European Data Protection Supervisor
European Data Protection Supervisor

Complaints

Complaints

/file/complaintminijpg_encomplaint_mini.jpg

Complaint
The EDPS is the EU’s independent data protection authority.

We make sure that that the fundamental right to the protection of personal information is respected by the European institutions and bodies (EU instituions).

We supervise the processing (collection, use, transfer, etc.) of personal information by the EU institutions, as well as ensuring that data protection safeguards are incorporated in EU legislation and policies, where necessary.

  • You may ask the EDPS for advice on how to exercise your rights;
  • You may ask the EDPS to investigate a complaint.

To learn more about your data protection rights and the EU institutions, read our factsheet.
 

How to complain to the EDPS

Please read the information on this page before completing our complaints form. If you have read the above information and

  • think your rights have been infringed by an EU institution processing your personal information;
  • you have not been able to settle this with the institution concerned or its Data Protection Officer;
  • accept our conditions for handling your complaint;

you can lodge a complaint with the EDPS to investigate by filling in our complaints form.

In principle, a complaint to the EDPS will be inadmissible if you have not first contacted the institution or its data protection officer to rectify the matter; for instance, if you would like access your data, you should first request the institution to give you access. If you have not contacted the institution before complaining to the EDPS, please outline why in the form.


Who can complain to us?

1)    Anyone who has dealings with an EU institution(s) can complain against the processing of their personal data by it;
2)    Anyone who is employed by an EU institution can complain against breaches of the data protection rules by an EU institution(s), even if you are not personally affected.

The data protection rules that the EU institutions must follow are set out in Regulation 45/2001. The Regulation says that if you believe your data protection rights have been infringed by the EU administration, for instance:

  • excessive amounts of your personal data is being collected;
  • you have been refused access to your personal data;
  • you have been refused the right to rectify inaccurate or incomplete personal data;
  • your personal data has been shared with third parties without your consent;
  • you are refused the right to block or erase inaccurate or irrelevant personal data about you;
  • your personal data is being processed illegally;

you can lodge a complaint with the EDPS.

If necessary, the EDPS can recommend the EU institution concerned to adopt specific measures to protect your rights.
 

What you can and cannot complain to us about

A complaint to the EDPS must relate to the processing of personal information carried out by an EU institution.

  1. We can only investigate complaints which concern a real or potential and not a hypothetical, breach of personal data protection rules.
  2. A complaint must be made within two years of the date you became aware of the facts on which your complaint is based. The complaint will also be inadmissible if the alleged breach occurred before Regulation (EC) 45/2001 entered into force.
  3.  The EDPS does not handle complaints to modify the content of documents, or to challenge or annul decisions that an EU institution may have taken about you, nor can it grant financial compensation for damages. In those instances, you should address the matter before the Court of Justice of the EU.
  4. The EDPS does not handle cases of general maladministration; those should be addressed to the European Ombudsman.
  5. We are not able to accept complaints concerning Eurojust, please contact the Eurojust Joint Supervisory Body.
  6. The EDPS has no supervisory powers for handling complaints on the processing of personal information by national, regional or local authorities, private companies or organisations, or not-for-profit organisations.

If, for example:

  • a company has shared your personal data with direct marketers;
  • your request to have your name removed from search results on the internet (right to be forgotten) has been refused;
  • the consulate has denied your Schengen visa request;
  • a public authority has not updated incorrect personal data about you which has deprived you of a service as a result;
  • you keep receiving commercial messages even though you have requested to be removed from a mailing list;

you should contact the relevant national data protection authority and NOT the EDPS.
 

  1. We do not have supervisory powers to handle complaints about the processing of personal data by international organisations. You should contact the Data Protection Officer in the organisation concerned.
  2. For data transfers carried out on behalf of an EU institution or body by entities listed under the Privacy Shield, we refer you to the documents and FAQs on Working Party Article 29 website for more information.
  3. If you believe that a Member State is in breach of EU law, you can complain to the European Commission. In its role as guardian of the treaties, the Commission can launch infringement proceedings against Member States who breach EU law.
  4. We do not supervise the Court of Justice of the European Union in its processing of data during the course of its judicial activities, only its actions as an administration. Therefore, we cannot accept complaints about its judicial activities.

If the processing of personal information which is the subject of a complaint is not carried out by one of the EU institutions, your complaint will be inadmissible.

 

What can you expect from us?

We will handle your complaint confidentially.

Confidentiality implies that your personal data will not be disclosed to persons outside of the EDPS.

However, it may be necessary for our investigation to inform the institution concerned, its Data Protection Officer and any third parties involved about the content of the complaint and your identity.

If you wish to remain anonymous, please outline your reasons for the EDPS to consider. The EDPS will inform you if it does or does not accept your request for anonymity. You will then be able to decide to withdraw or proceed with your complaint.

We are unable to accept complaints sent to us anonymously. If you are acting on behalf of a complainant, we ask you to provide the first and last names of the complainant and submit evidence of your power to represent the complainant.

The EDPS does not deal with matters that are currently before a court or that have already been settled by a court.

The EDPS does not deal with matters that are currently being examined by the European Ombudsman or that have already been settled by it unless you have significant new evidence to submit.

Your complaint is admissible even if another EU body is examining it. However, the EDPS can decide to await the outcome of that body’s procedures before starting its own investigation.

More information about how we use your personal data when handling your complaint can be found in our data protection notice page and the DPO register.

 

Handling your complaint

To help us investigate a complaint, the EDPS is entitled to obtain all personal data and all information necessary for our enquiries from the EU institution concerned. We can also access the premises of any EU institution should an on-site investigation be needed.

  • We can conduct enquiries and inspections on our own initiative or on the basis of a complaint, when it is necessary to obtain more information on the processing of personal information;
  • We can order that requests to exercise certain rights in relation to personal information be complied with where such requests have been refused in breach of your rights;
  • We can warn or admonish the European institution or body which is unlawfully or unfairly processing your personal information;
  • We can impose a temporary or definitive ban on processing;
  • We can refer a case to the Court of Justice of the European Union.

 

Important Security Information

The EDPS strives to ensure a high level of security for information shared with us in this complaint form such as using Hypertext Transfer Protocol Secure (HTTPS). Nevertheless, communication over the internet, including email, is not fully secure and can potentially be intercepted by persons outside of the EDPS. The EDPS relies on third party services (the European Parliament and the European Commission) to help maintain the security and performance of the EDPS website; the EDPS IT infrastructure is subject to their security measures.