The right to lodge a data protection complaint: OK, but then what? An empirical study of current practices under the GDPR

Gloria Gonzalez Fuster, Jef Ausloos, Damian Bons, Lee A. Bygrave, Bárbara da Rosa Lazarotto, Laura Drechsler, Olga Gkotsopoulou, Christopher Hristov, Kristina Irion, Lina Jasmontaite, Charlotte Kroese, Orla Lynskey, Maria Magierska

Research output: Book/ReportCommissioned reportResearch

Abstract

Access to data protection remedies constitutes a core element of the enforcement of the General Data Protection Regulation (GDPR).15 Individuals confronted with a data protection infringement have the right to turn directly to the judiciary (Article 79 of the GDPR), but they have also the right to lodge a complaint with a Data Protection Authority (DPA) (Article 77 of the GDPR). They can lodge a complaint at the Member State of their habitual residence, of their place of work, or of the Member State of the place of the alleged data protection infringement. Data subjects also have the right to an effective judicial remedy against the decisions of DPAs, as well as in case of lack of action or lack
of information about the outcome or progress of their complaint (Article 78 of the GDPR). Individuals can decide to mandate certain civil society organisations to represent them in front of DPAs, or in front of courts (Article 80 of the GDPR).
Data protection remedies are directly linked to two fundamental rights of the European Union (EU): the right to the protection of personal data and the right to an effective judicial remedy, enshrined in Articles 8 and 47 of the EU Charter of Fundamental Rights, respectively. Data protection remedies are at the crossroads of the exercise of individuals' rights and the obligations imposed on DPAs.
Original languageEnglish
PublisherAccess Now
Commissioning bodyAccess Now
Number of pages69
Publication statusPublished - Jun 2022

Fingerprint

Dive into the research topics of 'The right to lodge a data protection complaint: OK, but then what? An empirical study of current practices under the GDPR'. Together they form a unique fingerprint.

Cite this