DPC Ireland: How to File a Privacy Complaint (2026 Guide)
If your personal data has been mishandled by a company, public body, or website, you have the right to file a formal complaint with Ireland's Data Protection Commission (DPC). As the lead supervisory authority for many of the world's largest technology companies headquartered in Dublin, the DPC handles complaints ranging from local retailers to global platforms like Meta, Google, and TikTok. This guide walks you through exactly how to file a privacy complaint with the DPC in 2026, what evidence you need, and what happens after you submit.
What Is the Data Protection Commission (DPC)?
The Data Protection Commission is Ireland's independent regulator responsible for enforcing the General Data Protection Regulation (GDPR) and the Data Protection Act 2018. Established in its current form in May 2018, the DPC investigates complaints, audits organisations, imposes fines, and issues binding decisions when personal data has been unlawfully processed.
Because Ireland hosts the European headquarters of most major U.S. tech firms, the DPC operates as the "one-stop-shop" lead authority for cross-border cases affecting hundreds of millions of EU citizens. This gives it outsized influence, but it also means Irish residents have direct access to a regulator with real enforcement power.
What the DPC Can Do
- Investigate complaints against data controllers and processors
- Issue reprimands, warnings, and corrective orders
- Impose administrative fines of up to €20 million or 4% of global turnover
- Order the deletion or rectification of unlawfully processed data
- Suspend cross-border data transfers
When Should You File a Complaint with the DPC?
You can file a complaint with the DPC when you believe an organisation has breached your data protection rights under the GDPR. The DPC handles complaints against any organisation established in Ireland, as well as cross-border cases where an EU-wide company has its main establishment in Ireland.
Common Grounds for Filing
- Ignored data subject requests: The organisation failed to respond to your access, deletion, or rectification request within one month.
- Unlawful processing: Your data was collected or used without a valid legal basis.
- Data breaches: Your information was exposed and the organisation failed to notify you or the DPC properly.
- Unwanted marketing: You continue receiving direct marketing after opting out.
- Excessive CCTV or surveillance: Cameras record public areas or workplaces beyond what is proportionate.
- Cookie violations: Websites drop tracking cookies without valid consent.
- Cross-border transfers: Your data was sent outside the EEA without adequate safeguards.
Try to Resolve It First
The DPC strongly recommends contacting the organisation directly before escalating. You should send a written complaint to the company's Data Protection Officer (DPO) and give them at least one month to respond. This step is not strictly mandatory, but the DPC will usually ask whether you've done it, and cases move faster when you've already tried informal resolution.
How to File a Privacy Complaint with the DPC: Step-by-Step
Filing a complaint is free and does not require a solicitor. Here's the full process from preparation to submission.
Step 1: Gather Your Evidence
Before you contact the DPC, collect everything relevant to your complaint:
- Copies of emails, letters, or messages between you and the organisation
- Screenshots of website forms, cookie banners, or privacy notices
- Dates when incidents occurred
- Any responses (or lack thereof) to previous data subject requests
- Copies of the organisation's privacy policy at the time of the incident
Step 2: Identify the Correct Organisation
You must name the data controller — the entity that decides how your data is processed. For large platforms, this is often the Irish subsidiary (e.g., "Meta Platforms Ireland Limited" or "Google Ireland Limited"). Check the organisation's privacy policy to find the exact legal entity name and registered address.
Step 3: Contact the Organisation's DPO
Send a written complaint explaining the issue and what remedy you seek (deletion, correction, compensation, etc.). Keep the message factual and reference the specific GDPR articles you believe were breached. Set a deadline of one month for a substantive response.
Step 4: Complete the DPC Complaint Form
If the organisation fails to respond or the response is unsatisfactory, go to dataprotection.ie and use the online complaints webform. You can also submit by post to: Data Protection Commission, 21 Fitzwilliam Square South, Dublin 2, D02 RD28.
The form asks for:
- Your full name, address, and contact details
- The name and address of the organisation you're complaining about
- A clear description of what happened and when
- Evidence you've already contacted the organisation
- Copies of supporting documents
- The outcome you're seeking
Step 5: Wait for Acknowledgment
The DPC typically acknowledges receipt within 5–10 working days and assigns a case reference number. Keep this number for all future correspondence.
What Happens After You File?
Once your complaint is registered, the DPC follows a structured investigation process. Timelines vary depending on complexity — simple cases may resolve in a few months, while cross-border investigations against major platforms can take years.
The DPC Investigation Stages
| Stage | What Happens | Typical Duration |
|---|---|---|
| Assessment | DPC reviews whether the complaint falls within its remit | 2–8 weeks |
| Amicable resolution | DPC tries to mediate between you and the organisation | 1–6 months |
| Formal inquiry | If unresolved, a statutory investigation opens | 6 months–3 years |
| Draft decision | DPC issues findings and proposed corrective measures | Variable |
| Final decision | Binding decision, possibly including fines | Variable |
Cross-Border Cases
If your complaint involves a company operating across the EU (e.g., a social media platform), the DPC acts as "lead supervisory authority" and coordinates with other EU regulators through the European Data Protection Board (EDPB). This adds procedural steps but ensures the final decision applies EU-wide.
Your Rights During the Process
The DPC must keep you informed of progress every three months. You have the right to:
- Receive updates on the investigation
- Submit additional evidence
- Be notified of the final decision
- Appeal to the Circuit Court within 28 days of the decision
- Seek compensation through the courts separately from the regulatory process
Practical Tips for a Successful Complaint
Be Specific and Concise
The DPC handles thousands of complaints annually. A focused, well-documented submission that cites specific GDPR articles (e.g., Article 15 for access rights, Article 17 for erasure) is far more likely to progress quickly than a vague grievance.
Keep Records of Everything
Save every email, take screenshots of every relevant webpage, and log every phone call. If you share links with the DPC as evidence, make sure they're clean and trackable — using a reputable shortener like Lunyb can help you organise long evidence URLs and see if the DPC has accessed them without exposing your data to unnecessary trackers.
Don't Exaggerate
Stick to verifiable facts. Overstating the severity of harm or making unsupported claims weakens your complaint. The DPC values accuracy over emotion.
Understand the Limits
The DPC cannot award you personal compensation — that must be pursued through the civil courts. It also cannot force a company to apologise or take actions outside data protection law. If you want damages, file a separate court action after the DPC decision.
Common Reasons Complaints Are Rejected
- Not a data protection issue: Complaints about service quality, contract disputes, or defamation belong elsewhere.
- Wrong jurisdiction: If the controller isn't in Ireland or doesn't offer services in the EU, another authority handles it.
- No evidence of harm or breach: Speculative complaints without documentation are usually closed.
- Already resolved: If the organisation fixed the issue before you filed, the DPC often takes no further action.
- Vexatious or repetitive: Repeat complaints about the same matter can be dismissed.
Alternatives and Additional Routes
Filing with the DPC isn't your only option. Depending on your situation, you may also consider:
Direct Civil Action
Under Article 82 GDPR and Section 117 of the Data Protection Act 2018, you can sue an organisation directly in the Circuit Court for material or non-material damages. You do not need a DPC decision first, though one can strengthen your case.
Alternative Dispute Resolution
Some sectors (banking, telecoms, insurance) have industry ombudsmen who handle privacy issues alongside broader complaints. The Financial Services and Pensions Ombudsman, for example, can address data handling by banks.
Reporting to Other Regulators
If the issue involves scam calls or unsolicited marketing, ComReg may also be relevant. Consumer-facing issues can go to the Competition and Consumer Protection Commission (CCPC).
Protecting Your Privacy Going Forward
Filing a complaint addresses a past wrong, but preventing future issues is equally important. A few habits reduce your exposure:
- Read privacy policies before signing up for new services
- Use browser extensions that block tracking cookies
- Regularly request copies of your data from platforms you use
- Delete accounts you no longer need
- Use privacy-respecting tools for everyday tasks — for example, when sharing links, services like Lunyb avoid the invasive tracking layers common in older shorteners
- Enable two-factor authentication on all important accounts
For more on choosing privacy-conscious tools, see our 2026 buyer's guide to URL shorteners or our detailed Rebrandly review.
Frequently Asked Questions
How much does it cost to file a complaint with the DPC?
Filing a complaint with the Data Protection Commission is completely free. You do not need to hire a solicitor, though you may choose to do so for complex cases. The DPC provides guidance and forms in plain English on its website.
How long does the DPC take to resolve a complaint?
Simple complaints can be resolved in 2–6 months through amicable resolution. Formal statutory inquiries typically take 12–24 months, and complex cross-border cases against large platforms can take several years. The DPC must update you at least every three months.
Can I file a complaint anonymously?
No. The DPC requires your full name and contact details to investigate. However, your identity will not usually be shared publicly, and the DPC follows strict confidentiality when handling case files. Anonymous tips can be sent but rarely lead to formal action.
What if the DPC's decision goes against me?
You can appeal any DPC decision to the Circuit Court within 28 days of being notified. The appeal is heard as a fresh case, and the court can uphold, vary, or overturn the DPC's finding. You may also pursue civil damages independently through the courts under Section 117 of the Data Protection Act 2018.
Does the DPC handle complaints against public bodies?
Yes. The DPC has jurisdiction over Irish government departments, local authorities, the HSE, An Garda Síochána (for most processing), schools, and other public sector organisations. The complaint process is identical to that used for private companies.
Can I complain about a company based outside Ireland?
If the company offers goods or services in the EU or monitors EU residents' behaviour, GDPR applies. If its EU main establishment is in Ireland, the DPC handles the case. Otherwise, complain to the data protection authority in the country where the company is based or where you live.
Protect your links with Lunyb
Create secure, trackable short links and QR codes in seconds.
Get Started FreeRelated Articles
OAIC Complaints: How to Report a Privacy Breach in Australia
A practical Australian guide to lodging OAIC complaints when your personal information is mishandled. Learn the step-by-step process, evidence you'll need, realistic timelines, and what outcomes to expect from the privacy regulator.
PIPEDA vs GDPR: Canadian Privacy Law Explained (2026 Guide)
PIPEDA and GDPR both protect personal data, but they take very different approaches to consent, rights, and penalties. This guide compares Canada's and Europe's privacy laws and explains what Canadian businesses need to do to stay compliant in 2026.
Data Protection Act 2018 Ireland: The Complete Guide
Ireland's Data Protection Act 2018 works alongside GDPR to govern how organisations handle personal data. This complete guide covers key provisions, individual rights, business obligations, DPC enforcement, penalties, and a practical compliance checklist for Irish organisations.
Singapore Online Safety Act 2026: Complete Guide for Users and Businesses
Singapore's Online Safety Act has evolved significantly by 2026, with tougher rules on deepfakes, child safety, and scam content. This complete guide explains who the Act applies to, what platforms and businesses must do, and how everyday users are protected.