top of page


File a GDPR complaint: what are the consequences?


With the emergence of theGDPR-legislationeveryone attaches more and more value to his or her privacy. Many companies are therefore (rightly) concerned about customer satisfaction with the protection of their personal data. Can anyone file a GDPR complaint? And what are the consequences of that? The privacy experts at Mr. Franklin explain the possible scenarios.


Legal obligation for companies to operate in compliance with GDPR


Since 2018, theGDPR legislationfor all entities that process personal data, in all member states of the European Union.

Personal dataare data with which living natural persons can be identified (for example, an IP address, telephone number, e-mail address and the like). Their processing can entail a significant privacy risk for those involved.

The term "processingis by lawgenerously filled in, which makes the probability very real thatyour company tooto the processing of personal data. Inthis blog postfrom mr. Franklin you can read what awaits the company if it does not guarantee GDPR-compliant data protection.

Can you just file a GDPR complaint?


Without prejudice to other options for administrative appeal or legal remedies, the data subject mayfile a complaint with the supervisory authority, if he believes that the processing of his personal data has infringed the GDPR legislation.

Before submitting a complaint, the Data Protection Authority (GBA) recommends that ainformation- or amediation requestto submit. An information request can provide an answer to specific questions about the protection of personal data. A request for mediation is appropriate if the complainant prefers an amicable solution.

If these two options do not yield the desired result, one can also use oneto file a complaint. The Disputes Chamber will deal with the complaint. You may be assisted in this by alawyer, although this is not mandatory.

Before submitting a complaint, the data subject must first beexercised rights. If the exercise of these rights has not produced the intended result, it is appropriate to lodge a complaint. In some cases, the Data Protection Authority advises to consult the data controller.


How can one submit a GDPR complaint?


The practical part of filing a complaint isvery simple. Anyone can download, complete, sign and send the complaint form. In principle, thecontact details of the data subjectbe stated when submitting the complaint. In very exceptional cases, the complaint is possibleanonymouslybeing treated.

Note: a complaint can also be madeshelved. This happens if the complaint does not meet certain conditions. On the website of the Data Protection Authority you will find theguidelines of the dismissal policy.

Anker 1
Anker 2

What can the supervisory authority do? 


Data Protection Authority (GBA) is thesupervisory authorityon the protection of personal data. It is therefore theGBAwho inspects complaints or requests in the first instance.

Information request


If there is oneinformation requestsubmitted, the Data Protection Authority will respond within 1 month. In certain cases and if the GBA deems it useful, aresearchbe set. This investigation is progressingcompletely internal, which means that the information seeker has no insight into the course or the results of the procedure.

However, such an investigation can result insanctionsimposed on the company.

Request for mediation

Instead, if you choose onemediation request, then the Data Protection Authority will try aagreementto be reached between the applicant and the company in question. If it is not possible to reach an agreement, the Data Protection Authority can convert the request for mediation into acomplaint. This requires the consent of the data subject.

Handling a complaint

Ato file a complaintis the most far-reaching procedure. That is why there are certain formalities involved and the handling of a complaint takes a lot of time. In addition, the Disputes Chamber of the Data Protection Authority is not obliged to deal with every complaint on the merits. This means thatnot all complaintscontent are examined.

If the Disputes Chamber is of the opinion that the complaint should be further assessed, the complainant will be invited toconclusionsto put down. As mentioned earlier, assistance from thelawyernot required in this procedure. Nevertheless, we advise everyone to hire a legal GDPR expert.

The Disputes Chamber of the GBA cancertain sanctionsimpose damages on the infringing company, but does not have the power to award damages to the complainant. A fine is in order.

Duration of treatment

The GBA reports that the flow of incoming complaints has increased enormously recently. It will therefore take several months before the Disputes Chamber will review the complaint. If an additional investigation or inspection has to be carried out, the duration of the procedure will increase all the more. Anyone who submits a complaint should therefore not expect an immediate response.

Anker 3

Who is Mr. Franklin?


mr. Franklin stands forinnovativeandqualitativeservice. We attach great importance to continuous improvement of our expertise.

mr. Franklin has three certified DPOs; all three have thembroad experiencein all kinds of companies and governments. Among other things, Mr. Franklin has been appointed as a DPO at companies in the healthcare sector, IT companies, online advertising companies, companies in the legal sector such as law firms, bailiffs' offices and notaries and (suppliers to) governments.

How can a DPO help?


A Data Protection Officer (DPO) is aindependent personThatmonitors compliance with the GDPR within a company. Sometimes a Data Protection Officer is also referred to as a data protection officer.

Governments and their employees, IT companies and platforms that host data, companies that process a lot of sensitive personal data, such as law firms, medical practices and bailiffs' offices, must appoint a DPO. This is required by law in order to guarantee the high quality of data protection.

Many companies also set oneexternal Data Protection Officerto ensure that data processing is GDPR-compliant. In this way, a company can reduce the risk of GDPR complaints and thus avoid hefty fines. More about DPO as a servicecan be found here.

Why choose GDPR services from Mr. Franklin?


We offerall-in-one GDPR formulasagainst againstfixed pricesto set up a GDPR and security policy within your company. The needs of your staff, your way of working and your personal expectations are taken into account.

More than 250 companies have already preceded you. onour websitecan you thefeedback about our servicesfind. Feel free to contact us without obligation so that we can see together how your company can be made GDPR-proof.

Anker 4


bottom of page