Data Protection Commission publishes its 2024 Annual Report and Public Attitudes Survey

2024 marks the fifth full year of the implementation of the General Data Protection Regulation (the “GDPR”), and the entering into force of the European Union’s (the “EU”) Artificial Intelligence Act. One of the defining trends of 2024 was the strategic push to enhance regulatory clarity around data protection responsibilities tied to the development and use of artificial intelligence (“AI”) technologies.

Dr. Des Hogan, Data Protection Commissioner, emphasized that “The DPC’s wide range of activities during the last year points to how fair, consistent regulation can lead to individuals across Europe trusting that their personal data is being used in a lawful and safe manner and that they have control over their data.” This is clearly demonstrated in the statistics highlighted in the Report.

A summarised overview of the Report’s key areas and the Survey is provided below. 

Complaints

In 2024, the DPC managed 11,091 cases from individuals. Of these, 10,510 were concluded, 2,673 advanced to the complaint handling stage, and 2,357 were resolved through the formal complaint process, including 1,367 complaints initially received before 2024.

Regarding the nature of these cases, 65% related to the GDPR. Subject access requests accounted for the largest share (34%), followed by issues concerning fair processing (17%) and the right to erasure (14%).

The DPC, acting as Lead Supervisory Authority, concluded 145 valid cross-border complaints, 82% of which have been received since 2018.

Eight enforcement notices were issued by the DPC in 2024, primarily due to organisations' failure to respond to access requests.

Breaches

Over the course of 2024, the DPC received 7,781 valid breach notifications, showing an 11% increase on the previous year. The Report highlights that 81% of the received notifications have been concluded in the same year.

Of the notifications received, 7,346 were submitted under the GDPR. These originated from the private sector (3,958), the public sector (3,137), and the voluntary and charity sector (251). The most common cause, accounting for 50% of cases, was the misdirection of correspondence to the wrong recipient.

Decisions and Inquiries

In 2024, the DPC imposed over €652 million in administrative fines (a notable decline from the €1.55 billion levied in the previous year). The Report provides comprehensive details of multiple DPC decisions, including a range of investigations that concluded without the imposition of administrative fines.

No fine becomes enforceable until it receives court confirmation. Once confirmed and collected, the money is transferred to Ireland’s central exchequer. In 2024, the DPC collected and remitted €582,500 in fines.

By the end of the 2024, the DPC had 89 statutory inquiries ongoing, including 53 cross-border investigations.

Supervision

The DPC conducted 757 supervision engagements in 2024. The most prominent area of engagement was the multinational technology sector, where a proactive approach has been adopted, involving consultation, engagement, and follow-up with controllers and peer regulators, supporting regulatory consistency across the EU.

The DPC also provided legislative input on 56 proposed measures, including the Child Care (Amendment) Bill 2024, the Automatic Enrolment Retirement Savings System Act 2024, and the Health Information Bill 2024.

The DPC regulatory engagement extended to a range of matters, including:

• offering guidance to local authorities in relation to the deployment of CCTV to combat waste and pollution offences;
• assisting an unnamed County Council with the review of their Data Protection Impact Assessment;
• providing guidance to the Irish Council for Civil Liberties on the use of facial recognition technologies in law enforcement; and
• consulting with An Garda Síochána on their draft code of practice for body-worn cameras under the Garda Síochána (Recording Devices) Act 2023. 

AI 

The deployment of AI models emerged as a key focus in 2024. In response, the DPC undertook a detailed examination of the fundamental issues concerning the processing of personal data during both the training and operational phases of such models. In pursuit of regulatory harmonisation across the EU and European Economic Area, the DPC, together with its fellow Supervisory Authorities, formally referred a set of questions to the European Data Protection Board (the “EDPB”) in September 2024, in accordance with the procedure set out under Article 64(2) of the GDPR. 

The questions posed to the EDPB focused on critical matters of AI, including:

• whether, and under what circumstances, personal data used in AI model training qualifies as personal data under the GDPR; 
• how data subjects can effectively exercise their rights under the GDPR in the context of AI systems; and 
• the appropriateness of relying on legitimate interest under Article 6(1)(f) GDPR as a legal basis for processing.

These questions led to the publication of ‘Opinion 28/2024 on certain data protection aspects related to the processing of personal data in the context of AI models’ in December 2024, available here.

DPC Survey

To accompany the publication of the Report, the DPC released its findings from the Survey which was conducted in May 2025, as part of the mid-point review of the DPC Regulatory Strategy 2022–2027.

The Survey reveals that nearly three-quarters of respondents believe it is important for organisations involved in developing new technologies to comply with data protection requirements, even if this results in delays to implementation. Trust remains a key concern for the public, with two-thirds stating they would trust an organisation significantly less if it misused personal data, and only 4% claiming such misuse would not influence their trust.

Respondents identified several areas of concern:

• 77% were uneasy about how children's data is used online;
• 76% voiced concern about the creation and potential sale or trade of digital profiles; and
• 61% expressed apprehension about the use of AI.

Generational differences were also notable, individuals aged 55 and over reported notably higher levels of concern compared to those aged 18–34.

Just over half of those surveyed believed that data protection laws are effective in ensuring responsible corporate behaviour, although one in five respondents remained unaware of how these laws affect them.

Encouragingly, 70% indicated they trust the DPC to uphold their data protection rights, and among those who had direct interactions with the DPC, half reported a more positive impression as a result.

Conclusion

The Report provides a comprehensive overview of the DPC’s activity in 2024, reflecting its continued commitment to upholding data protection standards in an evolving digital landscape. The DPC has reinforced its role as a lead supervisory authority within the EU through a combination of enforcement actions, legislative engagement, and proactive supervision, particularly in the context of emerging technologies such as AI. The year’s work highlights the importance of regulatory clarity, cross-border cooperation, and the need for consistent interpretation of data protection principles across sectors.

Should your organisation have any questions regarding data protection or wish to raise any concerns, we are happy to provide assistance and guidance.

The Report can be found on the DPC website here.

The Survey can be found on the DPC website here.

Many thanks to Sara Cerise for contributing to this briefing.

For more information, please contact: