facebook-pixel

DPC Ireland: How to File a Privacy Complaint (2026 Guide)

L
Lunyb Security Team
··11 min read

If a company has mishandled your personal data, lost it in a breach, refused a legitimate access request, or continued sending you marketing after you opted out, you have the right to complain to Ireland's Data Protection Commission (DPC). As Ireland's independent supervisory authority under the GDPR, the DPC investigates concerns from residents in Ireland and, in many cases, from people across the EU whose data was processed by companies with their European headquarters in Dublin.

This guide walks you through exactly how to file a privacy complaint with the DPC in 2026: what qualifies as a complaint, what evidence to gather, how to submit it, and what happens after you press send.

What Is the Data Protection Commission (DPC)?

The Data Protection Commission is the national independent authority responsible for upholding the fundamental right of individuals in Ireland to have their personal data protected. It enforces the EU General Data Protection Regulation (GDPR), the Irish Data Protection Act 2018, and the ePrivacy Regulations 2011.

Because many of the world's largest tech companies — Meta, Google, TikTok, Microsoft, Apple, LinkedIn — have their EU headquarters in Ireland, the DPC also acts as the "lead supervisory authority" for cross-border complaints involving those platforms under GDPR's one-stop-shop mechanism.

What the DPC can do

  • Investigate complaints against controllers and processors
  • Order companies to comply with data subject rights (access, erasure, rectification)
  • Impose administrative fines of up to €20 million or 4% of global annual turnover
  • Ban specific data processing activities
  • Issue reprimands and corrective orders

What the DPC cannot do

  • Award you personal compensation (that requires a civil court claim)
  • Handle non-data-protection consumer complaints
  • Act on complaints about the private personal use of data by individuals

When You Can File a Complaint with the DPC

You can complain to the DPC when you believe an organisation has infringed your data protection rights under the GDPR or Irish data protection law. Typical grounds include:

  1. Unlawful processing — A company is using your personal data without a valid legal basis (e.g., no consent, no legitimate interest).
  2. Ignored data subject rights request — You submitted a Subject Access Request (SAR), erasure request, or rectification request and the organisation failed to respond within one month.
  3. Unsolicited marketing — You keep receiving marketing emails, SMS, or calls after opting out or without ever consenting.
  4. Data breach affecting you — Your data was exposed in a breach and the controller failed to notify you when they should have.
  5. Excessive data collection — A company is asking for more data than reasonably needed for the stated purpose.
  6. Cookies and tracking — A website deploys tracking cookies without valid consent, or hides the "reject all" option.
  7. CCTV misuse — Cameras recording public areas, neighbours, or employees without proper notices or legal basis.
  8. International transfers — Your data is being transferred outside the EEA without adequate safeguards.

Before You File: Contact the Organisation First

The DPC strongly encourages — and in many cases expects — you to raise the issue directly with the organisation before escalating. This is not just a formality; it often resolves the matter faster and strengthens your complaint if you do escalate.

Step 1: Find the Data Protection Officer (DPO)

Most medium and large organisations must appoint a DPO. Look for contact details in the company's privacy policy, usually at the footer of their website. Common addresses look like dpo@company.ie or privacy@company.com.

Step 2: Send a written request

Put your concern in writing (email is fine). State clearly:

  • Your identity and the account/reference number if relevant
  • What went wrong and when
  • What outcome you want (deletion, correction, stop marketing, explanation)
  • The legal basis you are relying on (e.g., "Article 17 GDPR — right to erasure")

Step 3: Wait one calendar month

Controllers have one month to respond to rights requests, extendable by two further months for complex cases (they must tell you within the first month if they need the extension). If they miss the deadline or give an unsatisfactory response, you have grounds to escalate to the DPC.

How to File a Complaint with the DPC: Step-by-Step

Step 1: Gather your evidence

A complaint is only as strong as the documentation behind it. Before you submit anything, collect:

  • Copies of all correspondence with the organisation (dates, times, full email threads)
  • Screenshots of the offending processing (unsolicited emails, cookie banners, forms)
  • Any privacy policy version in force at the time of the incident
  • Reference numbers, account IDs, transaction IDs
  • Timeline of events written out chronologically

When sharing screenshots or long URLs as evidence, using a link management tool like Lunyb can help you organise and track the resources you reference — useful if you need to send the same evidence bundle to multiple parties.

Step 2: Choose the right form

The DPC offers two main channels:

  • Online webform at dataprotection.ie — the fastest route, available under "Contact / Raise a Concern"
  • Postal complaint to: Data Protection Commission, 21 Fitzwilliam Square South, Dublin 2, D02 RD28

There is also a dedicated email address (info@dataprotection.ie) but the webform structures your submission and speeds up triage.

Step 3: Complete the complaint form

You'll need to provide:

  1. Your details — full name, postal address, email, phone. Anonymous complaints are generally not investigated.
  2. The organisation you're complaining about — legal name, address, any contact person
  3. Description of the concern — factual, chronological, and specific
  4. Steps you've already taken — including copies of the correspondence with the DPO
  5. The outcome you're seeking — e.g., erasure, cessation of marketing, formal reprimand
  6. Supporting documents — attach PDFs, screenshots, correspondence

Step 4: Submit and note your reference number

You'll receive an acknowledgement, usually within a few working days, along with a case reference. Save this — you'll quote it in all future correspondence.

What Happens After You File

The DPC handles thousands of complaints each year and follows a broadly consistent process, though timelines vary significantly by complexity.

Stage 1: Assessment and amicable resolution

The DPC first reviews whether the complaint falls within its remit. If it does, a case officer typically contacts the organisation and tries to reach an "amicable resolution" — a fast, negotiated outcome that satisfies you without a formal investigation. Around two-thirds of complaints resolve at this stage.

Stage 2: Formal inquiry

If amicable resolution fails, or the case involves systemic issues, the DPC may open a formal statutory inquiry. This is a structured investigation with legal powers to compel documents, interview witnesses, and issue binding decisions. Formal inquiries can take 12–24 months, and cross-border cases involving Big Tech often take longer.

Stage 3: Decision and corrective measures

At the end of an inquiry, the DPC issues a decision. Possible outcomes include:

OutcomeWhat It Means
No infringementThe DPC finds the organisation complied with the law
ReprimandFormal notice of wrongdoing without a fine
Compliance orderOrganisation must change its practices by a set deadline
Processing banSpecific processing activities must stop
Administrative fineUp to €20m or 4% of global turnover

Stage 4: Appeals

Either party (you or the organisation) can appeal a DPC decision to the Irish Circuit Court or High Court within 28 days.

Cross-Border Complaints and the One-Stop-Shop

Under the GDPR one-stop-shop mechanism, if the company you're complaining about has its main EU establishment in Ireland, the DPC acts as "lead supervisory authority" — even if you live in Germany, France, or Spain. This is why the DPC handles complaints against Meta, TikTok, Google, and similar platforms for users all across the EU.

You can still file with your local data protection authority (e.g., CNIL in France, BfDI in Germany), and they'll forward it to the DPC as lead. The final decision then goes back through the European Data Protection Board (EDPB) if other national authorities object.

Timelines: How Long Does a DPC Complaint Take?

StageTypical Duration
Acknowledgement3–10 working days
Initial assessment4–12 weeks
Amicable resolution attempt2–6 months
Formal statutory inquiry12–24 months
Cross-border Big Tech inquiry2–5 years
Appeal to Irish courtsAdditional 6–18 months

Tips to Strengthen Your Complaint

  1. Be specific about the GDPR article breached — cite Article 6 (lawfulness), Article 15 (access), Article 17 (erasure), Article 21 (objection) as relevant.
  2. Keep emotion out of the narrative — the DPC responds to facts and evidence, not frustration.
  3. Include a clear timeline — a bullet-pointed sequence of dates is far easier to assess than a wall of text.
  4. Show you tried to resolve it first — the DPO correspondence is often the single most important attachment.
  5. State what you want — a clear "remedy sought" section helps the case officer scope the investigation.
  6. Protect your own data hygiene going forward — use unique passwords, encrypted DNS, and privacy-respecting browsers so you have fewer complaints to file in future.

Common Reasons Complaints Get Rejected

  • The complaint is anonymous or lacks contact details
  • You didn't try to resolve it with the organisation first
  • The matter is outside the DPC's remit (e.g., consumer disputes, defamation)
  • The issue is time-barred (typically older than 12 months without good reason)
  • Insufficient evidence to demonstrate a likely infringement
  • The processing is exempt (household use, journalism, national security)

Practical Example: A Marketing Complaint

Imagine you unsubscribed from a retailer's email list six months ago but keep receiving promotional emails. A well-formed DPC complaint would include:

  • Screenshot of the unsubscribe confirmation from six months ago
  • Screenshots of the three subsequent marketing emails with dates
  • Copy of your follow-up email to the company's DPO 30 days ago
  • Their (non-)response
  • Citation of Article 21 GDPR (right to object) and Regulation 13 of SI 336/2011 (ePrivacy Regulations)
  • Requested outcome: immediate cessation of marketing and confirmation of suppression list entry

This kind of complaint typically resolves at the amicable stage within 8–12 weeks.

Protecting Your Privacy Beyond the Complaint

Filing a complaint is a reactive step — it happens after something has already gone wrong. Building good privacy habits reduces how often you'll need to escalate:

  • Use encrypted DNS resolvers (e.g., Cloudflare 1.1.1.1, Quad9) at router level
  • Choose privacy-respecting browsers (Firefox, Brave) and reject non-essential cookies
  • Compartmentalise identities — use email aliases for signups, and privacy-first link tools like Lunyb when you need to share URLs without exposing analytics tokens or unwanted trackers
  • Audit which apps have access to your data every few months and revoke what you don't use
  • Enable two-factor authentication on any account holding sensitive personal data

For more on choosing privacy-conscious tools, see our 2026 buyer's guide to URL shorteners and our honest review of Lunyb.

Frequently Asked Questions

Can I file a complaint with the DPC if I don't live in Ireland?

Yes. If the organisation you're complaining about has its main EU establishment in Ireland — as many major platforms do — the DPC is the lead supervisory authority for your case. You can either file directly with the DPC or through your national data protection authority, which will forward it under the one-stop-shop mechanism.

Does it cost anything to file a DPC complaint?

No. Filing a complaint with the Data Protection Commission is completely free. You do not need a solicitor to submit one, although legal advice may be helpful for complex or high-stakes cases, especially if you later pursue civil compensation.

Can the DPC award me compensation?

No. The DPC can order corrective action and issue fines to the offending organisation, but any personal compensation for material or non-material damage must be pursued through the Circuit Court or High Court under Section 117 of the Data Protection Act 2018. A DPC decision confirming an infringement can, however, strengthen a subsequent civil claim.

Can I stay anonymous when filing a complaint?

Generally no. The DPC requires your identity to investigate meaningfully, because the organisation typically needs to respond to specific allegations tied to a specific data subject. The DPC treats your personal details confidentially, but they cannot pursue purely anonymous complaints in most cases.

What if I'm unhappy with the DPC's decision?

You have 28 days from the date of the decision to appeal to the Irish Circuit Court or, for larger matters, the High Court. You can also raise concerns about how the DPC handled your case with the Office of the Ombudsman, though the Ombudsman cannot overturn the substantive decision itself.

Final Thoughts

The DPC is one of the most consequential data protection authorities in the world, and for individuals in Ireland — and increasingly across the EU — it is the primary route to enforce your rights against organisations that mishandle your personal data. A well-prepared complaint, backed by evidence and preceded by a genuine attempt to resolve the matter directly, has a strong chance of achieving a meaningful outcome, whether that's the deletion of your data, the end of unwanted marketing, or a systemic change in how a company handles its users.

Take the time to document everything, cite the law, and stay factual. The GDPR gives you real rights — the DPC is how you enforce them.

Protect your links with Lunyb

Create secure, trackable short links and QR codes in seconds.

Get Started Free

Related Articles