

Our IT services are undergoing scheduled maintenance from 12 to 15 August 2016. Please note that, for technical reasons, we cannot guarantee that the complaints and annexed files submitted during this period will reach us - despite a possible acknowledgement of receipt. Should you not receive any acknowledgement of receipt within 10 working days from submitting your complaint, please do let us know.



> Who can complain to the EDPS?

Anyone who considers that their rights have been infringed when a European Union institution or body has processed data relating to them can lodge a complaint with the EDPS. Staff members of these institutions and bodies can lodge a complaint without acting through official channels.

> How can a complaint be submitted to the EDPS?

A complaint can be lodged with the EDPS using the complaint submission form. This form can be completed electronically. Please ensure that all relevant information is included in the complaint form. To help avoid unnecessary delay, please attach any evidence supporting your allegations (email exchanges, letters, screen prints, etc.).

Before lodging the complaint please be aware of the following:

  • The processing of personal data carried out in the EU by national authorities or private entities falls outside the competence of the EDPS. The EDPS is not an appeal authority against the decisions of the national Data Protection Authorities. The EDPS is only competent to deal with complaints against EU institutions and bodies.
  • A complaint can only relate to the processing of personal data. The EDPS is not competent to deal with cases of general maladministration, to modify the content of the documents that you want to challenge or to grant financial compensation for damages. In particular, complaints aiming to use the EDPS to review or to annul individual decisions of the EU administration not related to the processing of personal data are not admissible. In such cases you should contact either the European Ombudsman or the competent Court.
  • Complainants are recommended to contact the EDPS only after having first contacted the controller and/or the Data Protection Officer (DPO) of the institution or body concerned. However, complaints can also be lodged directly with the EDPS if this is deemed necessary.
  • You can only complain about an alleged violation of your rights related to the protection of your personal data. Only EU staff can complain about an alleged violation whether the complainant is directly concerned by the processing of the data or not.
  • Your complaint will be treated confidentially but please see the note under question 8 of the form for further details.

The Q&A section of the website has been developed to include frequently asked questions to the EDPS, which may also be of interest before lodging a complaint.

> How does the EDPS deal with complaints?

Each complaint received by the EDPS is examined. The preliminary examination of the complaint is specifically designed to verify whether a complaint fulfils the conditions for further inquiry, including whether there are sufficient grounds for an inquiry. If a complaint is found admissible, the EDPS will carry out an inquiry to the extent which he finds appropriate. The decision is sent to the complainant as well as to the controller who is responsible for the processing of data. The supervisory powers of the EDPS are broad, ranging from simply giving advice to data subjects through warning or admonishing the controller (Article 47 of Regulation (EC) No 45/2001), to imposing a ban on the processing or referring the matter to the Court of Justice.

In all phases of the handling of a complaint, the EDPS strictly complies with the principles of proportionality and reasonability. The EDPS undertakes all actions necessary for the handling of a complaint in a selective manner, using the available resources according to the criteria of adequacy and good administration, whilst at the same time considering the other tasks performed by the EDPS as well as budgetary constraints.
Therefore, the EDPS, guided by principles of transparency and non-discrimination, undertakes appropriate actions taking into account:

  • the nature and gravity of the alleged breach of data protection rules;
  • the importance of the prejudice that one or more data subjects have or may have suffered as a result of the violation;
  • the potential overall importance of the case, also in relation to the other public and/or private interests involved;
  • the likelihood of establishing that the infringement has occurred;
  • the exact date when events happened, any conduct which is no longer yielding effects, the removal of these effects or an appropriate guarantee of such a removal.

At the initial stage of examination, the EDPS will verify whether there are sufficient grounds for an inquiry. A complaint that addresses facts which are manifestly insignificant, or issues the investigation of which would require disproportionate efforts, will not be further investigated. The initial examination includes an analysis of which other options are available to deal with the issue, either by you or the EDPS. In these cases you will be informed about such other means of action. In the absence of any kind of correspondence from the EDPS to the complainant within six months of receiving the complaint, the complaint is deemed as rejected, in accordance with Article 34(3) of the EDPS Rules of Procedure.

In order to ensure the consistent treatment of complaints concerning data protection and to avoid unnecessary duplication, the European Ombudsman and the EDPS have signed a Memorandum of Understanding. Among other things, it stipulates that a complaint that has already been brought forward should not be reopened by the other institution unless significant new evidence is submitted.

> Can the EDPS decision be challenged?

Any interested party can ask for a review by the EDPS of his decision within one month of the decision date. Concerned parties may also appeal directly against the decision to the Court of Justice.

Important security information  

The EDPS is committed to ensuring a high level of security for the information communicated to us. In particular, the on-line complaints submission form uses Hypertext Transfer Protocol Secure (HTTPS) to secure the communication over the internet. However, please be aware that communication by internet, including email, is not fully secure and information transferred can potentially be intercepted and accessed by persons external to the EDPS. Please also note that the EDPS IT infrastructure is managed by the European Parliament and is subject to security measures of the European Parliament, which are implemented by the Parliament independently of the EDPS and over which the EDPS has no control.

  • 17 August 2016

    The EDPS, in collaboration with European consumer organisation BEUC, is hosting a joint conference on Big Data: individual rights and smart enforcement. The conference will take place in Brussels on 29 September 2016. For more information on the conference and how to register, visit the EDPS Events page.

  • 25 July 2016

    ePrivacy rules should be smarter, clearer, stronger. Read the EDPS opinion and the press release.

  • 18 July 2016

    Data protection and Whistleblowing in the EU Institutions. Please read the EDPS guidelines and the press release.

  • 15 July 2016

    The EDPS’ free app, EU Data Protection, has been updated! You can now consult the texts of General Data Protection Regulation (REG) 2016/679 and the Directive 2016/680 for the police and criminal justice sector alongside the texts they replace.

  • 26 July 2016

    Fablab on GDPR, Participation of Wojciech Wiewiórowski and Giovanni Buttarelli, Brussels, Belgium

  • 25 July 2016

    Extraordinary Plenary Session of the Article 29 Working Party, Participation of Giovanni Buttarelli, Brussels, Belgium

  • 21 July 2016

    45th Asia Pacific Privacy Authorities Forum, Participation and speeches of Giovanni Buttarelli on Update on EU GDPR and Calibrating Privacy Principles to a Big Data and Digital Society, Singapore

  • 14 July 2016

    Launch of EU Data Protection Whitepaper, British Chamber of Commerce in Denmark, Keynote speech by Giovanni Buttarelli, Brussels, Belgium

  • 07 July 2016

    Marketing and profiling in the European Union, participation and speeches by Giovanni Buttarelli and Wojciech Wiewiórowski, Brussels, Belgium

  • 06 July 2016

    Privacy Laws & Business Annual International Conference, Wojciech Wiewiórowski in panels on Privacy terms and conditions and How data protection rules should be enforced in tandem with competition and consumer policy, Cambridge, UK

  • 06 July 2016

    Confindustria Radio Televisioni General Assembly 2016, Giovanni Buttarelli in a panel on Authority, Markets and Rights, Rome, Italy

  • 30 June 2016

    Reframing Data Transparency, Wojciech Wiewiórowski in a Roundtable Discussion organised by the Centre for Information Policy Leadership and Telefónica, London, UK