DPC Ireland: How to File a Privacy Complaint (2026 Guide)
If a company has mishandled your personal data, lost it in a breach, refused a legitimate access request, or continued sending you marketing after you opted out, you have the right to complain to Ireland's Data Protection Commission (DPC). As Ireland's independent supervisory authority under the GDPR, the DPC investigates concerns from residents in Ireland and, in many cases, from people across the EU whose data was processed by companies with their European headquarters in Dublin.
This guide walks you through exactly how to file a privacy complaint with the DPC in 2026: what qualifies as a complaint, what evidence to gather, how to submit it, and what happens after you press send.
What Is the Data Protection Commission (DPC)?
The Data Protection Commission is the national independent authority responsible for upholding the fundamental right of individuals in Ireland to have their personal data protected. It enforces the EU General Data Protection Regulation (GDPR), the Irish Data Protection Act 2018, and the ePrivacy Regulations 2011.
Because many of the world's largest tech companies — Meta, Google, TikTok, Microsoft, Apple, LinkedIn — have their EU headquarters in Ireland, the DPC also acts as the "lead supervisory authority" for cross-border complaints involving those platforms under GDPR's one-stop-shop mechanism.
What the DPC can do
- Investigate complaints against controllers and processors
- Order companies to comply with data subject rights (access, erasure, rectification)
- Impose administrative fines of up to €20 million or 4% of global annual turnover
- Ban specific data processing activities
- Issue reprimands and corrective orders
What the DPC cannot do
- Award you personal compensation (that requires a civil court claim)
- Handle non-data-protection consumer complaints
- Act on complaints about the private personal use of data by individuals
When You Can File a Complaint with the DPC
You can complain to the DPC when you believe an organisation has infringed your data protection rights under the GDPR or Irish data protection law. Typical grounds include:
- Unlawful processing — A company is using your personal data without a valid legal basis (e.g., no consent, no legitimate interest).
- Ignored data subject rights request — You submitted a Subject Access Request (SAR), erasure request, or rectification request and the organisation failed to respond within one month.
- Unsolicited marketing — You keep receiving marketing emails, SMS, or calls after opting out or without ever consenting.
- Data breach affecting you — Your data was exposed in a breach and the controller failed to notify you when they should have.
- Excessive data collection — A company is asking for more data than reasonably needed for the stated purpose.
- Cookies and tracking — A website deploys tracking cookies without valid consent, or hides the "reject all" option.
- CCTV misuse — Cameras recording public areas, neighbours, or employees without proper notices or legal basis.
- International transfers — Your data is being transferred outside the EEA without adequate safeguards.
Before You File: Contact the Organisation First
The DPC strongly encourages — and in many cases expects — you to raise the issue directly with the organisation before escalating. This is not just a formality; it often resolves the matter faster and strengthens your complaint if you do escalate.
Step 1: Find the Data Protection Officer (DPO)
Most medium and large organisations must appoint a DPO. Look for contact details in the company's privacy policy, usually at the footer of their website. Common addresses look like dpo@company.ie or privacy@company.com.
Step 2: Send a written request
Put your concern in writing (email is fine). State clearly:
- Your identity and the account/reference number if relevant
- What went wrong and when
- What outcome you want (deletion, correction, stop marketing, explanation)
- The legal basis you are relying on (e.g., "Article 17 GDPR — right to erasure")
Step 3: Wait one calendar month
Controllers have one month to respond to rights requests, extendable by two further months for complex cases (they must tell you within the first month if they need the extension). If they miss the deadline or give an unsatisfactory response, you have grounds to escalate to the DPC.
How to File a Complaint with the DPC: Step-by-Step
Step 1: Gather your evidence
A complaint is only as strong as the documentation behind it. Before you submit anything, collect:
- Copies of all correspondence with the organisation (dates, times, full email threads)
- Screenshots of the offending processing (unsolicited emails, cookie banners, forms)
- Any privacy policy version in force at the time of the incident
- Reference numbers, account IDs, transaction IDs
- Timeline of events written out chronologically
When sharing screenshots or long URLs as evidence, using a link management tool like Lunyb can help you organise and track the resources you reference — useful if you need to send the same evidence bundle to multiple parties.
Step 2: Choose the right form
The DPC offers two main channels:
- Online webform at dataprotection.ie — the fastest route, available under "Contact / Raise a Concern"
- Postal complaint to: Data Protection Commission, 21 Fitzwilliam Square South, Dublin 2, D02 RD28
There is also a dedicated email address (info@dataprotection.ie) but the webform structures your submission and speeds up triage.
Step 3: Complete the complaint form
You'll need to provide:
- Your details — full name, postal address, email, phone. Anonymous complaints are generally not investigated.
- The organisation you're complaining about — legal name, address, any contact person
- Description of the concern — factual, chronological, and specific
- Steps you've already taken — including copies of the correspondence with the DPO
- The outcome you're seeking — e.g., erasure, cessation of marketing, formal reprimand
- Supporting documents — attach PDFs, screenshots, correspondence
Step 4: Submit and note your reference number
You'll receive an acknowledgement, usually within a few working days, along with a case reference. Save this — you'll quote it in all future correspondence.
What Happens After You File
The DPC handles thousands of complaints each year and follows a broadly consistent process, though timelines vary significantly by complexity.
Stage 1: Assessment and amicable resolution
The DPC first reviews whether the complaint falls within its remit. If it does, a case officer typically contacts the organisation and tries to reach an "amicable resolution" — a fast, negotiated outcome that satisfies you without a formal investigation. Around two-thirds of complaints resolve at this stage.
Stage 2: Formal inquiry
If amicable resolution fails, or the case involves systemic issues, the DPC may open a formal statutory inquiry. This is a structured investigation with legal powers to compel documents, interview witnesses, and issue binding decisions. Formal inquiries can take 12–24 months, and cross-border cases involving Big Tech often take longer.
Stage 3: Decision and corrective measures
At the end of an inquiry, the DPC issues a decision. Possible outcomes include:
| Outcome | What It Means |
|---|---|
| No infringement | The DPC finds the organisation complied with the law |
| Reprimand | Formal notice of wrongdoing without a fine |
| Compliance order | Organisation must change its practices by a set deadline |
| Processing ban | Specific processing activities must stop |
| Administrative fine | Up to €20m or 4% of global turnover |
Stage 4: Appeals
Either party (you or the organisation) can appeal a DPC decision to the Irish Circuit Court or High Court within 28 days.
Cross-Border Complaints and the One-Stop-Shop
Under the GDPR one-stop-shop mechanism, if the company you're complaining about has its main EU establishment in Ireland, the DPC acts as "lead supervisory authority" — even if you live in Germany, France, or Spain. This is why the DPC handles complaints against Meta, TikTok, Google, and similar platforms for users all across the EU.
You can still file with your local data protection authority (e.g., CNIL in France, BfDI in Germany), and they'll forward it to the DPC as lead. The final decision then goes back through the European Data Protection Board (EDPB) if other national authorities object.
Timelines: How Long Does a DPC Complaint Take?
| Stage | Typical Duration |
|---|---|
| Acknowledgement | 3–10 working days |
| Initial assessment | 4–12 weeks |
| Amicable resolution attempt | 2–6 months |
| Formal statutory inquiry | 12–24 months |
| Cross-border Big Tech inquiry | 2–5 years |
| Appeal to Irish courts | Additional 6–18 months |
Tips to Strengthen Your Complaint
- Be specific about the GDPR article breached — cite Article 6 (lawfulness), Article 15 (access), Article 17 (erasure), Article 21 (objection) as relevant.
- Keep emotion out of the narrative — the DPC responds to facts and evidence, not frustration.
- Include a clear timeline — a bullet-pointed sequence of dates is far easier to assess than a wall of text.
- Show you tried to resolve it first — the DPO correspondence is often the single most important attachment.
- State what you want — a clear "remedy sought" section helps the case officer scope the investigation.
- Protect your own data hygiene going forward — use unique passwords, encrypted DNS, and privacy-respecting browsers so you have fewer complaints to file in future.
Common Reasons Complaints Get Rejected
- The complaint is anonymous or lacks contact details
- You didn't try to resolve it with the organisation first
- The matter is outside the DPC's remit (e.g., consumer disputes, defamation)
- The issue is time-barred (typically older than 12 months without good reason)
- Insufficient evidence to demonstrate a likely infringement
- The processing is exempt (household use, journalism, national security)
Practical Example: A Marketing Complaint
Imagine you unsubscribed from a retailer's email list six months ago but keep receiving promotional emails. A well-formed DPC complaint would include:
- Screenshot of the unsubscribe confirmation from six months ago
- Screenshots of the three subsequent marketing emails with dates
- Copy of your follow-up email to the company's DPO 30 days ago
- Their (non-)response
- Citation of Article 21 GDPR (right to object) and Regulation 13 of SI 336/2011 (ePrivacy Regulations)
- Requested outcome: immediate cessation of marketing and confirmation of suppression list entry
This kind of complaint typically resolves at the amicable stage within 8–12 weeks.
Protecting Your Privacy Beyond the Complaint
Filing a complaint is a reactive step — it happens after something has already gone wrong. Building good privacy habits reduces how often you'll need to escalate:
- Use encrypted DNS resolvers (e.g., Cloudflare 1.1.1.1, Quad9) at router level
- Choose privacy-respecting browsers (Firefox, Brave) and reject non-essential cookies
- Compartmentalise identities — use email aliases for signups, and privacy-first link tools like Lunyb when you need to share URLs without exposing analytics tokens or unwanted trackers
- Audit which apps have access to your data every few months and revoke what you don't use
- Enable two-factor authentication on any account holding sensitive personal data
For more on choosing privacy-conscious tools, see our 2026 buyer's guide to URL shorteners and our honest review of Lunyb.
Frequently Asked Questions
Can I file a complaint with the DPC if I don't live in Ireland?
Yes. If the organisation you're complaining about has its main EU establishment in Ireland — as many major platforms do — the DPC is the lead supervisory authority for your case. You can either file directly with the DPC or through your national data protection authority, which will forward it under the one-stop-shop mechanism.
Does it cost anything to file a DPC complaint?
No. Filing a complaint with the Data Protection Commission is completely free. You do not need a solicitor to submit one, although legal advice may be helpful for complex or high-stakes cases, especially if you later pursue civil compensation.
Can the DPC award me compensation?
No. The DPC can order corrective action and issue fines to the offending organisation, but any personal compensation for material or non-material damage must be pursued through the Circuit Court or High Court under Section 117 of the Data Protection Act 2018. A DPC decision confirming an infringement can, however, strengthen a subsequent civil claim.
Can I stay anonymous when filing a complaint?
Generally no. The DPC requires your identity to investigate meaningfully, because the organisation typically needs to respond to specific allegations tied to a specific data subject. The DPC treats your personal details confidentially, but they cannot pursue purely anonymous complaints in most cases.
What if I'm unhappy with the DPC's decision?
You have 28 days from the date of the decision to appeal to the Irish Circuit Court or, for larger matters, the High Court. You can also raise concerns about how the DPC handled your case with the Office of the Ombudsman, though the Ombudsman cannot overturn the substantive decision itself.
Final Thoughts
The DPC is one of the most consequential data protection authorities in the world, and for individuals in Ireland — and increasingly across the EU — it is the primary route to enforce your rights against organisations that mishandle your personal data. A well-prepared complaint, backed by evidence and preceded by a genuine attempt to resolve the matter directly, has a strong chance of achieving a meaningful outcome, whether that's the deletion of your data, the end of unwanted marketing, or a systemic change in how a company handles its users.
Take the time to document everything, cite the law, and stay factual. The GDPR gives you real rights — the DPC is how you enforce them.
Protect your links with Lunyb
Create secure, trackable short links and QR codes in seconds.
Get Started FreeRelated Articles
ePrivacy Regulations Ireland: Latest Updates for 2026
Ireland's ePrivacy Regulations govern cookies, tracking and electronic marketing — and enforcement is intensifying. This 2026 guide covers the latest DPC guidance, compliance checklists, and common pitfalls for Irish businesses.
Singapore Online Safety Act 2026: Complete Guide for Businesses and Users
Singapore's Online Safety Act 2026 expands regulator powers over harmful content, scams, and deepfakes. This complete guide breaks down who must comply, what content is regulated, penalties, and practical compliance steps for businesses and users.
OAIC Complaints: How to Report a Privacy Breach in Australia
A step-by-step Australian guide to lodging a privacy complaint with the OAIC — from contacting the organisation first, to conciliation, formal investigation, and remedies. Includes timelines, evidence tips, and what compensation to expect.
UK Online Safety Act: What It Means for Your Privacy in 2026
The UK Online Safety Act reshapes how platforms handle your data, messages and identity. This 2026 guide explains what the law actually requires, where it puts your privacy at risk, and the practical steps UK users can take to stay in control online.