DPC Annual Report 2024: Proportionate, Fair and a Balanced Approach to Regulation

On 19 June 2025, the Data Protection Commission (“DPC”) published its annual report for 2024 (“Annual Report”), together with the results of its first ever Public Attitudes Survey and a booklet of case studies with key learnings.

DPC

The DPC is the supervisory authority in Ireland that has a statutory role in upholding the data protection rights of individuals and monitoring the application of the GDPR. It has statutory powers to take enforcement actions and corrective measures against those who breach the GDPR. As many of the world’s leading tech companies are based in Ireland, the DPC has a crucial role in regulating the tech sector and its decisions and supervisory activity have a significant impact.

AI

The DPC was as busy as ever in 2024 and this looks unlikely to change any time soon given it will have a central role in regulating AI. In 2024, the DPC was designated as one of Ireland’s fundamental rights bodies under the EU AI Act and it is also proposed that it will have a role as a market surveillance authority. During 2024, the DPC was active in its regulation of AI, particularly the use of personal data for training large language models (LLMs). The DPC notes that while it recognises the immense societal benefits of AI, it is also important to introduce AI in a balanced way that protects individuals, especially children and vulnerable adults, from harm. Some of the interventions and developments relating to AI included:

  • X (formerly Twitter) agreeing to suspend its processing of personal data for the purpose of training AI tool ‘Grok’. This was following High Court proceedings taken by the DPC.
  • The DPC requesting a statutory opinion from the European Data Protection Board (EDPB), for the first time, on AI model development. The opinion was published in December 2024.
  • An inquiry into Google’s AI Model that was launched in September 2024.

As well as its work in connection with AI, the DPC was active on a number of other matters. This briefing summarises some of the highlights from the Annual Report.

Complaints

In 2024, the DPC continued to receive a high volume of complaints. Access requests continue to account for the highest proportion of complaints (34%), followed by the fair processing of data (17%) and the right to erasure (14%). In total, the DPC processed 11,091 new cases, with 10,510[1] cases resolved and 2,673 progressing to the formal complaint process.

The DPC’s approach to complaint-handling continues to encourage an amicable resolution of complaints to achieve an early outcome for the complainant. The DPC, however, will use its enforcement powers where it considers it appropriate. This can arise where, for example, the organisation does not engage with the complainant or the DPC. In 2024, the DPC issued 8 enforcement notices and the majority of these related to non-response to access requests.

Direct marketing

Electronic direct marketing continues to be an active area of investigation and enforcement for the DPC. In 2024, the DPC received 198 new complaints, with 70% of these related to unsolicited email communications and 24% related to unsolicited text messages. The DPC concluded 146 electronic direct marketing investigations in 2024, successfully prosecuting 8 organisations under the ePrivacy Regulations 2011[2] for sending unsolicited marketing communications without complying with the relevant opt-in / opt-out requirements.

Breach notifications

In 2024, the DPC received 7,781 valid notifications of data breaches, which was an 11% increase from 2023. Breach notifications were addressed by the DPC expeditiously and efficiently with 81% of cases concluded by the end of 2024. Of the breach notifications received, 7,346 were made under the GDPR with the sectoral breakdown as follows:

  • 3,958 related to the private sector; 
  • 3,137 related to the public sector; and
  • 251 came from the voluntary and charity sector.

The top cause of complaints was correspondence being sent to the wrong recipient (50%). In line with previous years, public sector bodies and banks accounted for the ‘top ten’ organisations with the highest number of breach notifications recorded. Telecoms and insurance companies also featured prominently and were amongst the ‘top twenty’.

Fines and Inquiries

In 2024, the DPC imposed administrative fines of over €652 million, which is a significant decrease from last year’s €1.55 billion in fines. The Annual Report also lists some of the decisions that the DPC took in 2024 (summarised in the table below). It is particularly notable that for a number of these decisions the DPC decided not to impose administrative fines but instead applied corrective measures including reprimands and orders directing the controller to bring their processing into compliance. This would suggest that fines are a last resort that are intended to be dissuasive, with the DPC more concerned with the overall outcome of bringing about compliance.

2024 Decisions

| Sector | Subject | Fines and Corrective Measures |
| --- | --- | --- |
| Short-term rental platform. *Cross-border inquiry subject to Article 60 cooperation and consistency mechanism | Requesting ID to carry out an erasure request. | Fine: N/A. Reprimand re Articles 5(1)(c) (Data Minimisation) and 6 (Lawfulness of processing) of the GDPR. |
| Multinational technology corporation selling consumer devices and online services. *Cross-border inquiry subject to Article 60 cooperation and consistency mechanism | Access request for personal data held on a locked account. | Fine: N/A. No infringement found. |
| Online deals and coupons website and app. *Cross-border inquiry subject to Article 60 cooperation and consistency mechanism | Requesting ID to carry out an access request and erasure request. Demonstrating compliance with an erasure request. | Fine: N/A. Reprimand re Articles 5(1)(c) (Data Minimisation), 6(1) (Lawful Basis for Processing), 12(2) (Facilitating the Exercise of Data Subject Rights), 15(1) (Access Right), 15(3) (Access Right) and 17(1) (Right to Erasure) of the GDPR. |
| Multinational technology corporation selling consumer devices and online services. *Cross-border inquiry subject to Article 60 cooperation and consistency mechanism | Retention of an email address following an erasure request. | Fine: N/A. Order to bring processing into compliance. Reprimand re Articles 13(1)(c) (Transparency Information) and 13(1)(d) (Transparency Information) of the GDPR. |
| Media organisation. *Domestic inquiry | Exercise of the right to freedom of expression and information for journalistic purposes. | Fine: N/A. No infringement found. |
| Social networking platform. *Large-scale cross-border inquiry subject to Article 60 cooperation and consistency mechanism | Storage of users’ passwords in plaintext. | Fine: €91 million. Reprimand re Articles 5(1)(f) (Integrity and Confidentiality), 32(1) (Security Measures), 33(1) (Reporting Personal Data Breaches), and 33(5) (Documenting Personal Data Breaches) of the GDPR. |
| Professional networking platform. *Large-scale cross-border inquiry subject to Article 60 cooperation and consistency mechanism | Behavioural analysis and targeted advertising. | Fine: €310 million. Order to bring processing into compliance. Reprimand re Articles 5(1)(a) (Lawfulness, Fairness and Transparency), 6(1) (Legal Basis), 13(1)(c) (Transparency Information) and 14(1)(c) (Transparency Information) of the GDPR. |
| County Council. *Domestic inquiry | Processing of personal data through CCTV, ANPR and other tech. | Fine: €29,500. Temporary ban on CCTV at a number of locations. Order to bring processing into compliance. Reprimand under a number of provisions of the GDPR and Data Protection Act 2018. |
| University. *Domestic inquiry | Personal data breach. | Fine: €40,000. Reprimand re: Articles 5(1)(f) (Integrity and Confidentiality), 32(1) (Security Measures) and 33(1) (Reporting a Personal Data Breach) GDPR. Order to bring processing into compliance with Article 32(1). |
| Social networking platform. *Large-scale cross-border inquiry subject to Article 60 cooperation and consistency mechanism | 2018 personal data breach arising from user tokens on the platform. This decision considered notification obligations. | Fine: €11 million. Reprimand re: Article 33 (Reporting a Personal Data Breach) of the GDPR. |
| Social networking platform. *Large-scale cross-border inquiry subject to Article 60 cooperation and consistency mechanism | 2018 personal data breach arising from user tokens on the platform. This decision considered notification obligations. | Fine: €240 million. Reprimand re Article 25 (Data Protection by Design and by Default) of the GDPR. |

On 31 December 2024, the DPC had 89 live statutory inquiries, with 53 cross-border inquiries ongoing. In 2024, the DPC concluded 4 large-scale cross-border inquiries (see table above) with draft decisions sent forward to the EU concerned supervisory authorities under the co-operation and consistency mechanism provided for in Article 60 of the GDPR. Notably, the Annual Report records that none of the other concerned supervisory authorities objected to the draft decisions, which appears to indicate growing consensus between the DPC and its fellow regulators.

Engagement

The Annual Report notes that the DPC adopts an open and communicative approach to the organisations that it regulates, as well as sector representative bodies, DPO networks and legislators. The Annual Report highlights that while proactive engagement can be resource intensive, the DPC has found it to be an effective mechanism for driving compliance which ultimately leads to better outcomes for individuals. In 2024, the DPC had 757 supervision engagements and a significant proportion of these were with the multi-national technology sector. The sectoral breakdown is as follows:

  • Law enforcement: 14;
  • Health: 81;
  • Public sector: 40;
  • Charities / Voluntary Bodies: 30;
  • Children / Family: 43;
  • Private sector & financial: 121;
  • Multinational technology: 421; and
  • Other: 7.

Some of the matters that the DPC engaged on included:

  • Local authorities and their use of CCTV for tackling litter and waste offences.
  • Public bodies on their adoption and deployment of recording devices, such as body-worn cameras and drone technology, in support of their law enforcement activities.
  • Revenue Commissioners in relation to a pilot project for the use of drone technology in support of its customs enforcement functions.
  • Irish Council for Civil Liberties on the use of Facial Recognition Technologies (FRT) in law enforcement.
  • Use of children’s data in sport.
  • Adult safeguarding.
  • Government Departments and public bodies on the data protection implications of the digitalisation of their services.
  • Technology companies on the use of personal data for AI.

In addition to engaging with organisations, the DPC also provided guidance and observations on 56 proposed legislative measures in 2024.

New functions: (i) Inter-Regulatory Affairs; and (ii) Head of EDPB and International Affairs

Looking ahead, the DPC anticipates having a prominent role in providing data protection expertise and guidance to other regulators at a national and EU level due to the new EU digital legislative package[3] given the essential role of personal data to the digital economy. As such, it established a new function of ‘Inter-Regulatory Affairs’ in 2024 which is led by a Deputy Commissioner. The Annual Report notes that inter-regulatory engagement is a key priority for 2025 and this function is expected to work closely with Ireland’s Digital Regulators Group (which also includes the Competition and Consumer Protection Commission, the Commission for Communications Regulation and An Coimisiún na Meán).

The DPC regularly interacts with other EU data protection supervisory authorities particularly on cross-border matters (as part of the Article 60 cooperation and consistency mechanism) and the provision of mutual assistance to other supervisory authorities under Article 61 of the GDPR, and also as a member of the European Data Protection Board. In recognition of the increasing importance of its engagement on international affairs, it appointed a Deputy Commissioner in October 2024 to lead the ‘EDPB and International Affairs’ function.

New Public Attitudes Survey

The Annual Report, this year, was also accompanied by a Public Attitudes Survey for the first time. The survey, which was undertaken as part of a mid-point review of the DPC’s Regulatory Strategy 2022-2027, was conducted in May 2025. Some of the key findings include:

  • There was a high level of concern about how children’s personal data is being shared and used online, with 77 per cent of respondents reporting being quite/very concerned.
  • 76% of people were concerned with how personal data is used to create a digital profile of themselves which could be shared, sold or traded.
  • 61% of people were concerned with the use of AI.
  • There was a slightly lower level of concern about social media and tech companies creating profiles to personalise content, and personal data being used for targeted ads (59% and 58% respectively).
  • Fewer than one in five people pay close attention to how their personal data is used by organisations, with around a quarter admitting to paying hardly any or no attention at all. Those aged 18 to 34 tend to pay less attention.
  • Just over half of those surveyed believe that data protection laws ensure companies using information do so responsibly, with 1 in 5 not aware of how the law impacts them. This increases to almost 3 in 10 amongst the over fifty-fives.
  • There is a high level of trust for the DPC, based on those surveyed.

Conclusion

It appears from the Annual Report that the DPC had a busy 2024 and this looks likely to continue given its role in regulating AI and its prominent role on the international stage as the Lead Supervisory Authority for some of the world’s largest tech companies. The DPC’s approach of proactive engagement with organisations to drive compliance is positive and seems in many cases to yield good outcomes for data subjects, but it is clear that it is willing to use its enforcement powers where appropriate.

While resources have increased, this will need to continue to meet the new, wider remit of the organisation and its demands. The Annual Report also helpfully provides us with insight into priority areas for the DPC which appear to be biometrics, AI models and sensitive health data.

Also contributed to by Evan Sheedy


  1. Figure includes complaints received prior to 2024.
  2. S.I 336/2011.
  3. The EU digital legislative package includes the AI Act, Data Act, Digital Markets Act, Digital Services Act and Data Governance Act

This document has been prepared by McCann FitzGerald LLP for general guidance only and should not be regarded as a substitute for professional advice. Such advice should always be taken before acting on any of the matters discussed.
