Annual Report 2025
Timeline of 2025
-
Data Protection Commission (DPC) signs joint declaration on AI alongside data protection authorities from Australia, Korea, France, and the United Kingdom.
European Data Protection Board (EDPB) statement on age assurance, co-drafted by the DPC, is published.
Read more
-
DPC announces Inquiry into X Internet Unlimited Company (XIUC) on the processing of personal data of EU/European Economic Area (EEA) users for the purposes of generative AI model training.
DPC fines TikTok Technology Limited €530 million and orders corrective measures following Inquiry into transfers of EEA user data to China.
Taoiseach Micheál Martin and Minister for Justice Jim O’Callaghan open new DPC office on Pembroke Row, Dublin.
DPC concludes investigation and issues Final Decision into facial matching technology regarding the Department of Social Protection’s Public Services Card.
Final Decision published following an Inquiry into a personal data breach at the City of Dublin Education and Training Board.
-
DPC announces Inquiry into transfers of personal data to China following TikTok Technology Limited’s discovery of an issue in February 2025 that resulted in some EEA user personal data being stored on servers located in China.
Launch of Adult Safeguarding Toolkit to protect vulnerable adults.
Read moreDPC announces Inquiry into Children’s Health Ireland at Tallaght University Hospital.
DPC is shortlisted for award under the enforcement category at the 2025 Global Privacy Assembly in Seoul, Republic of Korea.
DPC, as part of the Digital Regulators’ Group, launches the Short Guide to Digital Regulation.
Read more
-
DPC and Coimisiún na Meán sign Cooperation Agreement and issue a joint statement on Advancing the safety of children and the protection of their personal data online.
Read more
Niamh Sweeney appointed as a third Commissioner for Data Protection.
DPC launched #pausebeforeyoupost ad campaign about Sharenting which generated over 150 million views globally.
Deirdre O’Donovan is appointed as the DPC’s Director of Legal.
DPC hosts the Kick Start Compliance conference in Croke Park, focusing on data protection in sport.
DPC issues Final Decision following an Inquiry into University of Limerick.
Key Numbers
1 January - 31 December 2025
New cases received
16,160
representing a 45% increase from 2024 (11,091).
Cases concluded
11,734
representing a 12% increase from 2024 (10,510).
Cases concluded through complaint-handling
2,569
representing a 9% increase from 2024 (2,357).
Electronic direct marketing investigations concluded
275
representing a 88% increase from 2024 (146).
Cross-Border complaints concluded
208
representing a 43% increase from 2024 (145).
Breach notifications received
6,521
Half of all notifications arose as a result of correspondence being sent to the wrong recipient.
Calls received
6,654
Large-Scale Inquiries concluded
4
Final Decisions
10
Provisional Decisions
92
Administrative fines imposed
€530,773,000
The largest fine imposed was a €530 million penalty against TikTok Technology Limited regarding the transfer of the personal data of EU/EEA users to China. Since May 2018, the DPC has issued €4.04 billion in fines.
163
Notifications of amicable resolutions
were achieved through the GDPR Article 60 cooperation mechanism, representing a 41% increase from 2024 (115).
New Inquiries
In 2025 the DPC announced the commencement of new inquiries into:
- The physical safety and security of children’s health records at Children’s Health Ireland at Tallaght University Hospital.
- Transfers of EU/EEA personal data by TikTok Technology Limited to China.
- Use of EU/EEA user data for AI model training by XIUC.
Received
1,015
Article 61 GDPR Mutual Assistance Requests from other European regulators.
Participated in over
140
European Data Protection Board (EDPB) meetings.
DPC was represented on
13
EDPB subgroups.
The DPC provided input and observations on over
77
pieces of proposed national legislation.
Binding Corporate Rules
The DPC was the lead reviewing supervisory authority (SA) in relation to 13 Binding Corporate Rules (BCR) applications from eight different companies, and acted as co-reviewer for other SAs on nine BCR applications from six different companies.
Pause Before
You Post
Campaign
The DPC launched a national public awareness campaign called Pause Before You Post which highlighted the risks associated with ‘sharenting’ – i.e. the habitual sharing of children’s personal information, photos, and videos online by parents.
Since its publication, the campaign has reached a wide audience.
The campaign generated over
150 million
views globally.
45 million
views across the DPC’s social channels.
The DPC provided input and observations on over
100
speaking events in 2025, both nationally and internationally.
New Guidance
Several new pieces of guidance were also published by the DPC in 2025, including:
- An Adult Safeguarding Toolkit to support organisations dealing with the personal data of vulnerable adults.
- A Short Guide to Digital Regulation which was created in collaboration with the other members of the Digital Regulators’ Group – Coimisiún na Meán, ComReg and the Competition and Consumer Protection Commission – to clarify common queries in the digital regulation space in Ireland.
- An online resource for schools which supports them in taking a proportionate and compliant approach to personal data processing.
- A series of infographics focusing on data protection in sport.
- Sharenting – Top Tips – an online resource offering practical tips to limit the risks posed when parents share or post data about their children’s lives online.
- The DPC’s handling of Subject Access Requests – guidance for data controllers as to how to appropriately respond to a Subject Access Request made under Article 15 of the GDPR.
