European Data Protection Supervisor
European Data Protection Supervisor

Complaints Wizard

Complaints Wizard

One of our main tasks as the supervisory authority for the EU institutions, bodies and agencies is to hear and investigate complaints by individuals against their processing of personal data.

We are only competent for processing by EU institutions, bodies and agencies in this regard. If you want to complain against a public authority or a company in a Member State, you should contact the relevant national data protection authority  instead.

Personal data we process during the investigation of your complaint will be handled in confidence and not shared with others unless necessary for the investigation (e.g. obtaining the position of the controller on the alleged breaches). For more information, please see our Data protection notice.

When we investigate complaints, we contact the accused EU institution, body or agency to obtain its view on the matter. Where necessary, we may also verify the content of files on the spot or conduct other checks.

If we find a breach, we can order the EU institutions, bodies and agencies for example to give you access to your data, to erase it or to change unlawful procedures. We cannot impose disciplinary sanctions or award damages.

Legal background

Under Article 57(1)(e) of Regulation 2018/1725 hearing and investigating complaints is a duty of the EDPS. Article 58 provides us with investigation powers, including the right to access all relevant information held by the accused Union institution, body or agency or its contractors.  Under Article 32, the accused organisation has an obligation to cooperate and to react to allegations.

For complaints against Europol in its core business activities, the EDPS hears and investigates complaints in accordance with Regulation (EU) 2016/794, in particular Articles 43(2)(a) (duty to hear complaint), 43(4) (investigation powers) and 47 (right to complain).

EDPS decisions in complaints can be challenged before the Court of Justice.
If you want to lodge a complaint, please proceed as described below:
[A. Other entity] I want to complain about the processing of personal data by other organisations, such as national public authorities, companies, non-profit organisations, etc.
 This covers cases such as:
"A company has given my data to direct marketers although I told them not to."
"I asked a search engine provider to delist a website when searching for my name ('right to be forgotten'), but they refused."
  • "A national public authority is collecting more data about me than it is allowed to."
  • "I applied for a Schengen visa and the consulate told me it has been denied, but I don't know why."
  • "I asked to be removed from a charity organisation's mailing list and they keep sending me messages."
  • “A social network app on my phone demands permissions that I think are excessive.”
[B. EU institution, body or agency] I want to complain about the processing of personal data by an EU institution, body or agency.
 This covers cases such as for example:
  • "I asked for access to my own personal data held by an EU institution and they declined to give it to me."
  • "I have reason to believe that an EU institution leaked my personal data to third parties."
  • "I work for an EU institution and my human resources department wants to know things I think they have no business knowing."
  • "I work for an EU institution and it has come to my knowledge that some of my colleagues handle personal data in ways I think are against the law."