{{Short description|Irish independent national authority tasked with enforcing EU privacy protections}} {{more citations needed|date=February 2018}} {{Use dmy dates|date=September 2016}} {{Use Hiberno-English|date=December 2023}} {{Infobox official post | formation = 1989 | status = Independent Regulator | constituting_instrument = | post = Data Protection Commissioner | incumbent = [[Helen Dixon]] | budget = | department = Office of the Data Protection Commissioner | website = }}

The Office of the '''Data Protection Commissioner''' ({{langx|ga|An Coimisinéir Cosanta Sonraí}}) (DPC), also known as '''Data Protection Commission''',<ref>{{Cite web|title=Who we are|url=https://www.dataprotection.ie/who-we-are|access-date=2021-05-03|website=Data Protection Commission}}</ref> is the independent national authority responsible for upholding the [[European Union|EU]] fundamental right of individuals to [[data privacy]] through the enforcement and monitoring of compliance with [[Information privacy|data protection]] legislation in [[Ireland]]. It was established in 1989.

== Role and operations == The independent role and powers of the Data Protection Commissioner are as set out in legislation in the Data Protection Acts 1988 and 2003. These Acts transpose the [[Council of Europe]] 1981 [[Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data|Data Protection Convention]] (Convention 108)<ref>{{Cite web|title=Modernisation of the Data Protection "Convention 108"|url=https://www.coe.int/en/web/portal/28-january-data-protection-day-factsheet|access-date=2021-12-09|website=Council of Europe|language=en-GB}}</ref> and the 1995 [[Data Protection Directive|EU Data Protection Directive]] (Directive 95/46/EC). However, the latter was then replaced by the EU [[General Data Protection Regulation]] (GDPR), which is directly applicable upon Members States such as Ireland.

=== Investigation of complaints === Complaints received from individuals who feel that their [[Personal data|personal information]] is not being treated in accordance with the data protection law are investigated under section 10 of the Data Protection Acts. It is the statutory obligation of the Office to seek to amicably resolve complaints in the first instance. Where an amicable resolution cannot be achieved, the Commissioner may make a decision on whether, in her opinion, there has been a breach of the law. If the complainant or the data controller disagrees with the Commissioner's finding, they have the right to appeal the decision to the [[Circuit Court (Ireland)|Circuit Court]]. The DPC's main priority, if a complaint is upheld, is that the data controller complies with the law and puts right the matter concerned. If an organization does not voluntarily cooperate with an investigation, the DPC has powers of compulsion to require such cooperation.

In 2015, the Office received 932 complaints that were opened for investigation.<ref name=":0">{{Cite web|url=https://www.dataprotection.ie/docs/21-06-2016-Commissioner-publishes-Annual-Report-2015/1576.htm|archive-url=https://web.archive.org/web/20161107050020/https://www.dataprotection.ie/docs/21-06-2016-Commissioner-publishes-Annual-Report-2015/1576.htm | archive-date=7 November 2016 | title=Data Protection Commissioner publishes Annual Report 2015|last=Dixon|first=Helen|date=21 June 2016|publisher=Data Protection Commissioner|location=Ireland|access-date=5 July 2019}}</ref> Investigations into 1,015 complaints were concluded.

In 2018, [[Martin Meany]], editor of Goosed.ie, filed a complaint to the DPC against the Diocese of Ossory stating he wished for his baptismal records to be deleted.<ref>{{Cite news |title=Catholic Church records may be inspected over GDPR concerns |url=https://www.irishtimes.com/business/catholic-church-records-may-be-inspected-over-gdpr-concerns-1.4178767 |access-date=2022-10-10 |newspaper=The Irish Times |language=en}}</ref><ref>{{Cite web |last=Martin |first=Meany |date=2020-08-10 |title=Can You Leave the Catholic Church Using GDPR? |url=https://goosed.ie/news/leaving-catholic-church-using-gdpr/ |access-date=2022-10-10 |website=goosed.ie |language=en-GB}}</ref> The complaint started a subsequent "own volition enquiry" by the DPC into "whether the church's holding of personal data on baptisms and other Catholic sacraments that individuals may have taken falls under the EU's data protection law, the General Data Protection Regulation".<ref>{{Cite news |title=Catholic Church records may be inspected over GDPR concerns |url=https://www.irishtimes.com/business/catholic-church-records-may-be-inspected-over-gdpr-concerns-1.4178767 |access-date=2022-10-10 |newspaper=The Irish Times |language=en}}</ref>

In 2022, Meany launched High Court [[Judicial review|Judicial Review]] proceedings against the DPC. He claims the DPC has failed to complete an investigation into his complaint against the Catholic Church.<ref>{{Cite news |date=2022-10-17 |title=Man takes court challenge over retention of church data |url=https://www.rte.ie/news/courts/2022/1017/1329752-courts-data/ |website=[[RTÉ News]] |language=en}}</ref><ref>{{Cite news |title=Man claims DPC failed to complete investigation into church's refusal to destroy records |url=https://www.irishtimes.com/crime-law/courts/2022/10/17/man-claims-dpc-failed-to-complete-investigation-into-churchs-refusal-to-destroy-records/ |access-date=2022-10-29 |newspaper=The Irish Times |language=en}}</ref>

In 2021, [[NOYB]] (None Of Your Business), an Austrian NGO founded by [[Max Schrems]], filed a complaint against the DPC for corruption under Austrian law after the DPC demanded that the group sign a [[non-disclosure agreement]] in order to continue with their long-running complaint against [[Facebook]]. NOYB argued that the DPC could not demand favourable media coverage as the price of using its services.<ref>{{Cite web|title=Facebook's lead EU privacy watchdog accused of corruption|url=https://techcrunch.com/2021/11/22/facebooks-lead-eu-privacy-supervisor-hit-with-corruption-complaint/|access-date=2022-01-03|website=TechCrunch|date=23 November 2021 |language=en-US}}</ref><ref>{{Cite web|title=Irish DPC removes noyb from GDPR procedure - Criminal report filed|url=https://noyb.eu/en/irish-dpc-removes-noyb-gdpr-procedure-criminal-report-filed|access-date=2022-01-03|website=noyb.eu|language=en}}</ref><ref>{{Cite web|title=First noyb "Advent Reading" from Facebook/DPC Documents|url=https://noyb.eu/en/first-noyb-advent-reading-facebookdpc-documents|access-date=2022-01-03|website=noyb.eu|language=en}}</ref>

In January 2023, DPC was forced to increase the fine issued to [[Meta Platforms]] after a review by [[European Data Protection Board]] found that the initial fine was insufficient.<ref>{{cite news |last1=Curran |first1=Ian |last2=Scally |first2=Derek |title=Data Protection Commission increases Meta fines to €390m after European ruling |url=https://www.irishtimes.com/business/2023/01/04/data-protection-commission-increases-meta-fines-after-european-ruling/ |newspaper=The Irish Times |access-date=27 January 2023 |language=en}}</ref> European Data Protection Board determined that DPC has failed to perform its enforcement responsibility with "due diligence". The critics have pointed out that 7 out of 8 decisions handed down by European Data Protection Board were against the Irish DPC, and that the DPC "always choose the most tortuous, lengthy and expensive legal route to a decision rather than a simple application of EU law".<ref>{{cite news |last1=Scally |first1=Derek |title=Ireland's data commissioner out of step with European peers |url=https://www.irishtimes.com/opinion/2023/01/23/irelands-data-commissioner-out-of-step-with-european-peers/ |newspaper=The Irish Times |access-date=27 January 2023 |archive-url=https://archive.today/20230123014444/https://www.irishtimes.com/opinion/2023/01/23/irelands-data-commissioner-out-of-step-with-european-peers/ |archive-date=23 January 2023 |language=en |quote=Overruling a national regulator requires a two-thirds majority. In the recent Meta cases, of the 30 member states in the EDPB, four abstained from voting, according to sources, while all others backed the EDPB position. No one sided with the Irish regulator.<br>Critics disagree, linking the interventions to how the Irish regulator – faced with a choice – will always choose the most tortuous, lengthy and expensive legal route to a decision rather than a simple application of EU law.}}</ref>

{{Main|Grok sexual deepfake scandal}} In February 2026 the DPC opened an investigation into the Grok deepfake scandal under section 110 of the Data Protection Act 2018 as well as determining whether X violated the [[General Data Protection Regulation]], including articles 5, 6, 25 and 35.<ref>{{Cite news |title=Ireland joins regulator smackdown after X's Grok AI accused of undressing people |last=Jones |first=Connor |date=2026-02-17 |url=https://www.theregister.com/2026/02/17/ireland_dpc_x_grok_probe/ |access-date=2026-02-23 |work=[[The Register]]}}</ref>

=== Audits === Section 10 (1A) of the Acts provides that "the Commissioner may carry out or cause to be carried out such investigations as he or she considers appropriate in order to ensure compliance with the provisions of this Act and to identify any contravention thereof." These investigations often take the form of audits of selected organizations. The aim of an audit is to identify any issues of concern about the way the organization under scrutiny manages personal data.{{citation needed|date=July 2019}}

In 2015, the DPC carried out 51 audits and inspections of organizations in the public and private sectors.<ref name=":0" />

== Enforcement ==

=== Offences under the Electronic Communications Regulations === All breaches of the [[Privacy and Electronic Communications (EC Directive) Regulations 2003]] for which the Office of the Data Protection Commissioner has responsibility are offences. The offences relate primarily to the sending of unsolicited [[marketing communications]] by electronic means. The offences are punishable by fines – up to €5,000 for each unsolicited message on summary conviction and up to €250,000 on conviction on indictment. The Office of the Data Protection Commissioner may bring summary proceedings for an offence under the Regulations.{{citation needed|date=July 2019}}

Enforcement responsibility is shared with the [[Commission for Communications Regulation]] (ComReg).{{citation needed|date=July 2019}}

==References== {{Reflist}}

{{Privacy}} {{Portal bar|Ireland|Law}}

{{authority control}}

[[Category:Government agencies of the Republic of Ireland]] [[Category:Data protection authorities]] [[Category:Department of Justice, Home Affairs and Migration]]