25 June 2025

On 19 June 2025 the Data Protection Commission (“DPC”) released its annual report for 2024. The report sets out the DPC’s regulatory activities and accomplishments over the last year, including the finalisation of 11 inquiry decisions that resulted in administrative fines totalling €652 million, along with multiple reprimands and compliance orders.

Our team summarises the key points and explores the practical implications of the report below.

Key figures and statistics

Data breach notifications

The DPC received 7,781 valid data breach notifications in 2024, an increase of 11% on the number received in 2023.

Of the notifications received, 7,346 were GDPR data breach notifications. Of these, 3,958 related to the private sector, 3,137 to the public sector and the remaining 251 came from the voluntary and charity sector. The largest category of GDPR data breaches notified to the DPC in 2024 was unauthorised disclosure, typically affecting one individual or a small number of individuals. In keeping with the trend of previous years, public sector bodies and banks accounted for the ‘top ten’ organisations with the highest number of breach notifications recorded against them, with insurance and telecom companies featuring prominently in the top twenty, illustrating that data breaches remain a key regulatory issue for such organisations.

81% of data breach notifications received in 2024 were concluded by year end.

Inquiries and related enforcement action

The DPC issued 11 finalised inquiry decisions resulting in administrative fines totalling €652 million, alongside reprimands and orders, including against companies and organisations in the technology, media and higher education sectors. Separately, in 2024 the DPC collected and remitted a total of €582,500 in administrative fines to the central exchequer in Ireland.

In this respect, organisations, including data protection officers (“DPOs”) and management teams, should always be mindful that the DPC may conduct an inquiry of its own volition in respect of infringements of data protection law pursuant to Section 110 of the Data Protection Act 2018 (as amended). Where this occurs, organisations should contact their legal advisers at the earliest available opportunity.

Supervision engagement

The DPC had 757 supervision engagements during 2024. In addition, across all sectors, the DPC held 291 supervision meetings with organisations in 2024. Not surprisingly, the majority of the DPC’s supervision engagements were with the multinational technology sector.

The DPC takes an open and communicative approach to supervision engagements and views such engagements as a method to drive compliance, accountability and awareness. The DPC outlines that such proactive engagement with organisations, as well as with peer regulators, also aims to ensure regulatory consistency across the EU.

Ongoing inquiries

As of 31 December 2024, the DPC had 89 statutory inquiries on hand, including 53 cross-border inquiries. In 2024, the DPC concluded 115 individual cross-border cases through the EU cooperation procedure pursuant to Article 60 GDPR.

Practical insights

The report, together with the Case Studies Booklet published alongside it, provides valuable and practical guidance for organisations. Our team analyses some of the key themes below:

Subject access requests

Data subject access requests (“DSARs”) were the most common reason for contacts by individuals to the DPC in 2024. Concerns relating to consent, personal data disclosure and domestic CCTV highlight the public’s continuing awareness of data protection issues in both personal and organisational contexts.

DSARs also give rise to the largest number of complaints to the DPC annually. The failure of data controllers to reply to individuals within the required timeframe, combined with the application of redactions or exemptions by the data controller, accounts for many of the complaints received by the DPC. The DPC issued 8 enforcement notices in 2024, the majority of these relating to non-response to access requests.

A key lesson from the Case Studies Booklet is that organisations must implement appropriate organisational measures to ensure that they are in a position to respond to any data protection rights request within the timeframes stipulated under the GDPR.

A number of the case studies in the Case Studies Booklet note that the DPC was required to intervene in order to compel a response from an organisation to a DSAR. The DPC advises that organisations should not wait for its intervention but should instead respond promptly to DSARs. Further, the DPC notes that when organisations seek to rely on a restriction to withhold access to personal data, they must thoroughly examine the validity of that restriction to ensure personal data is not incorrectly withheld.

Organisations must also be able to demonstrate to the DPC that they have taken exhaustive steps when replying to a DSAR. The DPC advises that the reason an exemption/redaction is being applied should be clearly explained to an individual. Any exemptions applied should also be documented internally as organisations must always be able to explain to the DPC why they have applied specific exemptions.

Electronic direct marketing

In 2024, the DPC received 198 complaints in relation to electronic direct marketing. 70% of complaints related to unsolicited email communications, 24% to unsolicited SMS text messages, and 6% involved more than one form of electronic direct marketing method, for example both SMS messages and email. 146 electronic direct marketing investigations were concluded in 2024. The DPC issued 49 warning letters to companies on foot of unsolicited marketing communications and prosecuted 8 companies for the sending of unsolicited marketing communications to individuals without consent.

The DPC states that it is critical that, before embarking on electronic marketing campaigns, organisations carry out robust testing and checks with their service providers to ensure that they hold valid and up-to-date consent from the individuals on their marketing lists and that their opt-out mechanisms are fully operational. Each of the companies prosecuted by the DPC in 2024 had received a prior warning to correct inadequate processes and procedures for electronic direct marketing.

The Case Studies Booklet highlights the importance of having robust procedures and organisational measures in place for electronic direct marketing communications. When consent is sought for marketing purposes, it must be individualised, clearly distinguishable and not “bundled” with other requests for consent. Organisations must also ensure that their opt-out procedures work properly and are tested regularly.

Further, it is crucial for organisations to maintain marketing lists in accordance with customer preferences. Whilst organisations often use third party sub-contractors to operate their electronic direct marketing communications, the DPC states that the data controller remains ultimately responsible for the personal data it processes, even when using third party processors. As such, it is for the data controller to ensure that no further communications are sent to a customer once that customer opts out of electronic direct marketing.

Data breaches

The report states that early responses to data breaches can be invaluable in addressing the financial, legal and reputational risks to organisations and can vindicate the rights of data subjects concerned.

The report and the Case Studies Booklet illustrate the importance of having robust technical and organisational measures in place to maintain personal data security and to prevent the occurrence of data breaches.

The report highlights the importance of having comprehensive data breach policies and procedures in place to ensure that the response to a data breach incident is actioned urgently and in a manner appropriate to the risk posed. Data protection law (Article 33 GDPR) requires that a data breach which poses a risk to the rights and freedoms of individuals be notified to the relevant supervisory authority without undue delay and, at the latest, within 72 hours of the controller becoming aware of it; the report makes clear that the DPC will be critical of, and will penalise, organisations that fail to meet this notification obligation. Organisations must also have comprehensive technical measures in place and should provide regular data protection and cybersecurity training for all staff, appropriate to their specific roles and levels of risk.

Miscellaneous

Multiple other issues are also canvassed in the report and the Case Studies Booklet. We provide a snapshot review of some of these issues below:

CCTV

Following DPC guidance on the use of CCTV in areas where there is a heightened expectation of privacy, such as restrooms, there was a considerable reduction in concerns raised by the public about CCTV in such areas. CCTV compliance was a key issue canvassed in the DPC’s Annual Report for 2023.

Children

In respect of children, the report highlights that the DPC’s Regulatory Strategy for 2022-2027 identifies the protection of children and other vulnerable groups as a core priority. The DPC continued to engage with Technology Ireland throughout 2024 on its “European Youth Online Data Protection Code of Conduct”. This Code is intended to focus on those topics within the GDPR deemed particularly important for driving higher standards of protection for children’s personal data online.

Sports

In relation to sports, in February 2024 the DPC issued a questionnaire to numerous sports clubs seeking to assess the current state of data protection compliance. The survey findings revealed that over 40% of respondents reported not having any formal data protection policies in place. Additionally, 39% indicated they collect performance data, but did not understand that this is classified as special category personal data. Other issues highlighted by the questionnaire responses included the absence of retention schedules and insufficient training on data protection responsibilities. The DPC’s next steps will include outreach to governing bodies and sports organisations to assist with the development of tailored guidance for both clubs and members of the public.

Data Protection Officers

The report makes clear that DPOs must be fully supported by their employer and allowed to act independently within the organisation, as the legislation requires. The DPC highlights that active support of the DPO by organisational management includes providing sufficient financial resources, infrastructure and staff as may be required. DPOs must also be given sufficient time to carry out their tasks, in particular where the DPO holds other duties in addition to their data protection responsibilities.

Organisations should be aware that a failure to support the DPO in performing their tasks can constitute a breach of Article 38(2) of the GDPR, which requires the controller and processor to provide the DPO with the resources necessary to carry out the tasks set out in Article 39, and may lead to enforcement action.

What to expect moving forward

Going forward in 2025 and beyond, it is anticipated that children’s data protection rights, data protection compliance in the public sector and SME engagement will remain priorities for the DPC.

We recommend organisations review their privacy frameworks in order to ensure any gaps relating to DPO support, data breach procedures, DSAR response and electronic direct marketing are addressed and remedied.

If you have any queries on the issues referred to above or on any aspect of the work and activities of the Data Protection Commission, please do not hesitate to contact a member of our team below.

Contact the team

Emma Ritchie, Director, Head of Data, Digital and Technology, KPMG Law LLP

Tom Hyland, Director, Consulting, KPMG in Ireland

Shane Carrick, Managing Director, Consulting, KPMG in Ireland

Ronan Finucane, Manager, KPMG Law LLP