> Who can complain to the EDPS?
Anyone who considers that their rights have been infringed when a European Union institution or body has processed data relating to them can lodge a complaint with the EDPS. Staff members of these institutions and bodies can lodge a complaint without acting through official channels.
> How a complaint can be submitted to the EDPS?
A complaint can be lodged with the EDPS using the complaint submission form . This form can be completed electronically. Please ensure that all relevant information is included in the complaint form. To help avoid unnecessary delay please attach any evidence supporting your allegations (email exchanges, letters, screen prints, etc.).
Before lodging the complaint please be aware of the following:
The Q&A section of the website has been developed to include frequently asked questions to the EDPS, which may also be of interest before lodging a complaint.
> How does the EDPS deal with complaints?
Each complaint received by the EDPS is examined. The preliminary examination of the complaint is specifically designed to verify whether a complaint fulfils the conditions for further inquiry, including whether there are sufficient grounds for an inquiry. If a complaint is found admissible, the EDPS will carry out an inquiry to the extent which he finds appropriate. The decision is sent to the complainant as well as to the controller who is responsible for the processing of data. The supervisory powers of the EDPS are broad; ranging from simply giving advice to data subjects through warning or admonishing the controller (Article 47 of Regulation (EC) No 45/2001), to imposing a ban on the processing or referring the matter to the Court of Justice.
In all phases of the handling of a complaint, the EDPS strictly complies with the principles of proportionality and reasonability. The EDPS undertakes all actions necessary for the handling of a complaint in a selective manner, using the available resources according to the criteria of adequacy and good administration, whilst at the same time considering the other tasks performed by the EDPS as well as budgetary constraints.
Therefore, the EDPS, guided by principles of transparency and non discrimination undertakes appropriate actions taking into account:
At the initial stage of examination, the EDPS will verify whether there are sufficient grounds for an inquiry. A complaint that addresses facts which are manifestly insignificant, or issues the investigation of which would require disproportionate efforts, will not be further investigated. The initial examination includes an analysis of which other options are available to deal with the issue, either by you or the EDPS. In these cases you will be informed about such other means of action. In the absence of any kind of correspondence from the EDPS to the complainant within six months of receiving the complaint, the complaint is deemed as rejected, in accordance with Article 34(3) of the EDPS Rules of Procedure.
In order to ensure the consistent treatment of complaints concerning data protection and to avoid unnecessary duplication, the European Ombudsman and the EDPS have signed a Memorandum of Understanding. Among other things, it stipulates that a complaint that has already been brought forward should not be reopened by the other institution unless significant new evidence is submitted.
> Can the EDPS decision be challenged?
Any interested party can ask for a review by the EDPS of his decision within one month of the decision date. Concerned parties may also appeal directly against the decision to the Court of Justice.
Important security information
The EDPS is committed to ensure high level of security for the information communicated to us. In particular the on-line complaints submission form uses Hypertext Transfer Protocol Secure (HTTPS) to secure the communication over the internet network. However, please be aware that communication by internet, including email, is not fully secure and information transferred can be potentially intercepted and accessed by persons external to the EDPS. Please also note that the EDPS IT infrastructure is managed by the European Parliament and is subject to security measures of the European Parliament, which are implemented by the Parliament independently of the EDPS and over which the EDPS has no control.
GDPR requires DPOs: EU institutions leading by example. Read the latest blogpost by Wojciech Wiewiórowski.
Counterterrorism and Data Privacy: A European Perspective. Read the speech by Giovanni Buttarelli given at to the symposium on Governing Intelligence: Transnational Approaches to Oversight and Security, hosted by the Center on Law and Security and the Woodrow Wilson International Center for Scholars.
Ethics at the Root of Privacy and as the Future of Data Protection. Read the address by Giovanni Buttarelli given at event hosted by Berkman Center for Internet and Society at Harvard University and the MIT Internet Policy Initiative and the MIT Media Lab.
On 16 June 2016 the EDPS will meet the civil society organisations to discuss the state of data protection and privacy in the EU. Read more and sign up here!
Privacy: The Competitive Advantage, Speech by Wojciech Wiewiórowski, London, UK
Conference on General Data Protection Regulation, Speech by Giovanni Buttarelli (via video), Copenhagen, Denmark
39th DPO meeting hosted by Eurofound, Introductory speech by Wojciech Wiewiórowski, Dublin, Ireland
European Data Protection Days, Keynote by Giovanni Buttarelli on Enduring values and sustainable solutions: The GDPR as a catalyst for individual digital rights across the globe and participation in a discussion on Chances, challenges and the latest developments in international data protection, Berlin, Germany
Intelligence Oversight Conference, New York University School of Law, Speech by Giovanni Buttarelli, New York, USA
Giovanni Buttarelli visits the Congress, Washington, D.C., USA
10th Annual Digital Regulation Forum, Policies for the Digital Single Market; an Evolution or a Revolution?, Interactive Panel Discussion: How does the emergence of online platforms affect the Digital Single Market?, Speech by Wojciech Wiewiórowski, London, UK
Annual Congress of Italian DPOs (ASSO), Speech by Giovanni Buttarelli (via video), Milan, Italy