regulatory-complaints

Responding to Regulatory Complaints

Overview

Under GDPR Article 77, data subjects have the right to lodge a complaint with a supervisory authority (Data Protection Authority / DPA) if they consider that the processing of their personal data infringes the GDPR. When a DPA receives a complaint and contacts the controller, the controller must respond promptly, cooperate fully, and demonstrate compliance. This skill provides the operational procedure for managing regulatory complaints from receipt through resolution.

Legal Foundation

GDPR Article 77 — Right to Lodge a Complaint

Every data subject has the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, place of work, or place of the alleged infringement, if the data subject considers that the processing of personal data relating to them infringes the GDPR.

GDPR Article 31 — Cooperation with the Supervisory Authority

The controller and the processor, and where applicable the controller's or the processor's representative, shall cooperate, on request, with the supervisory authority in the performance of its tasks.

GDPR Article 58 — Powers of Supervisory Authorities

Supervisory authorities have investigative powers (Art. 58(1)), corrective powers (Art. 58(2)), and authorisation and advisory powers (Art. 58(3)), including the power to:

• Order the controller to provide information (Art. 58(1)(a))
• Carry out investigations in the form of data protection audits (Art. 58(1)(b))
• Issue warnings, reprimands, and orders (Art. 58(2)(a)-(d))
• Impose administrative fines (Art. 58(2)(i) and Art. 83)

GDPR Article 78 — Right to an Effective Judicial Remedy Against a Supervisory Authority

Data subjects (and controllers) have the right to an effective judicial remedy against legally binding decisions of a supervisory authority.

Regulatory Complaint Response Workflow

Step 1: Receive and Log the Complaint

1. Log the complaint with reference REG-YYYY-NNNN.
2. Record:
   • Supervisory authority (e.g., ICO, CNIL, BfDI, DPC)
   • DPA reference number
   • Date of DPA correspondence
   • Complainant identity (if disclosed by the DPA)
   • Summary of the complaint allegations
   • DPA's specific requests or questions
   • Response deadline set by the DPA
3. Immediately notify the Data Protection Officer.
4. Escalate to the General Counsel if the complaint involves potential enforcement action or fines.

Step 2: Internal Escalation

Complaint Severity	Escalation Level	Response Lead	Timeline
Routine (individual rights exercise issue)	DPO	Privacy Analyst	DPA deadline (typically 28 days)
Significant (systemic compliance issue)	DPO + General Counsel	DPO	DPA deadline, with internal briefing within 48 hours
Critical (potential enforcement/fine)	DPO + General Counsel + CEO	DPO + External Counsel	DPA deadline, with board notification within 24 hours

Step 3: Internal Investigation

1. Review the complaint allegations against internal records:
   • DSAR/rights request register (was the request handled correctly?)
   • Processing records (Art. 30 register)
   • Consent records
   • Data breach register
   • Privacy impact assessments
2. Interview relevant staff members and document their accounts.
3. Collect all supporting evidence (emails, system logs, decision records).
4. Identify any compliance gaps or procedural failures.
5. Assess whether the complaint is substantiated, partially substantiated, or unsubstantiated.

Step 4: Prepare the Response

The DPA response must be:

• Factual: Address each specific allegation or question raised by the DPA.
• Evidenced: Attach supporting documentation.
• Cooperative: Demonstrate willingness to engage per Art. 31.
• Proportionate: Address the complaint scope without volunteering unrelated issues.

Response Structure

1. Acknowledgement: Confirm receipt of the DPA's correspondence, cite the DPA reference number.
2. Background: Provide a brief factual overview of the processing activity and the controller's relationship with the complainant.
3. Response to each allegation: Address each point raised by the DPA with facts and evidence.
4. Compliance evidence: Attach relevant documentation (privacy notice, consent records, DSAR response copies, DPIAs, processing records).
5. Remediation: If any issue is identified, describe the remediation steps taken or planned, with timelines.
6. Cooperation: Confirm willingness to provide any further information the DPA requires.

Step 5: DPO Review and Approval

1. The DPO reviews the draft response for accuracy and completeness.
2. If the complaint involves potential enforcement, external legal counsel reviews the response.
3. Obtain sign-off from the appropriate authority level per Step 2.
4. Submit the response to the DPA before the deadline.

Step 6: Remediation Tracking

If the investigation identifies compliance gaps:

1. Create remediation actions with:
   • Description of the gap
   • Root cause analysis
   • Corrective action
   • Owner (name and role)
   • Target completion date
   • Verification method
2. Track remediation in the compliance action tracker.
3. Report progress to the DPO monthly until all actions are closed.
4. Include remediation status in the next DPA communication if the DPA follows up.

Step 7: DPA Decision and Follow-Up

DPA Outcome	Controller Action
Complaint dismissed / no further action	File and close. Update complaint register.
Informal resolution recommended	Implement DPA's recommendations. Confirm completion to DPA.
Formal reprimand issued (Art. 58(2)(b))	Record on compliance register. Implement required changes. Report to board.
Order to comply issued (Art. 58(2)(c)-(g))	Implement the order within the specified timeframe. Confirm compliance to DPA.
Administrative fine imposed (Art. 83)	Engage external legal counsel. Assess appeal options (Art. 78). Pay or appeal within deadline.
Investigation initiated	Cooperate fully. Appoint response team. Preserve all relevant records.

Step 8: Close and Record

1. Update the complaint register with the final outcome.
2. Record any lessons learned.
3. Feed findings into the compliance improvement programme.
4. Retain all complaint documentation for 6 years from the date of the DPA's final decision.
5. Report complaint outcomes in the annual privacy compliance report to the board.

DPA-Specific Response Requirements

ICO (United Kingdom)

• The ICO typically sends a preliminary enquiry letter requesting the controller's account of events.
• Standard response timeframe: 28 calendar days.
• Correspondence via the ICO's online case management portal or email.
• The ICO may request a formal response under section 142 of the Data Protection Act 2018 (assessment notice).

CNIL (France)

• Initial questionnaire or formal mise en demeure.
• Response timeframe specified in the correspondence (typically 1-3 months).
• Formal responses must be in French.

DPC (Ireland)

• Relevant for organisations with main establishment in Ireland (one-stop-shop mechanism under Art. 56).
• Response timeframe specified in the correspondence.