PROFILE
Mandate and constitution
Ireland's Data Protection Commission is the supervisory authority designated under Article 51 GDPR for the territory of Ireland and, by operation of Article 56 for cross-border processing, the lead supervisory authority for any controller with its main EU establishment in Ireland. The DPC was established under the Data Protection Act 1988 (the original incorporation of Convention 108 into Irish law), reconstituted under the Data Protection Acts 1988 and 2003, and modernised under the Data Protection Act 2018 to give effect to the GDPR. The 2018 Act designates the DPC as the supervisory authority for the purposes of the GDPR and the Law Enforcement Directive, and establishes its powers, procedures and accountability framework.
The DPC reports to the Oireachtas (Irish parliament) through the Minister for Justice. Its budget, staffing and operational independence are governed by the Data Protection Act 2018 and by EU-level institutional independence requirements set out in Articles 52-54 GDPR. The DPC's headquarters are in Dublin (Fitzwilliam Square), with a satellite office in Portarlington. Staffing has grown materially during the GDPR period, from approximately 110 in 2018 to more than 230 by 2026, reflecting the scale of the Big Tech caseload.
Fining philosophy
The DPC's fining philosophy reflects the institutional reality that it handles the largest cross-border GDPR inquiries in the EU. Its decisions are characterised by long inquiry timelines (often three to five years from complaint to final decision), detailed factual analysis, careful Article 83(2) factor-by-factor weighting, and an emphasis on procedural rigour. Critics have accused the DPC of being insufficiently aggressive on fine amounts; the EDPB Article 65 mechanism has repeatedly recalibrated DPC draft fines upward, most visibly in the WhatsApp case (€30-50M draft to €225M final) and the Meta Chapter V case.
The DPC's decisions are notable for the depth of their Article 6 and Article 25 reasoning on platform-design questions, and for their treatment of cross- border one-stop-shop dynamics. The DPC has also led on Article 6 lawful-basis findings in the Meta cases (contract-as-basis rejected for personalised advertising), which have reshaped ad-tech compliance across the EU.
Headline decisions
The DPC's major decisions since 2018 include the following landmarks. In September 2021, the WhatsApp €225 million transparency decision was issued following EDPB Binding Decision 1/2021 (the first ever EDPB Article 65 binding decision). In September 2022, the Instagram €405 million children's-data decision was issued following EDPB Binding Decision 2/2022. In January 2023, two Meta Ireland decisions totalling €390 million addressed the contractual lawful basis for personalised advertising on Facebook and Instagram, again following an EDPB binding decision. In May 2023, the Meta €1.2 billion Chapter V transfer decision was issued, the largest single GDPR fine to date, following EDPB Binding Decision 1/2023. In September 2023, the TikTok €345 million children's-data decision was issued following EDPB Binding Decision 2/2023.
The 2024-2026 period has continued the pattern. In May 2025, the TikTok €530 million Chapter V (China transfers) decision was issued, the second-largest single GDPR fine to date. Throughout this period the DPC has also handled a steady stream of mid-sized national fines on Irish controllers, smaller breach notifications, and a growing volume of cross-border own-volition inquiries.
Statistical record
Cumulative DPC fines since the GDPR took effect exceed €3 billion. The distribution is highly skewed: a small number of multi-hundred-million-euro Big Tech decisions account for the bulk of the total. Median annual fine count is in the tens (not hundreds, unlike the AEPD); median fine size is in the low-millions when Big-Tech outliers are excluded. The Big Tech share of the total is approximately 95% in any year where a major decision is issued, and lower in years where no Big Tech decision concludes.
Annual reports published by the DPC provide detailed breakdowns of complaint volumes (rising steadily, exceeding 11,000 in 2024), cross-border statutory inquiries (typically 20-30 active concurrently), and Section 110 inquiries (DPC-initiated inquiries under Irish law). The most recent annual report available at the time of writing is for 2024, with the 2025 report expected in mid-2026.
How to engage as a data subject
Data subjects affected by processing carried out by an Ireland-established controller can lodge a complaint with the DPC under Article 77 GDPR. Complaints are submitted through the dataprotection.ie web portal, by post, or by email. The DPC will typically acknowledge within a defined service-level period and will engage either through the formal complaint procedure or through informal resolution depending on the nature of the matter.
For cross-border complaints (where the data subject is in another Member State but the controller is established in Ireland), the one-stop-shop mechanism allows the complaint to be lodged with the data subject's local DPA and then forwarded to the DPC as lead authority. The original DPA retains a role as a "concerned" authority through the Article 60 cooperation procedure and through any Article 65 escalation.
Recent enforcement trends
The DPC's 2024-2026 enforcement priorities, as set out in its regulatory strategy and annual reports, include children's data (continuing from the TikTok and Instagram lines), AI-system processing (under the new EU AI Act intersect with GDPR), DPIA compliance for large-scale processing, and the continued one-stop-shop relationships with concerned authorities. The DPC has published guidance on data-protection considerations in AI development and on the application of GDPR to large language model training data, which signals the direction of future inquiries.
The institutional move to a three-Commissioner structure in 2024 was partly motivated by the operational scale required to handle the concurrent inquiries and the complexity of the EDPB cooperation work. The structural change is intended to reduce single-point-of-decision bottlenecks and to allow the DPC to conclude more inquiries per year while maintaining decision quality.