Accessibility Tools




> Who can complain to the EDPS?

Anyone who considers that their rights have been infringed when a European Union institution or body has processed data relating to them can lodge a complaint with the EDPS. Staff members of these institutions and bodies can lodge a complaint without acting through official channels.

> How a complaint can be submitted to the EDPS?

A complaint can be lodged with the EDPS using the complaint submission form . This form can be completed electronically. Please ensure that all relevant information is included in the complaint form. To help avoid unnecessary delay please attach any evidence supporting your allegations (email exchanges, letters, screen prints, etc.).

Before lodging the complaint please be aware of the following:

  • The processing of personal data carried out in the EU by national authorities or private entities fall outside the competence of the EDPS. The EDPS is not an appeal authority against the decisions of the national Data Protection Authorities. The EDPS is only competent to deal with complaints against EU institutions and bodies.
  • A complaint can only relate to the processing of personal data. The EDPS is not competent to deal with cases of general maladministration, to modify the content of the documents that you want to challenge or to grant financial compensation for damages. In particular, complaints aiming to use the EDPS to review or to annul individual decisions of the EU administration not related to the processing of personal data are not admissible. In such cases you should contact either the European Ombudsman or the competent Court.
  • Complainants are recommended to contact the EDPS only after having first contacted the controller and/or the Data Protection Officer (DPO) of the institution or body concerned. However, complaints can also be lodged directly with the EDPS if this is deemed necessary.
  • You can only complain about an alleged violation of your rights related to the protection of your personal data. Only EU staff can complain about an alleged violation whether the complainant is directly concerned by the processing of the data or not.
  • Your complaint will be treated confidentially but please see the note under question 8 of the form for further details.

The Q&A section of the website has been developed to include frequently asked questions to the EDPS, which may also be of interest before lodging a complaint.

> How does the EDPS deal with complaints?

Each complaint received by the EDPS is examined. The preliminary examination of the complaint is specifically designed to verify whether a complaint fulfils the conditions for further inquiry, including whether there are sufficient grounds for an inquiry. If a complaint is found admissible, the EDPS will carry out an inquiry to the extent which he finds appropriate. The decision is sent to the complainant as well as to the controller who is responsible for the processing of data. The supervisory powers of the EDPS are broad; ranging from simply giving advice to data subjects through warning or admonishing the controller (Article 47 of Regulation (EC) No 45/2001), to imposing a ban on the processing or referring the matter to the Court of Justice.

In all phases of the handling of a complaint, the EDPS strictly complies with the principles of proportionality and reasonability. The EDPS undertakes all actions necessary for the handling of a complaint in a selective manner, using the available resources according to the criteria of adequacy and good administration, whilst at the same time considering the other tasks performed by the EDPS as well as budgetary constraints.
Therefore, the EDPS, guided by principles of transparency and non discrimination undertakes appropriate actions taking into account:

  • the nature and gravity of the alleged breach of data protection rules;
  • the importance of the prejudice that one or more data subjects have or may have suffered as result of the violation;
  • the potential overall importance of the case, also in relation to the other public and/or private interests involved;
  • the likelihood of establishing that the infringement has occurred;
  • the exact date when events happened, any conduct which is no longer yielding effects, the removal of these effects or an appropriate guarantee of such a removal.

At the initial stage of examination, the EDPS will verify whether there are sufficient grounds for an inquiry. A complaint that addresses facts which are manifestly insignificant, or issues the investigation of which would require disproportionate efforts, will not be further investigated. The initial examination includes an analysis of which other options are available to deal with the issue, either by you or the EDPS. In these cases you will be informed about such other means of action. In the absence of any kind of correspondence from the EDPS to the complainant within six months of receiving the complaint, the complaint is deemed as rejected, in accordance with Article 34(3) of the EDPS Rules of Procedure.

In order to ensure the consistent treatment of complaints concerning data protection and to avoid unnecessary duplication, the European Ombudsman and the EDPS have signed a Memorandum of Understanding. Among other things, it stipulates that a complaint that has already been brought forward should not be reopened by the other institution unless significant new evidence is submitted.

> Can the EDPS decision be challenged?

Any interested party can ask for a review by the EDPS of his decision within one month of the decision date. Concerned parties may also appeal directly against the decision to the Court of Justice.

Important security information  

The EDPS is committed to ensure high level of security for the information communicated to us. In particular the on-line complaints submission form uses Hypertext Transfer Protocol Secure (HTTPS) to secure the communication over the internet network. However, please be aware that communication by internet, including email, is not fully secure and information transferred can be potentially intercepted and accessed by persons external to the EDPS. Please also note that the EDPS IT infrastructure is managed by the European Parliament and is subject to security measures of the European Parliament, which are implemented by the Parliament independently of the EDPS and over which the EDPS has no control.

  • 26 May 2016

    Time for Europe's data protection authorities to raise their game. Read the new blog post by Giovanni Buttarelli.

  • 24 May 2016

    Data protection for the digital generation: the countdown to the GDPR begins. Read the EDPS Annual Report 2015 and the press release.

  • 23 May 2016

    To celebrate Europe Day, the EU institutions will hold the annual EU Open Day on 28 May 2016. The EDPS stand will be located on the first floor of the European Parliament, so make sure you pass by and check out our fun and interactive activities! More information about EU Open Day and the EDPS stand can be found on the EDPS Events page.

  • 20 May 2016

    Key Challenges for Privacy in the Digital Age. Read the speech by Giovanni Buttarelli given at Europol - EIPA conference on Privacy in the Digital Age of Encryption and Anonymity Online.

  • 19 May 2016

    New Regulation boosts the roles of EDPS and Europol. Read the press release.

  • 26 May 2016

    Spring Conference, Participation and keynote speech by Giovanni Buttarelli, Budapest, Hungary

  • 26 May 2016

    Spring Conference, Participation and speech by Wojciech Wiewiórowski on GDPR – what next? Practical implications for national legislators, DPAs, data controllers, Budapest, Hungary

  • 25 May 2016

    Wojciech Wiewiórowski visits the European Institute of Innovation and Technology, Budapest, Hungary

  • 25 May 2016

    General Data Protection Regulation and Startups, Speech by Giovanni Buttarelli, European Parliament, Brussels, Belgium

  • 25 May 2016

    AmCham EU’s Plenary Meeting, Keynote speech by Giovanni Buttarelli, Brussels, Belgium

  • 24 May 2016

    Giovanni Buttarelli presents the EDPS Annual Report 2015 to the LIBE Committee, European Parliament, Brussels, Belgium

  • 23 May 2016

    Association of Corporate Counsel Annual Conference, Giovanni Buttarelli gives a keynote speech on EU Data Protection Regulation, Rome, Italy

  • 23 May 2016

    Cyber 2016: Evolving Threats, Security Developments and Improving Cooperation, Chatham House Cyber Conference, Speech and panel discussion by Wojciech Wiewiórowski on Data Protection, Privacy and National Security, London, UK