The right to lodge a data protection complaint: OK, but then what? An empirical study of current practices under the GDPR

Access to data protection remedies constitutes a core element of the enforcement of the General Data Protection Regulation (GDPR).15 Individuals confronted with a data protection infringement have the right to turn directly to the judiciary (Article 79 of the GDPR), but they have also the right to lodge a complaint with a Data Protection Authority (DPA) (Article 77 of the GDPR). They can lodge a complaint at the Member State of their habitual residence, of their place of work, or of the Member State of the place of the alleged data protection infringement. Data subjects also have the right to an effective judicial remedy against the decisions of DPAs, as well as in case of lack of action or lack
of information about the outcome or progress of their complaint (Article 78 of the GDPR). Individuals can decide to mandate certain civil society organisations to represent them in front of DPAs, or in front of courts (Article 80 of the GDPR).
Data protection remedies are directly linked to two fundamental rights of the European Union (EU): the right to the protection of personal data and the right to an effective judicial remedy, enshrined in Articles 8 and 47 of the EU Charter of Fundamental Rights, respectively. Data protection remedies are at the crossroads of the exercise of individuals' rights and the obligations imposed on DPAs.