One of our main tasks as the supervisory authority for the EU institutions, bodies and agencies is to hear and investigate complaints by individuals against their processing of personal data.
We are only competent for processing by EU institutions, bodies and agencies in this regard. If you want to complain against a public authority or a company in a Member State, you should contact the relevant national data protection authority instead.
Personal data we process during the investigation of your complaint will be handled in confidence and not shared with others unless necessary for the investigation (e.g. obtaining the position of the controller on the alleged breaches). For more information, please see our Data protection notice.
When we investigate complaints, we contact the accused EU institution, body or agency to obtain its view on the matter. Where necessary, we may also verify the content of files on the spot or conduct other checks.
If we find a breach, we can order the EU institutions, bodies and agencies for example to give you access to your data, to erase it or to change unlawful procedures. We cannot impose disciplinary sanctions or award damages.
Legal background Under Article 57(1)(e) of Regulation 2018/1725 hearing and investigating complaints is a duty of the EDPS. Article 58 provides us with investigation powers, including the right to access all relevant information held by the accused Union institution, body or agency or its contractors. Under Article 32, the accused organisation has an obligation to cooperate and to react to allegations. For complaints against Europol in its core business activities, the EDPS hears and investigates complaints in accordance with Regulation (EU) 2016/794, in particular Articles 43(2)(a) (duty to hear complaint), 43(4) (investigation powers) and 47 (right to complain). EDPS decisions in complaints can be challenged before the Court of Justice.