Supervisory data protection authorities

The supervisory data protection authorities are an important institution for data protection. As independent bodies, their task is to ensure compliance with data protection laws, in particular the GDPR.

A number of powers are conferred on them for this purpose. Firstly, the supervisory authorities have control powers which enable them to check whether a controller complies with applicable data protection law. They can, for example, request the list of processing activities and other information they need for their tasks and even have access to the premises of the company (see Art. 58(1) GDPR).
If the authority determines a misconduct of the controller, it will first instruct them to cease said activity and to adhere to the law. Depending on the seriousness of the offense, it can also impose fines if necessary.

For you as a consumer, the supervisory authorities primarily offer straightforward help if you want to defend yourself against a company or other organisation that incorrectly processes your data. If you believe that a data controller is violating your privacy rights, you can contact the supervisory authorities at any time and ask them to address your concerns.
This is much easier for you than the alternative of taking legal action against the controller. The work of the authority is even free for you (see Art. 57(3) GDPR).

The One Stop Shop principle and the competence of the supervisory authorities

Before the introduction of the GDPR, there were some uncertainties as to which supervisory authority would be responsible in a particular case. This problem is solved with the GDPR.

First of all, Art. 56(1) GDPR establishes the so-called “One Stop Shop” principle which defines that the supervisory data protection authority at a company’s headquarters is responsible for them.

But the procedure has also been significantly simplified for consumers. Until now, you had to contact the authority responsible for the controller you wanted to complain against. This requirement creates problems in particular when the company is located in another country and potential language barriers come into play.
Art. 77(1) GDPR now specifies, however, that a data subject can also contact the supervisory data protection authority in their own country (in concrete terms, this is referred to as the “Member State of his or her habitual residence, place of work or place of the alleged infringement”).

It should be noted that this principle only regulates which authority you contact. The supervisory authority in your country will then get in touch with the one in the controller’s country and ask them to deal with your case. The contact point for you, however, will always remain the authority in your country, so you do not have to worry about filing complaints against companies from other countries.

Which supervisory authority should I contact?

So, if you have a complaint or other question and would like to seek the help of a supervisory data protection authority, the question remains as to which one you should contact. In general, even the “wrong” authority will forward you to the right one, but it is of course easier and faster if you contact the correct one directly.

In principle, there is at least one data protection supervisory authority in each country. Unfortunately, it is not always that simple. Art. 51 GDPR allows for the establishment of more than one supervisory authority within a single country. This is for example the case in Germany.

In order to make it easier for you to find the supervisory authority responsible for you, we have designed the supervisory authority finder. All you need to do is answer a few questions about where you live and, if applicable, the nature of your enquiry and we will then suggest the authority you should contact.
Like most features on datarequests.org, all processing only happens on your own computer, so your answers will never even reach us.

If you would rather do the research yourself, have a look at our list of data protection authorities. The European Data Protection Board also has a list but note that this one only includes the authorities at the national level.

Complaints for requests done through datarequests.org

If you have made a request to a company via datarequests.org and have received no or only an unsatisfactory answer, we can make it even easier for you to complain to the supervisory authority.

In the “My requests” feature, you can see an overview of all your requests—provided you have not disabled it. Next to each request, there are buttons that you can use to send reminders and complaints concerning this request via our generator.

Sending a complaint through datarequests.org
Sending a complaint through datarequests.org
written by Benjamin Altpeter (Chairperson of Datenanfragen.de e. V.)
on