On 19 June 2025, the Data Protection Commission (DPC) published its Annual Report for 2024 (Report), accompanied by the results of its first Public Attitudes Survey and Case Studies Booklet 2024 (2024 Case Studies).
The Report indicates a fair, consistent regulatory approach by the DPC, which also encompasses a willingness to decisively pursue enforcement measures, where necessary, to safeguard data protection rights.
Key trends
2024 was another year of growth for the DPC, with a steady upward trend in case handling that seems set to maintain its prevailing trajectory. As we outlined earlier this year, the DPC has been granted additional competency in supervising the implementation of the EU AI Act, which will contribute to this growth pattern.
During 2024, the DPC:
- issued 11 finalised inquiry decisions resulting in administrative fines totalling €652 million.
- processed 11,091 new cases from individuals and concluded 10,510 cases; 2,357 complaints were resolved through the formal complaint-handling process.
- received over 32,000 total contacts, of which 24,306 were electronic contacts comprising emails to its account and webforms submitted through its website.
- received 7,781 total valid breach notifications, representing an increase of 11% on 2023, of which 7,346 were General Data Protection Regulation (GDPR) notifications.
- As of 31 December 2024, had 89 statutory inquiries on hand, including 53 cross-border inquiries.
Both public and private sector organisations were subject to these supervision and enforcement trends.
Access requests
Requests by data subjects for sufficient, transparent and easily accessible information about processing their personal data continue to form the largest share of national complaints, at 34%. By the end of 2024, the DPC had received 914 new complaints related to the right of access and concluded 904. The Report outlines that failure by organisations to reply to data subjects regarding their requests within the required timeframe, coupled with the application of redactions or exemptions by those organisations, generates the basis for many of these complaints.
The DPC encourages organisations to engage in amicable resolution to resolve complaints and facilitate early outcomes for the relevant data subjects. The DPC also emphasised the need to not only provide access to personal data, on receiving an access request, but to give meaningful supplemental information about the processing of personal data, as required by Article 15(1) and (2) of the GDPR.
Novel enforcement mechanisms
Notably, in 2024, the DPC adopted a targeted approach regarding the regulation of artificial intelligence through the lens of data protection. In August 2024, the DPC, for the first time, used its power under section 134 of the Data Protection Act 2018 to request the High Court to prohibit the processing of personal data by X of publicly available user posts for training 'Grok', its AI tool. X subsequently gave undertakings to the Court to suspend its processing of specified personal data, and further agreed to adhere to the terms of those undertakings permanently.
In September 2024, to achieve greater harmonisation and regulatory consensus at EU level, the DPC issued its first formal referral to the European Data Protection Board (EDPB) under Article 64(2) of the GDPR seeking clarification on the determination of whether, and under what circumstances, data processed by AI models would be considered personal data. The EDPB subsequently adopted a formal opinion in December 2024.
Sector-specific breaches
Consistent with previous years, public sector bodies and banks were among the organisations with the highest number of breach notifications recorded against them, with organisations in the insurance and telecoms also featuring prominently.
Case Studies
Case Studies are useful tools for organisations seeking guidance on how the DPC applies data protection law, identifies non-compliance, and imposes corrective measures. Organisations should note key takeaways for each case and implement or update organisational measures, as appropriate. The 2024 Case Studies include insights and key takeaways regarding access requests, processing of employee personal data, prosecution, and breach cases. From these case studies, the DPC emphasises key points, such as: the need for organisations to establish effective communication of their policies and procedures to staff members; the importance of individualised consent for marketing purposes; and effectively managing opt-out requests.
Outreach
Building on its examination of data protection issues in sports organisations, which commenced in 2023 and 2024, the DPC issued a questionnaire to 110 sports clubs across Ireland, from major participation sports, to assess data protection compliance and data sharing arrangements between involved parties. The DPC indicated that it will extend this outreach to governing bodies and sports organisations as part of a wider stakeholder engagement to assist in developing guidance for clubs and members of the public.
Following the identification by the DPC in 2023 of key areas of data protection compliance which prove challenging for schools, the DPC commenced a stakeholder engagement process in 2024. This involved targeted outreach to organisations in the education sector and culminated in the publication of a dedicated resource, "Data Protection Toolkit for Schools" (Toolkit), in December 2024. The DPC indicated that the Toolkit represents a preliminary step in assisting the sector to meet its data protection obligations and has signalled its intention to continue to engage with the sector in the future.
The DPC's commitment to outreach under its supervisory function is also evident through its engagement with organisations undergoing product development at the pre-market launch stage.
Future trends: a commitment to growth
We expect these trends to continue tracking upwards, parallel with the DPC's evolving statutory remit. The Report illustrates continued investment by the DPC in recruitment processes to support delivery of its mandate, particularly the appointment of Deputy Commissioners in two new functional areas of EDPB & International Affairs, and Inter-Regulatory Affairs.
Through its engagement with controllers, it is clear that the DPC is also committed to actively pursuing an outreach strategy on an ongoing basis.
Contributed by Nessa Boland
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.