Your Right to Lodge a Complaint with a Supervisory Authority

As a data subject you have the right to lodge a complaint with a supervisory authority if you consider the processing of personal data relating to you infringes the GDPR. This right is set out in Article 77 of the GDPR. The full text of this article is at the bottom of this page.

In Ireland the relevant supervisory authority you can complain to is the Data Protection Commission of Ireland (DPC).

The process, step by step

If you think a business or organisation is processing your personal data in a way that infringes on your data protection rights, and you wish to exercise your right to lodge a complaint then you’ll have to follow the DPC’s process.

In most cases you will have to get in touch with the data controller first and attempt to resolve any issues with them before you can formally complain to the DPC. The DPC will only deal with your complaint – which at this point is called a ‘concern’ by the DPC – if you are not satisfied with the response you have received from the data controller.

“Generally, we will require you to have raised the matter directly with the organisation before raising a concern with this office. If you have done this, and are dissatisfied with the organisation’s response (or if you have not received a response from the organisation), you may proceed to raise a concern with the DPC. When you raise a concern with us, we are obliged to provide you with an update or outcome report within three months. Where the matter goes on for longer, we will update you at three month intervals thereafter.”

At this point the DPC looks at your concern and decides whether it falls within the DPC’s remit.

The DPC is obliged by Irish law to include a step in its complaint handling process called “amicable resolution”. This means the DPC will attempt to find a solution to your issue which does not require use of its corrective powers. Amicable resolution is used unless you request otherwise.

A concern only becomes a complaint after the amicable resolution process has been completed, or if you have specified you are not seeking an amicable resolution.

A concern becomes a complaint.

The DPC can choose to upgrade your concern and formally accept it as a complaint if an amicable resolution cannot be found. The DPC can also choose to reject or dismiss your complaint.

If the complaint is accepted then the DPC can use its powers to issue an enforcement notice, compelling a data controller to comply with your data protection rights requests, and if necessary begin an inquiry or investigation.

As a result of your complaint the DPC may decide to conduct an inquiry or an investigation. These are relatively rare, according to the DPC.

“Generally speaking, the DPC will only consider commencing an inquiry where the matter raised indicates that the alleged data breach is of an extremely serious nature and/or indicative of a systemic failing within the organisation in question.”

After the inquiry or investigation the DPC may use its corrective powers to sanction the data controller.

Once an inquiry or investigation is completed the DPC may issue a formal decision.

1. Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.
2. The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78.

Where next?

You also have a ‘Right to an effective judicial remedy against a controller or processor’. This means you can take a data controller or data processor to court if you feel your personal data is not being processed in accordance with the GDPR.

Read more elsewhere

Data Protection Fundamentals (basics, definitions and more …)
Your Rights (all your data protection rights: access, information, rectification and more …)
In More Detail (explorations and explanations of data protection concepts …)
Keeping Track (tracking Subject Access Requests and complaints to Supervisory Authorities …)