DPC Ireland: How to File a Privacy Complaint (2026 Guide)
If a company has mishandled your personal data, ignored a subject access request, or sent you unsolicited marketing, you have the right to complain to Ireland's Data Protection Commission (DPC). As the lead supervisory authority for many of the world's largest tech companies under GDPR's one-stop-shop mechanism, the DPC plays an outsized role in European privacy enforcement. This guide walks you through exactly how to file a privacy complaint with the DPC, what evidence to gather, and what happens after you submit.
What Is the DPC and When Should You Complain?
The Data Protection Commission (DPC) is Ireland's independent regulator responsible for upholding the fundamental right of individuals in the EU to have their personal data protected. It enforces the General Data Protection Regulation (GDPR), the Irish Data Protection Act 2018, and the ePrivacy Regulations.
You should consider filing a complaint with the DPC when a company or organisation established in Ireland (or whose main EU establishment is in Ireland) has:
- Failed to respond to a Subject Access Request (SAR) within one month
- Refused to delete your data after a valid erasure request
- Suffered a data breach affecting your personal information
- Used your data for purposes you didn't consent to
- Sent you direct marketing without a lawful basis
- Set cookies or tracking technologies without valid consent
- Shared your data with third parties unlawfully
Why the DPC Matters Globally
Because giants like Meta, Google, TikTok, Apple, LinkedIn, and Microsoft have their EU headquarters in Ireland, the DPC often acts as the "lead authority" for cross-border cases. This means a complaint filed in Dublin can influence how billions of users' data is handled worldwide.
Before You File: Contact the Organisation First
The DPC strongly recommends (and in most cases expects) that you try to resolve the issue directly with the data controller before escalating. This is not just a formality — it's a legal expectation under GDPR Article 77 and improves your chances of a successful complaint.
Step 1: Identify the Data Controller
The data controller is the entity that decides why and how your personal data is processed. Check the organisation's privacy policy — it will list the controller's legal name and Data Protection Officer (DPO) contact details.
Step 2: Submit a Written Request
Write to the organisation's DPO or privacy team explaining:
- Who you are (with enough detail to identify your records)
- What right you are exercising (access, erasure, rectification, objection, portability)
- What outcome you expect
- A reasonable deadline (GDPR gives them one month, extendable to three for complex cases)
Step 3: Keep Copies of Everything
Save every email, letter, chat transcript, and screenshot. If you send physical mail, use registered post. This paper trail becomes the evidence backbone of your DPC complaint.
How to File a Complaint with the DPC: Step-by-Step
Filing a complaint with the DPC is free, and you don't need a solicitor. Here's the exact process.
Step 1: Choose Your Submission Channel
The DPC accepts complaints through three channels:
- Webform: The dedicated complaint form at dataprotection.ie is the fastest route
- Email: info@dataprotection.ie
- Postal mail: Data Protection Commission, 6 Pembroke Row, Dublin 2, D02 X963
Step 2: Complete the Complaint Form
The form asks for:
- Your full name, address, and contact details
- The name and address of the organisation you're complaining about
- A clear description of what happened, in chronological order
- Which GDPR right you believe was breached
- What steps you have already taken with the organisation
- What outcome you're seeking
Step 3: Attach Supporting Evidence
Attach PDFs or screenshots of:
- Your original request to the organisation
- Their response (or proof of no response)
- Any relevant marketing emails, screenshots of unlawful processing, or breach notifications
- Privacy policies at the time of the incident (use archive.org if needed)
Step 4: Submit and Await Acknowledgement
The DPC typically issues an acknowledgement within 5–10 working days, along with a case reference number. Save this number — you'll need it for all future correspondence.
What Happens After You File
Once your complaint is lodged, it moves through several stages. Understanding the timeline helps set realistic expectations.
| Stage | Typical Duration | What Happens |
|---|---|---|
| Acknowledgement | 1–2 weeks | DPC confirms receipt and assigns a case officer |
| Initial Assessment | 1–3 months | DPC reviews jurisdiction and merits |
| Amicable Resolution | 3–6 months | DPC facilitates dialogue between you and the controller |
| Formal Investigation | 6–24+ months | Statutory inquiry with legal powers to compel evidence |
| Decision & Sanctions | Varies | Reprimand, order, fine, or ban on processing |
Amicable Resolution First
The DPC prefers to resolve complaints through dialogue where possible. In many cases, once the DPC contacts the organisation, the company suddenly finds the ability to fulfil your access request or delete your data. If you accept the resolution, the case closes.
Formal Statutory Inquiry
If the matter cannot be resolved amicably — or if the breach is serious enough to warrant investigation — the DPC may open a statutory inquiry. These are the cases that produce headline fines, such as the €1.2 billion fine against Meta in 2023 for data transfers.
Building a Strong Complaint: What Case Officers Look For
The DPC receives thousands of complaints annually. Those that lead to faster action share common characteristics.
1. A Clear, Specific Breach
Vague dissatisfaction ("I don't like their privacy policy") is weaker than a concrete legal claim ("On 3 March I requested erasure under Article 17; they refused on 15 March citing legitimate interest, but the data is used solely for marketing which I have objected to").
2. A Documented Paper Trail
Complaints with email chains showing the organisation's failure are far stronger than "he said, she said" claims.
3. Demonstrated Harm or Risk
While GDPR doesn't require you to prove damages, showing real-world impact (identity risk, distress, financial loss, unwanted contact) helps the DPC prioritise.
4. Reasonable Requested Outcomes
Ask for what the law can deliver: erasure, correction, cessation of processing, a formal reprimand, or a fine. The DPC cannot award personal compensation — for that, you must go to the Circuit Court.
Common Types of DPC Complaints
Understanding what other complainants have successfully raised helps frame your own case.
Subject Access Request (SAR) Failures
By far the most common category. Companies must respond within one month, provide a full copy of the personal data they hold, and explain the purposes of processing.
Direct Marketing Without Consent
Unsolicited emails, SMS, and calls remain a leading complaint source. Under the ePrivacy Regulations, marketers must have prior opt-in consent or a valid "soft opt-in" from an existing customer relationship.
CCTV and Workplace Surveillance
Employers filming staff without proper notice, or businesses recording customers beyond what's necessary, frequently attract DPC scrutiny.
Data Breaches
If a company suffers a breach affecting your data, they must notify the DPC within 72 hours and, in high-risk cases, notify you directly. Failure to do so is itself a breach.
Cookie Consent Violations
Websites that drop non-essential cookies before you consent, use pre-ticked boxes, or make refusing cookies harder than accepting them are increasingly targeted.
Protecting Your Privacy Beyond Complaints
Filing complaints is reactive. Reducing your exposure in the first place is proactive. Consider these practical steps:
- Use encrypted DNS resolvers to prevent your ISP from logging every domain you visit
- Choose privacy-respecting browsers with tracker blocking enabled by default
- Limit the personal data you share when signing up for services
- When sharing links publicly (social media, forums, email), use a shortener that doesn't build advertising profiles on your audience — services like Lunyb focus on link management without turning your clicks into a marketing dataset
- Regularly audit which apps and sites have your data using tools like "Download Your Data" exports
For a broader look at privacy-focused link tools, see our 2026 buyer's guide to URL shorteners or our honest review of Lunyb.
What If You're Unhappy with the DPC's Decision?
You have rights even against the regulator itself.
Appeal to the Circuit Court
Under section 150 of the Data Protection Act 2018, you can appeal a DPC decision to the Irish Circuit Court within 28 days.
Judicial Review
If you believe the DPC failed to investigate properly or acted unlawfully, you can seek judicial review at the High Court — though this is a costly and specialised route.
Complaint to the Ombudsman
For administrative failings (delays, poor communication) rather than legal decisions, the Office of the Ombudsman can review the DPC's conduct.
Cross-Border Complaints and the One-Stop-Shop
If your complaint concerns a company whose EU main establishment is in Ireland (like Meta, TikTok, or Google), the DPC becomes the lead authority even if you live in another EU state. You can file with your local authority (for example, France's CNIL or Germany's BfDI), and they will forward it to Dublin. However, filing directly with the DPC can sometimes speed things up.
Frequently Asked Questions
How long does the DPC take to resolve a complaint?
Straightforward cases resolved through amicable dialogue typically close within 3–6 months. Formal statutory inquiries into complex cross-border matters can take 18–24 months or longer, particularly when they involve the European Data Protection Board's cooperation mechanism.
Does it cost anything to file a complaint with the DPC?
No. Filing a complaint with the DPC is completely free. You do not need a solicitor, though for complex or high-value cases you may choose to be legally represented at your own cost.
Can I get compensation through the DPC?
No. The DPC can order organisations to change their practices, issue reprimands, and impose administrative fines paid to the state — but it cannot award you personal compensation. To claim damages for material or non-material harm, you must bring civil proceedings in the Circuit Court under section 117 of the Data Protection Act 2018.
Can I file a complaint anonymously?
Generally no. The DPC needs to verify that you are the data subject affected and share relevant details with the organisation to investigate. However, the DPC will not disclose more information than necessary, and you can request that certain sensitive details be treated confidentially.
What if the company is based outside Ireland?
If the organisation has no EU establishment in Ireland, the DPC likely won't be the correct authority. Complaints about companies based in other EU states should generally go to that country's regulator (or your local one, which will forward it). For non-EU companies processing EU residents' data, you can still complain to your local authority under GDPR's extraterritorial reach.
Do I need to complain to the company before going to the DPC?
Legally, no — GDPR gives you the right to complain to a supervisory authority at any time. Practically, yes — the DPC almost always asks what steps you took first, and cases where the controller was never given a chance to respond may be sent back or take longer.
Final Thoughts
The DPC is one of the most consequential privacy regulators in the world, and every complaint filed adds to the enforcement picture that shapes how companies treat personal data. A well-prepared complaint — with clear facts, solid evidence, and specific requested outcomes — has real power to change how organisations behave. Take the time to document, escalate calmly to the controller first, and then bring the matter to Pembroke Row with confidence.
Protect your links with Lunyb
Create secure, trackable short links and QR codes in seconds.
Get Started FreeRelated Articles
UK Online Safety Act: What It Means for Your Privacy
The UK Online Safety Act reshapes how platforms handle content, age checks, and encrypted messaging. Learn what it means for your privacy in 2025 and beyond, and get practical steps to protect your data under the new rules.
Singapore Online Safety Act 2026: Complete Guide for Businesses and Users
The Singapore Online Safety Act 2026 introduces a duty-of-care model for online platforms, expanded takedown powers, and tougher penalties. This complete guide explains who is in scope, what obligations apply, and how to build a compliance roadmap.
Data Protection Act 2018 Ireland: Complete Guide
A complete plain-language guide to Ireland's Data Protection Act 2018: how it works alongside the GDPR, the powers of the DPC, individual rights, penalties, and practical compliance steps. Essential reading for any Irish business handling personal data.
OAIC Complaints: How to Report a Privacy Breach in Australia
A complete Australian guide to lodging an OAIC privacy complaint — from complaining to the organisation first, to gathering evidence, understanding timelines, and knowing what compensation and outcomes to expect under the Privacy Act.