How to file a complaint with the DPC
The Data Protection Commission (DPC) is the Irish regulator for GDPR and the Data Protection Act 2018. If an organisation has breached your rights — failed to respond to a Subject Access Request, ignored a request to stop direct marketing, processed your data without lawful basis, or any other GDPR breach — you can file a free complaint. This page covers how, what the DPC will and won't do, and how to follow up.
When to file a DPC complaint
You should file a DPC complaint when:
- An organisation has failed to respond to a Subject Access Request (or any other rights request) within one month.
- An organisation has refused a rights request without adequate justification.
- You believe an organisation has processed your data without a lawful basis under GDPR.
- You believe your data has been disclosed to a third party without proper authorisation.
- You believe your data was in a breach the organisation has not properly notified you about.
- You believe an organisation is using your data for direct marketing in breach of the ePrivacy Regulations.
What the DPC will not do:
- Award you damages. That's a separate civil claim in the courts.
- Force an organisation to apologise or change a single transaction (they can order broader compliance, not consumer remedies).
- Act fast. Most complaints take months to resolve.
- Pursue every complaint to enforcement. The DPC has discretion about which complaints to prioritise.
Before you file
The DPC generally expects you to have first complained to the organisation itself and given them a reasonable opportunity to respond. Exceptions: where the breach is so serious that delay would cause harm, or where it's clear the organisation will not respond. For most complaints, the sequence is:
Write to the organisation's DPO
Set out the breach, what right has been affected, and what you want them to do. Give them a reasonable deadline (e.g. 14 days). Keep a copy.
Wait for the deadline
If they respond and resolve the issue, you're done.
If they don't respond or refuse
File the DPC complaint.
How to file
The DPC accepts complaints by:
- Online form at dataprotection.ie. This is the most efficient route.
- Email to the DPC's general inbox (published on the website).
- Post to the DPC's Portarlington office.
You'll need to include:
- Your full name, address, contact details.
- The name and contact details of the organisation you're complaining about.
- A clear summary of what happened and what right has been affected.
- Copies of your prior correspondence with the organisation (your original request, their response or lack of it, any follow-up).
- What you'd like the DPC to do (e.g. require them to respond to the SAR, audit their data handling, etc.).
What happens next
| Stage | What happens | Typical timing |
|---|---|---|
| Initial review | The DPC acknowledges receipt and a case officer reviews whether the complaint is in scope. | 1-4 weeks |
| Engagement | If in scope, the DPC engages the organisation, asks them to respond, and sometimes asks you for additional information. | 1-6 months |
| Amicable resolution | Many complaints resolve at this stage — the organisation complies once the DPC formally engages. | Most resolve within 6-12 months |
| Inquiry / formal decision | For complaints that don't resolve, the DPC may open a formal inquiry. These can lead to enforcement notices, reprimands, or fines. | 12+ months, sometimes years for complex cross-border cases |
How to maximise the chances of a useful outcome
- Document everything. Dates, content of correspondence, what you asked for, what they said.
- Be specific. "They breached my rights" is less useful than "On [date] I made an SAR, they have not responded within the one-month statutory deadline, here is the request and the absence of response."
- State a clear remedy. "I want the DPC to require the organisation to respond fully to the SAR within 14 days."
- Keep your response to follow-up questions prompt. The DPC closes inactive cases.
- Be patient. The DPC is chronically under-resourced; pressing too aggressively burns goodwill.
If your complaint involves a state body
The DPC has jurisdiction over state bodies too. The Department of Social Protection has been the subject of multiple high-profile DPC findings — see the DPC's PSC findings. Filing a complaint against a state body works the same way procedurally; the difference is that state bodies sometimes have more legal flexibility on certain processing grounds (statutory functions), so the analysis is more legally complex.
If your complaint involves a non-Irish organisation
Under GDPR's one-stop-shop principle, the DPC is the lead supervisory authority for any company with its EU main establishment in Ireland. That includes most of the major US tech companies. For those, the DPC is the right place to complain about EU-wide processing. For companies established in another EU country, the DPC will route your complaint to the appropriate national regulator under the cooperation mechanism.
Outside the DPC
The DPC is not your only remedy:
- If you've suffered actual loss (financial or otherwise) from a breach, you can sue the organisation in the courts. GDPR Article 82 establishes the right; the threshold for damages is being clarified in case law (the Austrian "UI v Österreichische Post" decision is the key reference).
- If the breach involves criminal conduct (fraud, unauthorised access to a computer system), An Garda Síochána is the right channel.
- If the breach involves a regulated profession (a doctor, a lawyer, a financial advisor), their professional regulator can also act.