Article 77 GDPR: Difference between revisions

From GDPRhub
 
(38 intermediate revisions by 8 users not shown)
Line 185: Line 185:


== Legal Text ==
== Legal Text ==
<br /><center>'''Article 77 - Right to lodge a complaint with a supervisory authority'''</center><br />
<br /><center>'''Article 77 - Right to lodge a complaint with a supervisory authority'''</center>


<span id="1">1.  Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.</span>
<span id="1">1.  Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.</span>
Line 192: Line 192:


== Relevant Recitals==
== Relevant Recitals==
<span id="r141">
{{Recital/141 GDPR}}
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><div>'''Recital 141:''' Right to lodge a complaint - Article 77(1)</div>
<div class="mw-collapsible-content">
Every data subject should have the right to lodge a complaint with a single supervisory authority, in particular in the Member State of his or her habitual residence, and the right to an effective judicial remedy in accordance with Article 47 of the Charter if the data subject considers that his or her rights under this Regulation are infringed or where the supervisory authority does not act on a complaint, partially or wholly rejects or dismisses a complaint or does not act where such action is necessary to protect the rights of the data subject. The investigation following a complaint should be carried out, subject to judicial review, to the extent that is appropriate in the specific case. The supervisory authority should inform the data subject of the progress and the outcome of the complaint within a reasonable period. If the case requires further investigation or coordination with another supervisory authority, intermediate information should be given to the data subject. In order to facilitate the submission of complaints, each supervisory authority should take measures such as providing a complaint submission form which can also be completed electronically, without excluding other means of communication.
</div></div>


== Commentary ==
== Commentary ==
Article 77(1) GDPR stipulates the data subject’s right to lodge a complaint with a supervisory authority (“''SA''”) in case of GDPR violations. Article 77(2) GDPR places the SA with which the complaint has been lodged under an obligation to inform the complainant on the progress and the outcome of the complaint. Both Article 77(1) and (2) GDPR are directly applicable and do not require transposition into national law. However, the details of the complaints procedure are subject to Member State law, which must observe the requirements and objectives of the GDPR.<ref>''Bergt'', in Kühling, Buchner, DS-GVO BDSG, Article 77 GDPR, margin number 26 (C.H. Beck 2020, 3rd edition).  This includes that the lodging of a complaint and its handling by a SA shall be free of charge for the data subject ([[Article 57 GDPR|Article 57(3) GDPR]]).</ref> Many SAs provide forms that ensure that a complainant includes all relevant information as suggested in the last sentence of Recital 141 GDPR.
=== (1) Right to a formal complaint ===
Under Article 77(1) GDPR, every data subject shall have the right to lodge a complaint with a SA, in particular in the Member State of their habitual residence, place of work or place of the alleged infringement, if the data subject considers that the processing of personal data relating to them infringes the GDPR.


=== Overview ===
==== Without prejudice to any administrative or judicial remedy ====
Article 77'''(1)''' GDPR stipulates the data subject’s right to lodge a complaint with a DPA if the data subject suspects a GDPR violation regarding personal data relating to him or her; Article 77'''(2)''' GDPR places the DPA with which the complaint has been lodged under an obligation to inform the complainant on the progress and the outcome of the complaint.


Both Article 77(1) and (2) GDPR are directly applicable and do not require transposition into national law. However, the details of the complaints procedure are subject to Member State law, which must observe the requirements and objectives of the GDPR.<ref>Kühling/Buchner/Bergt GDPR Art. 77 margin number 26.</ref>
The right to file a complaint under Article 77(1) does not limit any other administrative or judicial remedies available. For instance, a data subject can still initiate legal proceedings against a controller or processor (as per Article 79 GDPR) irrespective of whether a complaint has been lodged with a supervisory authority, either concurrently or independently.<ref>''Pötters, Werkmeister'' in Gola, DS-GVO, Article 77 GDPR, margin number 4 (C.H. Beck 2022, 3rd edition).</ref> Lodging a complaint with a supervisory authority does not impact the eligibility or validity of other remedies.<blockquote><u>CJEU</u>: The CJEU has clarified in [[CJEU - C-132/21 - Nemzeti Adatvédelmi és Információszabadság Hatóság|C-132/21]] that "''Article 77(1), Article 78(1) and Article 79(1) of Regulation (EU) 2016/679 [...] must be interpreted as permitting the remedies provided for in Article 77(1) and Article 78(1) of that regulation, on the one hand, and Article 79(1) thereof, on the other, to be exercised concurrently with and independently of each other. It is for the Member States, in accordance with the principle of procedural autonomy, to lay down detailed rules as regards the relationship between those remedies in order to ensure the effective protection of the rights guaranteed by that regulation and the consistent and homogeneous application of its provisions, as well as the right to an effective remedy before a court or tribunal as referred to in Article 47 of the Charter of Fundamental Rights.''"<ref>CJEU - C-132/21 - Nemzeti Adatvédelmi és Információszabadság Hatóság (available [[CJEU - C-132/21 - Nemzeti Adatvédelmi és Információszabadság Hatóság|here]]).</ref></blockquote>The decision of whether to choose the complaint procedure or another remedy lies with the affected individual and may be influenced by practicality or efficiency aspects, in addition to legal considerations. Some of these aspects may be, legal costs, procedural expediency, the presence or absence of procedural rights including the right to be heard throughout the proceedings.


Under Article 57(3) GDPR, the lodging of a complaint and its handling by a DPA shall be free of charge for the data subject, which must be respected by the national procedural law.
==== The data subject shall have the right to lodge a complaint ====
The General Data Protection Regulation (GDPR) grants data subjects the right to file a "''complaint''" with a supervisory authority. Contrary to what some scholars argue, we do not believe that this right amounts to a mere "''petition''" to the authority, leaving it to act or not according to its own priorities.


Many DPAs provide forms that ensure that a complainant includes all relevant information as suggested in the last sentence of Recital 141 GDPR.
Beyond the literal wording (the law speaks of a "''complaint''" not a "''petition''"), there are several elements  suggesting that a complaint obliges the authority to take action and make a decision on the specific issues raised by the complainant.


=== Right to a formal complaint ===
To begin with, the protection of personal data is a fundamental right of the individual, and the right to a favorable decision through a complaint is one of the fundamental elements to ensure such protection. Scattered throughout the GDPR are numerous elements supporting this interpretation.


==== Requirements ====
To cite a few, Article 57(1)(f) requires that the supervisory authority "''handle complaints lodged by a data subject''," "''investigate, to the extent appropriate, the subject matter of the complaint''" and "''inform the complainant of the progress and the outcome of the investigation within a reasonable period.''" The letter of the law is clear. Once ''any'' complaint is received, the supervisory authority must take action to reach a decision, of any kind, even if it is ultimately a rejection.
Article 77(1) GDPR only has two requirements: (1) A data subject must consider that (2) his or her personal data has been processed in violation of GDPR.


===== Data subject =====
Article 60(9) GDPR points towards the same conclusion when it considers the possibility that "''parts''" of the complaint may be acted upon while others can be "''dismissed''." The complaint under Article 77 GDPR is not a mere "petition" that the supervisory authority can freely consider and manage at its discretion. Otherwise, the provisions of Article 78(1) and (2) of the GDPR would not make much sense. These articles guarantee the data subject an effective judicial remedy not only against a decision by the SA (Article 78(1) GDPR) but also in cases where the supervisory authority does not handle the case or otherwise issue any formal decision (Article 78(2) GDPR).
The complainant must be a data subject within the meaning of Article 4(1) GDPR, i.e. an identified or identifiable natural person.


As only an investigation of the facts can determine if the data of the complainant has actually been processed, the complainant must de facto only allege that he or she qualifies as a data subject. This is especially relevant in cases where the complainant is not even capable of assessing his or her status as a data subject – e.g. when a controller has simply ignored an access request under Article 15 GDPR and the complainant has no knowledge on whether the controller actually processes his or her personal data.
The European Data Protection Board (EDPB) openly confirms this interpretation in an internal document later published on its website, stating that "''for all admitted complaints that are not withdrawn, supervisory authorities must provide an outcome specifying the facts and legal considerations for, e.g., rejecting the complaint or dismissing the complaint, i.e., not investigating it further, with a view to make it a legally attackable act''."<ref>Internal EDPB Document 02/2021 on SAs duties in relation to alleged GDPR infringements, p. 13 and 15 (available [https://edpb.europa.eu/system/files/2022-07/internal_edpb_document_022021_on_sas_duties_in_relation_to_alleged_gdpr_infringements_en.pdf here]).</ref>


===== Alleged infringement =====
===== Lodging a complaint shall not require particular formalities =====
The data subject must at least allege that his or her data is processed in violation of the GDPR. The letter of the law requires that the processing of personal data relating to the data subject infringe the GDPR.  
The meaning of the term 'complaint' is not defined by Article 77, nor by the GDPR in general. Given the lack of a strict legal definition, this word must necessarily be interpreted in a broad way, with the only exclusion of those cases where a data subject is not lamenting any negative situation specifically affecting him or her. In terms of object, the content of a complaint is not restricted to the 'rights of the data subject' that form the object of Chapter 3 of the GDPR.<ref>Tambou, in Spiecker gen. Döhmann, Papakonstantinou, Hornung, De Hert, General Data Protection Regulation, Article 77, margin number 21 (Nomos Verlagsgesellschaft 2023, 1st edition)</ref>


Contrary to the prevailing opinion among legal scholars,<ref>Kühling/Buchner/Bergt GDPR Art. 77 margin number 10; Ehmann/Selmayr/Nemitz DS-GVO Art. 77 margin number 16; Auernhammer/von Lewinksi GDPR Art. 77 margin number 2; DatKomm/Schweiger GDPR Art. 77 margin number 11.</ref> some DPAs have taken the stance that the right to lodge a complaint is limited to violations of data subject rights under Chapter III of the GDPR (“Rights of the data subject“)<ref>E.g. the Austrian DPA, 13.09.2018, DSB-D123.070/0005-DSB/2018 (ECLI:AT:DSB:2018:DSB.D123.070.0005.DSB.2018).</ref>. The academic opinion seems more convincing for the following reasons:
It follows from this very broad notion of complaint that the GDPR does not impose any particular form requirement, either. Additional elements may be imposed by national law in light of the principle of procedural autonomy of the Member States - especially for reasons of consistency with national administrative systems and provided that effectiveness of the EU law is not impaired. However, from a purely European perspective, the only requirements that can be inferred by the GDPR are those who qualify the request as a complaint, namely the identity of the complainant, a minimal description of the facts giving rise to the violation and what the data subject expects from the authority. Reference to legal provisions is not mandatory, as the data subject may be not knowledgeable about the law and its technicalities. In theory, the controller could also be omitted, especially whenever the data subject does not know its identity. However, to specify the name of the latter may be necessary for the SA to understand the complaint and act on it. In this case, the name of the controller must also be provided.  


First, the language of Article 77(1) GDPR does not contain any limitations to violations of Chapter III rights.
With regard to the modalities of the lodging, Article 57(2) GDPR imposes a duty of facilitation stating that the SAs shall provide for both electronic and 'traditional' means to lodge complaints.


Second, Article 8(2) CFR already foresees that personal data “''must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law.''” These requirements are laid down in detail in Article 5 to 10 GDPR. In light of Article 41 and Article 47 CFR, limiting complaints to the violation of Chapter III GDPR would therefore violate not only the GDPR but also primary EU law.
The idea that prior interaction with the controller is a necessary requirement for the lodging of a complaint with the SA does not find any confirmation in the text of the GDPR. In practice, this interaction may be often required by the nature of the complaint, such as in an unanswered access or erasure request. However, outside these cases and as long as a similar requirement is not established at the national level, a SA has no power to dismiss a complaint on the only basis that the data subject did not reach out to the controller in the first place. It has to be stressed that the lodging itself does not preclude further communications between data subject and controller, nor the possibility to close the case in an amicable way.  


Third, a limitation to violations of Chapter III rights would also result in massive enforcement deficiencies. A data subject would have no possibility to have certain processing activities reviewed by a DPA. For example, a processing activity that is based on an algorithm that produces incorrect data on a regular basis could not be addressed under Article 16 GDPR as Article 16 can only be invoked to rectify existing inaccurate data but not to stop the ongoing creation of incorrect data that is based on existing correct data. In this case, the data subject would have to rely directly on the principle of accuracy under Article 5(1)(d) GDPR in connection with Article 24, 25 GDPR and ask the DPA to order the controller to bring the processing operation into compliance with the GDPR under Article 58(2)(d) GDPR or even ban it under Article 58(2)(f) GDPR.
Concerning the time for the lodging of a complaint, the GDPR does not establish any particular limitation. However, some Member States have established deadlines, starting e.g. from the moment when the violation became known to the data subject.<ref>See e.g. the [https://www.ris.bka.gv.at/NormDokument.wxe?Abfrage=Bundesnormen&Gesetzesnummer=10001597&Artikel=2&Paragraf=24&Anlage=&Uebergangsrecht= Austrian Datenschutzgesetz Art. 2 § 24], which establishes a 1-year deadline</ref> Also this element can be read in light of the principle of procedural autonomy.  


Therefore, complaints under Article 77 GDPR should extend to a broad range of violations concerning, amongst the others:<ref>See especially DatKomm/Schweiger GDPR Art. 77 margin number 11.</ref>
==== In case there is a processing of personal data which infringes the Regulation ====
The provision requires that a complaint can be filed when the "''data subject considers that the processing of personal data relating to him or her infringes the Regulation''." From this perspective, the essential conditions are two. First, there must be a processing of personal data relating to a specific individual. Second, the processing must infringe the GDPR.  


* the principles of data processing (Article 5 GDPR),
===== Processing of personal data =====
* the lawfulness of processing (Article 6, 9 and 10 GDPR),
The controller, joint controller, or processor must have processed the personal data of the data subject. Consequently, if no data processing has ever occurred, there is obviously no basis for filing a complaint. However, this interpretation should not lead to extreme outcomes.
* the conditions for consent (Article 7 and 8 DGPR),
* information under Article 11(2) GDPR,
* provisions of Chapter III of the GDPR (Article 12 to 22 GDPR),
* the duty to communicate a personal data breach to the data subject (Article 34 GDPR),
* the provisions on data transfers to a third countries or international organisations under Chapter V of the GDPR (Article 44 et seqq. GDPR).


==== Jurisdiction for filing the case ====
First and foremost, by virtue of the favor granted to them for submitting the complaint, it is not required for the data subject to provide an objective and robust demonstration of the ongoing processing. The case must certainly be contextualized, allowing the Supervisory Authority (SA) to initiate, if deemed necessary, the appropriate investigations. In any event, the level of detail required for substantiation is unquestionably lower compared to what is stipulated in civil procedures, as it is incumbent upon the SA to develop its own legal assessment.<ref>''Boehm'' in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 77 GDPR, margin number 6 (C.H. Beck 2019).</ref>


===== A(ny) DPA =====
Moreover, there are certain situations where, even in the absence of data processing, a complaint may still seem justifiable, avoiding systematically unacceptable interpretations. First, consider, for example, the case of the privacy policy under Article 13 of the GDPR. This information is typically provided before the data processing begins, and yet, there is no doubt that the right to information under Article 13 is a fundamental right and a violation of it can be subject to a complaint to the supervisory authority. Second, a similar situation arises with Article 15(1) of the GDPR, which grants the data subject the right to obtain "''from the controller confirmation as to whether or not personal data concerning him or her are being processed''." If the controller fails to respond to such a request, a clear violation of the GDPR occurs. Once again, there is no doubt that the data subject can file a complaint under Article 77 of the GDPR, simply due to not having received such a response, regardless of whether any personal data processing has actually taken place or is ongoing. Third, another scenario is when a controller, upon being informed of the data subject's intention to take legal action for unlawful data processing, intentionally deletes the data to avoid potential liabilities, thus violating Article 17(3)(e) of the GDPR. In this case, indeed, no ongoing data processing exists, and a strict application of Article 77 would lead to the complaint being deemed inadmissible. However, once again, such a conclusion would be entirely unacceptable.
The GDPR only requires that a supervisory authority (DPA) is addressed by the complaint. This general rule is only limited by a non-exhaustive list of possible DPAs. This means that a complainant may file a complaint with any DPA in the EEA, independent of location.<ref>Kühling/Buchner/Bergt GDPR Art. 77 margin number 9.</ref>
 
Hence, in general terms, a complaint under Article 77 is only admissible when there is ongoing processing of personal data related to the complainant. No hard evidence about this shall be provided by the data subject. Nevertheless, in certain situations specifically foreseen in the law ("''lex specialis''"), the complaint remains admissible even if no processing occurred.
 
===== An infringement of the Regulation =====
The data subject must at least allege that their data is processed in violation of the GDPR. Contrary to the prevailing opinion among legal scholars,<ref>''Bergt'', in Kühling, Buchner, DS-GVO BDSG, Article 77 GDPR, margin number 10 (Beck 2020, 3rd edition); ''Nemitz'' in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 77 GDPR, margin number 16 (Beck 2018, 2nd edition); ''von Lewinksi'' in Auernhammer, DSGVO BDSG, Article 77 GDPR, margin number 2 (Carl Heymanns 2018, 6nd edition).</ref> some SAs have taken the stance that the right to lodge a complaint is limited to violations of data subject rights under Chapter III of the GDPR (“''Rights of the data subject''“).<ref>Datenschutzbehörde, 13 September 2018, das Bundesministerium für Europa, Integration und Äußeres, das Bundeskanzleramt, DSB-D123.070/0005-DSB/2018, (available [https://www.ris.bka.gv.at/Dokumente/Dsk/DSBT_20180913_DSB_D123_070_0005_DSB_2018_00/DSBT_20180913_DSB_D123_070_0005_DSB_2018_00.pdf here]).</ref> 
 
For the following reasons, the academic opinion provides the more compelling arguments. First, the language of Article 77(1) GDPR does not contain any limitations to violations of Chapter III rights. Second, Article 8(2) Charter of Fundamental Rights of the EU (“''CFR''”) already foresees that personal data “''must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law.''” These requirements are laid down in detail in [[Article 5 GDPR|Articles 5]] to [[Article 10 GDPR|10]] GDPR. In light of Article 41 and Article 47 CFR, limiting complaints to the violation of Chapter III GDPR would therefore violate not only the GDPR but also primary EU law. Third, a limitation to violations of Chapter III rights would also result in massive enforcement deficiencies. A data subject would have no possibility to have certain processing activities reviewed by a SA. For example, a processing activity that is based on an algorithm that produces incorrect data on a regular basis could not be addressed under [[Article 16 GDPR]] as [[Article 16 GDPR|Article 16]] GDPR can only be invoked to rectify existing inaccurate data but not to stop the ongoing creation of incorrect data that is based on existing correct data. In this case, the data subject would have to rely directly on the principle of accuracy under [[Article 5 GDPR|Article 5(1)(d) GDPR]] in conjunction with [[Article 24 GDPR|Articles 24]] and [[Article 25 GDPR|25 GDPR]] and ask the SA to order the controller to bring the processing operation into compliance with the GDPR under [[Article 58 GDPR|Article 58(2)(d) GDPR]] or even ban it under [[Article 58 GDPR|Article 58(2)(f)]] GDPR.
 
Therefore, complaints under Article 77 GDPR should extend to a broad range of violations concerning, ''inter alia'': the principles of data processing ([[Article 5 GDPR]]), the lawfulness of processing ([[Article 6 GDPR|Articles 6]], [[Article 9 GDPR|9]] and [[Article 10 GDPR|10 GDPR]]), the conditions for consent ([[Article 7 GDPR|Articles 7]] and [[Article 8 GDPR|8 GDPR]]), information under [[Article 11 GDPR|Article 11(2) GDPR]], provisions of Chapter III of the GDPR ([[Article 12 GDPR|Articles 12]] to [[Article 22 GDPR|22 GDPR]]), the duty to communicate a personal data breach to the data subject ([[Article 34 GDPR]]), the provisions on data transfers to third countries or international organisations under Chapter V of the GDPR ([[Article 44 GDPR|Article 44]] et seq. GDPR).<ref>''Schweiger'' in Knyrim'','' DatKomm, Article 77 GDPR, margin number 11 (as of 22.4.2021, rdb.at).</ref>
 
==== With a(ny) supervisory authority ====
The GDPR only requires that a SA is addressed by the complaint. This general rule is only limited by a non-exhaustive list of possible SAs. This means that a complainant may file a complaint with any SA in the European Economic Area, independent of location.<ref>''Bergt'' in Kühling, Buchner, DS-GVO BDSG, Article 77 GDPR, margin number 9 (Beck 2020, 3rd edition).</ref>


===== Habitual residence =====
===== Habitual residence =====
The most common place to lodge a complaint is the home jurisdiction of the complainant. The habitual residence is defined in different EU laws and requires a legal right to residence and an objective assessment of the factual residence. Especially in cross border cases, data subjects might want to choose to lodge complaints at the place of their habitual residence, at this allows for the data subject to file the complaint in (one of) the official languages of the relevant Member State, rather than the official language of the Member State that the controller is based in.  
The most common place to lodge a complaint is the home jurisdiction of the complainant. The habitual residence is defined in different EU laws and requires a legal right to residence and an objective assessment of the factual residence. Especially in cross border cases, data subjects might want to choose to lodge complaints at the place of their habitual residence, as this allows for the data subject to file the complaint in (one of) the official languages of the relevant Member State, rather than the official language of the Member State that the controller is based in.


===== Place of work =====
===== Place of work =====
Similar to the habitual residence, complainants can lodge a complaint at their work place. It is not required that the complaint has any connection to the place of work.
Similar to the habitual residence, complainants can lodge a complaint before the SA of their work place. It is not required that the complaint has any connection to the place of work.


===== Place of alleged infringement =====
===== Place of alleged infringement =====
The complaint can be lodged at the place of the alleged infringement. This clause is a typical form of jurisdiction that is aimed at aligning location of the decision maker with the location of facts.<blockquote><u>Example:</u> The DPA that is close to a CCTV camera may be best placed to gather factual evidence on the CCTV system, without the need to request mutual assistance from other DPAs.</blockquote>


The complaint can also be lodged before the SA of the place of the alleged infringement. This clause is a typical form of jurisdiction that is aimed at aligning the location of the decision maker with the location of facts. Example: The SA that is closest to a CCTV camera may be best placed to gather factual evidence on the CCTV system, without the need to request mutual assistance from other SAs.
===== Cross country cases =====
===== Cross country cases =====
The option to lodge a case with any DPA does not mean that the DPA with which the case has been lodged necessarily decides about the case. Which DPA actually handles the case is subject to Article 55 and 56 GDPR. In any case the DPA with which the complaint has been lodged remains a “supervisory authority concerned” under Article 4(22)(c) GDPR and the point of contact for the data subject (“one stop shop”).
The option to lodge a complaint with any SA does not mean that the SA with which the case has been lodged necessarily decides about the case. Which SA actually handles the case is subject to [[Article 55 GDPR|Article 55]] and [[Article 56 GDPR|56 GDPR]]. In any case the SA with which the complaint has been lodged remains a “''supervisory authority concerned''” under [[Article 4 GDPR|Article 4(22)(c) GDPR]] and the point of contact for the data subject (“''one-stop shop''”).  
 
=== Duty to inform the data subject ===
 
==== Progress and outcome ====
Under Article 77(2) GDPR “''the supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78.''” This provision only addresses the DPA with which the complaint has been lodged but not the DPA ultimately handling the case under Article 55 and 56 GDPR (which might be the same or a different DPA).
 
The DPA’s report on the progress must include information on the possibility for a judicial remedy under Article 78(2) GDPR, its report on the outcome should contain information on the possibility for a judicial remedy under Article 78(1) GDPR.


==== Timeline and frequency of information ====
=== (2) Duty to inform the data subject ===
Article 77(2) does not stipulate a deadline by which the data subject has to be initially informed about the progress of the complaint, nor does it contain rules on the frequency of such “progress reports”. Read in connection with Article 57(1)(f) GDPR (“[] ''inform the complainant of the progress and the outcome of the investigation within a reasonable period,'' []”) , the DPA must inform the data subject within a reasonable period.
Under Article 77(2) GDPR, “''the supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78.''” This provision only addresses the SA with which the complaint has been lodged but not the SA ultimately handling the case under [[Article 55 GDPR|Articles 55]] and [[Article 56 GDPR|56 GDPR]] (which might be the same or a different SA). The SA’s report on the progress as well as the final decision must include information on the possibility for a judicial remedy under Article 78(2) GDPR and [[Article 78 GDPR|Article 78(1) GDPR]] respectively.


Moreover, under Article 78(2) GDPR a data subject has the right to an effective judicial remedy where the DPA which is competent pursuant to Article 55 and 56 GDPR does not inform the data subject within three months on the progress or outcome of the complaint lodged pursuant to Article 77 GDPR. It must be noted, that other than Article 77(2) GDPR, Article 78(2) does not address the DPA with which the complaint has been lodged but rather the DPA that is competent to handle the case under Article 55 and 56 GDPR.
Article 77(2) GDPR does not stipulate a deadline by which the data subject has to be initially informed about the progress of the complaint, nor does it contain rules on the frequency of such “''progress reports''”. Read in conjunction with [[Article 57 GDPR|Article 57(1)(f)]] GDPR (“[…] ''inform the complainant of the progress and the outcome of the investigation within a reasonable period,'' […]”) , the SA must inform the data subject within a reasonable period.


This results in the following scenarios:
Moreover, under [[Article 78 GDPR|Article 78(2) GDPR]], a data subject has the right to an effective judicial remedy where the SA that is competent pursuant to [[Article 55 GDPR|Article 55]] and [[Article 56 GDPR|56 GDPR]] does not inform the data subject within three months on the progress or outcome of the complaint lodged pursuant to Article 77 GDPR. It must be noted that other than Article 77(2) GDPR, [[Article 78 GDPR|Article 78(2)]] does not address the SA with which the complaint has been lodged but rather the SA that is competent to handle the case under [[Article 55 GDPR|Articles 55]] and [[Article 56 GDPR|56 GDPR]].


* The DPA with which the complaint has been lodged is also competent to handle the case under Article 55 GDPR: In this case, the DPA has to inform the data within three months after receipt of the complaint on its progress or outcome under Article 78(2) GDPR.
Thus, if the SA with which the complaint has been lodged is also competent to handle the case under [[Article 55 GDPR]], the SA has to inform the data subject within three months after receipt of the complaint on its progress or outcome under [[Article 78 GDPR|Article 78(2) GDPR]]. ''Vice versa'', if the SA with which the complaint has been lodged is not competent to handle the case (but rather the lead SA under [[Article 56 GDPR|Article 56]] is), then the SA with which the complaint has been lodged must inform the data subject under Article 77(2) GDPR.
* The DPA with which the complaint has been lodged is not competent to handle the case but rather the lead DPA under Article 56 is:
** The DPA with which the complaint has been lodged must inform the data subject under Article 77(2) GDPR. The first information usually is an acknowledgement of receipt and a notice that the case has been forwarded to an (alleged) lead LSA. Although there is no specific deadline for this information, the three-month period of Article 78(2) GDPR should be applied ''per analogiam.''
** As soon as the lead DPA is established (which very often takes longer than three months), it must inform the data subject within three months after receipt of the complaint on its progress or outcome under Article 78(2) GDPR. For practical reasons the DPA with which the complaint has been lodged usually informs the data subject on behalf of the lead DPA on this.


The first information usually is an acknowledgement of receipt and a notice that the case has been forwarded to an (alleged) lead LSA. Although there is no specific deadline for this information, the three-month period of [[Article 78 GDPR|Article 78(2)]] GDPR should be applied ''per analogiam.'' As soon as the lead SA is established (which very often takes longer than three months), it must inform the data subject within three months after receipt of the complaint on its progress or outcome under [[Article 78 GDPR|Article 78(2)]] GDPR. For practical reasons, the SA with which the complaint has been lodged usually informs the data subject on behalf of the lead SA on this.
== Decisions ==
== Decisions ==
→ You can find all related decisions in [[:Category:Article 77 GDPR]]
→ You can find all related decisions in [[:Category:Article 77 GDPR]]

Latest revision as of 09:51, 19 March 2024

Article 77 - Right to lodge a complaint with a supervisory authority
Gdpricon.png
Chapter 10: Delegated and implementing acts

Legal Text


Article 77 - Right to lodge a complaint with a supervisory authority

1. Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.

2. The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78.

Relevant Recitals

Recital 141: Right to Lodge a Complaint and Right to an Effective Judicial Remedy
Every data subject should have the right to lodge a complaint with a single supervisory authority, in particular in the Member State of his or her habitual residence, and the right to an effective judicial remedy in accordance with Article 47 of the Charter if the data subject considers that his or her rights under this Regulation are infringed or where the supervisory authority does not act on a complaint, partially or wholly rejects or dismisses a complaint or does not act where such action is necessary to protect the rights of the data subject. The investigation following a complaint should be carried out, subject to judicial review, to the extent that is appropriate in the specific case. The supervisory authority should inform the data subject of the progress and the outcome of the complaint within a reasonable period. If the case requires further investigation or coordination with another supervisory authority, intermediate information should be given to the data subject. In order to facilitate the submission of complaints, each supervisory authority should take measures such as providing a complaint submission form which can also be completed electronically, without excluding other means of communication.

Commentary

Article 77(1) GDPR stipulates the data subject’s right to lodge a complaint with a supervisory authority (“SA”) in case of GDPR violations. Article 77(2) GDPR places the SA with which the complaint has been lodged under an obligation to inform the complainant on the progress and the outcome of the complaint. Both Article 77(1) and (2) GDPR are directly applicable and do not require transposition into national law. However, the details of the complaints procedure are subject to Member State law, which must observe the requirements and objectives of the GDPR.[1] Many SAs provide forms that ensure that a complainant includes all relevant information as suggested in the last sentence of Recital 141 GDPR.

(1) Right to a formal complaint

Under Article 77(1) GDPR, every data subject shall have the right to lodge a complaint with a SA, in particular in the Member State of their habitual residence, place of work or place of the alleged infringement, if the data subject considers that the processing of personal data relating to them infringes the GDPR.

Without prejudice to any administrative or judicial remedy

The right to file a complaint under Article 77(1) does not limit any other administrative or judicial remedies available. For instance, a data subject can still initiate legal proceedings against a controller or processor (as per Article 79 GDPR) irrespective of whether a complaint has been lodged with a supervisory authority, either concurrently or independently.[2] Lodging a complaint with a supervisory authority does not impact the eligibility or validity of other remedies.

CJEU: The CJEU has clarified in C-132/21 that "Article 77(1), Article 78(1) and Article 79(1) of Regulation (EU) 2016/679 [...] must be interpreted as permitting the remedies provided for in Article 77(1) and Article 78(1) of that regulation, on the one hand, and Article 79(1) thereof, on the other, to be exercised concurrently with and independently of each other. It is for the Member States, in accordance with the principle of procedural autonomy, to lay down detailed rules as regards the relationship between those remedies in order to ensure the effective protection of the rights guaranteed by that regulation and the consistent and homogeneous application of its provisions, as well as the right to an effective remedy before a court or tribunal as referred to in Article 47 of the Charter of Fundamental Rights."[3]

The decision of whether to choose the complaint procedure or another remedy lies with the affected individual and may be influenced by practicality or efficiency aspects, in addition to legal considerations. Some of these aspects may be, legal costs, procedural expediency, the presence or absence of procedural rights including the right to be heard throughout the proceedings.

The data subject shall have the right to lodge a complaint

The General Data Protection Regulation (GDPR) grants data subjects the right to file a "complaint" with a supervisory authority. Contrary to what some scholars argue, we do not believe that this right amounts to a mere "petition" to the authority, leaving it to act or not according to its own priorities.

Beyond the literal wording (the law speaks of a "complaint" not a "petition"), there are several elements suggesting that a complaint obliges the authority to take action and make a decision on the specific issues raised by the complainant.

To begin with, the protection of personal data is a fundamental right of the individual, and the right to a favorable decision through a complaint is one of the fundamental elements to ensure such protection. Scattered throughout the GDPR are numerous elements supporting this interpretation.

To cite a few, Article 57(1)(f) requires that the supervisory authority "handle complaints lodged by a data subject," "investigate, to the extent appropriate, the subject matter of the complaint" and "inform the complainant of the progress and the outcome of the investigation within a reasonable period." The letter of the law is clear. Once any complaint is received, the supervisory authority must take action to reach a decision, of any kind, even if it is ultimately a rejection.

Article 60(9) GDPR points towards the same conclusion when it considers the possibility that "parts" of the complaint may be acted upon while others can be "dismissed." The complaint under Article 77 GDPR is not a mere "petition" that the supervisory authority can freely consider and manage at its discretion. Otherwise, the provisions of Article 78(1) and (2) of the GDPR would not make much sense. These articles guarantee the data subject an effective judicial remedy not only against a decision by the SA (Article 78(1) GDPR) but also in cases where the supervisory authority does not handle the case or otherwise issue any formal decision (Article 78(2) GDPR).

The European Data Protection Board (EDPB) openly confirms this interpretation in an internal document later published on its website, stating that "for all admitted complaints that are not withdrawn, supervisory authorities must provide an outcome specifying the facts and legal considerations for, e.g., rejecting the complaint or dismissing the complaint, i.e., not investigating it further, with a view to make it a legally attackable act."[4]

Lodging a complaint shall not require particular formalities

The meaning of the term 'complaint' is not defined by Article 77, nor by the GDPR in general. Given the lack of a strict legal definition, this word must necessarily be interpreted in a broad way, with the only exclusion of those cases where a data subject is not lamenting any negative situation specifically affecting him or her. In terms of object, the content of a complaint is not restricted to the 'rights of the data subject' that form the object of Chapter 3 of the GDPR.[5]

It follows from this very broad notion of complaint that the GDPR does not impose any particular form requirement, either. Additional elements may be imposed by national law in light of the principle of procedural autonomy of the Member States - especially for reasons of consistency with national administrative systems and provided that effectiveness of the EU law is not impaired. However, from a purely European perspective, the only requirements that can be inferred by the GDPR are those who qualify the request as a complaint, namely the identity of the complainant, a minimal description of the facts giving rise to the violation and what the data subject expects from the authority. Reference to legal provisions is not mandatory, as the data subject may be not knowledgeable about the law and its technicalities. In theory, the controller could also be omitted, especially whenever the data subject does not know its identity. However, to specify the name of the latter may be necessary for the SA to understand the complaint and act on it. In this case, the name of the controller must also be provided.

With regard to the modalities of the lodging, Article 57(2) GDPR imposes a duty of facilitation stating that the SAs shall provide for both electronic and 'traditional' means to lodge complaints.

The idea that prior interaction with the controller is a necessary requirement for the lodging of a complaint with the SA does not find any confirmation in the text of the GDPR. In practice, this interaction may be often required by the nature of the complaint, such as in an unanswered access or erasure request. However, outside these cases and as long as a similar requirement is not established at the national level, a SA has no power to dismiss a complaint on the only basis that the data subject did not reach out to the controller in the first place. It has to be stressed that the lodging itself does not preclude further communications between data subject and controller, nor the possibility to close the case in an amicable way.

Concerning the time for the lodging of a complaint, the GDPR does not establish any particular limitation. However, some Member States have established deadlines, starting e.g. from the moment when the violation became known to the data subject.[6] Also this element can be read in light of the principle of procedural autonomy.

In case there is a processing of personal data which infringes the Regulation

The provision requires that a complaint can be filed when the "data subject considers that the processing of personal data relating to him or her infringes the Regulation." From this perspective, the essential conditions are two. First, there must be a processing of personal data relating to a specific individual. Second, the processing must infringe the GDPR.

Processing of personal data

The controller, joint controller, or processor must have processed the personal data of the data subject. Consequently, if no data processing has ever occurred, there is obviously no basis for filing a complaint. However, this interpretation should not lead to extreme outcomes.

First and foremost, by virtue of the favor granted to them for submitting the complaint, it is not required for the data subject to provide an objective and robust demonstration of the ongoing processing. The case must certainly be contextualized, allowing the Supervisory Authority (SA) to initiate, if deemed necessary, the appropriate investigations. In any event, the level of detail required for substantiation is unquestionably lower compared to what is stipulated in civil procedures, as it is incumbent upon the SA to develop its own legal assessment.[7]

Moreover, there are certain situations where, even in the absence of data processing, a complaint may still seem justifiable, avoiding systematically unacceptable interpretations. First, consider, for example, the case of the privacy policy under Article 13 of the GDPR. This information is typically provided before the data processing begins, and yet, there is no doubt that the right to information under Article 13 is a fundamental right and a violation of it can be subject to a complaint to the supervisory authority. Second, a similar situation arises with Article 15(1) of the GDPR, which grants the data subject the right to obtain "from the controller confirmation as to whether or not personal data concerning him or her are being processed." If the controller fails to respond to such a request, a clear violation of the GDPR occurs. Once again, there is no doubt that the data subject can file a complaint under Article 77 of the GDPR, simply due to not having received such a response, regardless of whether any personal data processing has actually taken place or is ongoing. Third, another scenario is when a controller, upon being informed of the data subject's intention to take legal action for unlawful data processing, intentionally deletes the data to avoid potential liabilities, thus violating Article 17(3)(e) of the GDPR. In this case, indeed, no ongoing data processing exists, and a strict application of Article 77 would lead to the complaint being deemed inadmissible. However, once again, such a conclusion would be entirely unacceptable.

Hence, in general terms, a complaint under Article 77 is only admissible when there is ongoing processing of personal data related to the complainant. No hard evidence about this shall be provided by the data subject. Nevertheless, in certain situations specifically foreseen in the law ("lex specialis"), the complaint remains admissible even if no processing occurred.

An infringement of the Regulation

The data subject must at least allege that their data is processed in violation of the GDPR. Contrary to the prevailing opinion among legal scholars,[8] some SAs have taken the stance that the right to lodge a complaint is limited to violations of data subject rights under Chapter III of the GDPR (“Rights of the data subject“).[9]

For the following reasons, the academic opinion provides the more compelling arguments. First, the language of Article 77(1) GDPR does not contain any limitations to violations of Chapter III rights. Second, Article 8(2) Charter of Fundamental Rights of the EU (“CFR”) already foresees that personal data “must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law.” These requirements are laid down in detail in Articles 5 to 10 GDPR. In light of Article 41 and Article 47 CFR, limiting complaints to the violation of Chapter III GDPR would therefore violate not only the GDPR but also primary EU law. Third, a limitation to violations of Chapter III rights would also result in massive enforcement deficiencies. A data subject would have no possibility to have certain processing activities reviewed by a SA. For example, a processing activity that is based on an algorithm that produces incorrect data on a regular basis could not be addressed under Article 16 GDPR as Article 16 GDPR can only be invoked to rectify existing inaccurate data but not to stop the ongoing creation of incorrect data that is based on existing correct data. In this case, the data subject would have to rely directly on the principle of accuracy under Article 5(1)(d) GDPR in conjunction with Articles 24 and 25 GDPR and ask the SA to order the controller to bring the processing operation into compliance with the GDPR under Article 58(2)(d) GDPR or even ban it under Article 58(2)(f) GDPR.

Therefore, complaints under Article 77 GDPR should extend to a broad range of violations concerning, inter alia: the principles of data processing (Article 5 GDPR), the lawfulness of processing (Articles 6, 9 and 10 GDPR), the conditions for consent (Articles 7 and 8 GDPR), information under Article 11(2) GDPR, provisions of Chapter III of the GDPR (Articles 12 to 22 GDPR), the duty to communicate a personal data breach to the data subject (Article 34 GDPR), the provisions on data transfers to third countries or international organisations under Chapter V of the GDPR (Article 44 et seq. GDPR).[10]

With a(ny) supervisory authority

The GDPR only requires that a SA is addressed by the complaint. This general rule is only limited by a non-exhaustive list of possible SAs. This means that a complainant may file a complaint with any SA in the European Economic Area, independent of location.[11]

Habitual residence

The most common place to lodge a complaint is the home jurisdiction of the complainant. The habitual residence is defined in different EU laws and requires a legal right to residence and an objective assessment of the factual residence. Especially in cross border cases, data subjects might want to choose to lodge complaints at the place of their habitual residence, as this allows for the data subject to file the complaint in (one of) the official languages of the relevant Member State, rather than the official language of the Member State that the controller is based in.

Place of work

Similar to the habitual residence, complainants can lodge a complaint before the SA of their work place. It is not required that the complaint has any connection to the place of work.

Place of alleged infringement

The complaint can also be lodged before the SA of the place of the alleged infringement. This clause is a typical form of jurisdiction that is aimed at aligning the location of the decision maker with the location of facts. Example: The SA that is closest to a CCTV camera may be best placed to gather factual evidence on the CCTV system, without the need to request mutual assistance from other SAs.

Cross country cases

The option to lodge a complaint with any SA does not mean that the SA with which the case has been lodged necessarily decides about the case. Which SA actually handles the case is subject to Article 55 and 56 GDPR. In any case the SA with which the complaint has been lodged remains a “supervisory authority concerned” under Article 4(22)(c) GDPR and the point of contact for the data subject (“one-stop shop”).

(2) Duty to inform the data subject

Under Article 77(2) GDPR, “the supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78.” This provision only addresses the SA with which the complaint has been lodged but not the SA ultimately handling the case under Articles 55 and 56 GDPR (which might be the same or a different SA). The SA’s report on the progress as well as the final decision must include information on the possibility for a judicial remedy under Article 78(2) GDPR and Article 78(1) GDPR respectively.

Article 77(2) GDPR does not stipulate a deadline by which the data subject has to be initially informed about the progress of the complaint, nor does it contain rules on the frequency of such “progress reports”. Read in conjunction with Article 57(1)(f) GDPR (“[…] inform the complainant of the progress and the outcome of the investigation within a reasonable period, […]”) , the SA must inform the data subject within a reasonable period.

Moreover, under Article 78(2) GDPR, a data subject has the right to an effective judicial remedy where the SA that is competent pursuant to Article 55 and 56 GDPR does not inform the data subject within three months on the progress or outcome of the complaint lodged pursuant to Article 77 GDPR. It must be noted that other than Article 77(2) GDPR, Article 78(2) does not address the SA with which the complaint has been lodged but rather the SA that is competent to handle the case under Articles 55 and 56 GDPR.

Thus, if the SA with which the complaint has been lodged is also competent to handle the case under Article 55 GDPR, the SA has to inform the data subject within three months after receipt of the complaint on its progress or outcome under Article 78(2) GDPR. Vice versa, if the SA with which the complaint has been lodged is not competent to handle the case (but rather the lead SA under Article 56 is), then the SA with which the complaint has been lodged must inform the data subject under Article 77(2) GDPR.

The first information usually is an acknowledgement of receipt and a notice that the case has been forwarded to an (alleged) lead LSA. Although there is no specific deadline for this information, the three-month period of Article 78(2) GDPR should be applied per analogiam. As soon as the lead SA is established (which very often takes longer than three months), it must inform the data subject within three months after receipt of the complaint on its progress or outcome under Article 78(2) GDPR. For practical reasons, the SA with which the complaint has been lodged usually informs the data subject on behalf of the lead SA on this.

Decisions

→ You can find all related decisions in Category:Article 77 GDPR

References

  1. Bergt, in Kühling, Buchner, DS-GVO BDSG, Article 77 GDPR, margin number 26 (C.H. Beck 2020, 3rd edition). This includes that the lodging of a complaint and its handling by a SA shall be free of charge for the data subject (Article 57(3) GDPR).
  2. Pötters, Werkmeister in Gola, DS-GVO, Article 77 GDPR, margin number 4 (C.H. Beck 2022, 3rd edition).
  3. CJEU - C-132/21 - Nemzeti Adatvédelmi és Információszabadság Hatóság (available here).
  4. Internal EDPB Document 02/2021 on SAs duties in relation to alleged GDPR infringements, p. 13 and 15 (available here).
  5. Tambou, in Spiecker gen. Döhmann, Papakonstantinou, Hornung, De Hert, General Data Protection Regulation, Article 77, margin number 21 (Nomos Verlagsgesellschaft 2023, 1st edition)
  6. See e.g. the Austrian Datenschutzgesetz Art. 2 § 24, which establishes a 1-year deadline
  7. Boehm in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 77 GDPR, margin number 6 (C.H. Beck 2019).
  8. Bergt, in Kühling, Buchner, DS-GVO BDSG, Article 77 GDPR, margin number 10 (Beck 2020, 3rd edition); Nemitz in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 77 GDPR, margin number 16 (Beck 2018, 2nd edition); von Lewinksi in Auernhammer, DSGVO BDSG, Article 77 GDPR, margin number 2 (Carl Heymanns 2018, 6nd edition).
  9. Datenschutzbehörde, 13 September 2018, das Bundesministerium für Europa, Integration und Äußeres, das Bundeskanzleramt, DSB-D123.070/0005-DSB/2018, (available here).
  10. Schweiger in Knyrim, DatKomm, Article 77 GDPR, margin number 11 (as of 22.4.2021, rdb.at).
  11. Bergt in Kühling, Buchner, DS-GVO BDSG, Article 77 GDPR, margin number 9 (Beck 2020, 3rd edition).