Any questions?

Under the GDPR, you have the right to lodge a complaint with the Data Protection Authority (DPA) in the country of:

• your habitual residence;
• your place of work; or
• the place where the alleged infringement took place.

Find the contact details for all EEA DPAs

No. The EDPB does not handle complaints or conduct investigations. If you believe your data protection rights have been violated you can contact the organisation holding your data, contact your national data protection authority (DPA), or go to a national court.

DPAs can conduct investigations and impose sanctions where necessary. Find the contact details for all EEA DPAs 

We take note of your suggestion to the EDPB to consider this matter for future guidance. You may consult the topics currently included in the EDPB's Work Programme on our website.

The EDPB does not provide tailored legal advice to citizens or private/public organisations on how to apply data protection law to specific cases. 

The EDPB’s main role is to issue general guidance and opinions. All adopted guidance and opinions can be consulted here: Guidelines, Recommendations, Best Practices and Opinions. We also recommend reading the Data Protection Guide for Small Business. This guide will help you understand key data protection concepts, the rights of individuals under the GDPR, compliance requirements, security measures, and how to handle data breaches.

Additional information on the EDPB's role and the application of the GDPR, can also be found here: Frequently Asked Questions.

We also invite you to consult the websites of the data protection authority in your country. The links to the websites of our Members can be found here: Our members.

Are you asking the EDPB to investigate and take action against an organisation that you consider is infringing EU legislation, including through specific technologies, such as AI, social media, or messaging services?

In the context of data protection rules, you can lodge a complaint with your data protection authority (DPA) (please find a list of them on our website: Our members). Enforcement of data protection rules is the responsibility of the DPAs. You can contact the data protection authority where you live or work, or where the alleged infringement took place, for instance.

Another alternative is to go to national courts where you live or where the controller or processor is established. 

If the GDPR applies in your situation but you're not based in Europe, you can still complain to a DPA in Europe and/or go to court.

The EDPB has no competence to handle specific individual requests or complaints, nor to provide individual consultancy services. The EDPB is not a supranational body that can investigate complaints.

Finally, if you want to complain about how an EU institution, agency or body is using your personal data, you can lodge a complaint with the European Data Protection Supervisor (please see contact details on our website: Our members).

Please note that we do not forward your message to the national DPAs or to the EDPS. Therefore, you should contact them directly.

The EDPB does not have the competence to exercise oversight over the DPAs activities at the request of individuals.

Please note that the competence to issue general guidance cannot be understood as a mechanism for the EDPB to exercise oversight on how DPAs handle your individual case.

If you believe that GDPR has been infringed and you are not satisfied with the DPA’s response, the remaining solution is for you to initiate legal proceedings.

The Coordination Supervision Committee (‘CSC’) - which exists within the EDPB - coordinates the supervision of the processing of personal data in the Schengen Information System (‘SIS’). The relevant EU laws are Regulation (EU) No 2018/1862 (in particular Article 71), and Regulation (EU) No. 2018/1861 (in particular Article 57).

For personal data included in the SIS, you have rights of access, rectification, and erasure. These rights include:

• The right to know if information relating to you is processed in the SIS;
• The right of access to that data;
• The right to correction of inaccurate data or deletion relating when that data have been unlawfully stored; and
• The right to take action with courts, your data protection authority and/or competent authorities, as appropriate, to correct or delete data relating to you or to obtain compensation.

To exercise your rights, please contact your national competent authority, in the Schengen country of your choice. For more information on the national competent authorities and on the data protection authority in each Schengen country, please consult the “Guide for exercising data subjects’ rights”, available on our website. There you can also find model letters to assist you with the exercise of your rights. 

Please note that the EDPB does not have the competence to handle individual complaints or requests. Besides, the EDPB does not have access to the content of these information systems and databases.

More details on how to exercise your rights is available on our website.

The European Commission can decide whether a country outside Europe (or an international organisation) offers an ‘adequate’ level of data protection, which facilitates the data flows between Europe and this country. 

The EDPB is in charge of issuing opinions on the draft adequacy decisions, before the decision of the European Commission. The opinions are not binding on the European Commission but are usually useful for the other organisations which are consulted in this framework, such as the EU Member States.

Further, the European Commission is the one competent to monitor developments in non-European countries that could affect adequacy decisions. Some adequacy decisions provide for a specific regularity for the review of the decision and may refer to the possibility for EDPB representatives to take part in the review process organised by the European Commission.

Please also note that European Data Protection Authorities may protect individuals with respect with data transfers made within the context of adequacy decision (please find a list of them on our website: Our members).

If you believe that an existing adequacy decision is not in line with your fundamental rights of the individual to privacy and data protection, you may initiate a complaint to your DPA which may bring those objections before a national court which may be required to make a reference for a preliminary ruling to the Court of Justice (See Article 58(5) GDPR and ECJ Schrems judgment (Case C-362/14)).

For additional information, please see: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en

Information about career opportunities can be found on our website: Career opportunities.

Please contact edps-selections@edps.europa.eu if you want more information or would like to make a spontaneous application. If you wish to make an application, please mention that you are applying for a post in the EDPB Secretariat. Spontaneous application sent directly to the EDPB are deleted without forwarding.