Editing Article 77 GDPR

From GDPRhub

Warning: You are not logged in. Your IP address will be publicly visible if you make any edits. If you log in or create an account, your edits will be attributed to your username, along with other benefits.

The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then save the changes below to finish undoing the edit.

Latest revision Your text
Line 209: Line 209:
 
Many DPAs provide forms that ensure that a complainant includes all relevant information as suggested in the last sentence of Recital 141 GDPR.
 
Many DPAs provide forms that ensure that a complainant includes all relevant information as suggested in the last sentence of Recital 141 GDPR.
  
=== Right to a formal complaint ===
+
=== 1. Right to a formal complaint ===
  
==== Requirements ====
+
==== 1.1 Requirements ====
 
Article 77(1) GDPR only has two requirements: (1) A data subject must consider that (2) his or her personal data has been processed in violation of GDPR.
 
Article 77(1) GDPR only has two requirements: (1) A data subject must consider that (2) his or her personal data has been processed in violation of GDPR.
  
===== Data subject =====
+
===== 1.1.1. Data subject =====
 
The complainant must be a data subject within the meaning of Article 4(1) GDPR, i.e. an identified or identifiable natural person.
 
The complainant must be a data subject within the meaning of Article 4(1) GDPR, i.e. an identified or identifiable natural person.
  
 
As only an investigation of the facts can determine if the data of the complainant has actually been processed, the complainant must de facto only allege that he or she qualifies as a data subject. This is especially relevant in cases where the complainant is not even capable of assessing his or her status as a data subject – e.g. when a controller has simply ignored an access request under Article 15 GDPR and the complainant has no knowledge on whether the controller actually processes his or her personal data.
 
As only an investigation of the facts can determine if the data of the complainant has actually been processed, the complainant must de facto only allege that he or she qualifies as a data subject. This is especially relevant in cases where the complainant is not even capable of assessing his or her status as a data subject – e.g. when a controller has simply ignored an access request under Article 15 GDPR and the complainant has no knowledge on whether the controller actually processes his or her personal data.
  
===== Alleged infringement =====
+
===== 1.1.2. Alleged infringement =====
 
The data subject must at least allege that his or her data is processed in violation of the GDPR. The letter of the law requires that the processing of personal data relating to the data subject infringe the GDPR.  
 
The data subject must at least allege that his or her data is processed in violation of the GDPR. The letter of the law requires that the processing of personal data relating to the data subject infringe the GDPR.  
  
Line 240: Line 240:
 
* the provisions on data transfers to a third countries or international organisations under Chapter V of the GDPR (Article 44 et seqq. GDPR).
 
* the provisions on data transfers to a third countries or international organisations under Chapter V of the GDPR (Article 44 et seqq. GDPR).
  
==== Jurisdiction for filing the case ====
+
==== 1.2. Jurisdiction for filing the case ====
  
===== A(ny) DPA =====
+
===== 1.2.1. A(ny) DPA =====
 
The GDPR only requires that a supervisory authority (DPA) is addressed by the complaint. This general rule is only limited by a non-exhaustive list of possible DPAs. This means that a complainant may file a complaint with any DPA in the EEA, independent of location.<ref>Kühling/Buchner/Bergt GDPR Art. 77 margin number 9.</ref>
 
The GDPR only requires that a supervisory authority (DPA) is addressed by the complaint. This general rule is only limited by a non-exhaustive list of possible DPAs. This means that a complainant may file a complaint with any DPA in the EEA, independent of location.<ref>Kühling/Buchner/Bergt GDPR Art. 77 margin number 9.</ref>
  
===== Habitual residence =====
+
===== 1.2.2. Habitual residence =====
 
The most common place to lodge a complaint is the home jurisdiction of the complainant. The habitual residence is defined in different EU laws and requires a legal right to residence and an objective assessment of the factual residence. Especially in cross border cases, data subjects might want to choose to lodge complaints at the place of their habitual residence, at this allows for the data subject to file the complaint in (one of) the official languages of the relevant Member State, rather than the official language of the Member State that the controller is based in.  
 
The most common place to lodge a complaint is the home jurisdiction of the complainant. The habitual residence is defined in different EU laws and requires a legal right to residence and an objective assessment of the factual residence. Especially in cross border cases, data subjects might want to choose to lodge complaints at the place of their habitual residence, at this allows for the data subject to file the complaint in (one of) the official languages of the relevant Member State, rather than the official language of the Member State that the controller is based in.  
  
===== Place of work =====
+
===== 1.2.3. Place of work =====
 
Similar to the habitual residence, complainants can lodge a complaint at their work place. It is not required that the complaint has any connection to the place of work.
 
Similar to the habitual residence, complainants can lodge a complaint at their work place. It is not required that the complaint has any connection to the place of work.
  
===== Place of alleged infringement =====
+
===== 1.2.4. Place of alleged infringement =====
 
The complaint can be lodged at the place of the alleged infringement. This clause is a typical form of jurisdiction that is aimed at aligning location of the decision maker with the location of facts.<blockquote><u>Example:</u> The DPA that is close to a CCTV camera may be best placed to gather factual evidence on the CCTV system, without the need to request mutual assistance from other DPAs.</blockquote>
 
The complaint can be lodged at the place of the alleged infringement. This clause is a typical form of jurisdiction that is aimed at aligning location of the decision maker with the location of facts.<blockquote><u>Example:</u> The DPA that is close to a CCTV camera may be best placed to gather factual evidence on the CCTV system, without the need to request mutual assistance from other DPAs.</blockquote>
  
===== Cross country cases =====
+
===== 1.2.5. Cross country cases =====
 
The option to lodge a case with any DPA does not mean that the DPA with which the case has been lodged necessarily decides about the case. Which DPA actually handles the case is subject to Article 55 and 56 GDPR. In any case the DPA with which the complaint has been lodged remains a “supervisory authority concerned” under Article 4(22)(c) GDPR and the point of contact for the data subject (“one stop shop”).  
 
The option to lodge a case with any DPA does not mean that the DPA with which the case has been lodged necessarily decides about the case. Which DPA actually handles the case is subject to Article 55 and 56 GDPR. In any case the DPA with which the complaint has been lodged remains a “supervisory authority concerned” under Article 4(22)(c) GDPR and the point of contact for the data subject (“one stop shop”).  
  
=== Duty to inform the data subject ===
+
=== 2. Duty to inform the data subject ===
  
==== Progress and outcome ====
+
==== 2.1. Progress and outcome ====
 
Under Article 77(2) GDPR “''the supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78.''” This provision only addresses the DPA with which the complaint has been lodged but not the DPA ultimately handling the case under Article 55 and 56 GDPR (which might be the same or a different DPA).
 
Under Article 77(2) GDPR “''the supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78.''” This provision only addresses the DPA with which the complaint has been lodged but not the DPA ultimately handling the case under Article 55 and 56 GDPR (which might be the same or a different DPA).
  
 
The DPA’s report on the progress must include information on the possibility for a judicial remedy under Article 78(2) GDPR, its report on the outcome should contain information on the possibility for a judicial remedy under Article 78(1) GDPR.
 
The DPA’s report on the progress must include information on the possibility for a judicial remedy under Article 78(2) GDPR, its report on the outcome should contain information on the possibility for a judicial remedy under Article 78(1) GDPR.
  
==== Timeline and frequency of information ====
+
==== 2.2. Timeline and frequency of information ====
 
Article 77(2) does not stipulate a deadline by which the data subject has to be initially informed about the progress of the complaint, nor does it contain rules on the frequency of such “progress reports”. Read in connection with Article 57(1)(f) GDPR (“[…] ''inform the complainant of the progress and the outcome of the investigation within a reasonable period,'' […]”) , the DPA must inform the data subject within a reasonable period.
 
Article 77(2) does not stipulate a deadline by which the data subject has to be initially informed about the progress of the complaint, nor does it contain rules on the frequency of such “progress reports”. Read in connection with Article 57(1)(f) GDPR (“[…] ''inform the complainant of the progress and the outcome of the investigation within a reasonable period,'' […]”) , the DPA must inform the data subject within a reasonable period.
  

Please note that all contributions to GDPRhub are considered to be released under the Creative Commons Attribution-NonCommercial-ShareAlike (see GDPRhub:Copyrights for details). If you do not want your writing to be edited mercilessly and redistributed at will, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource. Do not submit copyrighted work without permission!

To edit this page, please answer the question that appears below (more info):

Cancel Editing help (opens in new window)