9.4 What to Do When Rights Are Violated
Module 9: Your Rights — A Practical Guide
Step-by-step escalation path from contacting the DPO to DPA complaints, civil society support, and court action — with timelines, compensation rights, and practical tools.
Knowing your rights is half the battle. Knowing how to enforce them when they are violated is the other half. This lesson gives you a clear, practical escalation path — from your first contact with the organisation to regulatory complaints and, if necessary, court action. The system is more accessible than most people realise.
Step 1: Contact the organisation's DPO or privacy team
Start here. Email the organisation's Data Protection Officer or privacy team, clearly stating the right you are invoking, the outcome you expect, and a reasonable deadline (typically two to four weeks). Reference the specific legal basis — GDPR Art. 15, 17, 21, or equivalent. Keep a record of all correspondence. Many issues are resolved at this stage simply because organisations prefer compliance to regulatory attention.
If the organisation does not have a DPO (one is required for large-scale processors, public authorities, and processors of sensitive data), write to their legal or compliance department instead.
Step 2: File a complaint with your national DPA
If the organisation fails to respond, denies your rights without justification, or its response is inadequate, your next step is a formal complaint to your national data protection authority. DPAs have investigative and enforcement powers — they can issue reprimands, orders to comply, and substantial fines (up to €20 million or 4% of global annual turnover under GDPR).
- UK: Information Commissioner's Office (ICO) — online complaint form at ico.org.uk/make-a-complaint/
- Ireland (and many EU multinationals): Data Protection Commission (DPC)
- France: Commission Nationale de l'Informatique et des Libertés (CNIL)
- Germany: Bundesbeauftragter für den Datenschutz und die Informationsfreiheit (BfDI) plus state-level LfDIs
- US: Federal Trade Commission (FTC) for unfair or deceptive practices; state Attorneys General for CCPA enforcement
Expect the complaint process to take three to eighteen months depending on complexity and DPA capacity.
Step 3: Strategic advocacy organisations
For cases with broader public interest implications, organisations exist specifically to support individuals in enforcing privacy rights:
- noyb (None of Your Business) — EU-based; offers a free GDPR complaint submission tool at noyb.eu/en/complaints. noyb has filed hundreds of complaints and driven landmark regulatory actions against Meta, Google, and others.
- Electronic Frontier Foundation (EFF) — US-based; focuses on digital rights litigation and advocacy, particularly in surveillance and free expression cases.
- Privacy International — UK-based global organisation; focuses on state surveillance, data brokers, and government accountability.
These organisations do not guarantee representation in individual cases, but they offer tools, legal analysis, and sometimes direct support for cases they consider strategically significant.
Step 4: Court action
GDPR Art. 82 establishes the right to receive compensation from a controller or processor for material or non-material damage resulting from a GDPR infringement — including distress. You can bring a claim in your national courts without first exhausting the DPA route, although most individuals find regulatory complaints more accessible as a first step.
Your takeaway
The enforcement system is designed to be accessible. You do not need a lawyer to file a DPA complaint or use noyb's tool. Start by documenting everything, try the organisation first, and escalate methodically. Privacy rights that are not exercised exist only on paper.