GDPR Fines in Ireland: How Much Can the DPC Fine Your Business? (2025)
Ireland is home to the European headquarters of many of the world’s largest technology companies — and the Irish Data Protection Commission (DPC) has become one of the most significant GDPR regulators in the EU. Understanding how GDPR fines work, what triggers DPC investigations, and how to keep your business compliant is essential for any Irish business handling personal data in 2025.
GDPR Fine Tiers
GDPR provides for two tiers of administrative fines:
Lower Tier — Up to €10 million or 2% of total worldwide annual turnover for the preceding financial year, whichever is higher
This tier applies to infringements including:
- Failure to implement appropriate technical and organisational security measures
- Failure to conduct a Data Protection Impact Assessment (DPIA) where required
- Failure to appoint a Data Protection Officer (DPO) where required
- Failure to notify the DPC of a reportable personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it
- Failure to maintain records of processing activities
Upper Tier — Up to €20 million or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher
This tier applies to more serious infringements including:
- Failure to have a lawful basis for processing personal data
- Breaches of the core data protection principles (fairness, transparency, purpose limitation, data minimisation)
- Violations of data subject rights (access, erasure, rectification, portability)
- Unlawful transfer of personal data to third countries
- Failure to obtain valid consent where consent is the lawful basis
Recent DPC Enforcement Actions
The DPC has issued some of the largest GDPR fines globally, predominantly against major technology companies. Notable fines include very substantial penalties against global platforms for unlawful data transfers and consent failures, including the €1.2 billion fine imposed on Meta Platforms Ireland in May 2023 for transfers of EU user data to the United States, the largest GDPR fine to date. However, the DPC also investigates and fines smaller organisations, and Irish SMEs are not immune from enforcement.
What Triggers a DPC Investigation?
DPC investigations can be triggered by:
- A complaint from an individual whose data rights they believe have been violated
- A personal data breach notification (organisations must self-report breaches likely to result in a risk to individuals within 72 hours of becoming aware of them)
- A DPC own-initiative inquiry
- Cross-border cases referred from other EU data protection authorities
How to Reduce Your GDPR Risk
The best protection against GDPR fines is genuine compliance — not just having documentation, but actually following it. Key steps include:
- Have an accurate, up-to-date Privacy Policy that reflects your actual data processing
- Identify and document your lawful basis for each type of processing
- Respond to data subject requests (access requests, erasure requests) without undue delay and in any event within one month; this can be extended by a further two months for complex or numerous requests, but you must tell the individual about the extension within the first month
- Have a personal data breach response plan so you can notify the DPC within 72 hours if required
- Ensure your cookie consent mechanism is GDPR-compliant: no pre-ticked boxes, no dark patterns, rejecting as easy as accepting, and no non-essential cookies set before the user has actually consented
- Have written Data Processing Agreements (Article 28 contracts) with all third-party processors that handle personal data on your behalf
Frequently Asked Questions
Can a small Irish business really be fined under GDPR?
Yes. While the DPC’s most headline-grabbing fines have been against large technology companies, small businesses are not exempt. An individual complaint about how your business handled their data can trigger a DPC investigation regardless of your size.
Do I have to tell the DPC if there is a data breach?
If a personal data breach is likely to result in a risk to individuals’ rights and freedoms, you must notify the DPC without undue delay and, where feasible, within 72 hours of becoming aware of it. If the breach is likely to result in a high risk to individuals, you must also notify the affected individuals directly without undue delay. Breaches that are unlikely to result in a risk need not be reported, but you must still record them internally.
Get your business GDPR-compliant today with our GDPR Privacy Policy service and Website Terms & Conditions. For data protection advice, book a 30-minute consultation today. Also see our GDPR for small businesses guide.
This article is for informational purposes only and does not constitute legal advice.
