GDPR DSAR Fines in Ireland: What Businesses Need to Know in 2026

DSARs Are the DPC’s Top Complaint Category

Data Subject Access Requests are the single largest source of complaints to the Irish Data Protection Commission. According to the DPC’s 2024 Annual Report, 34% of all complaints received relate to access requests — more than any other category.

In 2024, the DPC issued eight enforcement notices, the majority addressing organisations that failed to respond to DSARs at all.

Why the focus? The DPC has made clear that the right of access under GDPR Article 15 is fundamental, and organisations that fail to respond — or respond inadequately — will face enforcement action.

How the DPC Enforces DSAR Compliance

The DPC uses a graduated enforcement approach:

1. Complaints handling — Individuals file a complaint when an organisation fails to respond or responds inadequately
2. Amicable resolution — The DPC contacts the organisation and seeks voluntary compliance
3. Enforcement notices — Legally binding orders requiring the organisation to comply
4. Administrative fines — Financial penalties for serious or repeated violations

Under GDPR Article 83, fines can reach up to €20 million or 4% of global annual turnover (whichever is higher). While the DPC’s largest fines have targeted multinational tech companies, enforcement notices and reprimands regularly affect smaller organisations.

Common Violations That Trigger Enforcement

1. Missing the 30-Day Deadline

GDPR Article 12(3) requires responses within one calendar month. Extensions of up to two additional months are possible for complex requests, but you must notify the data subject within the original 30 days and explain why.

The DPC has specifically noted that many enforcement actions stem from organisations simply not responding to DSARs within the required timeframe.

2. Incomplete Responses

Providing partial data or omitting certain systems is a violation. Data subjects are entitled to all personal data you hold about them, across all systems.

The DPC has warned that organisations must search all relevant systems — including email, CRM, HR platforms, and shared drives — not just the most obvious ones.

3. Inadequate Explanation of Redactions

When you apply redactions or exemptions to a DSAR response, you must clearly explain to the individual why each exemption is being applied. The DPC has stated it is not sufficient to merely list the exemptions — the reasoning must be documented and communicated.

4. Not Redacting Third-Party Data

When responding to a DSAR, you must protect other individuals’ personal data through proper redaction. Sharing one person’s data in another person’s response constitutes a data breach.

How to Protect Your Business

Implement a Systematic Process

Ad-hoc handling of DSARs leads to mistakes. You need:

• A clear intake process (ideally a dedicated portal)
• Deadline tracking with automated reminders
• A checklist of all systems where personal data might exist
• Quality review before sending responses

Use Technology to Scale

Manual DSAR processing becomes unsustainable as request volumes grow. Modern tools can:

• Automatically detect personal data across documents
• Redact third-party information using AI
• Maintain immutable audit logs for regulatory evidence
• Track deadlines and team assignments

Train Your Team

Everyone who might receive a DSAR needs to know:

• How to recognise a DSAR (they don’t need to use specific words)
• Where to forward requests immediately
• The 30-day clock starts when the request is received, not when it’s read

The Bottom Line

DSARs account for more DPC complaints than any other issue, and enforcement action is increasing. The cost of a proper DSAR management system is a fraction of a single enforcement action — not to mention the reputational damage of a public finding against your organisation.

Sources: DPC Annual Report 2024, KPMG Law — DPC Annual Report Analysis, IAPP — Key Takeaways from Ireland’s DPC Annual Report

Related guides:

• Received a GDPR Data Access Request? — What you must do in 30 days
• What Happens If You Ignore a DSAR? — Consequences explained
• GDPR DSAR Response Checklist — Step-by-step checklist

Need help managing DSARs? SAR Portal provides AI-powered DSAR automation with deadline tracking, automatic redaction, and audit trails that satisfy regulators. Start your free trial.