The EDPS is the EU’s independent data protection authority.
We make sure that that the fundamental right to the protection of personal information is respected by the EU institutions, bodies and agencies (EU institutions).
We supervise the processing (collection, use, transfer, etc.) of personal information by the EU institutions, as well as ensuring that data protection safeguards are incorporated in EU legislation and policies, where necessary.
- You may ask the EDPS for advice on how to exercise your rights;
- You may ask the EDPS to investigate a complaint.
To learn more about your data protection rights and the EU instotutions, read our factsheet.
How to complain to the EDPS?
Please read the information on this page before completing our complaints form. If you have read the above information and:
- think your rights have been infringed by an EU institution processing your personal information;
- you have not been able to settle this with the institution concerned or its Data Protection Officer;
- accept our conditions for handling your complaint;
you can lodge a complaint with the EDPS to investigate by filling in our complaints form.
In principle, a complaint to the EDPS will be inadmissible if you have not first contacted the institution or its data protection officer to rectify the matter; for instance, if you would like access your data, you should first request the institution to give you access. If you have not contacted the institution before complaining to the EDPS, please outline why in the form.
Who can complain to us and what can you complain about?
Complaints to the EDPS must relate to the processing of personal information carried out by an EU institution.
Please note that we can only investigate your complaint if:
- It concerns a real or potential and not a hypothetical, breach of personal data protection rules;
- You lodge it within two years of the date you became aware of the facts on which your complaint is based.
The data protection rules that the EU institutions must follow are set out in Regulation 2018/1725. The Regulation says that if you believe your data protection rights have been infringed by the EU institution, for instance:
- excessive amounts of your personal data is being collected;
- you have been refused access to your personal data;
- you have been refused the right to rectify inaccurate or incomplete personal data;
- your personal data has been shared with third parties without your consent;
- you are refused the right to block or erase inaccurate or irrelevant personal data about you;
- your personal data is being processed illegally;
you can lodge a complaint with the EDPS.
There are two situations in which you can submit complaints:
- Anyone whose personal data are processed by an EU institution can complain about that processing;
- Anyone who is employed by an EU institution can complain about breaches of the data protection rules by an EU institution, even if they are not personally affected.
What you cannot complain to us about
- The EDPS does not handle complaints to modify the content of documents, or to challenge or annul decisions that an EU institution may have taken about you, nor can it grant financial compensation for damages. In those instances, you should address the matter before the Court of Justice of the EU.
- The EDPS does not handle cases of general maladministration; those should be addressed to the European Ombudsman.
- We are not able to accept complaints concerning Eurojust. That agency is subject to specific data protection rules and has its own separate supervisory body. Please contact the Eurojust Joint Supervisory Body.
- The EDPS has no supervisory powers for handling complaints about the processing of personal information by national, regional or local public authorities, private companies or organisations, or not-for-profit organisations.
If, for example:
- a company has shared your personal data with direct marketers;
- your request to have your name removed from search results on the internet (right to be forgotten) has been refused;
- the consulate has denied your Schengen visa request;
- a public authority has not updated incorrect personal data about you which has deprived you of a service as a result;
- you keep receiving commercial messages even though you have requested to be removed from a mailing list;
- a social network app on your phone demands what you think are excessive permissions;
you should contact the relevant national data protection authority and not the EDPS.
- We do not have supervisory powers to handle complaints about the processing of personal data by international organisations. You should contact the Data Protection Officer in the organisation concerned.
- For data transfers carried out on behalf of an EU institution or body by entities listed under the Privacy Shield, we refer you to the documents and press releases on the archived Working Party Article 29 website for more information.
- If you believe that a Member State is in breach of EU law, you can complain to the European Commission. In its role as guardian of the treaties, the Commission can launch infringement proceedings against Member States who breach EU law.
- We do not supervise the Court of Justice of the European Union in its processing of data during the course of its judicial activities, only its actions as an administration. Therefore, we cannot accept complaints about its judicial activities.
What can you expect from us?
We will handle your complaint confidentially.
Confidentiality implies that your personal data will not be disclosed to persons outside of the EDPS.
However, it may be necessary for our investigation to inform the institution concerned, its Data Protection Officer and any third parties involved about the content of the complaint and your identity. If your complaint falls into the tasks of a data protection authority of a Member State, we will forward your complaint to that authority, as they are the ones who can help you.
If you wish to remain anonymous vis-à-vis the EU institution you complain against, please outline your reasons for the EDPS to consider. The EDPS will inform you if it does or does not accept your request for anonymity. You will then be able to decide to withdraw or proceed with your complaint.
We are unable to accept complaints sent to us anonymously. If you are acting on behalf of a complainant, we ask you to provide the first and last names of the complainant and submit evidence of your power to represent the complainant.
The EDPS does not deal with matters that are currently before a court or that have already been settled by a court.
The EDPS does not deal with matters that are currently being examined by the European Ombudsman or that have already been settled by it unless you have significant new evidence to submit.
Your complaint is admissible even if another EU institution is examining it. However, the EDPS can decide to await the outcome of that body’s procedures before starting its own investigation.
More information about how we use your personal data when handling your complaint can be found in our data protection notice page and the DPO register.
Handling your complaint
To help us investigate a complaint, the EDPS is entitled to obtain all personal data and all information necessary for our enquiries from the EU institution concerned. We can also access the premises of any EU institution should an on-site investigation be needed.
- We can conduct enquiries and inspections on our own initiative or on the basis of a complaint, when it is necessary to obtain more information on the processing of personal information;
- We can order that requests to exercise certain rights in relation to personal information be complied with where they have not been dealt with properly, breaching your rights;
- We can order controllers to inform data subjects about personal data breaches, where they have unlawfully neglected to do so.
- We can warn or reprimand the European institution or body which is unlawfully or unfairly processing your personal information;
- We can order the EU institution or its contractors to bring processing operations into compliance with the data protection rules and if the EU institution does not comply with those orders, impose an administrative fine.
- We can impose a temporary or definitive ban on processing or suspend data flows ;
- We can refer a case to the Court of Justice of the European Union.
Important Security Information
The EDPS strives to ensure a high level of security for information shared with us in this complaint form such as using Hypertext Transfer Protocol Secure (HTTPS). Nevertheless, communication over the internet, including email, is not fully secure and can potentially be intercepted by persons outside of the EDPS. The EDPS relies on third party services (the European Parliament and the European Commission) to help maintain the security and performance of the EDPS website; the EDPS IT infrastructure is subject to their security measures.