facebook-pixel

DPC Ireland: How to File a Privacy Complaint (2026 Guide)

L
Lunyb Security Team
··9 min read

If your personal data has been mishandled by a company, public body, or website, you have the right to file a formal complaint with Ireland's Data Protection Commission (DPC). As the lead supervisory authority for many of the world's largest technology companies headquartered in Dublin, the DPC handles complaints ranging from local retailers to global platforms like Meta, Google, and TikTok. This guide walks you through exactly how to file a privacy complaint with the DPC in 2026, what evidence you need, and what happens after you submit.

What Is the Data Protection Commission (DPC)?

The Data Protection Commission is Ireland's independent regulator responsible for enforcing the General Data Protection Regulation (GDPR) and the Data Protection Act 2018. Established in its current form in May 2018, the DPC investigates complaints, audits organisations, imposes fines, and issues binding decisions when personal data has been unlawfully processed.

Because Ireland hosts the European headquarters of most major U.S. tech firms, the DPC operates as the "one-stop-shop" lead authority for cross-border cases affecting hundreds of millions of EU citizens. This gives it outsized influence, but it also means Irish residents have direct access to a regulator with real enforcement power.

What the DPC Can Do

  • Investigate complaints against data controllers and processors
  • Issue reprimands, warnings, and corrective orders
  • Impose administrative fines of up to €20 million or 4% of global turnover
  • Order the deletion or rectification of unlawfully processed data
  • Suspend cross-border data transfers

When Should You File a Complaint with the DPC?

You can file a complaint with the DPC when you believe an organisation has breached your data protection rights under the GDPR. The DPC handles complaints against any organisation established in Ireland, as well as cross-border cases where an EU-wide company has its main establishment in Ireland.

Common Grounds for Filing

  1. Ignored data subject requests: The organisation failed to respond to your access, deletion, or rectification request within one month.
  2. Unlawful processing: Your data was collected or used without a valid legal basis.
  3. Data breaches: Your information was exposed and the organisation failed to notify you or the DPC properly.
  4. Unwanted marketing: You continue receiving direct marketing after opting out.
  5. Excessive CCTV or surveillance: Cameras record public areas or workplaces beyond what is proportionate.
  6. Cookie violations: Websites drop tracking cookies without valid consent.
  7. Cross-border transfers: Your data was sent outside the EEA without adequate safeguards.

Try to Resolve It First

The DPC strongly recommends contacting the organisation directly before escalating. You should send a written complaint to the company's Data Protection Officer (DPO) and give them at least one month to respond. This step is not strictly mandatory, but the DPC will usually ask whether you've done it, and cases move faster when you've already tried informal resolution.

How to File a Privacy Complaint with the DPC: Step-by-Step

Filing a complaint is free and does not require a solicitor. Here's the full process from preparation to submission.

Step 1: Gather Your Evidence

Before you contact the DPC, collect everything relevant to your complaint:

  • Copies of emails, letters, or messages between you and the organisation
  • Screenshots of website forms, cookie banners, or privacy notices
  • Dates when incidents occurred
  • Any responses (or lack thereof) to previous data subject requests
  • Copies of the organisation's privacy policy at the time of the incident

Step 2: Identify the Correct Organisation

You must name the data controller — the entity that decides how your data is processed. For large platforms, this is often the Irish subsidiary (e.g., "Meta Platforms Ireland Limited" or "Google Ireland Limited"). Check the organisation's privacy policy to find the exact legal entity name and registered address.

Step 3: Contact the Organisation's DPO

Send a written complaint explaining the issue and what remedy you seek (deletion, correction, compensation, etc.). Keep the message factual and reference the specific GDPR articles you believe were breached. Set a deadline of one month for a substantive response.

Step 4: Complete the DPC Complaint Form

If the organisation fails to respond or the response is unsatisfactory, go to dataprotection.ie and use the online complaints webform. You can also submit by post to: Data Protection Commission, 21 Fitzwilliam Square South, Dublin 2, D02 RD28.

The form asks for:

  • Your full name, address, and contact details
  • The name and address of the organisation you're complaining about
  • A clear description of what happened and when
  • Evidence you've already contacted the organisation
  • Copies of supporting documents
  • The outcome you're seeking

Step 5: Wait for Acknowledgment

The DPC typically acknowledges receipt within 5–10 working days and assigns a case reference number. Keep this number for all future correspondence.

What Happens After You File?

Once your complaint is registered, the DPC follows a structured investigation process. Timelines vary depending on complexity — simple cases may resolve in a few months, while cross-border investigations against major platforms can take years.

The DPC Investigation Stages

StageWhat HappensTypical Duration
AssessmentDPC reviews whether the complaint falls within its remit2–8 weeks
Amicable resolutionDPC tries to mediate between you and the organisation1–6 months
Formal inquiryIf unresolved, a statutory investigation opens6 months–3 years
Draft decisionDPC issues findings and proposed corrective measuresVariable
Final decisionBinding decision, possibly including finesVariable

Cross-Border Cases

If your complaint involves a company operating across the EU (e.g., a social media platform), the DPC acts as "lead supervisory authority" and coordinates with other EU regulators through the European Data Protection Board (EDPB). This adds procedural steps but ensures the final decision applies EU-wide.

Your Rights During the Process

The DPC must keep you informed of progress every three months. You have the right to:

  • Receive updates on the investigation
  • Submit additional evidence
  • Be notified of the final decision
  • Appeal to the Circuit Court within 28 days of the decision
  • Seek compensation through the courts separately from the regulatory process

Practical Tips for a Successful Complaint

Be Specific and Concise

The DPC handles thousands of complaints annually. A focused, well-documented submission that cites specific GDPR articles (e.g., Article 15 for access rights, Article 17 for erasure) is far more likely to progress quickly than a vague grievance.

Keep Records of Everything

Save every email, take screenshots of every relevant webpage, and log every phone call. If you share links with the DPC as evidence, make sure they're clean and trackable — using a reputable shortener like Lunyb can help you organise long evidence URLs and see if the DPC has accessed them without exposing your data to unnecessary trackers.

Don't Exaggerate

Stick to verifiable facts. Overstating the severity of harm or making unsupported claims weakens your complaint. The DPC values accuracy over emotion.

Understand the Limits

The DPC cannot award you personal compensation — that must be pursued through the civil courts. It also cannot force a company to apologise or take actions outside data protection law. If you want damages, file a separate court action after the DPC decision.

Common Reasons Complaints Are Rejected

  • Not a data protection issue: Complaints about service quality, contract disputes, or defamation belong elsewhere.
  • Wrong jurisdiction: If the controller isn't in Ireland or doesn't offer services in the EU, another authority handles it.
  • No evidence of harm or breach: Speculative complaints without documentation are usually closed.
  • Already resolved: If the organisation fixed the issue before you filed, the DPC often takes no further action.
  • Vexatious or repetitive: Repeat complaints about the same matter can be dismissed.

Alternatives and Additional Routes

Filing with the DPC isn't your only option. Depending on your situation, you may also consider:

Direct Civil Action

Under Article 82 GDPR and Section 117 of the Data Protection Act 2018, you can sue an organisation directly in the Circuit Court for material or non-material damages. You do not need a DPC decision first, though one can strengthen your case.

Alternative Dispute Resolution

Some sectors (banking, telecoms, insurance) have industry ombudsmen who handle privacy issues alongside broader complaints. The Financial Services and Pensions Ombudsman, for example, can address data handling by banks.

Reporting to Other Regulators

If the issue involves scam calls or unsolicited marketing, ComReg may also be relevant. Consumer-facing issues can go to the Competition and Consumer Protection Commission (CCPC).

Protecting Your Privacy Going Forward

Filing a complaint addresses a past wrong, but preventing future issues is equally important. A few habits reduce your exposure:

  • Read privacy policies before signing up for new services
  • Use browser extensions that block tracking cookies
  • Regularly request copies of your data from platforms you use
  • Delete accounts you no longer need
  • Use privacy-respecting tools for everyday tasks — for example, when sharing links, services like Lunyb avoid the invasive tracking layers common in older shorteners
  • Enable two-factor authentication on all important accounts

For more on choosing privacy-conscious tools, see our 2026 buyer's guide to URL shorteners or our detailed Rebrandly review.

Frequently Asked Questions

How much does it cost to file a complaint with the DPC?

Filing a complaint with the Data Protection Commission is completely free. You do not need to hire a solicitor, though you may choose to do so for complex cases. The DPC provides guidance and forms in plain English on its website.

How long does the DPC take to resolve a complaint?

Simple complaints can be resolved in 2–6 months through amicable resolution. Formal statutory inquiries typically take 12–24 months, and complex cross-border cases against large platforms can take several years. The DPC must update you at least every three months.

Can I file a complaint anonymously?

No. The DPC requires your full name and contact details to investigate. However, your identity will not usually be shared publicly, and the DPC follows strict confidentiality when handling case files. Anonymous tips can be sent but rarely lead to formal action.

What if the DPC's decision goes against me?

You can appeal any DPC decision to the Circuit Court within 28 days of being notified. The appeal is heard as a fresh case, and the court can uphold, vary, or overturn the DPC's finding. You may also pursue civil damages independently through the courts under Section 117 of the Data Protection Act 2018.

Does the DPC handle complaints against public bodies?

Yes. The DPC has jurisdiction over Irish government departments, local authorities, the HSE, An Garda Síochána (for most processing), schools, and other public sector organisations. The complaint process is identical to that used for private companies.

Can I complain about a company based outside Ireland?

If the company offers goods or services in the EU or monitors EU residents' behaviour, GDPR applies. If its EU main establishment is in Ireland, the DPC handles the case. Otherwise, complain to the data protection authority in the country where the company is based or where you live.

Protect your links with Lunyb

Create secure, trackable short links and QR codes in seconds.

Get Started Free

Related Articles