When the Regulator Knocks: What Irish Case Studies Tell Us About the Powers of the DPC
Most organisations only really “meet” the Data Protection Commission (DPC) through headlines about fines. But the case studies behind those headlines tell a more useful story: the DPC’s powers are wide, layered, and often exercised long before a fine is even considered. Used well, those stories are a roadmap for what the DPC can do – and how to stay off its enforcement radar.
The DPC: more than a fining machine
Under the GDPR and the Data Protection Act 2018, the DPC is Ireland’s independent supervisory authority for data protection. It investigates complaints, opens its own inquiries, audits organisations, issues guidance, and, where needed, takes corrective and punitive action.
The key point the case studies show: fines are the end of a process that usually starts with complaints, questions and cooperation – not the beginning.
From complaint to corrective order: a typical journey
In many published cases, the DPC’s involvement begins with a seemingly small complaint:
a subject access request that was ignored or mishandled
CCTV footage retained too long or used for the wrong purpose
direct marketing sent without a proper lawful basis or opt‑out
The DPC’s first use of its powers is often information‑gathering – requesting policies, logs, correspondence and technical details. If the organisation responds clearly and can evidence what it does, the outcome may be guidance, a requirement to change a practice, or a formal reprimand.
The case studies become more interesting when gaps are obvious: no proper lawful basis, no rights procedures, inaccurate privacy information, or systemic issues repeated over time. At that point, the DPC starts to use stronger corrective powers:
orders to bring processing into compliance
directions to delete or rectify data
restrictions or temporary bans on processing in particular ways
When things escalate: fines and high‑profile inquiries
High‑profile cases – particularly those involving large tech and digital services operating from Ireland – show the DPC using its full enforcement toolkit. In those inquiries, the Commission has:
required major changes to product design and default settings
limited the use of certain legal bases for large‑scale processing
ordered changes to international transfer arrangements
imposed multi‑million‑euro administrative fines
Two themes stand out in those decisions:
Accountability and documentation – organisations that could not show clear decision‑making, risk assessment and records of processing were in a significantly weaker position.
Impact on individuals – where the DPC found that people’s rights and freedoms were exposed to significant risk, corrective measures and sanctions were correspondingly more severe.
Even if an SME will never see those kinds of figures, the principles scale down directly: the DPC expects organisations of all sizes to understand their processing, document their decisions and take risk seriously.
The DPC’s softer powers: guidance, engagement and reputation
Not every case ends with a sanction. Many case summaries and thematic reports highlight the DPC’s use of “soft” powers:
publishing guidance on recurring problem areas (CCTV, DSARs, children’s data, cookies)
issuing opinions and recommendations to sectors or specific controllers
sharing anonymised case studies that show what went wrong and how it was fixed
From an organisational perspective, this is still a form of power. A public finding or case study that effectively describes “an organisation very like yours” can change expectations overnight. Even without a fine, the reputational impact and the cost of remediation can be significant.
What the case studies mean for Irish organisations
Taken together, recent Irish case studies suggest a few practical lessons about the DPC’s powers and how they are used in practice:
The DPC expects evidence, not just policies. When an issue arises, the Commission asks: “Show us how this works in reality.” Organisations that cannot produce records, logs, DPIAs or clear governance materials give up a lot of ground immediately.
Small issues can expose big weaknesses. A single mishandled subject access request or CCTV complaint can lead the DPC to discover that rights procedures, retention practices or security controls are fundamentally flawed.
Engagement style matters. Where organisations cooperate, answer questions fully and move quickly to remediate, outcomes in the case studies are often lighter: warnings, reprimands or targeted corrective measures. Where responses are slow, incomplete or defensive, the Commission tends to use stronger enforcement tools.
Sector doesn’t guarantee safety. Public bodies, charities, schools, SMEs and multinationals all appear in DPC case summaries. The regulator’s powers apply across the board; the difference is in scale and context, not principle.
Turning enforcement lessons into a practical to‑do list
If these case studies are read as “what the DPC could do to us”, they can feel intimidating. Read as practical guidance, they become a useful de facto checklist for strengthening your position before anything goes wrong. For most Irish organisations, that means:
Making sure there is clear senior ownership of data protection, rather than treating it as just an “IT issue”.
Maintaining a real Record of Processing Activities and keeping it aligned with how the business actually operates.
Getting subject access and other rights procedures working end‑to‑end, with staff able to recognise and escalate requests.
Tightening processor contracts, international transfers and security controls so they stand up to scrutiny.
Ensuring breach response is tested, logged and capable of meeting regulatory timelines.
The DPC’s powers are broad, but the case studies show something reassuring: organisations that take accountability seriously, document their decisions and engage constructively usually have far more room to fix problems than those that treat data protection as paperwork.