Article 77 GDPR

← Article 77 - Right to lodge a complaint with a supervisory authority →

Chapter 1: General provisions Article 1: Subject-matter and objectives Article 2: Material scope Article 3: Territorial scope Article 4: Definitions Chapter 2: Principles Article 5: Principles relating to processing of personal data Article 6: Lawfulness of processing Article 7: Conditions for consent Article 8: Conditions applicable to child’s consent in relation to information society services Article 9: Processing of special categories of personal data Article 10: Processing of personal data relating to criminal convictions and offences Article 11: Processing which does not require identification Chapter 3: Rights of the data subject Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject Article 13: Information to be provided where personal data are collected from the data subject Article 14: Information to be provided where personal data have not been obtained from the data subject Article 15: Right of access by the data subject Article 16: Right to rectification Article 17: Right to erasure (‘right to be forgotten’) Article 18: Right to restriction of processing Article 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing Article 20: Right to data portability Article 21: Right to object Article 22: Automated individual decision-making, including profiling Article 23: Restrictions Chapter 4: Controller and processor Article 24: Responsibility of the controller Article 25: Data protection by design and by default Article 26: Joint controllers Article 27: Representatives of controllers or processors not established in the Union Article 28: Processor Article 29: Processing under the authority of the controller or processor Article 30: Records of processing activities Article 31: Cooperation with the supervisory authority Article 32: Security of processing Article 33: Notification of a personal data breach to the supervisory authority Article 34: Communication of a personal data breach to the data subject Article 35: Data protection impact assessment Article 36: Prior consultation Article 37: Designation of the data protection officer Article 38: Position of the data protection officer Article 39: Tasks of the data protection officer Article 40: Codes of conduct Article 41: Monitoring of approved codes of conduct Article 42: Certification Article 43: Certification bodies Chapter 5: Transfers of personal data Article 44: General principle for transfers Article 45: Transfers on the basis of an adequacy decision Article 46: Transfers subject to appropriate safeguards Article 47: Binding corporate rules Article 48: Transfers or disclosures not authorised by Union law Article 49: Derogations for specific situations Article 50: International cooperation for the protection of personal data Chapter 6: Supervisory authorities Article 51: Supervisory authority Article 52: Independence Article 53: General conditions for the members of the supervisory authority Article 54: Rules on the establishment of the supervisory authority Article 55: Competence Article 56: Competence of the lead supervisory authority Article 57: Tasks Article 58: Powers Article 59: Activity reports Chapter 7: Cooperation and consistency Article 60: Cooperation between the lead supervisory authority and the other supervisory authorities concerned Article 61: Mutual assistance Article 62: Joint operations of supervisory authorities Article 63: Consistency mechanism Article 64: Opinion of the Board Article 65: Dispute resolution by the Board Article 66: Urgency procedure Article 67: Exchange of information Article 68: European Data Protection Board Article 69: Independence Article 70: Tasks of the Board Article 71: Reports Article 72: Procedure Article 73: Chair Article 74: Tasks of the Chair Article 75: Secretariat Article 76: Confidentiality Chapter 8: Remedies, liability and penalties Article 77: Right to lodge a complaint with a supervisory authority Article 78: Right to an effective judicial remedy against a supervisory authority Article 79: Right to an effective judicial remedy against a controller or processor Article 80: Representation of data subjects Article 81: Suspension of proceedings Article 82: Right to compensation and liability Article 83: General conditions for imposing administrative fines Article 84: Penalties Chapter 9: Specific processing situations Article 85: Processing and freedom of expression and information Article 86: Processing and public access to official documents Article 87: Processing of the national identification number Article 88: Processing in the context of employment Article 89: Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes Article 90: Obligations of secrecy Article 91: Existing data protection rules of churches and religious associations Chapter 10: Delegated and implementing acts Article 92: Exercise of the delegation Article 93: Committee procedure Chapter 11: Final provisions Article 94: Repeal of Directive 95: /46: /EC Article 95: Relationship with Directive 20: 02: /58: /EC Article 96: Relationship with previously concluded Agreements Article 97: Commission reports Article 98: Review of other Union legal acts on data protection Article 99: Entry into force and application

Legal Text

Article 77 - Right to lodge a complaint with a supervisory authority

1. Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.

2. The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78.

Relevant Recitals

Recital 141: Right to Lodge a Complaint and Right to an Effective Judicial Remedy

Every data subject should have the right to lodge a complaint with a single supervisory authority, in particular in the Member State of his or her habitual residence, and the right to an effective judicial remedy in accordance with Article 47 of the Charter if the data subject considers that his or her rights under this Regulation are infringed or where the supervisory authority does not act on a complaint, partially or wholly rejects or dismisses a complaint or does not act where such action is necessary to protect the rights of the data subject. The investigation following a complaint should be carried out, subject to judicial review, to the extent that is appropriate in the specific case. The supervisory authority should inform the data subject of the progress and the outcome of the complaint within a reasonable period. If the case requires further investigation or coordination with another supervisory authority, intermediate information should be given to the data subject. In order to facilitate the submission of complaints, each supervisory authority should take measures such as providing a complaint submission form which can also be completed electronically, without excluding other means of communication.

Commentary

Article 77(1) GDPR stipulates the data subject’s right to lodge a complaint with a supervisory authority (“SA”) in case of GDPR violations. Article 77(2) GDPR places the SA with which the complaint has been lodged under an obligation to inform the complainant on the progress and the outcome of the complaint. Both Article 77(1) and (2) GDPR are directly applicable and do not require transposition into national law. However, the details of the complaints procedure are subject to Member State law, which must observe the requirements and objectives of the GDPR.^[1] Many SAs provide forms that ensure that a complainant includes all relevant information as suggested in the last sentence of Recital 141 GDPR.

(1) Right to a formal complaint

Under Article 77(1) GDPR, every data subject shall have the right to lodge a complaint with a SA, in particular in the Member State of their habitual residence, place of work or place of the alleged infringement, if the data subject considers that the processing of personal data relating to them infringes the GDPR.

Without prejudice to any administrative or judicial remedy

The right to file a complaint under Article 77(1) does not limit any other administrative or judicial remedies available. The supervisory authority cannot redirect the complainant to pursue another remedy. Furthermore, lodging a complaint with a supervisory authority does not impact the eligibility or validity of other remedies. For instance, a data subject can still initiate legal proceedings against a controller or processor (as per Article 79) irrespective of whether a complaint has been lodged with a supervisory authority, either concurrently or independently.^[2]

CJEU: The CJEU has recently clarified that "Article 77(1), Article 78(1) and Article 79(1) of Regulation (EU) 2016/679 [...] must be interpreted as permitting the remedies provided for in Article 77(1) and Article 78(1) of that regulation, on the one hand, and Article 79(1) thereof, on the other, to be exercised concurrently with and independently of each other. It is for the Member States, in accordance with the principle of procedural autonomy, to lay down detailed rules as regards the relationship between those remedies in order to ensure the effective protection of the rights guaranteed by that regulation and the consistent and homogeneous application of its provisions, as well as the right to an effective remedy before a court or tribunal as referred to in Article 47 of the Charter of Fundamental Rights."^[3]

The decision of whether to choose the complaint procedure or another remedy lies with the affected individual and may be influenced by practicality or efficiency aspects, in addition to legal considerations.

The data subject

The provision requires that the "data subject considers that the processing of personal data relating to him or her infringes the Regulation." From this perspective, the essential condition is that the controller, joint controller, or processor has processed or is processing the personal data of the data subject in a manner that violates the Regulation. Consequently, if no data processing has ever occurred, there is obviously no basis for filing a complaint.

However, this interpretation should not lead to extreme outcomes. There are certain situations where, even in the absence of data processing, a complaint may still seem justifiable, avoiding systematically unacceptable interpretations. First, consider, for example, the case of the privacy policy under Article 13 of the GDPR. This information is typically provided before the data processing begins, and yet, there is no doubt that the right to information under Article 13 is a fundamental right and a violation of it can be subject to a complaint to the supervisory authority. Second, a similar situation arises with Article 15(1) of the GDPR, which grants the data subject the right to obtain "from the controller confirmation as to whether or not personal data concerning him or her are being processed." If the controller fails to respond to such a request, a clear violation of the GDPR occurs. Once again, there is no doubt that the data subject can file a complaint under Article 77 of the GDPR, simply due to not having received such a response, regardless of whether any personal data processing has actually taken place or is ongoing. Third, another scenario is when a controller, upon being informed of the data subject's intention to take legal action for unlawful data processing, intentionally deletes the data to avoid potential liabilities, thus violating Article 17(3)(e) of the GDPR. In this case, indeed, no ongoing data processing exists, and a strict application of Article 77 would lead to the complaint being deemed inadmissible. However, once again, such a conclusion would be entirely unacceptable.

In light of the above, it must be concluded that, in general terms, a complaint under Article 77 is only admissible when there is ongoing processing of personal data related to the complainant. Nevertheless, in certain specific situations, such as those mentioned above, which have the character of "lex specialis" in relation to the general provision of Article 77, the complaint remains admissible.

Shall have the right to lodge a complaint

The complaint to the SA can be lodged informally. In accordance with Article 57(2) GDPR, the SAs shall facilitate the submission of complaints, in particular through an online form or other similar channels. As part of the obligation to facilitate, SAs shall communicate their contact options clearly and use as many means of communication as possible.^[4] An obligation on the complainant to provide information and, if necessary, to prove their identity exists only to the extent necessary to verify their right to lodge a complaint. In principle, the SA is also obliged to deal with anonymous complaints. Insisting on the indication of name and address, for example, should not be necessary on a regular basis. On this issue, it should be noted that a copy of an ID card has no probative value, since copies of ID cards are very easy to obtain or create and can be manipulated or generated electronically. Identification systems based on the eIDAS Regulation, however, easy online identification throughout the EU.^[5]

content

If the data subject considers there is an infringement

The data subject must at least allege that their data is processed in violation of the GDPR. Contrary to the prevailing opinion among legal scholars,^[6] some SAs have taken the stance that the right to lodge a complaint is limited to violations of data subject rights under Chapter III of the GDPR (“Rights of the data subject“).^[7]

For the following reasons, the academic opinion provides the more compelling arguments. First, the language of Article 77(1) GDPR does not contain any limitations to violations of Chapter III rights. Second, Article 8(2) Charter of Fundamental Rights of the EU (“CFR”) already foresees that personal data “must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law.” These requirements are laid down in detail in Articles 5 to 10 GDPR. In light of Article 41 and Article 47 CFR, limiting complaints to the violation of Chapter III GDPR would therefore violate not only the GDPR but also primary EU law. Third, a limitation to violations of Chapter III rights would also result in massive enforcement deficiencies. A data subject would have no possibility to have certain processing activities reviewed by a SA. For example, a processing activity that is based on an algorithm that produces incorrect data on a regular basis could not be addressed under Article 16 GDPR as Article 16 GDPR can only be invoked to rectify existing inaccurate data but not to stop the ongoing creation of incorrect data that is based on existing correct data. In this case, the data subject would have to rely directly on the principle of accuracy under Article 5(1)(d) GDPR in conjunction with Articles 24 and 25 GDPR and ask the SA to order the controller to bring the processing operation into compliance with the GDPR under Article 58(2)(d) GDPR or even ban it under Article 58(2)(f) GDPR.

Therefore, complaints under Article 77 GDPR should extend to a broad range of violations concerning, inter alia: the principles of data processing (Article 5 GDPR), the lawfulness of processing (Articles 6, 9 and 10 GDPR), the conditions for consent (Articles 7 and 8 GDPR), information under Article 11(2) GDPR, provisions of Chapter III of the GDPR (Articles 12 to 22 GDPR), the duty to communicate a personal data breach to the data subject (Article 34 GDPR), the provisions on data transfers to third countries or international organisations under Chapter V of the GDPR (Article 44 et seq. GDPR).^[8]

With a(ny) supervisory authority

The GDPR only requires that a SA is addressed by the complaint. This general rule is only limited by a non-exhaustive list of possible SAs. This means that a complainant may file a complaint with any SA in the European Economic Area, independent of location.^[9]

Habitual residence

The most common place to lodge a complaint is the home jurisdiction of the complainant. The habitual residence is defined in different EU laws and requires a legal right to residence and an objective assessment of the factual residence. Especially in cross border cases, data subjects might want to choose to lodge complaints at the place of their habitual residence, as this allows for the data subject to file the complaint in (one of) the official languages of the relevant Member State, rather than the official language of the Member State that the controller is based in.

Place of work

Similar to the habitual residence, complainants can lodge a complaint before the SA of their work place. It is not required that the complaint has any connection to the place of work.

Place of alleged infringement

The complaint can also be lodged before the SA of the place of the alleged infringement. This clause is a typical form of jurisdiction that is aimed at aligning the location of the decision maker with the location of facts. Example: The SA that is closest to a CCTV camera may be best placed to gather factual evidence on the CCTV system, without the need to request mutual assistance from other SAs.

Cross country cases

The option to lodge a complaint with any SA does not mean that the SA with which the case has been lodged necessarily decides about the case. Which SA actually handles the case is subject to Article 55 and 56 GDPR. In any case the SA with which the complaint has been lodged remains a “supervisory authority concerned” under Article 4(22)(c) GDPR and the point of contact for the data subject (“one-stop shop”).

(2) Duty to inform the data subject

Under Article 77(2) GDPR, “the supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78.” This provision only addresses the SA with which the complaint has been lodged but not the SA ultimately handling the case under Articles 55 and 56 GDPR (which might be the same or a different SA). The SA’s report on the progress as well as the final decision must include information on the possibility for a judicial remedy under Article 78(2) GDPR and Article 78(1) GDPR respectively.

Timeline and frequency of information

Article 77(2) GDPR does not stipulate a deadline by which the data subject has to be initially informed about the progress of the complaint, nor does it contain rules on the frequency of such “progress reports”. Read in conjunction with Article 57(1)(f) GDPR (“[…] inform the complainant of the progress and the outcome of the investigation within a reasonable period, […]”) , the SA must inform the data subject within a reasonable period.

Moreover, under Article 78(2) GDPR, a data subject has the right to an effective judicial remedy where the SA that is competent pursuant to Article 55 and 56 GDPR does not inform the data subject within three months on the progress or outcome of the complaint lodged pursuant to Article 77 GDPR. It must be noted that other than Article 77(2) GDPR, Article 78(2) does not address the SA with which the complaint has been lodged but rather the SA that is competent to handle the case under Articles 55 and 56 GDPR.

Thus, if the SA with which the complaint has been lodged is also competent to handle the case under Article 55 GDPR, the SA has to inform the data subject within three months after receipt of the complaint on its progress or outcome under Article 78(2) GDPR. Vice versa, if the SA with which the complaint has been lodged is not competent to handle the case (but rather the lead SA under Article 56 is), then the SA with which the complaint has been lodged must inform the data subject under Article 77(2) GDPR.

The first information usually is an acknowledgement of receipt and a notice that the case has been forwarded to an (alleged) lead LSA. Although there is no specific deadline for this information, the three-month period of Article 78(2) GDPR should be applied per analogiam. As soon as the lead SA is established (which very often takes longer than three months), it must inform the data subject within three months after receipt of the complaint on its progress or outcome under Article 78(2) GDPR. For practical reasons, the SA with which the complaint has been lodged usually informs the data subject on behalf of the lead SA on this.

Decisions

→ You can find all related decisions in Category:Article 77 GDPR

References

↑ Bergt, in Kühling, Buchner, DS-GVO BDSG, Article 77 GDPR, margin number 26 (C.H. Beck 2020, 3rd edition). This includes that the lodging of a complaint and its handling by a SA shall be free of charge for the data subject (Article 57(3) GDPR).
↑ Pötters, Werkmeister in Gola, DS-GVO, Article 77 GDPR, margin number 4 (C.H. Beck 2022, 3rd edition).
↑ CJEU - C-132/21 - Nemzeti Adatvédelmi és Információszabadság Hatóság (available here).
↑ Bailey, in Kühling, Buchner, DS-GVO BDSG, Article 77 GDPR, margin number 11 (C.H. Beck 2020, 3rd Edition)
↑ Bailey, in Kühling, Buchner, DS-GVO BDSG, Article 77 GDPR, margin number 11 (C.H. Beck 2020, 3rd Edition)
↑ Bergt, in Kühling, Buchner, DS-GVO BDSG, Article 77 GDPR, margin number 10 (Beck 2020, 3rd edition); Nemitz in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 77 GDPR, margin number 16 (Beck 2018, 2nd edition); von Lewinksi in Auernhammer, DSGVO BDSG, Article 77 GDPR, margin number 2 (Carl Heymanns 2018, 6nd edition).
↑ Datenschutzbehörde, 13 September 2018, das Bundesministerium für Europa, Integration und Äußeres, das Bundeskanzleramt, DSB-D123.070/0005-DSB/2018, (available here).
↑ Schweiger in Knyrim, DatKomm, Article 77 GDPR, margin number 11 (as of 22.4.2021, rdb.at).
↑ Bergt in Kühling, Buchner, DS-GVO BDSG, Article 77 GDPR, margin number 9 (Beck 2020, 3rd edition).

[1] Bergt, in Kühling, Buchner, DS-GVO BDSG, Article 77 GDPR, margin number 26 (C.H. Beck 2020, 3rd edition). This includes that the lodging of a complaint and its handling by a SA shall be free of charge for the data subject (Article 57(3) GDPR).

[2] Pötters, Werkmeister in Gola, DS-GVO, Article 77 GDPR, margin number 4 (C.H. Beck 2022, 3rd edition).

[3] CJEU - C-132/21 - Nemzeti Adatvédelmi és Információszabadság Hatóság (available here).

[4] Bailey, in Kühling, Buchner, DS-GVO BDSG, Article 77 GDPR, margin number 11 (C.H. Beck 2020, 3rd Edition)

[5] Bailey, in Kühling, Buchner, DS-GVO BDSG, Article 77 GDPR, margin number 11 (C.H. Beck 2020, 3rd Edition)

[6] Bergt, in Kühling, Buchner, DS-GVO BDSG, Article 77 GDPR, margin number 10 (Beck 2020, 3rd edition); Nemitz in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 77 GDPR, margin number 16 (Beck 2018, 2nd edition); von Lewinksi in Auernhammer, DSGVO BDSG, Article 77 GDPR, margin number 2 (Carl Heymanns 2018, 6nd edition).

[7] Datenschutzbehörde, 13 September 2018, das Bundesministerium für Europa, Integration und Äußeres, das Bundeskanzleramt, DSB-D123.070/0005-DSB/2018, (available here).

[8] Schweiger in Knyrim, DatKomm, Article 77 GDPR, margin number 11 (as of 22.4.2021, rdb.at).

[9] Bergt in Kühling, Buchner, DS-GVO BDSG, Article 77 GDPR, margin number 9 (Beck 2020, 3rd edition).

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]