DPC Annual Report 2025: Key Takeaways

On 30 June 2026, the Data Protection Commission (DPC) published its Annual Report for 2025. The report highlights an active year for the regulator, and a clear intensification of focus on certain themes, including artificial intelligence (AI), international data transfers, biometric processing and children’s data protection rights. We have summarised below the key figures and practical takeaways for organisations from this year’s report.

Key Figures

  • 16,160 new cases were received in 2025, a 45% increase on 2024. October 2025 was the busiest month ever recorded.
  • 11,734 cases were concluded during the year, a 12% increase on 2024.
  • €530.77 million in administrative fines were imposed, bringing total fines issued since May 2018 to €4.04 billion.
  • 6,521 valid data breach notifications were received (a 16% decrease on 2024), with 50% arising from correspondence sent to the wrong recipient.
  • 208 cross-border complaints were concluded (a 43% increase), with 163 amicable resolutions achieved through the Article 60 cooperation mechanism.
  • 275 electronic direct marketing investigations were concluded (an 88% increase), with 50 warning letters issued.
  • 77+ pieces of proposed legislation received DPC input and observations, up from 56 in 2024.

Intensifying Focus on Artificial Intelligence

AI was the dominant theme of the DPC's 2025 activity, spanning large-scale platform investigations through to practical compliance issues affecting organisations.

The DPC engaged extensively with Meta and LinkedIn regarding their use of EU user data to train generative AI models. Both companies were required to implement improved transparency, data minimisation measures, and protections for under-18s. Notably, the DPC has not yet approved or found compliant either company's processing. A formal own-volition inquiry was opened into X Internet Unlimited Company concerning its use of EEA user posts to train the Grok AI models, examining lawfulness, purpose limitation, and transparency.

The DPC also engaged proactively with OpenAI ahead of the EU launch of its ChatGPT Agent feature, reviewing its data protection impact assessment (DPIA), requesting a technical demonstration, and securing improvements to user transparency before the product went live in July 2025.

Beyond the technology sector, the DPC's compliance sweep of the retail sector identified the deployment of AI for image processing in store environments and supply chain operations, alongside increased use of body-worn cameras and live CCTV monitoring at self-service checkouts.  At an individual employee level, a notable case study involved an employee in the financial sector who uploaded 32 CVs to a free external AI tool. The organisation had no policies governing the use of such tools.

Practical takeaway: Organisations of all sizes should ensure they have clear AI acceptable use policies and should be prepared to engage transparently with the DPC on novel AI deployments.

International Data Transfers

International data transfers remained a major enforcement priority for the DPC last year. The headline action was the imposition of €530 million in fines on TikTok Technology Limited for infringements of Articles 46(1) and 13(1)(f) of the General Data Protection Regulation (GDPR), arising from transfers of EEA user data to China by way of remote access by ByteDance personnel. The DPC found that TikTok failed to demonstrate that EEA user data was afforded essentially equivalent protection.

TikTok subsequently appealed the DPC’s decision.  In June 2026, the High Court upheld the DPC's infringement findings and its entitlement to impose administrative fines, while leaving over the amount of the fines for further judgment and proposing to remit the question of corrective orders to the DPC.

In April 2025, TikTok informed the DPC that limited EEA user data had in fact been stored on servers in China, contradicting evidence submitted during the original inquiry. The DPC opened a second inquiry in July 2025, involving an on-site inspection at TikTok's offices.

Practical takeaway: The TikTok decision in respect of the first inquiry and the launch of the second inquiry reinforce the DPC's expectations regarding compliance with Chapter V GDPR and candour in regulatory engagement.

Biometric Data

In June 2025, the DPC fined the Department of Social Protection €550,000 and ordered it to cease processing biometric facial templates as part of its Public Services Card "SAFE 2" registration within nine months unless a valid lawful basis can be identified. Separately, Meta proactively engaged with the DPC on its opt-in facial recognition feature to combat "celeb-bait" scam advertising, securing improved transparency on what images are processed and how long facial embeddings are retained.

Practical takeaway: Organisations considering biometric or facial recognition technologies need a clear lawful basis, a thorough DPIA, and transparent communications to data subjects.

Children's Data Protection Rights

Children's data protection rights (Pillar 3 of the DPC's Regulatory Strategy) saw significant momentum in 2025. The DPC and Coimisiún na Meán signed a Cooperation Agreement on children's online safety, the DPC contributed to a European Data Protection Board (EDPB) Statement on age assurance (establishing 10 guiding principles), and a new inquiry was opened into Children's Health Ireland concerning children's health records. The DPC's viral "Pause Before You Post" sharenting campaign, which is the most watched Irish advertisement in five years, generated over 150 million views globally, while an accompanying survey indicated that 55% of Irish parents are concerned about AI deepfakes involving their children's imagery.

Practical takeaway: Organisations operating platforms, apps, or services involving children should expect heightened scrutiny, particularly around age assurance, transparency, and cross-regulatory cooperation between the DPC and Coimisiún na Meán.

Comment

The 2025 Annual Report confirms the DPC's position as one of Europe's most active data protection authorities. For organisations, the clear message is one of proactive compliance: engage early with the regulator on novel technologies, maintain rigorous data transfer mechanisms, and ensure that policies keep pace with AI innovation, children's data rights, and evolving enforcement expectations.

How can McCann FitzGerald LLP help?

For further information or assistance, please reach out to one of the key contacts below, or your usual contact at McCann FitzGerald LLP.

This document has been prepared by McCann FitzGerald LLP for general guidance only and should not be regarded as a substitute for professional advice. Such advice should always be taken before acting on any of the matters discussed.

Key Contacts