File a GDPR or Data Protection Complaint

Data protection complaints have surged since the GDPR came into effect in 2018, giving individuals powerful rights over their personal data. The GDPR (and UK GDPR post-Brexit) grants rights including access to your data (Article 15), rectification (Article 16), erasure or right to be forgotten (Article 17), restriction of processing (Article 18), data portability (Article 20), and the right to object (Article 21). When organizations violate these rights, you can file a complaint with your national data protection authority (DPA). In the UK, the ICO handles complaints. In Germany, each Bundesland has a Landesdatenschutzbeauftragter. In France, the CNIL is the supervisory authority. In Poland, the UODO (Prezes Urzedu Ochrony Danych Osobowych) handles complaints. DPAs have the power to investigate, order compliance, and impose significant fines (up to 20 million EUR or 4% of global turnover). DocuGov.ai helps you generate a professional complaint letter.

Understanding your situation

An organization has violated your data protection rights and you want to file a formal complaint. Common data protection complaint scenarios:

  • Subject access request (SAR) ignored or refused: You submitted a request to access your personal data but the organization did not respond within the statutory timeframe (1 month under GDPR) or refused without valid grounds.
  • Data breach affecting your personal data: An organization suffered a data breach that exposed your personal information (financial data, health records, passwords, identity documents). You want to ensure proper notification and remediation.
  • Unlawful data processing: An organization is processing your personal data without a valid legal basis (consent, contract, legitimate interest, legal obligation). This includes selling your data to third parties without consent.
  • Right to erasure refused: You requested deletion of your personal data (right to be forgotten) but the organization refused without valid grounds or continued to process your data after the request.
  • Unwanted direct marketing: You are receiving marketing communications (email, phone, SMS, post) despite not consenting or after withdrawing consent or registering with a preference service (TPS in UK, Robinson-Liste in DE).
  • Consent not properly obtained: An organization claims consent as its legal basis for processing, but consent was not freely given, specific, informed, or unambiguous as required by Article 7 GDPR.
  • Data shared with third parties without authorization: Your personal data was shared with third parties (employers, insurers, credit agencies, marketing companies) without your knowledge or consent.
  • Inaccurate data not corrected: You requested correction of inaccurate personal data but the organization has not complied.
  • Automated decision-making without safeguards: Decisions significantly affecting you were made solely by automated processing (including profiling) without the required human review or safeguards under Article 22.

What you need to prepare

  • Details of the organization that violated your rights (name, address, data protection officer contact)
  • Description of the personal data involved and the violation
  • Copies of your original request to the organization (SAR, erasure request, etc.) with proof of delivery
  • The organization's response (or evidence of non-response after the statutory deadline)
  • Evidence of the violation (marketing emails, data breach notification, screenshots)
  • Timeline of events (when you submitted requests, when deadlines passed, when violations occurred)
  • Any reference numbers or case numbers from correspondence with the organization
  • Evidence of harm or distress caused by the violation
  • Records of any previous complaints to the organization's DPO

Deadline

GDPR: Organizations must respond to SARs within 1 month. DPA complaints: No strict deadline but act promptly. UK ICO: No formal deadline but recommends complaining within 3 months of the last meaningful response from the organization. Germany: No formal deadline. France: CNIL complaint at any time. File your complaint after giving the organization a reasonable opportunity to respond (typically 1 month).

🏛️ Authority

ICO (UK), CNIL (FR), Landesdatenschutzbeauftragter (DE), UODO (PL), Agencia Espanola de Proteccion de Datos (ES), national DPA of the country where the organization is based or where you reside

⚖️ Legal basis

EU: GDPR (Regulation 2016/679), particularly Articles 12-22 (data subject rights), Article 77 (right to lodge a complaint). UK: UK GDPR, Data Protection Act 2018. Germany: BDSG. France: Loi Informatique et Libertes. Poland: ustawa o ochronie danych osobowych.

Expert tips

  1. Always complain to the organization first and give them the statutory period (1 month) to respond before escalating to the DPA. Most DPAs require evidence that you tried to resolve the issue directly.
  2. Be specific in your complaint: identify the exact right that was violated, the date of your request, the deadline that passed, and what the organization did or failed to do.
  3. For subject access requests, send your request in writing with proof of identity. Cite GDPR Article 15 specifically. The organization must respond within 1 month.
  4. For unwanted marketing, withdraw your consent in writing and cite Article 21 GDPR (right to object to direct marketing). The organization must stop processing immediately, with no exceptions.
  5. For data breaches, check whether the organization notified you as required. Under Article 34 GDPR, organizations must notify affected individuals of high-risk breaches without undue delay.
  6. Document the harm caused by the violation: financial loss, emotional distress, time spent, identity theft risk. This supports both your DPA complaint and any potential compensation claim.
  7. You can file a complaint with the DPA of the country where you reside, where you work, or where the alleged violation took place. Choose the most convenient for you.
  8. Consider whether you also have a right to compensation under Article 82 GDPR. Compensation claims can be pursued through the courts independently of the DPA complaint.
  9. For organizations based outside the EU/UK, check whether they have a designated EU representative under Article 27 GDPR. If not, this is an additional violation.
  10. Use the DPA's online complaint form if available (ICO, CNIL, UODO all have online portals). This ensures your complaint is properly logged and tracked.
