Responding to Regulatory Complaints

Overview

Under GDPR Article 77, data subjects have the right to lodge a complaint with a supervisory authority (Data Protection Authority / DPA) if they consider that the processing of their personal data infringes the GDPR. When a DPA receives a complaint and contacts the controller, the controller must respond promptly, cooperate fully, and demonstrate compliance. This skill provides the operational procedure for managing regulatory complaints from receipt through resolution.

Legal Foundation

GDPR Article 77 — Right to Lodge a Complaint

Every data subject has the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, place of work, or place of the alleged infringement, if the data subject considers that the processing of personal data relating to them infringes the GDPR.

GDPR Article 31 — Cooperation with the Supervisory Authority

The controller and the processor, and where applicable the controller's or the processor's representative, shall cooperate, on request, with the supervisory authority in the performance of its tasks.

GDPR Article 58 — Powers of Supervisory Authorities

Supervisory authorities have investigative powers (Art. 58(1)), corrective powers (Art. 58(2)), and authorisation and advisory powers (Art. 58(3)), including the power to: