ARTICLE
14 July 2026

Spotlight On The Irish Data Protection Commission’s Annual Report: Key Findings

MG
Maples Group

Contributor

The Maples Group is a leading service provider offering clients a comprehensive range of legal services on the laws of the British Virgin Islands, the Cayman Islands, Ireland, Jersey and Luxembourg, and is an independent provider of fiduciary, fund services, regulatory and compliance, and entity formation and management services.
On 30 June 2026, the Irish Data Protection Commission (“DPC”) released its 2025 annual report (“Report”).1 The Report covers the eighth year of the DPC’s enforcement of the General Data Protection Regulation (EU) 2016/679 (“GDPR”).
Ireland Privacy
Claire Morrissey’s articles from Maples Group are most popular:
  • within Privacy topic(s)
Maples Group are most popular:
  • within Privacy, Technology and Compliance topic(s)

What You Need to Know

On 30 June 2026, the Irish Data Protection Commission (“DPC”) released its 2025 annual report (“Report”).1 The Report covers the eighth year of the DPC’s enforcement of the General Data Protection Regulation (EU) 2016/679 (“GDPR”).

Unsurprisingly, it was an exceptionally busy year for the DPC and the Report details key enforcement and complaints developments, supervisory engagements, the DPC’s international activities as well as the DPC’s activities in relation to children’s data protection rights.

Following publication, we have developed our “Spotlight on the Irish DPC Annual Report” series, a number of articles examining the key themes, developments and case studies from the Report.

In this first article, we set out the main highlights from the Report.

Significant Increase in Caseload

The DPC has experienced a 45% increase in new cases, with 16,160 new cases received in 2025 compared to 11,091 in 2024. Much of that increase is being driven by AI with the Report noting that more and more people are using AI tools to help them draft their complaints and exercise their rights, which added to both the volume and the complexity of complaints received.

Three issues make up three-quarters of all complaints. Top of the list, by some distance, are complaints relating to data subject access requests (“DSARs”) (42%), followed by the right to erasure (17%) and fair processing (16%). DSARs remain the number one source of complaints year after year, with the DPC noting that DSARs typically have underlying issues at their core, such as a deterioration in an employer–employee relationship, disputes involving financial matters or situations that effectively began as poor customer service rather than a particular data protection concern.

Personal Data Breaches

The DPC received 6,521 breach notifications, which is down 16% on last year. Notably 55% of those breaches were assessed as low, or no risk; and half of all notifications came down to correspondence sent to the wrong recipient. A significant proportion of breaches therefore relate to everyday human error rather than sophisticated attacks.

Major Enforcement Actions and Fines

The DPC imposed over €530 million in administrative fines in 2025. This brings the cumulative total since May 2018 to €4.04 billion but it has been reported separately that the exchequer has only received €20 million of those funds due to ongoing challenges to the DPC’s decisions.

The largest fine of the year was a €530 million fine against TikTok Technology Limited (“TikTok”) for transferring personal data of EEA users to China and failing to provide the required information to data subjects. This also included an order to suspend those transfers which the High Court stayed in 2025 and recently asked the DPC to reassess the suspension order.

Other fines included a €550,000 fine against the Department of Social Protection for unlawful biometric data processing in connection with the public services card, a €125,000 fine against the City of Dublin Education and Training Board and a €98,000 fine against the University of Limerick for security failures and delayed breach notifications.

Site Visits

The DPC carried out 13 site visits in 2025, covering a range of organisations including TikTok, Sligo County Council, restaurants, a GP’s surgery, a solicitor’s office and the business premises (CRO registered addresses) of a number of sole traders. The DPC made an unannounced visit related to a protected disclosure about the processing of personal data at Tallaght University Hospital.

AI Regulation

A dominant theme in the Report is the balancing of technological innovation and data protection. The DPC continues to regulate the training of generative AI models by large technology companies based in Ireland. There were new inquiries commenced into X Internet Unlimited Company’s processing of EEA user data for AI model training and the DPC has continued its regulatory engagement with LinkedIn, Meta and OpenAI regarding the use of personal data in connection with AI models, chatbots and agents.

DPC Decisions and Litigation

The DPC issued 10 final decisions and 92 provisional decisions in 2025. As of the end of 2025, it also had 87 statutory inquiries in progress, which includes 53 cross-border inquiries.

Litigation involving the DPC in 2025 included (i) TikTok’s appeal against the €530 million fine, (ii) the General Court of the European Union dismissing the DPC’s challenge to the European Data Protection Board’s decision directing it to conduct new investigations in Meta Platforms and (iii) the Irish Court of Appeal’s ruling in favour of the DPC in proceedings brought by Meta. LinkedIn has also appealed the DPC’s €310 million fine.

International Cooperation

The DPC has received 1,015 Article 61 GDPR mutual assistance requests from other European regulators. It has reviewed 158 Article 60 draft decisions from other lead supervisory authorities which is a 40% increase on 2024. The DPC has also had 1,222 supervision engagements, with 498 of these relating to the multinational technology sector.

Children’s Data Protection

The DPC launched its “Sharenting” campaign which aimed to draw parents’ attention to the risks associated with the habitual sharing of children’s personal information, photos and videos online. The campaign generated over 150 million views globally. The DPC has also provided parents with an online resource which offers practical tips about posting online.

The DPC has also signed a cooperation agreement with Coimisiún na Meán on advancing the safety of children and the protection of their personal data online.

Data Protection Officers

The DPC has now been notified of 4,218 Data Protection Officers across the public, private and not-for-profit sectors, underscoring how embedded the role of Data Protection Officers has become.

Organisational Developments

The DPC appointed a third Commissioner for Data Protection in October 2025, which completed the move to a three-person commission. The Report also details that DPC staff increased to 295 by the end of 2025, and the DPC opened its new office in Dublin which allows its staff to be housed in one building.

Case Studies

In conjunction with the Report, the DPC has also published its annual case studies booklet which contains 39 case studies covering the following topics:

  • DSARs;
  • rectification requests;
  • data breaches;
  • CCTV;
  • cross-border cases; and
  • general data protection cases relating to erasure, confirming identity, special categories of personal data and retention.

The case study booklet is an instructive and practical resource, offering useful guidance on how the DPC approaches common data protection issues in practice.

Footnotes

1 https://www.dataprotection.ie/en/data-protection-commission-publishes-2025-annual-report
2 https://maples.com/knowledge

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

[View Source]

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More