How to File a GDPR Complaint
GDPR Article 77 gives you the right to lodge a complaint with a supervisory authority if you feel that your data protection rights have been breached.
There are three ways to exercise this right.
1. Lodging a complaint with the Data Protection Authority (DPA) of Your Country
The GDPR appoints data protection authorities in each of the EU member states and those in the European Economic Area (EEA). Here's a list of the DPAs in your country.
Each data protection authority is required to investigate your complaint and respond with the outcome within 3 months. You're allowed to remind them of this obligation and follow up as needed.
Remember, the GDPR only applies to EU residents inside the EU, so residents of other parts of the world, like the U.S., cannot rely on this method.
2. Take Legal Action
Aggrieved consumers can file a lawsuit against the offending company while they wait for a decision from the DPA, too. This can be done in tandem if you believe your data protection rights have been violated egregiously.
3. File a Legal Complaint Against the DPA
The DPA is bound by law to respond within 3 months to all complaints, and follow a thorough, investigative process. If you believe that they have shirked this responsibility, your best bet is to file a legal complaint against the DPA for an EU court to decide the next steps.
What if My Data Was Processed in Multiple Countries?
It's possible that folks live in and visit multiple countries and suspect that their data was mismanaged across borders. A popular example is fitness apps that track your data and may record your activity across borders. In this case, submit the complaint to the DPA of the country where you are a resident. There's an EU principle known as the 'one-stop-shop mechanism' that coordinates complaints across member countries. This principle will apply if cross-border data management is at play.