A Record-Breaking Year: the Data Protection Commission’s Annual Report 2025

In 2025, the Data Protection Commission (DPC) faced a range of new regulatory challenges, driven largely by developments in the use of artificial intelligence (AI).

Throughout its Report, the DPC provides valuable insights and practical guidance to help organisations achieve and maintain compliance with their data protection obligations.

Key Trends

2025 marked continued and significant growth in the DPC’s workload, with complaints increasing by 45% compared to the previous year.

During 2025, the DPC:

  • Received 16,160 complaints, representing an increase of approximately 5,000 complaints compared to 2024. 3,385 complaints progressed through the complaint-handling process, representing a 27% increase compared to 2024. Overall, the DPC concluded 2,569 complaints in 2025.
  • The top three issues complained about to the DPC were: subject access requests (42%), right to erasure requests (17%) and fair processing complaints (16%).
  • Received 6,521 breach notifications, 50% of which arose because of correspondence being sent to the wrong recipient.
  • Received 163 notifications of amicable resolutions through the GDPR’s cooperation (one-stop-shop) mechanism under Article 60 GDPR.
  • Received 208 cross-border complaints.
  • Issued €530,773,000 in administrative fines, of which €530 million amounted to the largest fine (in this regulatory period) against TikTok Technology Limited (TikTok) regarding the transfer of personal data of EU/EEA users to China.

Access requests retain the top spot for complaints

By the end of 2025, the DPC received a 42% increase in complaints solely relating to the right to access (under Article 15 of the GDPR), making up 1,280 complaints. The Report highlights that the basis for such complaints was alleged non-compliance with the following “underlying issues at their core”:

  • The deterioration in the employer-employee relationship;
  • Disputes involving financial matters; or
  • Poor customer service (rather than a data protection concern).

The Report calls out the DPC’s observed trend that organisations fail to comply with their transparency obligations when responding to access requests. While the DPC acknowledges there have been improvements, challenges remain regarding transparency, as organisations do not identify or explain the rationale for the exemptions relied on to withhold (or redact) personal data relating to the individual requester.

The Report further outlines that organisations must prepare a schedule listing any documents being withheld or redacted, clearly setting out the reasoning for such decisions, as blanket refusals are unlikely to withstand scrutiny. The Report emphasises that organisations should be able to demonstrate a documented balancing exercise before relying upon exemptions, as restrictions must be both necessary and proportionate. Partial disclosure or partially redacted copies may be more appropriate than withholding records in their entirety.

Use of AI in complaints

A notable theme identified in the Report is the growing use of AI by individuals to generate complaints. The DPC observed that while these tools have aided in drafting correspondence, they can also generate inaccurate, overbroad or legally flawed requests, creating difficulties for both the data subjects and organisations. From the DPC’s perspective, the Report highlights that the use of AI in this context added to the volume and complexity of documentation it received in complaint handling.

Controllers should therefore assess requests based on their substance rather than their form and maintain clear processes for seeking clarification where necessary. While AI tools may improve accessibility and facilitate the exercise of data subject rights, organisations should remain alert to requests that may contain inaccuracies, legal misconceptions, or exceed their scope – particularly in the case of access requests under Article 15 of the GDPR.

A marked decrease in reported data breaches and a regulatory focus on documenting unreported breaches

The DPC received 6,521 breach notifications (5,692 of which were GDPR-related personal data breach notifications) in 2025. This figure represents a 16% decrease in the number of breach notifications reported to the DPC.

The Report notes that the reasons for this decrease may include improved GDPR compliance by organisations or organisations determining that incidents do not meet the GDPR reporting threshold. On this issue, the DPC reminds organisations of their obligations to document and record any unreported incidents in line with Article 33(5) of the GDPR. The DPC also outlines that it has commenced an “initiative” to examine organisations’ compliance with Article 33(5) of the GDPR, which will provide insights into breaches that have occurred and were (or were not) reported to the DPC.

The GDPR breaches reported to the DPC consist of:

  • 45% relating to the private sector (notably from banks, insurance and telecom companies);
  • 45% relating to the public sector (notably public sector bodies);
  • 4% relating to the voluntary and charity sector.

Decisions & Reprimands

By the end of 2025, the DPC had 87 statutory inquiries, including 53 cross-border inquiries. Amendments to the DPA permit the DPC to impose reprimands on data controllers and processors as part of its complaint-handling procedure, a power previously reserved for statutory inquiries only.

Final decisions included a fine of €530 million on TikTok for breaches of Article 46(1), which requires transfers of personal data to be subject to appropriate safeguards, and Article 13(1)(f), which sets transparency requirements for such transfers. Of the fifteen final decisions summarised in the Report, the DPC issued reprimands in every case where an infringement was found, except in the TikTok decision. A notable development in the DPC’s enforcement and supervision powers was the issuance of reprimands against controllers for breaches of Articles 12 and 15 of the GDPR in the context of access requests.

Proactive supervision, engagement and outreach

The DPC supervised 1,222 engagements during 2025, of which 80 came from law enforcement, 123 from the health sector, 162 from the public sector, 191 from charities, 127 from the private and financial sectors, 41 from children- and family-related organisations, and, lastly, an impressive 298 from multinational technology companies.

The DPC encourages proactive engagement to prevent potential infringements before they occur. Through engagement, the DPC can provide organisations with recommendations to mitigate potential infringements or remedy existing ones.

In 2025, the DPC dedicated additional resources to sectoral outreach, creating a culture of trust and accountability between organisations and the DPC from the outset. The highlights from the DPC’s outreach included its award-winning “Sharenting: Pause Before You Post” campaign and the publication of its toolkits for Adult Safeguarding, schools, and sports clubs.

Commitment to co-existence between innovation and regulation

Looking ahead, and against the background of 2025’s proposals at EU level for the simplification of digital regulation (including the GDPR), the Report makes it clear that the DPC will uphold the view that “innovation and regulation can and must co-exist in a mutually conductive balance, ensuring the right to data protection while facilitating responsible innovation”.

We expect 2026’s regulatory focus to remain on this co-existence, particularly as the interplay between AI and data protection (in addition to the GDPR and AI Act) continues to grow in complexity, along with the DPC’s uniquely integral role in the global regulatory landscape.

Takeaways and practical considerations

For organisations, here are some key takeaways from the Report:

  • Compliance must be demonstrated by organisations rather than simply asserting it. The DPC provides valuable insights and recommendations in its 2025 Case Studies Booklet, which supplements the Report.
  • Access requests remain the number one risk area for regulatory complaints due to failures to respond, inadequate responses, or poorly documented exemptions. The review of response templates and procedures by organisations can greatly mitigate this risk.
  • The DPC has a new focus on personal data breach reporting and the documentation of risk in accordance with Article 33(5) of the GDPR. Organisations should prepare and be ready to present such documentation to the DPC.
  • Reprimands are increasingly utilised as a corrective measure by the DPC where there is a finding of infringement of the GDPR or the Data Protection Act 2018.

For further guidance, please contact Rachel Hayes, Leo Moore or your usual William Fry contact.

Contributed by Aideen Tansey