As our digital footprints grow larger with the increased reliance on online services, understanding our rights related to data privacy becomes more essential than ever. A key piece of legislation governing these rights in the European Union is the General Data Protection Regulation (GDPR). Among the many rights established by the GDPR, one is particularly noteworthy – Article 77 or the Right to Lodge a Complaint with a Supervisory Authority, commonly referred to as the Data Protection Authority (DPA).
Art. 77 GDPR: The Right to Lodge a Complaint
Under Art. 77 GDPR, individuals are granted the right to lodge a complaint with a DPA if they believe their personal data has been processed in a way that violates the GDPR. It empowers individuals to take action against organizations that mishandled personal data and ensures that data subjects can enforce their rights.
When Can an Individual Submit a Complaint Under The GDPR?
An individual can submit a complaint whenever they believe their rights under the GDPR have been infringed due to the processing of their personal data. This could include instances where an individual believes their data has been processed without their consent, if the data processed is excessive, or if the data has been stored for longer than necessary. It’s important to note that the complaint should be submitted without undue delay.
Any data subject, i.e., an individual whose personal data is being processed, can submit a complaint under Article 77 of the GDPR if they believe their rights under the GDPR have been infringed upon. It’s not exclusive to European citizens. However, the infringement must be in relation to personal data processing activities that fall within the scope of the GDPR, such as when an organization based outside the EU is processing data of an individual inside the EU.
How to Submit a Complaint Under The GDPR?
The process for submitting a complaint varies slightly between different DPAs but typically involves submitting a written complaint that describes the nature of the alleged GDPR violation. Some DPAs have online forms that individuals can use to lodge their complaints. In general, the complaint should include:
- Full contact details of the individual submitting the complaint.
- The name and contact details of the organization they are complaining about.
- A detailed description of the alleged GDPR violation, including any evidence to support the claim.
- If applicable, any steps that have been taken to resolve the issue directly with the organization.
What Documents Are Needed?
It is important to provide as much relevant information as possible when lodging a complaint. This includes any communications with the organization regarding the issue, evidence of the data processing in question, and any other supporting documents. While not all DPAs require documentation for the initial complaint, having these documents on hand can speed up the investigation process.
Please note that if someone is submitting the complaint on your behalf, you might need to include a power of attorney (POA).
Make sure to keep any reference numbers, documents and dates as your complaint might be forwarded from one DPA to another.
Which Data Protection Authority to Approach?
Complaints should be lodged with the DPA in the EU member state where the individual resides, works, or where the alleged infringement occurred. For instance, if a French citizen believes their data has been misused by a company based in Ireland, they can lodge their complaint with either the French or Irish DPA.
In order to make your life easier, we have prepared a table with the relevant contact details and links of the DPA, according to the relevant jurisdiction:
Country | DPA | Website | File a Complaint | |
Austria | Österreichische Datenschutzbehörde | |||
Belgium | Autorité de la protection des données – Gegevensbeschermingsautoriteit (APD-GBA) | https://www.autoriteprotectiondonnees.be | ||
Bulgaria | Commission for Personal Data Protection | Send via email it must be formatted as an electronic document, signed with a qualified electronic signature (QES) | ||
Croatia | Croatian Personal Data Protection Agency | Send via email | ||
Cyprus | Commissioner for Personal Data Protection | Send via email | ||
Czech Republic | Office for Personal Data Protection | |||
Denmark | Datatilsynet | Form or any other way | ||
EDPS | European Data Protection Supervisor | |||
Estonia | Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) | |||
Finland | Office of the Data Protection Ombudsman | |||
France | Commission Nationale de l’Informatique et des Libertés – CNIL | |||
Germany | Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit | |||
Greece | Hellenic Data Protection Authority | POSSIBLE ONLY FOR CITIZENS! | ||
Hungary | Hungarian National Authority for Data Protection and Freedom of Information | POSSIBLE ONLY FOR CITIZENS! | ||
Ireland | Data Protection Commission | |||
Italy | Garante per la protezione dei dati personali | |||
Latvia | Data State Inspectorate | |||
Lithuania | State Data Protection Inspectorate | |||
Luxembourg | Commission Nationale pour la Protection des Données | |||
Malta | Office of the Information and Data Protection Commissioner | |||
Netherlands | Autoriteit Persoonsgegevens | |||
Poland | Urząd Ochrony Danych Osobowych (Personal Data Protection Office) | |||
Portugal | Comissão Nacional de Proteção de Dados – CNPD | |||
Romania | The National Supervisory Authority for Personal Data Processing | Fill out this form And send it to: | ||
Slovakia | Office for Personal Data Protection of the Slovak Republic | |||
Slovenia | Information Commissioner of the Republic of Slovenia | Download the relevant form here | ||
Spain | Agencia Española de Protección de Datos (AEPD) | |||
Sweden | Integritetsskyddsmyndigheten |
How Long Does the Process Take?
In accordance with GDPR, DPAs must respond within three months to the individual who made the complaint. However, this period may be extended if necessary, based on the number and complexity of complaints received by a DPA. In the event of such an extension, the DPA must inform the individual within three months of receiving the complaint.
In conclusion, the GDPR and Art. 77 provides individuals the possibility to lodge a complaint regarding a misuse of their personal data or failing to protect it. Understanding how to lodge a complaint with the DPA is an important aspect of enforcing these rights.
Summary
Article 77 of the GDPR, focusing on the Right to Lodge a Complaint with a Supervisory Authority, stands out as a significant empowerment tool for individuals. This provision allows any data subject who believes their personal data has been mishandled in violation of GDPR protocols to file a complaint with their national Data Protection Authority (DPA). This process, while varying slightly among different DPAs, generally requires a detailed written complaint, potentially supported by evidence of the alleged violation. Complaints can be lodged in the member state where the complainant lives, works, or where the alleged infringement took place, facilitating a responsive framework for addressing grievances.
In conclusion, the GDPR and Art. 77 provides individuals the possibility to lodge a complaint regarding a misuse of their personal data or failing to protect it. Understanding how to lodge a complaint with the DPA is an important aspect of enforcing these rights.
Noa Kahalon
Noa is a certified CIPM, CIPP/E, and a Fellow of Information Privacy (FIP) from the IAPP. Her background consists of marketing, project management, operations, and law. She is the co-founder and COO of hoggo, an AI-driven Digital Governance platform that allows legal and compliance teams connect, monitor, and automate digital governance across all business workflows.