How to File a Data Privacy Complaint in Ireland

Data privacy is a fundamental right in Ireland, protected under both the General Data Protection Regulation (GDPR) and national legislation such as the Data Protection Act 2018. If you believe an organisation has mishandled your personal data, ignored your rights, or caused harm through a data breach, you have the right to file a formal complaint with the Data Protection Commission (DPC). This guide explains your rights, the types of complaints the DPC handles, a detailed step-by-step process for filing, what happens after you submit, and practical tips to strengthen your case.

Before filing a complaint, it helps to be clear on the specific rights the law gives you. The GDPR provides the following rights, which apply to any organisation processing personal data of individuals in the EU, including Ireland:

The right to be informed – Organisations must tell you how they collect, use, and share your data in a clear and transparent way.
The right of access – You can request a copy of all personal data an organisation holds about you, plus details on why it is being processed.
The right to rectification – If your data is inaccurate or incomplete, you can ask for it to be corrected.
The right to erasure (right to be forgotten) – In certain circumstances (e.g., no legitimate need for processing, you withdraw consent), you can demand deletion of your data.
The right to restrict processing – You can limit how your data is used while a dispute is resolved.
The right to data portability – You can request your data in a structured, machine-readable format and transfer it to another service.
The right to object – You can object to processing for direct marketing, or profiling based on legitimate interests.
Rights related to automated decision-making and profiling – You have the right not to be subject to a decision based solely on automated processing that significantly affects you.

These rights are not absolute; they may be limited in certain legal contexts. However, if you believe any of these rights have been violated, that is a valid basis for a complaint. The DPC is the Irish supervisory authority responsible for enforcing GDPR and investigating complaints.

Common Reasons People File a Data Privacy Complaint

Complaints come in many forms. Some of the most frequent issues reported to the DPC include:

Unauthorised data sharing – An organisation gives your data to a third party without your consent or a legal basis.
Failure to respond to an access request – You requested your data, but the organisation ignored the request or did not respond within the one-month deadline.
Unsolicited marketing – You receive persistent spam calls, emails, or texts after opting out, or without prior consent.
Data breach notification failures – The organisation suffers a security incident that exposes your data but fails to inform you when required (e.g., high risk to rights).
Inadequate security measures – You discover that weak protections led to a preventable leak of your data.
Biometric data misuse – Employers or businesses collect fingerprints, facial recognition, or other biometrics without clear justification and consent.
Online tracking and cookies – Websites load tracking cookies without your permission or ignore your preferences.

If your situation matches any of these – or something similar – you likely have grounds to file a complaint.

Step-by-Step Guide to Filing a Data Privacy Complaint

Step 1: Identify and Document the Issue Clearly

Start by writing down exactly what happened. Include dates, times, names of people you spoke with, and copies of any relevant communications. A clear timeline and evidence are critical. For example, if you made a data access request, keep a copy of your original email and any replies. If a company sent you unwanted marketing after you opted out, save screenshots of the opt-out confirmation and subsequent messages.

Step 2: Contact the Data Controller First

Under GDPR, you must usually give the organisation – the “data controller” – an opportunity to resolve the issue directly. This is called the “right to lodge a complaint” under Article 77, but the DPC expects you to have contacted the controller first. Write a formal letter or email explaining your concern, referencing your specific right that has been violated, and state what you would like them to do (e.g., delete data, provide access, stop processing). Keep a copy and note the date you sent it. Wait at least one month for a response. If they fail to respond or give an unsatisfactory answer, proceed to step 3.

Step 3: Gather Supporting Evidence

Collect everything that backs up your case: emails, letters, screenshots, call logs, contracts, privacy policies, and any responses from the organisation. If the issue involves a data breach, include any notifications you received. Evidence is the strongest factor in speeding up the DPC’s review. If you have multiple documents, organise them into a clear order (e.g., chronological list).

Step 4: Submit Your Complaint to the DPC

Once you have exhausted the direct contact route, you can file a formal complaint with the DPC. You can do so either through their online portal or by post. The DPC does not charge a fee for filing a complaint.

How to Submit Your Complaint

Using the Online Portal (Recommended)

Go to the DPC’s official website: www.dataprotection.ie.
Click on “Make a Complaint” in the top navigation or under the “Individuals” section.
Read the guidance provided, then select the option to start a new complaint.
Fill in the web form with your personal details, contact information, and a clear description of the issue. Be as specific as possible: what happened, when, which organisation, and what rights were violated.
Attach any supporting documents in accepted formats (PDF, JPG, etc.). The form allows multiple attachments.
Review your submission and confirm. You will receive an automated acknowledgment with a case reference number.

The online portal is the fastest method. The DPC aims to acknowledge complaints within a few working days.

By Post

If you prefer to send a physical letter, write a detailed statement including your full name, address, phone number, and email. Describe the complaint step by step, mention the date you contacted the data controller, and list the evidence you are enclosing. Send copies only – never original documents. Address your letter to:

Data Protection Commission
Canal House
Station Road
Portarlington
Co. Laois
R32 AP23
Ireland

Keep a copy of your letter and any proof of postage (certified mail is advisable). Postal complaints take longer to process but are equally valid.

What Happens After You File a Complaint?

Initial Assessment and Validation

Once the DPC receives your complaint, they will first check that it meets basic admissibility criteria: that you have already tried to resolve it with the data controller, that it falls within their jurisdiction (i.e., the organisation is based in Ireland or has an Irish establishment), and that the issue relates to a serious data privacy matter. If something is missing, they may contact you for clarification.

Investigation and Resolution

If the complaint is accepted, the DPC will assign a case officer. The officer will review the evidence, contact the organisation involved, and request their side of the story. The DPC may attempt mediation to reach an agreement between you and the organisation. Many complaints are resolved at this stage without a full formal investigation. If mediation fails or the violation is serious, the DPC will launch a full investigation.

Investigations can take from a few months to over a year, depending on complexity, the number of parties involved, and the volume of evidence. The DPC has the power to compel organisations to provide information and access premises.

Possible Outcomes

Rejection – If the complaint is found to be unfounded or outside the DPC’s remit, it will be closed, and you will be informed with reasons.
Informal resolution – The DPC may facilitate a solution where the organisation agrees to correct, delete, or cease processing your data, without a formal finding.
Formal decision – The DPC can issue a binding decision requiring the organisation to take specific actions (e.g., erase data, allow access, provide compensation).
Enforcement action – For serious violations, the DPC can impose administrative fines (up to €20 million or 4% of annual global turnover, whichever is higher) and issue reprimands, orders to comply, or temporary bans on data processing.

You will be notified in writing of the outcome. If you disagree with the DPC’s decision, you have the right to appeal to the Circuit Court (for certain decisions) or to seek judicial review.

Tips for a Successful Complaint

Be clear and concise – Avoid emotional language; stick to facts. Describe what happened, which right was violated, and what remedy you seek.
Provide all relevant evidence – The more documentation you supply, the easier it is for the DPC to assess your case quickly.
Keep copies and logs – Record dates of every interaction with both the data controller and the DPC. Note the names of anyone you speak with.
Follow up promptly – If you don’t receive an acknowledgment from the DPC within two weeks, send a polite follow-up email or phone the contact centre.
Respect the DPC’s process – Avoid submitting the same complaint multiple times or contacting different officers simultaneously; it creates confusion.
Consider a data protection advocate – If your case is complex, you may benefit from independent advice or legal support. Some non-profits offer free initial guidance.

Additional Resources and Support

DPC Individual Rights and Complaints – Official guidance from the Irish regulator.
General Data Protection Regulation (GDPR) – Full Text – The legal basis for your rights.
European Data Protection Board – Provides consistency across EU member states; useful for cross-border issues.
Citizens Information – Data Protection Complaints – Irish government resource explaining your options.

Final Thoughts

Filing a data privacy complaint in Ireland is a structured, rights-based process. By understanding your GDPR rights, contacting the organisation first, and then submitting a well-documented complaint to the DPC, you help hold organisations accountable and contribute to a stronger culture of data protection. While the process can take time, the DPC is committed to investigating valid concerns and has a track record of enforcing compliance. Your complaint matters – not just for your own privacy, but for everyone’s.