In this article we will show you step-by-step how to file a complaint when your data privacy rights have been violated.
- If you believe that your data privacy rights have been violated you have the right to submit a complaint to a data protection authority.
- To do this, you need to determine what the violation was, the identity of the offender, and the applicable laws.
- Then, you need to go to your DPA and submit a complaint and wait for a decision.
Below in this guide we will explain to you step-by-step how to do the above.
You, as an internet user and owner of your own personal data, have the right to submit a complaint to the relevant data protection authority in the case of violation of your personal data rights.
Data protection laws protect your online privacy. However, there are billions of websites and just a handful of enforcement agencies to oversee their compliance.
That’s why online users should take a proactive approach to protecting their own privacy. Relying on the authorities to act may be in vain, given the huge task they are up against.
Moreover, most data protection laws equip internet users with the tools to take on the businesses that do not respect their online privacy. If you want to take advantage of that and protect yourself in the case of a violation, keep reading and you’ll learn how to do it, step by step.
Related guide: The Ultimate Guide to Data Subject Rights Under the GDPR
Determining Relevant Laws & Data Protection Authority
First you need to determine what the actual violation is, whether it is a violation under the relevant data protection laws, and if so, the relevant data protection authority to submit the complaint to.
Determine the Violation
You suspect that someone has violated your data privacy rights. To determine what the violation is, you need to be able to describe what actually happened. For example:
- there has been a data leak,
- your data has been sold to third parties without your consent,
- your data subject request has not been answered,
- your data has been transferred to a third country without a lawful basis,
- your data has been collected without your consent or another legal basis, etc.
Once you know what happened, you need to determine whether there is an applicable law protecting you from the deeds of the online business.
If you are not sure that your rights have been violated, you can investigate it by submitting a data subject request.
If you suspect that your data has been collected and processed without your consent or another legal basis, submit a request to know or a request to object to the processing.
If you fear that your data has been transferred to a country without sufficient data protection standards, a request to know would provide you with the information you need. If the controller does not respond, something may be wrong. Aside from that, not responding to a request is a violation in itself.
Related guide: How to Transfer Data to the US in Compliance with the GDPR
Determine the Applicable Laws
In general, data protection laws apply to the relationship between the user and the business. This means that in every such relationship at least two laws may apply: the law of the place the user is from and the law of the place the business is from.
In practice, if a French internet user interacts online with a UK business, both the French law and the UK law apply, both of which are aligned with the GDPR of the EU.
Source: European Commission
If a California user interacts with a Canadian business from Montreal, the state and the federal laws of both countries apply. Since the US has no federal data privacy law, the California law, the Quebec law, and the Canada federal law will apply.
Source: State of California Department of Justice
If an Indian user interacts with an Indian business, then only Indian law applies. However, at the time of writing there is no comprehensive data protection law in India yet, so it is likely that the user does not enjoy data subject rights as in some other countries.
So, the following two laws are applicable to your relationship with the business that may have violated your rights:
- The data protection law of the country of which you are a citizen or resident, if any, and
- The data protection law of the country where the business is registered, if any.
Determine the Relevant Data Protection Authority
Every data protection law is enforced by a data protection authority.
The ones that are relevant to your case depend on the applicable laws.
In the case of a French user and UK business, the French user can complain to CNIL (the French data protection authority), or the ICO (the UK data protection authority).
In the case of the California user and the Quebec and Canada business, the user can complain to the authorities in Canada. If the CCPA (California Consumer Privacy Act) applies at all, the options for complaint are very limited.
For users outside of California, though, there is virtually no protection in the United States.
The user from India whose privacy has been violated by an Indian business cannot do a lot at the time of writing, since the current law provides insufficient protection of personal data.
Related guide: GDPR Compliance for Businesses: Step-by-Step Ultimate Guide
Take Steps to Remedy the Violation
Now you know that your personal data has been abused or your data subject rights have been violated. It is time to protect yourself.
At this point, there are several options at your disposal:
- Request the data controller to remedy the violation. If you don’t want to bother with lots of back-and-forth communication for a minor violation, you may just send an email to the data controller letting them know that you are aware of the violation and requesting them to improve their behavior.
This may be the right way to go when the violation is minor and there are no significant consequences to you, so that it is not worth bothering with a complaint to the authorities.
For example, if a data controller calls you over the phone to offer you some products without your consent, you can point out that you haven’t given your consent and they should stop calling you. If they act accordingly, you have remedied the violation without significant efforts.
- Submit a data subject request. Sometimes a simple data subject request could protect you.
It won’t remedy what the data controller has done wrongfully in the past, but it can change how they behave with you in the future.
If the GDPR or a similar law applies to you or the business, here’s what requests can do for you:
- Request to object. A request to object will result in the data controller and their processors changing or ceasing the data processing as per your request.
If you object to the processing of your phone number, then the controller cannot use it anymore to call you. If they collected your phone number for a purpose other than calling you (for identity verification, for example), then the calls are still a violation of your data privacy rights. However, the data subject request can help you prevent further processing of the data.
- Request to delete. You can simply ask the controller to delete all the data they have about you. If they don’t have your data, they cannot process it anymore.
- Submit a complaint to the relevant data protection authority. Submitting a complaint is always an option when your rights are violated. You have the right to do so even if you requested the controller to remedy the violation and they have done so.
In fact, you could submit a complaint and, at the same time, submit a request to object or a request to delete to the controller to make them stop the violation, if that’s a viable tool in your specific case.
Source: European Commission
Complaints were designed for internet users (or any other users) to use against businesses that do not comply with data privacy laws and violate their users’ rights. Therefore, feel free to submit one at any time when you can reasonably think that your rights have been violated.
How to Submit a Complaint to the Data Protection Authority?
We assume that at this point you are aware of the violation, you know what the applicable laws are, and you know which data protection authorities (DPAs) are relevant. Now it is time to submit your complaint.
Go to the website of the relevant DPA. The website of every DPA has a section with information for submitting complaints. If not, you can contact them through the contact page, over email, over the phone, or by any other means.
In general, DPAs receive complaints submitted in many different forms and in many different ways.
In most cases, though, you’ll find a way to submit the complaint through their website. You can see an example from the ICO in the UK, and here you can see how CNIL handles complaints in France. Submitting one is as easy as it could get.
If the website of your DPA does not offer a way to submit a complaint online, as the UK ICO and the French CNIL do, then submit a complaint by mail, email, or over the phone. Even if you make a mistake in this phase, in the worst-case scenario someone from the DPA will get back to you and guide you through the right process.
Fill in the complaint. Complaint forms available online will ask you for all the information the DPA needs to investigate the case. You just need to fill in every field to the best of your knowledge and click the SUBMIT button.
If there is no form available, you can write down a complaint without following any particular form guidelines. That could look just like any other complaint you may submit to a government authority. Just make sure that it contains at least the following:
- Your name and contact details
- Details about the violator, and
- Description of the violation.
If the DPA needs any more details, they will follow up with some questions for you.
After submitting the complaint, you need to wait.
Source: GDPR-Info.eu – Art. 77 GDPR
The investigation. When the DPA receives your complaint, they will start with the investigation.
As mentioned above, they may get back to you for further information.
The DPA will investigate the case and will share with you any findings that can be disclosed without hindering the investigation. No one can predict how long it is going to last. Every case has its specifics that determine its complexity and, as a result, the length of the investigation. So, you need to be patient at this phase.
This investigation is not like a police investigation. The people from the DPA are just regular government workers who will have a look at your case and decide upon it. You can expect an experience such as with the tax authorities or consumer protection bodies.
The outcome of the investigation. When the investigation ends, there are multiple possible outcomes:
- The case is dismissed. If the DPA finds that no data privacy rights of yours were at stake, or that they are not the relevant DPA for the case, they will simply dismiss it. You cannot do a lot about it, other than consider complaining to the DPA that is actually competent.
- They find that there are no violations. If the evidence does not prove that the data controller violated the law and your rights, the DPA will not act against the controller. If there is no violation, they are free.
- They find that there is a violation. In such a case, the DPA will issue a fine. The amount of the fine depends on the violation, the gross annual revenue of the controller, and other factors that help the DPA determine the actual penalty.
In the case of mild violations and if the law allows so, the DPA may issue a warning, a cease and desist, or another measure to remedy the effects of the violation. These measures are rare, though. In most cases, violators will be fined.
Related: List of GDPR fines
Summing It Up
To sum it up, if you think that your data privacy rights have been violated, you can complain to the relevant data protection authority.
First, you need to determine what the violation is, who is the violator, and what laws are applicable in your case.
Then you should go to the DPA, submit the complaint, cooperate, and wait for the decision. In the meantime, you can communicate directly to the violator to remedy the violation. They may cooperate, after all.
Throughout the whole process it is very important to remember that it is up to you to take action to protect your data privacy rights. Do not wait for the authorities to make every business comply with the laws. That is never going to happen.
Even the most proactive DPAs in the world do not have the resources to act against every single non-compliant business.
But, you are equipped with the opportunities to act. And you should act whenever you find your data privacy rights violated.
How do I file a GDPR complaint?
First, you need to determine the violation, the offender and the applicable laws. Then you need to go to the website of the relevant Data Protection Authority (DPA) and submit a complaint. Most commonly there should be an online form to fill out. If not, you can call the DPA and they will explain to you step-by-step how to submit a complaint.
Where do I report a data privacy violation?
You can report a data privacy violation to the Data Protection Authority of your country of residence and/or of the country where the offending party is located. Most commonly, national Data Protection Authorities provide an online form on their website for submitting complaints.
Can I sue for a data protection breach?
In most jurisdictions you have the right to sue and claim compensation from an organization or business if you have suffered damages as a consequence of them violating applicable data protection laws.