How to Complain to the Data Protection Authority When Your Rights Have Been Violated

Determining Relevant Laws & Data Protection Authority

First, you need to determine the actual violation, whether it is a violation under the relevant data protection laws, and if so, to the applicable data protection authority to submit the complaint.

Determine the Violation

You assume that someone has violated your data privacy rights. You need to be able to describe what happened to determine what the violation is.

For example:

• if there has been a data leak,
• if your data has been sold to third parties without your consent,
• your data subject request has not been answered,
• your data has been transferred to a third country without a lawful basis,
• your data has been collected without your consent or another legal basis, etc.

Once you know what happened, you need to determine whether there is an applicable law protecting you from the deeds of the online business.

If you are unsure that your rights have been violated, you can investigate it by submitting a data subject request.

If you doubt that your data has been collected and processed without your consent or on another legal basis, submit a request to know or a request to object to the processing.

If you fear that your data has been transferred to a country without sufficient data protection standards, a request to know will provide you with the information you need.

If the controller does not respond, then something may be wrong here. Aside from that, not responding to a request is a violation.

Determine the Applicable Laws

Data protection laws are generally applicable to the relationship between the user and the business. This means that in every relationship, at least two rules apply – the one where the user is from and one where the company is from.

In practice, if a French internet user interacts online with a UK business, both the French law and the UK law apply, both of which are aligned with the GDPR of the EU.

Source: European Commission

If a California user interacts with a Canadian business from Montreal, both countries’ state and federal laws apply. Since the US has no national data privacy law, the California law, the Quebec law, and the Canada federal law will apply.

Source: State of California Department of Justice

If an Indian user interacts with an Indian business, then only the Indian law applies. However, at the moment of writing, there is no comprehensive data protection law in India yet, so, likely, the user does not enjoy subject data rights as in some other countries.

So, the following two laws apply to your relationship with the business that may have violated your rights:

• The data protection law of the country you are a citizen or resident of if any, and
• The data protection law of the country where the business is registered, if any.

Determine the Relevant Data Protection Authority

A data protection authority enforces every data protection law.

The ones that are relevant to your case depend on the applicable laws.

In the case of a French user and UK business, the French user can complain to CNIL (the French data protection authority), or the ICO (the UK data protection authority).

In the case of the California user and Quebec and Canada businesses, the user can complain to the authorities in Canada. If the CCPA (California Consumer Protection Act) applies at all, the options for complaint are very limited.

For users outside of California, though, there is virtually no protection in the United States.

The user from India whose privacy has been violated by an Indian business cannot do much as of the moment of writing since the current law provides insufficient protection for personal data.

Take Steps to Remedy the Violation

Now you know that your personal data has been abused or your subject data rights have been violated. Then, it is time to get yourself protected.

At this point, there are several options at your disposal:

• Request the data controller to remedy the violation. If you don’t want to bother with lots of back-and-forth communication for a minor violation, you may email the data controller, letting them know that you are aware of the violation and requesting them to improve their behavior.

  This may be the right way to go when the violation is minor. There are no significant consequences to you, making it not worth it to bother submitting complaints to authorities.

  For example, if a data controller calls you over the phone to offer you some products without your consent, you can point out that you haven’t given your consent, and they should stop calling you. If they act accordingly, you have remedied the violation without significant effort.

• Submit a data subject request. Sometimes a simple data subject request could protect you.

  It won’t remedy what the data controller has done wrongfully, but it can change how they behave with you in the future.

  If the GDPR or a similar law applies to you or the business, here’s what requests can do for you:

  • Request to object. The request to object will result in improvement or cease data processing by the data controller and their processors as requested.
    If you object to processing your phone number, then the controller cannot use it anymore to call you. If he has collected your phone for another purpose than calling you (for verification of identity, for example), it is still a violation of your data privacy rights. However, the data subject request can help you prevent further data processing.
  • Request to delete. You can ask the controller to delete all the data they have about you. If they don’t have your data, they cannot process it anymore.
• Submit a complaint to the relevant data protection authority. Submitting a complaint is always an option when your rights are violated. You have the right to do so even if you requested the controller to remedy the violation, and they have done so.

  You could submit a complaint and, at the same time, submit a request to object or delete the controller to make them cease with the violation if that’s a viable tool in your specific case.

  Source: European Commission

  Complaints were prescribed for internet users (or any other users) to use against businesses that do not comply with data privacy laws and violate their users’ rights. Therefore, feel free to submit one at any time when you can reasonably think that your rights have been violated.

How to Submit a Complaint to the Data Protection Authority?

We assume that at this point, you are aware of the violation and know the applicable laws and the relevant data protection authorities (DPA). Now it is time to submit your complaint.

Go to the website of the relevant DPA. The website of every DPA has a section with information for submitting complaints. If not, you can contact them through the contact page, email, phone, or any other means.

In general, DPAs receive complaints submitted in many different forms and many different ways.

In most cases, you’ll find a way to submit the complaint through their website. You can see an example of the ICO of the UK, and here you can see how CNIL handles complaints in France. Submitting one is as easy as it could get.

If the website of your DPA does not provide an opportunity to submit a complaint, as in the case with the UK ICO and the French CNIL, then submit a complaint by mail, email, or over the phone. Even if you make some mistakes in this phase, in the worst-case scenario, someone from the DPA will get back to you and guide you through the right process.

Fill out the complaint. Complaint forms available online will ask you for all the information the DPA needs to investigate the case. You must fill every field to the best of your knowledge and click the SUBMIT button.

If no form is available, you can write down a complaint without following any form guidelines. That could look like any other complaint you may submit to a government authority. Just make sure that it contains at least the following:

• Your name and contact details
• Details about the violator, and
• Description of the violation.

If the DPA needs more details, they will follow up with some questions for you.

After submitting the complaint, you need to wait.

Source: GDPR-Info.eu – Art. 77 GDPR

The investigation. When the DPA receives your complaint, they will start with the investigation.

As mentioned above, they may get back to you for further information.

The DPA will investigate the case and communicate with you any findings that could be shared without hindering the investigation. No one could predict how long it is going to last. Every case has its specifics that determine its complexity and, as a result, the length of the investigation. So, it would help if you were patient at this phase.

This investigation is not like a police investigation. The people from the DPA are just regular government workers who will have a look at your case and decide upon it. You can expect an experience with the tax authorities or consumer protection bodies.

The outcome of the investigation. When the investigation ends, there are multiple possible outcomes:

• The case is dismissed. If the DPA finds that you have no data privacy rights, or they are not the relevant DPA for that case, they will dismiss it. You cannot do a lot about it. Maybe you should consider complaining to the relevant DPA.
• They find that there are no violations. If the evidence does not prove that the data controller violated the law and your rights, the DPA will not act against the controller. If there is no violation, they are free.
• They find that there is a violation. In such a case, the DPA will issue a fine. The GDPR fine amount depends on the violation, the gross annual revenue of the controller, and other factors that help the DPA determine the actual penalty.

  In the case of mild violations, and if the law allows, the DPA may issue a warning, a cease and desist, or another measure to remedy the effects of the breach. These measures are rare, though. In most cases, violators will be fined.

Summing It Up

To sum it up, if you think your data privacy rights have been violated, you can complain to the relevant data protection authority.

First, you need to determine the violation, who the violator is, and what laws are applicable in your case.

Then it would help if you went to the DPA, submitted the complaint, cooperated, and waited for the decision. In the meantime, you can communicate directly to the violator to remedy the violation. They may cooperate, after all.

In the whole process, it is very important to remember that it is up to you to take action to protect your data privacy rights. Do not wait for the authorities to make every business comply with the laws. It’s never going to happen.

Even the most proactive DPAs worldwide have so many resources to act against every non-compliant business.

But, you are equipped with the opportunities to act. And you should work whenever you find your data privacy rights violated.