Print

Complaints

How to make a complaint to the European Data Protection Supervisor?

The European Data Protection Supervisor (EDPS) investigates complaints from individuals about the processing of their personal data carried out by EU institutions, bodies, offices and agencies (EU institutions).

Who can complain?

  • Anyone whose personal data are processed by an EU institution.
  • Anyone who is employed by an EU institution can complain about an alleged violation of data protection rules by an EU institution, even if they are not personally affected.

Subject of the complaint

A complaint to the EDPS can only relate to the processing of personal data by an EU institution. The processing of personal data by a public or private entity of an EU Member State does not fall under the EDPS’ competences.

Additional conditions

Before complaining to the EDPS, the complainant should first  contact and try to resolve the matter with the data protection officer (DPO) of the EU institution in question.

A complaint must be made within two years of the date when the matter first came to the attention of the person lodging the complaint.

What the European Data Protection Supervisor cannot do

The processing of personal data that is the subject of a complaint  must be carried out by one of the EU institutions. The EDPS cannot handle complaints concerning processing of personal data by national authorities in the EU Member States, private entities (those should be addressed to the relevant national data protection authority) and international organisations.

The EDPS is not competent to deal with:

  • cases of general maladministration - these should be addressed to the European Ombudsman;
  • modifying the content of  documents that the complainant wants to challenge;
  • granting financial compensation for damages - these types of complaints should be addressed to the Court of Justice of the EU.

How to submit a complaint?

1. Check the criteria - Go through our checklist on how to make a complaint. Make sure that the EDPS can actually handle your complaint.

Can the EDPS help me? If not, who else could?

If the EDPS is not able to help with the issue you are facing, there are other bodies at EU or national level that may be able to assist you.

Please use the filters below to check whether your complaint can be handled by the EDPS. If this is not the case, some other relevant authorities will be suggested to you.

Is your complaint against an EU institution, body, office or agency?

Is your complaint against a private organisation?

The EDPS cannot handle your complaint. We cannot investigate private organisations.

If you want to complain about the processing of personal data by other organisations (such 
as private companies, non-profit organisations, etc.), the relevant European Data Protection Authority may be able to help you. You can find their contact details here

For the contact details of other data protection authorities worldwide, please see the list of members of the International Conference of Data Protection & Privacy Commissioners.

You can also contact directly the data protection officer (DPO) of the company or the organisation regarding your complaint. You should find the DPO contact information in the company's or organisation’s Privacy Policy, usually available on their website. 

You can also address your complaint directly to the courts in the relevant EU Member State.

The advice given in this interactive guide is for guidance only. If you are still unsure about where to turn with your complaint, or if, despite the advice given you believe that the matter could be dealt with at the European level, please feel free to contact the EDPS at supervision@edps.europa.eu.

Is you complaint against a national public authority?

The EDPS cannot handle your complaint. We cannot investigate national authorities.

If you want to complain about the processing of personal data by national public authorities, the relevant European Data Protection Authority will be able to help you. You can find their contact details here

For the contact details of other data protection authorities worldwide, please see the list of members of the International Conference of Data Protection & Privacy Commissioners.

You can also address your complaint directly to the courts in the relevant EU Member State.

In case of a negative decision or a lack of a decision by a national Data Protection Authority, you may address your complaint to the courts in the relevant EU Member State.

If you believe that a public authority of an EU Member State is in breach of EU law, you can address your complaint to the European Commission. In its role as guardian of the treaties, the European Commission can launch infringement proceedings against EU Member States that breach EU law. For more information, please see here.

If you believe that an EFTA Member State is in breach of EFTA law, you can address your complaint to the EFTA Surveillance Authority, which can launch infringement proceedings against EFTA Member States that breach rules covered under the EEA Agreement. For more information, please see here.

The advice given in this interactive guide is for guidance only. If you are still unsure about where to turn with your complaint, or if, despite the advice given you believe that the matter could be dealt with at the European level, please feel free to contact the EDPS at supervision@edps.europa.eu.

Is you complaint against an international organisation?

Is your complaint about how your own personal data are being used by an EU institution, body, office or agency?

Are you employed by an EU institution, body, office or agency?

The EDPS cannot handle your complaint.

You can still alert the EDPS about a data protection issue within an EU institution or body by sending an email to supervision@edps.europa.eu. The EDPS will analyse the information and decide how to follow-up, but cannot handle it as a complaint, which means that you will not be informed of the outcome of a potential investigation or an audit. 

If your complaint concerns a modification of the content of documents, challenging or annulling decisions that an EU institution may have taken about you, or getting financial compensation for damages, you should address your complaint to the Court of Justice of the EU.

The advice given in this interactive guide is for guidance only. If you are still unsure about where to turn with your complaint, or if, despite the advice given you believe that the matter could be dealt with at the European level, please feel free to contact the EDPS at supervision@edps.europa.eu.

Have you contacted the EU institution, body, office or agency, specifically its Data Protection Officer, directly?

Please contact the data protection officer (DPO) or the EU institution about your complaint, before complaining to the EDPS.

The EDPS will not, in principle, handle your complaint before you have received the DPO’s final reply to your complaint. The DPO is in a better position to address your complaint at this stage. 

The advice given in this interactive guide is for guidance only. If you are still unsure about where to turn with your complaint, or if, despite the advice given you believe that the matter could be dealt with at the European level, please feel free to contact the EDPS at supervision@edps.europa.eu.

When did you become aware of the issue you would like to complaint about?

The EDPS cannot handle your complaint.

A complaint must be made within two years of the date on which the facts of the matter first came to the attention of the person lodging the complaint.

The advice given in this interactive guide is for guidance only. If you are still unsure about where to turn with your complaint, or if, despite the advice given you believe that the matter could be dealt with at the European level, please feel free to contact the EDPS at supervision@edps.europa.eu.

Has the issue of your complaint been the subject of on-going court proceedings?

It is unlikely that the EDPS can help you. 

The EDPS cannot investigate a case where the issue is the subject of legal proceedings.

The advice given in this interactive guide is for guidance only. If you are still unsure about where to turn with your complaint, or if, despite the advice given you believe that the matter could be dealt with at the European level, please feel free to contact the EDPS at supervision@edps.europa.eu.

Have you already filed a complaint on the same facts before the European Ombudsman?

It is unlikely that the EDPS can help you. 

The EDPS cannot investigate a case where the issue is the subject of the proceedings before the European Ombudsman. 

The advice given in this interactive guide is for guidance only. If you are still unsure about where to turn with your complaint, or if, despite the advice given you believe that the matter could be dealt with at the European level, please feel free to contact the EDPS at supervision@edps.europa.eu.

The EDPS should be able to help you.

Please use the complaint form to make a complaint. 

The EDPS cannot handle your complaint. We cannot investigate international organisations.

You can contact the international organisation’s data protection officer (DPO) regarding your complaint. You should find the DPO contact information in the organisation’s Privacy Policy, usually available on their website.

The advice given in this interactive guide is for guidance only. If you are still unsure about where to turn with your complaint, or if, despite the advice given you believe that the matter could be dealt with at the European level, please feel free to contact the EDPS at supervision@edps.europa.eu.

Unfortunately, according to your responses to the questionnaire, it looks like the EDPS cannot help you in this situation. 

The advice given in this interactive guide is for guidance only. If you are still unsure about where to turn with your complaint, or if, despite the advice given you believe that the matter could be dealt with at the European level, please feel free to contact the EDPS at supervision@edps.europa.eu.

 

2. Prepare the necessary information and documents in advance

In order to submit a complaint, you will need to provide the following information.

  • The name of the EU institution that you wish to complain about.
  • Your contact details. We are unable to accept complaints sent to us anonymously. If you are acting on behalf of a complainant, we ask you to provide the first and last names of the complainant and to submit evidence of your power to represent the complainant.
  • The reason for your complaint, meaning why you consider that the EU institution has done something wrong with your  personal data.
  • What, in your view, the EU institution should do to put things right.
  • Whether the matter has already been settled, or is pending, before a court, or another judicial or administrative body.
  • Evidence that you have already contacted the Data Protection Officer of the EU institution concerned and that you have given them reasonable time to reply.

3. Guidelines for complaints

  • Please keep your complaint concise. In exceptional cases, where a complaint needs to be longer than the allowed maximum number of words in the form, please include the full complaint as an attachment, and write a summary in the complaint form. Submitting an unnecessarily lengthy complaint will slow down the process.
  • If you have a number of concerns, please identify and number the various issues. Please provide arguments and evidence supporting each alleged infringement.
  • Please indicate clearly the steps that you consider should be taken to resolve the complaint.
  • Please only provide documents or information to the EDPS that are necessary to understand the complaint.
  • Ensure that any documents attached as evidence (for example correspondence) are numbered and labelled (for example, 1-Letter from xx-date, 2-Email to xx-date ...). Please also provide a list with the number and name of each document. In your complaint, please refer to any document by numbering them.
  • Please do not provide the EDPS with personal data of third parties unless the personal data are necessary for the EDPS to be able to handle the complaint.

Our dedicated online form allows us to deal with complaints more efficiently. If you cannot use the online form, the EDPS accepts complaints submitted by email or post.

Submit your complaint by post: Rue Wiertz 60, B-1047 Brussels

How do we deal with complaints?

This flowchart gives you a rough outline of the process the EDPS follows when handling complaints.

  • Complaint received

    • Admissibility check

      • Complaint handling

        EDPS assesses the complaint and may:
        - ask the EU institution, body, office or agency (EUI) (controller) to reply or provide more information
        - carry out an inspection in the EUI
        - ask the complainant for information or to comment the controller's explanations

        • Case referred to other body

          - case referred to the controller or to the Data Protection Officer
          - case referred to the European Ombudsman

        • Closure of the case

          - no infringement found
          - case resolved during the investigation
          - the complainant’s request was satisfied

        • EDPS Decision

          - infringement found and corrective measures applied
          - no infringement found but the EDPS might issue recommendations to improve compliance

      • No case

        - complaint does not concern personal data processed by an EU institution, body, office or agency (EUI)
        - complaint is anonymous
        - complaint concerns a matter older than 2 years

What happens after the EDPS has handled a complaint?

  • We can order the EU institutions to comply with requests in relation to personal data (e.g. requests to access, rectify or erase personal data), where such a request has been made.
  • We can order the EU institutions to inform individuals about personal data breaches, if the EU institutions  have unlawfully failed to do so.
  • We can warn or reprimand EU institutions that are unlawfully or unfairly processing your personal data.
  • We can order EU institutions to bring processing operations into compliance with  data protection rules. If the EU institutions do not comply with these orders, we can impose an administrative fine.
  • We can impose a temporary or definitive ban on processing operations or suspend data flows.
  • We can refer a case to the Court of Justice of the European Union.

How do we handle your personal data?

Information about how we use your personal data when handling your complaint can be found in our data protection notice and the Records register.

Important Security Information

The EDPS strives to ensure a high level of security for information shared with us in this complaint form, such as using Hypertext Transfer Protocol Secure (HTTPS). Nevertheless, communication over the internet, including email, is not fully secure and can potentially be intercepted by individuals outside of the EDPS. The EDPS relies on third party services - the European Parliament and the European Commission -  to help maintain the security and performance of the EDPS website; the EDPS IT infrastructure is subject to their security measures.