
The Data Protection Commission’s 2024 Annual Report
On 19 June 2025, the Data Protection Commission (“DPC”) released its 2024 Annual Report. We have summarised the key points from the Report below.
The highlights for the DPC from 2024 include the completion of 11 inquiries resulting in administrative fines totalling over €652 million. Four of these were cross-border inquiries relating to large tech companies.
The DPC received 11,091 complaints in 2024, consistent with the volume of complaints received in 2023. 2024 saw an 11% increase over the previous year in valid breach notifications to the authority.
The DPC provided guidance and observations on over 56 pieces of proposed legislation relating to data processing. Reflecting its ongoing engagement with technology companies concerning the use of personal data to train Large Language Models in the EU/EEA, it sought a statutory opinion from the European Data Protection Board related to the lawful basis for processing personal data to train AI models. New inquiries were commenced into issues concerning AI models, biometrics, and the security of sensitive health data.
Complaints
As in past years, the most common complaints raised to the DPC related to subject access requests, fair processing, and the right to erasure.
Complaints raised to DPC in 2024
34% of complaints raised to the DPC in 2024 related to subject access requests, 14% to the right to erasure, 17% to fair processing matters and 35% related to other issues.

Case Studies
Alongside the 2024 Annual Report, the DPC published a series of case studies, illustrating how various complaints were resolved and providing practical guidance to help organisations strengthen data compliance and mitigate risk. We now consider a number of these case studies and highlight the key learnings for organisations:
General Data Protection
Case Study: Rectification of Personal Data
The complainant received a missing luggage ticket from an airline that incorrectly listed another passenger’s name, despite the ticket correctly identifying the complainant’s luggage. The airline initially declined to issue a corrected ticket, which the complainant sought for insurance purposes. Following DPC intervention, the airline’s Data Protection Officer provided an updated ticket with the correct details.
Key Learning: Organisations should correct inaccurate personal data in a timely manner to avoid service issues escalating into formal complaints to the DPC.
Subject Access Requests (Article 15 GDPR)
Case Study: Withholding of Records Containing Personal Data
An individual complained to the DPC that a financial service provider had withheld personal data in response to an access request, citing an exemption under the Data Protection Act 2018. Following the DPC’s intervention, the organisation released the requested records.
Key Learning: Organisations must respond to access requests in a timely and comprehensive manner. Any reliance on legal exemptions should be carefully assessed by reference to the specific context of the case concerned.
Case Study: Access Request Redactions
An individual complained to the DPC that a former employer, a public health organisation, had excessively redacted records provided in response to an access request, citing the need to protect third-party data rights. Following DPC intervention, the organisation reissued the documents with only partial redactions.
Key Learning: Controllers must carefully balance the right of access with other rights, which can include the rights of third parties to privacy, confidentiality, security and safety. As discussed in our recent briefing, ‘Balancing GDPR data access rights against the rights of others’, redaction of certain information may offer a means to reconcile the competing rights of each party. The redaction should also reflect the rights and freedoms of the parties concerned, in light of the specific circumstances of the matter and the severity of the risks to each party.
Case Study: Data Controller vs Data Processor Obligations
An individual lodged a complaint with the DPC after submitting an access request to an organisation they believed was processing their data. The organisation responded that it was not the controller and, in line with its obligation under Article 28(3)(e) GDPR, forwarded the request to the appropriate controller. Following a review of the data protection agreement, the DPC confirmed that the organisation was acting solely as a processor, operating strictly under the controller’s instructions. The DPC concluded that the organisation had fulfilled its obligations under Articles 15 and 28(3)(e) GDPR.
Key Learning: Under the GDPR, controllers are responsible for responding to access requests. While controllers may outsource processing activities to third parties, they cannot delegate certain responsibilities arising under the GDPR. This case study underscores the importance of having a written, legally binding agreement that clearly defines the roles and responsibilities of both the controller and the processor in relation to the processing being undertaken by the processor.
Right to be Forgotten (Article 17 GDPR)
Case Study: Search Engine Results for an Individual’s Name
An individual submitted a complaint to the DPC after a search engine refused to remove links to articles in its search results that included the complainant’s full name. The complainant argued that the content of the articles was outdated and no longer relevant. The search engine submitted that it was understood that only the links to articles that arise from a search of an individual’s full name can qualify for consideration when requests are made under Article 17 of the GDPR. In other words, the search engine will separate the automatic appearance of those URLs when the individual’s full name is searched for in its results listing but the original articles remain online on the websites that posted them. In this instance the DPC conducted searches using the complainant’s full name and did not find the URLs that the complainant had requested be delisted. The DPC therefore found that the right to be forgotten under Article 17 of the GDPR was not applicable in this instance.
Key Learning: The right to be forgotten is not absolute; it refers only to search engine results and not to the content of the linked pages themselves. There are key factors that must be present for requests for search engine delisting to be valid.
Electronic Direct Marketing
In 2024, the DPC prosecuted eight companies for sending unsolicited marketing communications. The Court directed the companies to make charitable donations totalling €9,725 in lieu of convictions. The figure represents an increase from 2023, when four companies were prosecuted and fined a combined total of €2000.
Case Study: Service Feedback Emails
An individual complained to the DPC that a feedback email received from an airline did not include an unsubscribe option and may have constituted unsolicited marketing. The DPC concluded that the email was intended solely to collect service feedback and did not contain any marketing content. As the email did not meet the criteria for direct marketing, an unsubscribe link was not required.
Key Learning: Correspondence sent solely for informational or feedback purposes does not constitute direct marketing. Non-marketing communications should be clearly framed to avoid confusion and maintain transparency.
Data Breach Notifications
In 2024, the DPC was notified of 7,781 valid data breaches, an increase of 11% on 2023 figures. The majority of these related to GDPR data breaches.
Valid Data Breaches 2024
51% of the valid data breaches related to the private sector, 40% to the public sector, and 3% related to the voluntary and charity sector.

In line with previous years, the majority of breach notifications in 2024 (60%) related to unauthorised disclosures affecting individuals or small groups. Public sector bodies and banks once again accounted for the “top ten organisations” with the highest number of breach notifications.
The DPC continued to receive notifications relating to incidents resulting from poor operational practices and human error such as personal data being disclosed without authorisation, or correspondence being inadvertently misdirected to incorrect recipients.
| Nature of Breach | Total as % |
| --- | --- |
| Unauthorised disclosure – postal material to incorrect recipient | 32% |
| Unauthorised disclosure – email incorrect recipient | 14% |
| Accidental/unauthorised alteration of personal data | 10% |
| Loss or destruction of personal data – accidental | 8% |
| Hacking | 5% |
Case studies in relation to data breaches are considered below along with the key learnings for organisations:
Case Study: Phishing Email Attack in the Broadcasting Sector
A broadcasting organisation notified the DPC of a data breach after an employee fell victim to a phishing email disguised as an internal job vacancy. Unauthorised access to personal data and special category data was detected. The DPC reminded the organisation of its obligations as a controller. In response, the organisation introduced enhanced safeguards, including updated phishing filters, staff training, awareness campaigns, and revised procedures for account reactivation.
Key Learning: Organisations should implement and regularly review technical and organisational measures to protect against data breaches.
Case Study: Personal Data Accidentally Disclosed Online
A third-level institution notified the DPC of a data breach involving the inadvertent publication of non-anonymised personal data from a graduate outcomes survey. To prevent recurrence of this issue, the institution reviewed its internal processes for generating reports and liaised with its internal IT teams to ensure appropriate technological and organisational measures were now in place.
Key Learning: Organisations must ensure that published statistical data does not include personal data unless a clear lawful basis exists for the processing of that data. This can be achieved through anonymisation, aggregation, or redaction.
Case Study: Sharing personal data with third parties without consent
A law firm shared an individual’s letter with third parties without explicit consent. The law firm submitted that as the individual had voluntarily written to it to decline any claim to an estate, the law firm had assumed that it had the individual’s consent to share the letter with third parties for the purposes of disclosing the individual’s now defunct claim on the estate. The DPC found the law firm had not met the GDPR’s standard for valid consent and that sharing of the letter was unnecessary. The DPC reminded the firm of its lawful processing obligations under the GDPR.
Key Learning: Consent must be freely given, informed, specific and an unambiguous indication of the individual’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Decisions and Inquiries
As of 31 December 2024, 89 Statutory Inquiries were open, including 53 Cross-Border Inquiries.
Some of the more notable fines issued following the conclusion of inquiries in 2024 include:
| Inquiry | Decision Issued | Fine Imposed | Corrective Measure Imposed |
| --- | --- | --- | --- |
| Lawfulness, fairness and transparency of processing for the purposes of behavioural analysis and targeted advertising | 22 October 2024 | €310 million | Order to bring processing operations into compliance. Reprimand re: Articles 5(1)(a), 6(1), 13(1)(c) and 14(1)(c) GDPR. |
| Personal data breach – Token breach, data protection by design and default | 12 December 2024 | €240 million | Reprimand re: Article 25 GDPR. |
| Passwords stored in “plaintext” on internal systems | 26 September 2024 | €91 million | Reprimand re: Articles 5(1)(f), 32(1), 33(1), and 33(5) GDPR. |
| Personal data breach – Token breach Article 33 | 12 December 2024 | €11 million | Reprimand re: Article 35 GDPR. |
| Personal data breach | 22 November 2024 | €40,000 | Reprimand re: Articles 5(1)(f), 32(1) and 33(1) GDPR. An order to bring processing into compliance with Article 32(1) GDPR. |
The DPC concluded 145 individual cross-border cases in 2024, with 115 resulting in amicable resolutions. The details of each case can be found in the European Data Protection Board’s Article 60 case register.
Cross-border Inquiries Concluded
The DPC also concluded four inquiries concerning cross-border complaints in 2024. In each of these inquiries no relevant and reasoned objections were received from the concerned supervisory authorities following submission of the DPC’s draft Decision to the co-operation mechanism provided by Article 60 GDPR. We set out the decisions below:
- Airbnb Ireland UC: Lawful processing of personal data for identity verification – An individual claimed Airbnb unlawfully requested their ID to verify an erasure request after discontinuing the Airbnb registration process. Airbnb clarified that they needed the individual’s government issued ID for identity verification purposes. The DPC’s decision of January 2024 found that Airbnb’s reliance on legitimate interest for this processing under Article 6(1)(f) GDPR was invalid. The DPC also determined that requiring an ID for erasure requests did not meet the principle of data minimisation under Article 5(1)(c) GDPR.
- Apple Distribution International Limited: Lawfulness of retaining personal data following an erasure request – The DPC found that Apple failed to ensure transparency by not properly informing users about the legal basis for retaining the hashed value of their email addresses following an erasure request. The DPC ordered Apple to revise its terms to improve transparency under Articles 13(1)(c) and (d) of the GDPR and to implement time limits for periodic review of those terms.
- Apple Distribution International Limited: Access Request for Personal Data held on a locked account – The individual concerned could not provide required security credentials. The DPC held that where an individual cannot verify their identity, the controller is not obliged to grant access under Article 15 GDPR if doing so would breach other GDPR obligations.
- Groupon Ireland Operations Limited – In March 2024, the DPC investigated a complaint from the German Supervisory Authority about Groupon’s handling of a data access and erasure request. Groupon initially required photographic ID for identity verification, which the complainant refused. After revising its ID policy in October 2018, Groupon invited the complainant to resubmit the request, but the complainant remained dissatisfied with data deletion. The DPC found Groupon infringed data minimisation (Article 5(1)(c)) and transparency (Article 12(2)) rules and failed to comply with the access and deletion requests (Articles 15, 17, and 6). The DPC confirmed the personal data was fully deleted and issued a reprimand.
The Annual Report also refers to four cases which commenced or where submissions on a Draft Decision, Preliminary Draft Decision or a Statement of Issues were invited from the relevant parties during 2024. These are:
- MTCH (Tinder service): This own-volition inquiry concerns the rights of data subjects to access their data (Article 15 GDPR) and the right of erasure (Article 17 GDPR);
- Meta Platforms Ireland Limited: This inquiry concerns the lawfulness of the processing of personal data of users of the Facebook service for behavioural analysis and targeted advertising;
- Google: This own-volition inquiry concerns the processing of personal data in connection with the development of Google’s foundational AI model, Pathways Language Model 2; and
- Ryanair: This own-volition inquiry concerns the processing of personal (biometric) data for customer verification purposes.
Litigation
- Ryan v Data Protection Commission: An individual complained to the DPC in 2018 about alleged data protection breaches, particularly relating to real-time bidding systems used by Google. After it had commenced an own-volition inquiry, the DPC was called on by Mr Ryan to separately investigate a complaint in which Mr Ryan called into question the lawfulness of certain other aspects of the same systems. The DPC declined to do so, taking the view that it would be more efficient (and more effective) to complete its own-volition inquiry before considering whether or not to go on to deal with the particular objection raised by Mr Ryan. Mr Ryan brought judicial review proceedings seeking orders compelling the DPC to investigate his complaint. The High Court dismissed the judicial review proceedings, noting that the GDPR affords discretion to supervisory authorities in terms of their approach to the sequencing of investigations. The Court of Appeal found no error in the High Court’s conclusion and held that the DPC’s decision to defer the complaint was proportionate and within the margin of appreciation afforded to supervisory authorities under the GDPR.
- Data Protection Commission v Twitter International Ltd: The DPC brought an urgent application to the High Court under Section 134 of the Data Protection Act 2018, requesting that X be prohibited from processing personal data contained in X posts of EU/EEA users to train its AI tool, “Grok”. This was the first time that the DPC had brought proceedings under Section 134, which allows the DPC to make an application to the High Court for an order requiring a controller to suspend, restrict or prohibit the processing of personal data where the DPC considers it urgent and necessary to protect data subjects’ rights. The Court was satisfied that there was an urgency to the DPC’s application. X agreed to give undertakings to suspend such processing of personal data. The proceedings were struck out when the case came back to the Court based on X’s agreement to permanently adhere to its undertakings.
Looking Forward
- In late 2024, the DPC commenced a mid-point re-evaluation of its Regulatory Strategy 2022-2027 which will conclude in 2025. The re-evaluation will consider the DPC’s first Public Attitudes Survey, which revealed strong concern about the sharing of children’s data online, non-consensual creation of profiles using individuals’ personal data, and the use of personal data without proper consent or understanding.
- With the continuing development and adoption of AI, it is likely that AI and the use of data to train large language models will be a key focus for the DPC in the coming years.
- In 2024, the DPC carried out 757 supervision engagements to support and drive compliance. In 2025, the DPC will continue its compliance efforts across various sectors including charity, healthcare, and public service.
Many thanks to Ursala McDonnell, Sarah McMahon, James Farrell and Hitesh Gupta for their contributions to this article.