If you have exercised your rights and you believe your rights have been infringed, you can file a formal complaint with a Data Protection Authority (DPA) against a company. DPAs are the national or regional public authorities that supervise the application of data protection laws and have the power to issue fines or other penalties against companies.
We recommend choosing the DPA of the country of:
- Your habitual residence (e.g. if you want to file the complaint in your own language),
- Your place of work (e.g. if you commute to another country for your employment and it is more practical for you to file there),
- The place of the infringement (e.g. if you live in Slovakia and your data is being processed in Spain, you may want to go directly to the Spanish DPA).
The contact details and websites of each DPA can be accessed here.
How do I draft a complaint?
The specific lodging process varies among DPAs; many of them have their own particular online forms or submission portals dedicated to lodging complaints. For more details on the specific lodging process of different DPAs in different countries, click here.
- State that your GDPR rights have been infringed. Confirm that the infringement you are reporting concerns the processing of your data and note that this is a complaint under Article 77 GDPR and the relevant national law.
- Give some information about the context of the complaint, including:
  - The name and contact details of the likely company or processor who committed the infringement, if you have the information. If you do not have the information, provide any information that allows the DPA to determine the likely opponent of your complaint.
  - An easy-to-understand, well-structured summary of the facts.
  - Evidence to prove your claim (screenshots, emails from the company, copy of your data, etc.)
- The specific remedy that would satisfy you (e.g. getting a copy of data, certain information, deletion of data and the like). You can also mention the article of the GDPR that you believe was violated.
DPA’s decision
The DPA should acknowledge receipt of your complaint without delay and is legally required to keep you informed of the progress and outcome of your complaint, including if it is referred to another DPA or requires further investigation.
Some DPAs are subject to a strict deadline to issue a decision under their national law (usually between three and six months, sometimes a year). Unfortunately, many DPAs do not comply with these obligations or there is no obligation under national law.
Even if the national law does not provide for a strict deadline, you should be able to ask a court to force the DPA to act or to enforce your rights.
Legal action against a DPA
You have a right to take legal action against a DPA if they have not dealt with your complaint properly or if you disagree with their decision. The details are very different in each EU Member State. Usually a decision by a DPA also includes general information on how to appeal the decision. If you have further questions in your search for information on appealing administrative decisions in your country, you can contact noyb or ask a local lawyer.
Exercising your rights under the GDPR is simple and an informal email is sufficient in most cases. Still, there are some elements to keep in mind. Click here if you are interested in helpful tips!