Data Protection Commission publishes its 2022 Annual Report

  • Ireland
  • Privacy, data protection and cybersecurity - GDPR

07-03-2023

The Data Protection Commission (“DPC”) has today published its Annual Report for 2022 (the “Report”).

2022 marked the fourth full year of the implementation of the GDPR and saw significant effort by the DPC to ensure compliance with the GDPR across Ireland. The most frequent GDPR queries and complaints received by the DPC related to Access Requests; Fair Processing; Disclosure; Direct Marketing; and the Right to be Forgotten.

Helen Dixon, Commissioner for Data Protection, highlighted that “2022 was a year that saw significant outputs from the DPC in its efforts to drive GDPR compliance and protect the rights of those in Ireland and across the EU.” This is reflected in the statistics highlighted in the Report.

We have summarised below some initial key areas of interest from the Report and we will shortly publish a more substantive overview of the key findings from the Report.

Data Breaches

The total number of breach notifications received by the DPC in 2022 was 5,828, of which 62% related to unauthorised disclosures via post and email. Breach notifications to the DPC were down by 12% on 2021 figures.

Similar to the DPC’s Annual Report for 2021, public sector bodies and banks account for the ‘top 10’ organisations with the highest number of breach notifications, with insurance and telecom companies featuring in the top twenty.

The Report highlights again that breaches related to unauthorised disclosures were predominantly due to poor operational practices and human error. The DPC further highlighted that autofill options on email address bars have given rise to a significant number of breach notifications where emails have been misdirected.

Complaints

The DPC received 2,700 complaints from individuals under the GDPR in 2022. 42% of the complaints received related to access requests. The DPC concluded 3,133 complaints in 2022.

The DPC received 204 complaints related to electronic direct marketing in 2022. 118 complaints related to emails, 52 related to text messages, 28 in relation to cookies, and 6 complaints related to phone calls. Two telecom companies were successfully prosecuted for four separate charges of sending unsolicited marketing communications without consent.

Data Subject Access Request complaints constituted 42% of the top complaints received by the DPC in 2022. Complaints about access to personal data remain the most frequent type of complaint the DPC receives.

Inquiries

As of 31 December 2022, the DPC had 88 statutory inquiries on hand, including 22 large-scale cross-border inquiries. These large-scale inquiries mostly resulted in fines, reprimands and/or orders being made under the GDPR. The DPC received 125 valid cross-border complaints (as Lead Supervisory Authority) in 2022 and concluded 246 cross-border complaints.

Enforcement Action, Imposition of Fines and Corrective Measures

The DPC levied punitive fines in excess of €1 billion, primarily against big technology firms. In November 2022, the DPC had some of its decisions to impose administrative fines, ranging from €1,500 to €17 million, confirmed in the Dublin Circuit Court.

Future priorities

The Report notes that in 2023, we can expect the following developments:

• more decisions from the DPC and judgments from the CJEU;

• increased litigation involving the DPC;

• the beginning of the application of the DSA and DMA; and

• the commencement of the Online Safety and Media Regulation Act in Ireland.

In line with the DPC’s Regulatory Strategy for 2022-2027, the DPC will continue in 2023 to seek to pursue “the issues of greatest consequence for data subjects, drive compliance and most importantly, safeguard individuals’ rights.”

Conclusion

The full Report can be found on the DPC website here.

The Report provides useful and practical guidance for organisations on their obligations under data protection law and maintaining compliance with same. It highlights that while data controllers in Ireland continue to improve their compliance efforts, higher standards of responsiveness to individuals seeking to exercise their rights are still needed in many sectors.

Should your organisation have any data protection queries or wish to discuss any concerns, we are happy to assist and support your organisation through any issues.

Further reading

See our summary of the DPC Annual Report from 2021 here.

For more information, please contact:

Leona Chow, Solicitor, IP, Technology & DP – LeonaChow@eversheds-sutherland.ie