does the DPC take to resolve a complaint?

Simple complaints resolved amicably typically close within two to six months. Statutory inquiries into complex or cross-border matters can take one to three years, especially where the European Data Protection Board's consistency mechanism is engaged.

Can I claim compensation through the DPC?

No. The DPC cannot award compensation. Under Article 82 GDPR and Section 117 of the Data Protection Act 2018, you must pursue compensation for material or non-material damage separately through the Circuit Court or High Court. A DPC finding in your favour, however, is powerful supporting evidence in any civil action.

Can I complain anonymously?

Formal complaints require you to identify yourself so the DPC can correspond and verify the facts. However, you can raise general concerns or tip-offs anonymously through the DPC's contact channels, and these may inform broader investigations even if they do not open a case in your name.

What if the organisation is based outside Ireland?

If the controller has its EU main establishment in Ireland (as many tech firms do), the DPC is the lead authority. Otherwise, you can still file with the DPC and it will forward your complaint to the relevant EU supervisory authority under the GDPR one-stop-shop mechanism. For non-EU controllers targeting Irish residents, the DPC can still act.

Final Thoughts

Ireland's Data Protection Commission is one of the most consequential regulators in the world, and its complaints process is genuinely accessible to ordinary residents. The key to a successful complaint is preparation: exhaust the direct route with the controller, gather clear evidence, cite the specific right that has been breached, and submit through the official webform. Even if your individual case seems small, complaints feed the DPC's supervisory intelligence and contribute to the broader enforcement of privacy rights across the EU.

Protect your links with Lunyb

Create secure, trackable short links and QR codes in seconds.

Get Started Free

Related Articles