In this article we will show you step-by-step how to file a complaint when your data privacy rights have been violated.
Quick Summary
- If you believe that your data privacy rights have been violated you have the right to submit a complaint to a data protection authority.
- To do this, you need to determine what the violation was, the identity of the offender, and the applicable laws.
- Then, you need to go to your DPA and submit a complaint and wait for a decision.
Below in this guide we will explain to you step-by-step how to do the above.
You, as an internet user and owner of your own personal data, have the right to submit a complaint to the relevant data protection authority in the case of violation of your personal data rights.
Data protection laws protect your online privacy. However, there are billions of websites and just a handful of enforcement agencies to oversee their compliance.
That’s why online users should take a proactive approach to protecting their own privacy. Relying on the authorities to act may be in vain, given the huge task they face.
Moreover, most data protection laws equip internet users with the tools to take on the businesses that do not respect their online privacy. If you want to take advantage of that and protect yourself in the case of a violation, keep reading and you’ll learn how to do it, step by step.
Related guide: The Ultimate Guide to Data Subject Rights Under the GDPR
Related guide: GDPR Fines
First you need to determine what the actual violation is, whether it is a violation under the relevant data protection laws, and if so, the relevant data protection authority to submit the complaint to.
You assume that someone has violated your data privacy rights. You need to be able to describe what actually happened to determine what the violation is.
For example:
Once you know what happened, you need to determine whether there is an applicable law protecting you from the deeds of the online business.
Related guide: How to Understand the Privacy Practices of an Online Business Based on Their Privacy Policy
If you are not sure that your rights have been violated, you can investigate it by submitting a data subject request.
If you suspect that your data has been collected and processed without your consent or another legal basis, submit a request to know or a request to object to the processing.
If you fear that your data has been transferred to a country without sufficient data protection standards, a request to know would provide you with the information you need. If the controller does not respond, then something may be wrong. Aside from that, not responding to a request is a violation in itself.
Related guide: How to Transfer Data to the US in Compliance with the GDPR
In general, data protection laws apply to the relationship between the user and the business. This means that in every relationship at least two laws apply – the one where the user is from and one where the business is from.
In practice, if a French internet user interacts online with a UK business, both the French law and the UK law apply, both of which are aligned with the GDPR of the EU.
Source: European Commission
If a California user interacts with a Canadian business from Montreal, the state and the federal laws of both countries apply. Since the US has no federal data privacy law, the California law, the Quebec law, and the Canada federal law will apply.
Source: State of California Department of Justice
If an Indian user interacts with an Indian business, then only the Indian law applies. However, at the moment of writing there is no comprehensive data protection law in India yet, so it is likely that the user does not enjoy data subject rights as in some other countries.
So, the following two laws are applicable to your relationship with the business that may have violated your rights:
Every data protection law is enforced by a data protection authority.
The ones that are relevant to your case depend on the applicable laws.
In the case of a French user and UK business, the French user can complain to CNIL (the French data protection authority), or the ICO (the UK data protection authority).
In the case of the California user and Quebec and Canada businesses, the user can complain to the authorities in Canada. If the CCPA (California Consumer Protection Act) applies at all, the options for complaint are very limited.
For users outside of California, though, there is virtually no protection in the United States.
The user from India whose privacy has been violated by an Indian business cannot do a lot as of the moment of writing, since the current law provides insufficient protection of the personal data.
Related guide: GDPR Compliance for Businesses: Step-by-Step Ultimate Guide
Now you know that your personal data has been abused or your data subject rights have been violated. Then, it is time to get yourself protected.
At this point, there are several options at your disposal:
This may be the right way to go when the violation is minor and has no significant consequences for you, so that submitting complaints to authorities is not worth the bother.
For example, if a data controller calls you over the phone to offer you some products without your consent, you can point out that you haven’t given your consent and they should stop calling you. If they act accordingly, you have remedied the violation without significant efforts.
It won’t remedy what the data controller has done wrongfully in the past, but it can change how they behave with you in the future.
If the GDPR or a similar law applies to you or the business, here’s what requests can do for you:
In fact, you could submit a complaint and, at the same time, submit a request to object or a request to delete to the controller to make them cease the violation, if that’s a viable tool in your specific case.
Source: European Commission
Complaints were prescribed for internet users (or any other users) to use against businesses that do not comply with data privacy laws and violate their users’ rights. Therefore, feel free to submit one whenever you reasonably believe that your rights have been violated.
We assume that at this point you are aware of the violation, you know what the applicable laws are and what the relevant data protection authorities (DPA) are. Now it is time to submit your complaint.
Go to the website of the relevant DPA. The website of every DPA has a section with information for submitting complaints. If not, you can contact them through the contact page, over email, over the phone, or by any other means.
In general, DPAs receive complaints submitted in many different forms and in many different ways.
In most cases, though, you’ll find a way to submit the complaint through their website. You can see an example of the ICO of the UK, and here you can see how CNIL handles complaints in France. Submitting one is as easy as it could get.
If the website of your DPA does not provide an opportunity to submit a complaint as in the case with the UK ICO and the French CNIL, then submit a complaint by mail, email, or over the phone. Even if you make some mistake in this phase, in the worst case scenario someone from the DPA will get back to you and guide you through the right process.
Fill in the complaint. Complaint forms available online will ask you for all the information the DPA needs to investigate the case. You just need to fill in every field to the best of your knowledge and click the SUBMIT button.
If there is no form available, you can write down a complaint without following any particular form guidelines. That could look just like any other complaint you may submit to a government authority. Just make sure that it contains at least the following:
If the DPA needs any more details, they will follow up with some questions for you.
After submitting the complaint, you need to wait.
Source: GDPR-Info.eu – Art. 77 GDPR
The investigation. When the DPA receives your complaint, they will start with the investigation.
As mentioned above, they may get back to you for further information.
The DPA will investigate the case and will communicate to you any findings that can be shared without hindering the investigation. No one can predict how long it is going to last. Every case has its specifics that determine its complexity and, as a result, the length of the investigation. So, you need to be patient at this phase.
This investigation is not like a police investigation. The people from the DPA are just regular government workers who will have a look at your case and decide upon it. You can expect an experience such as with the tax authorities or consumer protection bodies.
The outcome of the investigation. When the investigation ends, there are multiple possible outcomes:
In the case of mild violations and if the law allows so, the DPA may issue a warning, a cease and desist, or another measure to remedy the effects of the violation. These measures are rare, though. In most cases, violators will be fined.
Related: List of GDPR fines
To sum it up, if you think that your data privacy rights have been violated, you can complain to the relevant data protection authority.
First, you need to determine what the violation is, who the violator is, and what laws are applicable in your case.
Then you should go to the DPA, submit the complaint, cooperate, and wait for the decision. In the meantime, you can communicate directly with the violator to remedy the violation. They may cooperate, after all.
In the whole process it is very important to remember that it is up to you to take action to protect your data privacy rights. Do not wait for the authorities to make every business comply with the laws. It’s never gonna happen.
Even the most proactive DPAs in the world have only so many resources and cannot act against every single non-compliant business.
But, you are equipped with the opportunities to act. And you should act whenever you find your data privacy rights violated.
How do I file a GDPR complaint?
First, you need to determine the violation, the offender and the applicable laws. Then you need to go to the website of the relevant Data Protection Authority (DPA) and submit a complaint. Most commonly there should be an online form to fill out. If not, you can call the DPA and they will explain to you step-by-step how to submit a complaint.
Where do I report a data privacy violation?
You can report a data privacy violation to the Data Protection Authority of your country of residence and/or the country where the offending party is located. Most commonly, national Data Protection Authorities provide an online form on their website for submitting complaints.
Can I sue for a data protection breach?
In most jurisdictions you have the right to sue and claim compensation from an organization or business if you have suffered damages as a consequence of them violating applicable data protection laws.