DPC Ireland: How to File a Privacy Complaint (2026 Guide)
If a company has mishandled your personal data, ignored your access request, or refused to delete your information, you have the right to complain to Ireland's Data Protection Commission (DPC). As the country's independent supervisory authority for GDPR, the DPC handles thousands of complaints each year — and because so many major tech companies have their European headquarters in Dublin, its decisions often shape privacy enforcement across the entire EU.
This guide walks you through exactly how to file a privacy complaint with the DPC Ireland, what evidence you need, how long the process takes, and what remedies you can realistically expect.
What Is the DPC Ireland?
The Data Protection Commission (DPC) is Ireland's national data protection authority, established under the Data Protection Act 2018. It is responsible for enforcing the EU General Data Protection Regulation (GDPR) and the Irish Data Protection Act, and it acts as the lead supervisory authority for many multinational companies headquartered in Ireland, including Meta, Google, TikTok, Apple, and Microsoft.
The DPC has three core functions:
- Handling complaints from individuals whose data protection rights have been breached.
- Investigating and sanctioning organisations that violate GDPR, including issuing fines of up to €20 million or 4% of global turnover.
- Providing guidance to controllers, processors, and the public on data protection obligations.
The DPC is headquartered at 21 Fitzwilliam Square South, Dublin 2, with additional offices in Portarlington.
When Should You File a Complaint With the DPC?
You can file a complaint with the DPC when an organisation established in Ireland (or one for which the DPC is the lead authority) has infringed your data protection rights and has failed to resolve the issue directly. Common grounds for complaint include:
- Refusal or delay of a Subject Access Request (SAR) — the controller must respond within one month.
- Failure to erase data after a valid "right to be forgotten" request.
- Unlawful processing — e.g. no valid legal basis, or processing beyond the original purpose.
- Unsolicited marketing — spam email, SMS, or cold calls without consent.
- Data breaches that were not properly notified to you.
- Excessive data collection or lack of transparency in privacy notices.
- Cookie violations under the ePrivacy Regulations 2011.
- CCTV misuse by employers, landlords, or neighbours.
Step 1: Contact the Organisation First
Before the DPC will accept your complaint, you must give the organisation a reasonable opportunity to resolve the matter. This is a firm procedural requirement — skipping it will usually result in your complaint being returned.
- Identify the Data Protection Officer (DPO). Larger organisations are required to publish DPO contact details in their privacy policy.
- Send a written request or complaint by email or post. Be specific: state what you want (access, erasure, correction) and cite the relevant GDPR article if you can.
- Keep records. Save every email, letter, and reference number. You will need these as evidence.
- Wait one month. Under Article 12(3) GDPR, controllers must respond within 30 days (extendable by two months for complex requests, with notification).
If the organisation refuses, ignores you, or gives an unsatisfactory response, you can escalate to the DPC.
Step 2: Prepare Your Evidence
The DPC is a regulator, not a court, but the quality of your complaint file directly affects how quickly it can act. Before submitting, gather:
- A clear timeline of events, with dates.
- All correspondence with the organisation (emails, screenshots, letters).
- Copies of the organisation's privacy policy or the terms you accepted.
- Any reference numbers from previous complaints or SARs.
- Evidence of the harm or distress caused, if applicable.
- Your proof of identity (the DPC will not act on anonymous complaints).
Step 3: Submit Your Complaint to the DPC
The DPC offers three official ways to lodge a complaint. All are free — the DPC never charges for handling complaints.
Option 1: Online Webform (Recommended)
Visit dataprotection.ie and use the "Raise a Concern" or "Lodge a Complaint" webform. This is the fastest route and automatically generates a case reference.
Option 2: Email
Send your complaint to info@dataprotection.ie. Include "Formal Complaint under Section 108 of the Data Protection Act 2018" in the subject line to ensure it is routed correctly.
Option 3: Post
Data Protection Commission, 21 Fitzwilliam Square South, Dublin 2, D02 RD28. Recommended for complaints involving sensitive documents you don't wish to email.
What to Include in Your Complaint
A well-structured complaint should contain the following sections. The DPC's own guidance recommends being concise but complete.
| Section | What to Include |
|---|---|
| Your details | Full name, address, email, phone. Confirm you are the data subject. |
| Organisation | Legal name, address, DPO contact, and any account/customer number. |
| Nature of complaint | Which GDPR right was breached (e.g. Article 15 access, Article 17 erasure). |
| Timeline | Dates of your original request, their responses, and any escalations. |
| Desired outcome | What you want: deletion, correction, compensation, an apology, or enforcement. |
| Evidence | Numbered attachments referenced in the body of your complaint. |
What Happens After You File?
The DPC follows a structured process defined by Part 6 of the Data Protection Act 2018.
- Acknowledgement — usually within 5–10 working days, with a case reference number.
- Assessment — the DPC decides whether the complaint is admissible and whether it has jurisdiction.
- Amicable resolution — for most complaints, the DPC first attempts to mediate between you and the organisation. This resolves the majority of cases within a few months.
- Formal investigation — if mediation fails or the matter is serious, the DPC opens a statutory inquiry. This can lead to enforcement notices, reprimands, or administrative fines.
- Decision — you receive a written decision. If cross-border, the decision may involve consultation with other EU authorities under the GDPR's "one-stop-shop" mechanism.
Typical Timelines
| Stage | Typical Duration |
|---|---|
| Acknowledgement | 1–2 weeks |
| Amicable resolution attempt | 2–6 months |
| Formal inquiry (domestic) | 6–18 months |
| Cross-border inquiry (Big Tech) | 18 months – 4+ years |
Your Right to Appeal
If you disagree with the DPC's decision, you have two routes of redress:
- Appeal to the Circuit Court or High Court within 28 days of the decision, under Section 150 of the Data Protection Act 2018.
- Judicial review if you believe the DPC acted unlawfully in how it handled your complaint.
You may also pursue a separate civil action for compensation under Article 82 GDPR, independently of the DPC process.
Protecting Your Privacy Going Forward
Filing a complaint is a reactive measure. To reduce the chance of future privacy violations, take preventative steps:
- Minimise data sharing — only provide information that is genuinely required.
- Use encrypted DNS (such as DNS-over-HTTPS via Cloudflare 1.1.1.1 or Quad9) to prevent ISPs from logging your browsing.
- Choose privacy-focused browsers like Firefox or Brave, and enable tracker blocking.
- Audit third-party links before clicking. When sharing links yourself, use a privacy-respecting shortener like Lunyb, which doesn't sell click data or attach invasive tracking. See our honest Lunyb review for details on how it handles data.
- Review privacy policies before creating accounts — pay attention to third-party sharing and retention periods.
- Exercise your GDPR rights annually — send SARs to companies you no longer actively use, and request erasure where appropriate.
For marketers and businesses evaluating link tools with GDPR compliance in mind, our 2026 buyer's guide to URL shorteners compares privacy practices across the main providers.
Common Mistakes That Delay Complaints
Based on published DPC case reports and annual reviews, these are the most frequent reasons complaints get delayed or rejected:
- Not contacting the organisation first — the DPC will usually redirect you.
- Missing evidence — vague complaints with no dates or documents are hard to progress.
- Wrong jurisdiction — if the controller is based in another EU country and not led by the DPC, your complaint may be transferred (which adds time). You can also file directly with your local authority.
- Confusing GDPR with consumer law — the DPC cannot help with refunds, contract disputes, or general customer service issues unless personal data is central.
- Anonymous complaints — the DPC needs to verify you are the data subject to progress the case.
Notable DPC Enforcement Cases
Individual complaints have triggered some of the largest privacy fines in EU history, showing that the process genuinely produces results:
- Meta (2023) — €1.2 billion fine for unlawful EU–US data transfers.
- TikTok (2023) — €345 million fine for children's data processing failures.
- Instagram (2022) — €405 million fine relating to children's account settings.
- WhatsApp (2021) — €225 million fine for transparency failures.
Many of these inquiries began with individual or NGO complaints — a reminder that a single well-documented submission can lead to industry-wide change.
Frequently Asked Questions
Is there a fee to file a complaint with the DPC?
No. Filing a complaint with the Data Protection Commission is completely free. The DPC is funded by the Irish state and does not charge individuals for handling complaints, investigations, or appeals within its own procedures.
How long do I have to file a complaint?
There is no strict statutory deadline for lodging a GDPR complaint, but the DPC recommends filing as soon as reasonably possible. Complaints filed more than 12 months after the incident may be harder to investigate due to data retention limits at the organisation being complained about.
Can I get compensation through the DPC?
The DPC itself does not award compensation to individuals. However, once it establishes that a breach occurred, you can use that decision as evidence in a separate civil claim under Article 82 GDPR and Section 117 of the Data Protection Act 2018, filed in the Circuit Court or High Court.
What if the company is based outside Ireland?
If the controller has its main EU establishment in another member state, the DPC will forward your complaint to that country's authority under the GDPR one-stop-shop mechanism. You can also file directly with any EU data protection authority — including your own country's — and they will coordinate on your behalf.
Can I remain anonymous?
No. The DPC needs to verify that you are the data subject whose rights were affected, so complaints must include your identity. However, the DPC will only share your details with the organisation being complained about to the extent necessary to investigate — and you can request that specific information be kept confidential where possible.
Final Thoughts
Filing a complaint with the DPC Ireland is one of the most powerful tools EU residents have to enforce their data protection rights. The process rewards preparation: contact the organisation first, gather solid evidence, and be precise about which GDPR rights have been breached. Even if your individual complaint doesn't lead to a headline-grabbing fine, it feeds into a larger enforcement ecosystem that has reshaped how the world's biggest companies handle personal data.
Privacy is a right, not a favour — and the DPC exists to make sure organisations remember that.
Protect your links with Lunyb
Create secure, trackable short links and QR codes in seconds.
Get Started FreeRelated Articles
Australian Data Breach Notification Scheme: Complete 2026 Guide
Australia's Notifiable Data Breaches scheme requires organisations to report eligible breaches to the OAIC and affected individuals. This 2026 guide covers obligations, timelines, penalties, and a practical compliance checklist for Australian entities.
OAIC Complaints: How to Report a Privacy Breach in Australia
A complete Australian guide to lodging a privacy breach complaint with the OAIC. Learn who's covered, what evidence to gather, how the investigation process works, and what outcomes — including compensation — you can realistically expect.
UK Online Safety Act: What It Means for Your Privacy in 2026
The UK Online Safety Act reshapes how platforms handle age verification, encryption and content moderation — with real consequences for your privacy. This guide explains the law in plain English and gives British users practical steps to protect their data.
PIPEDA vs GDPR: Canadian Privacy Law Explained (2026 Guide)
PIPEDA and GDPR both protect personal data, but they take very different approaches to consent, individual rights, and enforcement. This guide breaks down the key differences and explains what Canadian businesses need to know to stay compliant in 2026.