What can individuals do if they consider that their rights under the GDPR have been violated?
Here is what you should know about the different steps that individuals may take.
Contacting the organisation in question
If individuals believe that their data protection rights have been violated by your organisation, they may contact you directly. If your organisation has appointed a data protection officer, the contact details of the DPO have to be made available in your privacy statement.
Complaining to a data protection authority
An individual also has the right to lodge a complaint with a data protection authority of an EEA Member State; this includes the EU countries + Iceland, Liechtenstein and Norway.
Depending on the circumstances, individuals can turn to a data protection authority of an EEA Member State, in particular, to:
- the data protection authority of the EEA Member State where they habitually reside;
- the data protection authority of the EEA Member State where they work; or
- the data protection authority of the EEA Member State where their right to personal data has not been respected, for example the country where the organisation that has committed the alleged breach has its headquarters.
A data protection authority should handle an individual’s complaint within three months of receiving it. This includes updating the complainant with the progress or outcome of the complaint.
Read more about the powers a data protection authority has when investigating a complaint
If the data protection authority fails to handle the complaint or the individual is not satisfied with the decision of the data protection authority, the individual can bring this matter to the national court where the data protection authority is located.
Check out the complete list of the EU and EEA data protection authorities
Bringing a matter to court
If an individual believes that their right to the protection of personal data has not been respected by your organisation, they can also bring this matter to the courts of the country where your organisation is established. In case of a private organisation, individuals can also refer to the courts of their habitual residence.
Read more
Receiving compensation
If an individual’s privacy rights have been infringed by your organisation, they are entitled to receive compensation from your organisation for the damage they have suffered.
Read more
Support from not-for-profit organisations
Individuals have the right to seek help and support from not-for-profit organisations or bodies active in EEA countries for lodging a complaint or for bringing a matter to the court on their behalf.
Read more
Individuals’ remedies in practice
Here are the steps that individuals could consider, if they believe that your organisation is not respecting their privacy rights.
- Contact your data protection officer - if a DPO has been appointed. to express their concerns.
- Contact the data protection authority of the EEA country where they reside, or work, or where the alleged infringement took place.
- If necessary, individuals can seek support for their action from a not-for-profit organisation, established in an EEA country.
- If unsatisfied with the decision of the data protection authority, individuals may lodge a complaint against it with the national courts of that authority.
- Without prejudice to any of the above, an individual can also bring a case against your organisation in the courts of the country where your organisation is established or, in the case of private organisations, in the courts of the country of the individual’s habitual residence.