In this article we will show you step-by-step how to file a complaint when your data privacy rights have been violated.
Below in this guide we will explain step by step how to do the above.
As an internet user and owner of your data, you have the right to submit a complaint to the relevant data protection authority if your personal data rights have been violated.
Data protection laws protect your online privacy. However, there are billions of websites and just a handful of enforcement agencies overseeing their compliance.
That’s why online users should take a proactive approach to protecting their privacy. Relying on the authorities to act may be in vain, given the huge task they face.
Moreover, most data protection laws equip internet users with the tools to take on businesses that do not respect their online privacy. If you want to take advantage of that and protect yourself in the case of a violation, keep reading, and you’ll learn how to do it, step by step.
I explain that you have the right to submit a complaint to a data protection authority and outline the steps you need to take to do so.
These steps include determining the violation, identifying the offender and the applicable laws, and submitting a complaint to your data protection authority.
I also discuss the importance of taking a proactive approach to protecting your privacy and provide suggestions for remedying violations.
First, you need to determine the actual violation, whether it is a violation under the relevant data protection laws, and, if so, which data protection authority you should submit the complaint to.
You assume that someone has violated your data privacy rights. You need to be able to describe what happened to determine what the violation is.
Once you know what happened, you need to determine whether there is an applicable law protecting you from the deeds of the online business.
If you are unsure whether your rights have been violated, you can investigate by submitting a data subject request.
If you suspect that your data has been collected and processed without your consent or another legal basis, submit a request to know or a request to object to the processing.
If you fear that your data has been transferred to a country without sufficient data protection standards, a request to know will provide you with the information you need.
If the controller does not respond, then something may be wrong here. Aside from that, not responding to a request is a violation.
Data protection laws are generally applicable to the relationship between the user and the business. This means that in every relationship, at least two rules apply – the one where the user is from and one where the company is from.
In practice, if a French internet user interacts online with a UK business, both the French law and the UK law apply, both of which are aligned with the GDPR of the EU.
Source: European Commission
If a California user interacts with a Canadian business from Montreal, both countries’ state and federal laws apply. Since the US has no national data privacy law, the California law, the Quebec law, and the Canada federal law will apply.
If an Indian user interacts with an Indian business, then only the Indian law applies. However, at the moment of writing, there is no comprehensive data protection law in India yet, so the user likely does not enjoy data subject rights as in some other countries.
So, the following two laws apply to your relationship with the business that may have violated your rights:
Every data protection law is enforced by a data protection authority.
The ones that are relevant to your case depend on the applicable laws.
In the case of the California user and Quebec and Canada businesses, the user can complain to the authorities in Canada. If the CCPA (California Consumer Protection Act) applies at all, the options for complaint are very limited.
For users outside of California, though, there is virtually no protection in the United States.
The user from India whose privacy has been violated by an Indian business cannot do much as of the moment of writing since the current law provides insufficient protection for personal data.
Once you know that your personal data has been abused or your data subject rights have been violated, it is time to get yourself protected.
At this point, there are several options at your disposal:
This may be the right way to go when the violation is minor and has no significant consequences for you, so that submitting complaints to authorities is not worth the bother.
For example, if a data controller calls you over the phone to offer you some products without your consent, you can point out that you haven’t given your consent, and they should stop calling you. If they act accordingly, you have remedied the violation without significant effort.
It won’t remedy what the data controller has done wrongfully, but it can change how they behave with you in the future.
If the GDPR or a similar law applies to you or the business, here’s what requests can do for you:
You could submit a complaint and, at the same time, submit a request to object or a request to delete to the controller to make them cease the violation, if that’s a viable tool in your specific case.
Source: European Commission
Complaints are provided for internet users (or any other users) to use against businesses that do not comply with data privacy laws and violate their users’ rights. Therefore, feel free to submit one at any time when you reasonably believe that your rights have been violated.
We assume that at this point, you are aware of the violation and know the applicable laws and the relevant data protection authorities (DPA). Now it is time to submit your complaint.
Go to the website of the relevant DPA. The website of every DPA has a section with information for submitting complaints. If not, you can contact them through the contact page, email, phone, or any other means.
In general, DPAs receive complaints submitted in many different forms and many different ways.
In most cases, you’ll find a way to submit the complaint through their website. You can see an example of the ICO of the UK, and here you can see how CNIL handles complaints in France. Submitting one is as easy as it could get.
If the website of your DPA does not provide a way to submit a complaint, as the websites of the UK ICO and the French CNIL do, then submit a complaint by mail, email, or over the phone. Even if you make some mistakes in this phase, in the worst-case scenario, someone from the DPA will get back to you and guide you through the right process.
Fill out the complaint. Complaint forms available online will ask you for all the information the DPA needs to investigate the case. You must fill in every field to the best of your knowledge and click the SUBMIT button.
If no form is available, you can write down a complaint without following any form guidelines. That could look like any other complaint you may submit to a government authority. Just make sure that it contains at least the following:
If the DPA needs more details, they will follow up with some questions for you.
After submitting the complaint, you need to wait.
Source: GDPR-Info.eu – Art. 77 GDPR
The investigation. When the DPA receives your complaint, they will start with the investigation.
As mentioned above, they may get back to you for further information.
The DPA will investigate the case and communicate to you any findings that can be shared without hindering the investigation. No one can predict how long it is going to last. Every case has its specifics that determine its complexity and, as a result, the length of the investigation. So you need to be patient at this phase.
This investigation is not like a police investigation. The people from the DPA are just regular government workers who will have a look at your case and decide upon it. You can expect an experience similar to dealing with the tax authorities or consumer protection bodies.
The outcome of the investigation. When the investigation ends, there are multiple possible outcomes:
In the case of mild violations, and if the law allows, the DPA may issue a warning, a cease and desist, or another measure to remedy the effects of the breach. These measures are rare, though. In most cases, violators will be fined.
To sum it up, if you think your data privacy rights have been violated, you can complain to the relevant data protection authority.
First, you need to determine the violation, who the violator is, and what laws are applicable in your case.
Then you need to go to the DPA, submit the complaint, cooperate, and wait for the decision. In the meantime, you can communicate directly with the violator to remedy the violation. They may cooperate, after all.
In the whole process, it is very important to remember that it is up to you to take action to protect your data privacy rights. Do not wait for the authorities to make every business comply with the laws. It’s never going to happen.
Even the most proactive DPAs worldwide do not have the resources to act against every non-compliant business.
But you are equipped with the opportunities to act, and you should act whenever you find your data privacy rights violated.
Some people found answers to these questions helpful
How do I file a GDPR complaint?
First, you must determine the violation, the offender, and the applicable laws. Then you need to go to the relevant Data Protection Authority (DPA) website and submit a complaint. Most commonly, there should be an online form to fill out. If not, you can call the DPA, who will explain step-by-step how to submit a complaint.
Where do I report a data privacy violation?
You can report a data privacy violation to the Data Protection Authority of your country of residence and/or the country where the offending party is located. National Data Protection Authorities commonly provide an online form on their website for submitting complaints.
Can I sue for a data protection breach?
In most jurisdictions, you have the right to sue and claim compensation from an organization or business if you have suffered damages due to their violation of applicable data protection laws.