Exercise Your Rights – Article 77 – complain to your DPA!
Have you already exercised your rights against a controller? Were you unsatisfied with the response? Did you discover a GDPR infringement another way?
If so, read on to find out how you can exercise your right to lodge a complaint…
Your right to lodge a complaint with a supervisory authority
What is the right to lodge a complaint?
You can complain to a Data Protection Authority (DPA) of your choice about an issue that you believe infringes your GDPR data protection rights. Data protection authorities (DPAs) are the national or regional public authorities who have the power to issue fines or other penalties against companies, organisations and other entities processing data.
Complaining to a DPA does not prevent you from filing complaints to other bodies about the same issue. For example, if you buy broken shoes from a company and the company refuses to refund you and collects excessive amounts of your personal data, you can complain to your DPA about the excessive collecting and to your local consumer rights authority about the refusal to refund.
How do I know if a controller or processor has infringed my rights?
There are two main ways you are likely to discover an infringement.
Sometimes, there is an obvious infringement, such as an airline imposing a mandatory charge on changing your information or a company you have never heard of contacting you via your email address.
Other times, the infringement comes to light when you first exercise one of your other GDPR rights and receive the controller’s response to your request.
Some potential infringements may include:
- A failure to reply within the deadline,
- An incomplete response, eg providing you with information on some, but not all, of your personal data they are processing, or acknowledging your request and giving you no substantial answers,
- Refusing to carry out your request,
- Trying to charge you for the request,
- The response indicates that the controller or processor breached Article 6 GDPR, by processing your data with no legal basis or the incorrect legal basis,
- The response indicates that the controller or processor breached Article 5 GDPR, by failing to process your data transparently, for a sufficiently limited purpose or in a secure and confidential manner, or by failing to keep your data up to date or storing it for a longer time period than necessary,
- A security breach having caused the disclosure of your data.
Should I contact the controller first before filing a complaint?
Yes, you should. In most cases we recommend exercising one of the other rights in this series before complaining to a DPA, as it may give you a clearer idea of how the entity dealing with your data might have infringed your rights. It may also allow your complaint to be processed faster by a DPA. Some DPAs also require that you contact the controller first before filing a complaint.
How to explain my case/write my request to the controller efficiently?
- Contact the controller as soon as possible to raise your concern and address your request (the faster you go, the faster you will get a reaction and an answer to your question. Remember as well that your case might be more difficult to solve if you only share your concern after several years).
- Contact the right person within the organization (ask the organization beforehand where you can send your request. Some controllers have a data protection officer (‘a DPO’): they are the best placed to handle your request).
- Write clearly and explain simply to the person what happened. Be aware that the person reading your complaint might have just joined the organization the day before.
- Be specific and short. Only address the data protection point you want to raise. All other matters (conflicts with the organization, frustration with the after sales department) will not help you to exercise your rights. Keep your energy for later!
- Be complete. Our advice: use bullet points in your request.
- Stay reasonable and polite. Do not make this a personal affair and stay polite with the staff of the organization. They are human beings like you and insulting them will not help you to have your rights enforced faster.
- Ask for a reasonable timeframe. Do not require answers the same day. Let the organization investigate your case and come back to you with the complete information. In case of lack of reply, just send a gentle reminder.
- Include all relevant evidence. Send copies of all the documents you have to support your complaint. Do not send too much information: just what you think is needed to understand and process your concern or request.
- Keep records. Always mention the dates on your correspondence, and keep copies of everything.
If the ‘final’ response of the controller does not resolve your problem, then you can decide to lodge a complaint with a data protection authority.
Where can I lodge a complaint?
If you are not satisfied with the answer (or the lack of answer) from the controller, the GDPR gives you the freedom to choose the EU country in which you file your complaint. However, we recommend choosing the DPA of the country of:
- Your habitual residence (eg if you want to file the complaint in your own language),
- Your place of work (eg if you commute to another country for your employment and it is more practical for you to file there),
- The place of the infringement (eg if you live in Slovakia and your data is being processed in Spain, you may want to go directly to the Spanish DPA).
The DPA where you lodge your complaint will not always be the DPA who investigates and decides on your complaint. The GDPR permits DPAs to transfer complaints to other DPAs in certain circumstances, eg where the processing is taking place in another EU country or if the controller has its main establishment in another country.
How do I lodge a complaint?
Using the guidelines above, decide which DPA to lodge the complaint with. The contact details and websites of each DPA can be accessed here.
The specific lodging process varies among DPAs; many of them have their own particular online forms or submission portals dedicated to lodging complaints. For more details on the specific lodging process of different DPAs in different countries, click here.
The GDPR does not specify a particular process that you must follow in filing a complaint. This allows you to keep track of your complaint and avoid any confusion or errors in dealing with it. Several DPAs have their own templates or online forms to use for lodging complaints; the links to these resources are in step 1.
Regardless of a DPA’s particular submission system, you can use the list below to help you structure the details of your complaint. While the DPA has to investigate your complaint themselves, including the information below will be helpful for giving as much of your input into the investigation as possible.
- State that your rights under the GDPR have been infringed. Confirm that the infringement you are reporting concerns the processing of your data.
- Give some information about the specifics of the complaint, including:
  - The name and contact details of the controller or processor who committed the infringement,
  - A summary of the facts, with evidence if available (screenshots, emails from the controller, copy of your data, etc.),
  - What you think the infringement is (see our list above). You can also mention the article of the GDPR which was violated in your opinion,
  - How you discovered the infringement (eg response to a request, receiving unexpected communications from a source you don’t recognise, notification from the controller, reading the news),
  - How the infringement has negatively affected you (eg financial loss, damage to your reputation, humiliation, release or loss of confidential information without your permission or against your wishes).
The DPA where you lodge the complaint should acknowledge receipt of your complaint without delay.
The DPA is legally required to keep you informed of the progress and outcome of your complaint, including if it is referred to another DPA or requires further investigation. This update should be done every 3 months at the latest.
Some DPAs are subject to a strict deadline to issue a decision (such as the Austrian DPA, the DSB, which is required to issue a decision within 6 months for national cases). Unfortunately, most of the DPAs are not obliged to adopt a decision or even to take action within a specific period.
If you don’t get a decision from the DPA within the legal period determined by the law applicable to the DPA, you have the right to file a case before a court.
Even if the national law does not provide for a strict deadline for the DPA to act, this does not mean that you can do nothing. If you think that the DPA is taking too long to handle your complaint, you should be able to ask a court to force the DPA to act or to enforce your rights.
In any case, if you are unsatisfied with the DPA’s response, you can ask the courts in the country where the DPA is located for redress or compensation.
If you need assistance in filing a complaint or if you feel that the DPA is not dealing properly with your complaint, you can contact us at firstname.lastname@example.org to discuss further steps.