Dublin DPIA City-Law Rules for Projects

Technology and Data Leinster 3 Minutes Read · published February 11, 2026 Flag of Leinster

Dublin, Leinster projects that process personal data must follow EU and Irish requirements for Data Protection Impact Assessments (DPIAs). This guide explains when a DPIA is required, the legal bases, who enforces compliance in Dublin, how to apply or report concerns, and typical penalties to expect when municipal projects or contractors fail to assess risks.

When a DPIA is required

A DPIA is required where processing is "likely to result in a high risk" to the rights and freedoms of individuals, for example large-scale collection of special category data, systematic monitoring, or new technologies that profile people. The requirement is set out in EU law and interpreted by Ireland’s supervisory authority. GDPR Art. 35[1]

  • Projects that introduce new CCTV or automatic number-plate recognition at scale.
  • Works deploying biometric access control across multiple sites.
  • Large databases of health or social care records processed for research or planning.
Start a DPIA at project design stage, not after rollout.

How Dublin projects should conduct a DPIA

Follow the practical steps and templates published by the Irish Data Protection Commission (DPC). The DPC guidance sets out the screening questions, risk assessment steps and example mitigation measures to record in a DPIA. DPC DPIA guidance[2]

  • Screen early: document processing purposes and whether a DPIA is needed.
  • Assess risks to individuals and list technical and organisational mitigations.
  • Keep a written DPIA report and review before each major project milestone.
  • Consult the Data Protection Officer (DPO) for Dublin City projects and record advice.
Documenting mitigation measures is the strongest practical defence in enforcement cases.

Penalties & Enforcement

Enforcement of DPIA obligations arises under the GDPR and is carried out by Ireland’s Data Protection Commission. The GDPR sets administrative fines and the DPC issues decisions and penalties for non-compliance. GDPR Art. 83[1]

  • Fines: EU GDPR provides administrative fines up to "20,000,000 EUR, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year" (see GDPR Art. 83).
  • Escalation: the regulation distinguishes more and less serious infringements; specific municipal fine scales are not specified on the Dublin City Council page.
  • Non-monetary sanctions: orders to bring processing into compliance, temporary or definitive limitation including a ban on processing, data rectification or erasure, and court enforcement.
  • Enforcer and complaints: the Data Protection Commission enforces GDPR in Ireland; Dublin City Council’s DPO handles internal council project queries and complaints about council processing.Dublin City Council Data Protection[3]
  • Appeals: DPC decisions can be subject to judicial review; specific time limits for court appeals are not specified on the cited pages.
If a DPIA shows a high residual risk, consult the DPC before starting processing.

Applications & Forms

The DPC publishes DPIA guidance and templates; Dublin City Council maintains contact points for its projects. There is no separate Dublin-specific DPIA application form published on the council page; use the DPC guidance and contact the council DPO for project-specific submission details. DPC DPIA guidance[2]

  • DPIA templates: use the DPC template where available; fee: not specified on the cited page.
  • Submit council project queries to the Dublin City Council DPO via the council’s official contact channels.

Action steps for project teams

  • Step 1: Screen your processing against GDPR Art. 35 criteria at project conception.
  • Step 2: Complete a DPIA template, record risks and mitigations, and retain the DPIA in project records.
  • Step 3: Consult the Dublin City Council DPO for council-run projects and seek DPC advice if high residual risk remains.
  • Step 4: Implement mitigations, monitor results, and update the DPIA when project scope changes.

FAQ

Do all Dublin City projects need a DPIA?
Not all projects; a DPIA is required where processing is likely to result in high risk to individuals, per GDPR Art. 35 and DPC guidance.
Who enforces DPIA compliance in Ireland?
The Data Protection Commission enforces GDPR in Ireland and issues decisions and fines; Dublin City Council enforces its internal policy for council processing.
Where do I get a DPIA template?
The DPC provides guidance and templates; contact your project DPO for council-specific advice.

How-To

  1. Identify whether processing is likely to result in high risk (screening).
  2. Complete a DPIA report documenting purposes, risks and mitigations.
  3. Consult the council DPO and seek DPC guidance for unresolved high risks.
  4. Implement mitigations, update the DPIA and record decisions in project files.
  5. Review the DPIA at each major project change and before public launch.

Key Takeaways

  • Start DPIAs early in Dublin projects to avoid costly enforcement actions.
  • Use DPC guidance and Dublin City Council DPO advice for council-run projects.

Help and Support / Resources

  1. [1] EUR-Lex - Regulation (EU) 2016/679 (GDPR)
  2. [2] Data Protection Commission - Data Protection Impact Assessments (DPIAs)
  3. [3] Dublin City Council - Privacy & Data Protection

Categories

General Governance and Administration Public Safety Public Health and Welfare Land Use and Zoning Housing and Building Standards Transportation Environmental Protection Parks and Public Spaces Business and Consumer Protection Taxation and Finance Labor and Employment Education Civil Rights and Equity Elections and Campaign Finance Events and Special Uses Signs and Advertising Utilities and Infrastructure Technology and Data