13.2 File a Complaint — Regulatory Bodies

Module 13: Help, Resources & Where to Go Next

Where to go when something has gone wrong: complaint portals by jurisdiction, what to expect, and how to prepare an effective complaint.


If an organisation has violated your data protection rights, you have the right to complain to a regulator — and regulators are required to take your complaint seriously. Here is where to go, organised by jurisdiction.


Before You File: What to Include in Any Complaint

A well-prepared complaint moves faster. Include: (1) your full name and contact details; (2) the name and address of the organisation you are complaining about; (3) a clear description of what happened, in chronological order; (4) the right you believe was violated; (5) any supporting documents — copies of your request, the organisation's response (or silence), relevant communications; (6) what remedy you are seeking.


European Union

File with the national DPA of your country of residence, or with the DPA of the country where the organisation is established. Find your national DPA via the EDPB member list: edpb.europa.eu/about-edpb/members_en

  • Germany — BfDI (bfdi.bund.de): handles federal matters and coordinates with 16 state DPAs (Landesbehörden). The relevant state DPA depends on where you live and where the company is based.
  • France — CNIL (cnil.fr): online complaint form in French; typically acknowledges within 2 weeks and responds within 3 months.
  • Ireland — Data Protection Commission (dataprotection.ie): lead supervisor for many large US tech companies (Google, Meta, Apple, LinkedIn) whose EU headquarters are in Ireland. High-volume caseload; complex cases may take 1–2 years.
  • Spain — AEPD (aepd.es): accepts complaints in Spanish; known for relatively swift preliminary responses.

Typical EU timeline: 3–9 months for straightforward cases; longer for complex or cross-border investigations.


United Kingdom

ICO Complaint Portal (ico.org.uk/make-a-complaint): Before filing, you must first contact the organisation directly and give them a reasonable time to respond (usually 30 days); the ICO asks that you raise the issue with the organisation first. The ICO targets a response within 3 months. It can issue fines and enforcement notices.


United States

  • FTC — Report Fraud (reportfraud.ftc.gov): covers general unfair or deceptive trade practices, including privacy violations. Reports contribute to enforcement investigations; individual remedies are rare.
  • California AG — CCPA Complaints (oag.ca.gov/privacy/ccpa): California residents can report CCPA violations. The AG can pursue civil enforcement.
  • HHS OCR — HIPAA Complaints (hhs.gov/hipaa/filing-a-complaint): for health data violations. File within 180 days of the violation. OCR investigates and can impose penalties.

Canada

OPC — Report a Concern (priv.gc.ca/en/report-a-concern): The OPC accepts complaints under PIPEDA and the Privacy Act. Mediation is offered; if unresolved, the Commissioner can make recommendations and refer to Federal Court. Timelines: typically 6–12 months.


Brazil

ANPD (gov.br/anpd): Brazil's national DPA under the LGPD. Complaint portal available in Portuguese. The ANPD is still building enforcement capacity; expect longer timelines in early cases.


Australia

OAIC — Privacy Complaints (oaic.gov.au/privacy/privacy-complaints): First contact the organisation; if unresolved, the OAIC accepts formal complaints. Conciliation is the primary mechanism. Investigation timelines: 3–12 months.


South Africa

Information Regulator (inforegulator.org.za): Complaint form available online. The Regulator can investigate, issue enforcement notices, and refer for criminal prosecution in serious cases.


Japan & Singapore

  • Japan — Personal Information Protection Commission (ppc.go.jp/en): accepts complaints in Japanese; English materials available.
  • Singapore — PDPC (pdpc.gov.sg): complaints via online portal; the PDPC has enforcement powers and publishes decisions.

Escalation Path

If a DPA does not act or you disagree with their decision: (1) ask for an internal review; (2) complain to the DPA's oversight body (e.g., an ombudsman); (3) seek judicial review in your national courts; (4) consider strategic litigation support from organisations like noyb or EPIC (see Topic 13.3).
