Article 77
Right to lodge a complaint with a supervisory authority

Recitals of the Regulation related to Article 77

(7) Those developments require a strong and more coherent data protection framework in the Union, backed by strong enforcement, given the importance of creating the trust that will allow the digital economy to develop across the internal market. Natural persons should have control of their own personal data. Legal and practical certainty for natural persons, economic operators and public authorities should be enhanced.

(141) Every data subject should have the right to lodge a complaint with a single supervisory authority, in particular in the Member State of his or her habitual residence, and the right to an effective judicial remedy in accordance with Article 47 of the Charter if the data subject considers that his or her rights under this Regulation are infringed or where the supervisory authority does not act on a complaint, partially or wholly rejects or dismisses a complaint or does not act where such action is necessary to protect the rights of the data subject. The investigation following a complaint should be carried out, subject to judicial review, to the extent that is appropriate in the specific case. The supervisory authority should inform the data subject of the progress and the outcome of the complaint within a reasonable period. If the case requires further investigation or coordination with another supervisory authority, intermediate information should be given to the data subject. In order to facilitate the submission of complaints, each supervisory authority should take measures such as providing a complaint submission form which can also be completed electronically, without excluding other means of communication.

(142) Where a data subject considers that his or her rights under this Regulation are infringed, he or she should have the right to mandate a not-for-profit body, organisation or association which is constituted in accordance with the law of a Member State, has statutory objectives which are in the public interest and is active in the field of the protection of personal data to lodge a complaint on his or her behalf with a supervisory authority, exercise the right to a judicial remedy on behalf of data subjects or, if provided for in Member State law, exercise the right to receive compensation on behalf of data subjects. A Member State may provide for such a body, organisation or association to have the right to lodge a complaint in that Member State, independently of a data subject's mandate, and the right to an effective judicial remedy where it has reasons to consider that the rights of a data subject have been infringed as a result of the processing of personal data which infringes this Regulation. That body, organisation or association may not be allowed to claim compensation on a data subject's behalf independently of the data subject's mandate.

(143) Any natural or legal person has the right to bring an action for annulment of decisions of the Board before the Court of Justice under the conditions provided for in Article 263 TFEU. As addressees of such decisions, the supervisory authorities concerned which wish to challenge them have to bring action within two months of being notified of them, in accordance with Article 263 TFEU. Where decisions of the Board are of direct and individual concern to a controller, processor or complainant, the latter may bring an action for annulment against those decisions within two months of their publication on the website of the Board, in accordance with Article 263 TFEU. Without prejudice to this right under Article 263 TFEU, each natural or legal person should have an effective judicial remedy before the competent national court against a decision of a supervisory authority which produces legal effects concerning that person. Such a decision concerns in particular the exercise of investigative, corrective and authorisation powers by the supervisory authority or the dismissal or rejection of complaints. However, the right to an effective judicial remedy does not encompass measures taken by supervisory authorities which are not legally binding, such as opinions issued by or advice provided by the supervisory authority. Proceedings against a supervisory authority should be brought before the courts of the Member State where the supervisory authority is established and should be conducted in accordance with that Member State's procedural law. Those courts should exercise full jurisdiction, which should include jurisdiction to examine all questions of fact and law relevant to the dispute before them.

Where a complaint has been rejected or dismissed by a supervisory authority, the complainant may bring proceedings before the courts in the same Member State. In the context of judicial remedies relating to the application of this Regulation, national courts which consider a decision on the question necessary to enable them to give judgment, may, or in the case provided for in Article 267 TFEU, must, request the Court of Justice to give a preliminary ruling on the interpretation of Union law, including this Regulation. Furthermore, where a decision of a supervisory authority implementing a decision of the Board is challenged before a national court and the validity of the decision of the Board is at issue, that national court does not have the power to declare the Board's decision invalid but must refer the question of validity to the Court of Justice in accordance with Article 267 TFEU as interpreted by the Court of Justice, where it considers the decision invalid. However, a national court may not refer a question on the validity of the decision of the Board at the request of a natural or legal person which had the opportunity to bring an action for annulment of that decision, in particular if it was directly and individually concerned by that decision, but had not done so within the period laid down in Article 263 TFEU.

(144) Where a court seized of proceedings against a decision by a supervisory authority has reason to believe that proceedings concerning the same processing, such as the same subject matter as regards processing by the same controller or processor, or the same cause of action, are brought before a competent court in another Member State, it should contact that court in order to confirm the existence of such related proceedings. If related proceedings are pending before a court in another Member State, any court other than the court first seized may stay its proceedings or may, on request of one of the parties, decline jurisdiction in favour of the court first seized if that court has jurisdiction over the proceedings in question and its law permits the consolidation of such related proceedings. Proceedings are deemed to be related where they are so closely connected that it is expedient to hear and determine them together in order to avoid the risk of irreconcilable judgments resulting from separate proceedings.

(145) For proceedings against a controller or processor, the plaintiff should have the choice to bring the action before the courts of the Member States where the controller or processor has an establishment or where the data subject resides, unless the controller is a public authority of a Member State acting in the exercise of its public powers.

There is no recital in the Directive related to article 77.

The GDPR

Like the Directive, Article 77 of the Regulation enables any person concerned by data processing to lodge a complaint with a supervisory authority if the data subject considers that the processing of personal data relating to him or her infringes this Regulation. Any infringement of the Regulation may therefore justify such a complaint.

In its first draft, the second paragraph of Article 77 also specified the organisations entitled to lodge a complaint on behalf of the data subject, even irrespective of any claim of the data subject, in the case of a personal data breach. However, this element was not retained in the final version of the text.

The supervisory authority to which a data subject may turn is not strictly specified. According to paragraph 1, the data subject has the right to lodge a complaint with a supervisory authority competent for his or her habitual residence, place of work or place of the alleged infringement.

The supervisory authority receiving the complaint shall inform the complainant on the progress and the outcome of the complaint, including the possibility of a judicial remedy pursuant to Article 78 of the Regulation (paragraph 2).

The Directive

The Directive already required Member States to implement a procedure for lodging a complaint with the supervisory authority. Thus any person or an association representing that person may lodge a complaint concerning the protection of his or her rights and freedoms in regard to the processing of personal data. This may in particular consist of a request for verification of the lawfulness of processing. Pursuant to Article 28 (4), the person concerned shall be informed of the outcome of the claim or that a check has taken place.

Potential issues

In countries where the authority had no decision-making power, an increase in complaints may be expected, as this situation will lead to a decision likely to be appealed. The question is then what procedure will apply before the national authority. It should not be overly complicated or costly, as this may discourage the data subject from pursuing a complaint.

Regulation

Art. 77

1.   Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.

2.   The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78.

1st proposal

Art. 73 

1. Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority in any Member State if they consider that the processing of personal data relating to them does not comply with this Regulation.

2. Any body, organisation or association which aims to protect data subjects’ rights and interests concerning the protection of their personal data and has been properly constituted according to the law of a Member State shall have the right to lodge a complaint with a supervisory authority in any Member State on behalf of one or more data subjects if it considers that a data subject’s rights under this Regulation have been infringed as a result of the processing of personal data.

3. Independently of a data subject's complaint, any body, organisation or association referred to in paragraph 2 shall have the right to lodge a complaint with a supervisory authority in any Member State, if it considers that a personal data breach has occurred.

2nd proposal

Art. 73

1. Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a single supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement, if the data subject considers that the processing of personal data relating to him or her does not comply with this Regulation.

2. (…)

3. (…)

4. (…)

5. The supervisory authority to which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 74 (…).

Directive

Art. 28

(…)

4. Each supervisory authority shall hear claims lodged by any person, or by an association representing that person, concerning the protection of his rights and freedoms in regard to the processing of personal data. The person concerned shall be informed of the outcome of the claim.

Each supervisory authority shall, in particular, hear claims for checks on the lawfulness of data processing lodged by any person when the national provisions adopted pursuant to Article 13 of this Directive apply. The person shall at any rate be informed that a check has taken place.

Complaints with the Data Protection Authority

§ 24 DSG

(1) Every data subject has the right to lodge a complaint with the Data Protection Authority if the data subject is of the opinion that the processing of the personal data concerning the data subject infringes the General Data Protection Regulation or § 1 or Chapter 1, Article 2.

(2) The complaint must contain:

  1. the description of the right considered to have been infringed,
  2. to the extent reasonable, the description of the legal entity or the executive body or officer that is deemed to be responsible for the alleged infringement (respondent to the complaint),
  3. the facts from which the infringement is derived,
  4. the reasons for which the unlawfulness is alleged,
  5. the request to find that the alleged infringement has been committed, and
  6. the details which are necessary in order to decide whether the complaint has been lodged in due time.

(3) A complaint must be accompanied by the request on which it is based and the answer of the respondent to the complaint, if any. In the case of a complaint, the Data Protection Authority shall provide further assistance on request of the data subject.

(4) The right to have a complaint dealt with expires if the intervening party does not lodge the complaint within a year after having gained knowledge of the incident that gave rise to the complaint, but no later than within three years after the incident allegedly occurred. Late complaints shall be rejected.

(5) To the extent the complaint is shown to be justified, it is to be granted. If an infringement can be attributed to a private-sector controller, the controller shall be instructed to comply with the complainant’s requests for information, rectification, erasure, restriction or data communication to the extent required to eliminate the infringement that has been found to exist. To the extent that the complaint is not found to be justified, it shall be rejected.

(6) A respondent to the complaint can subsequently eliminate the alleged infringement until the end of the proceedings before the Data Protection Authority by complying with the complainant’s requests. If the Data Protection Authority deems the complaint to be settled thereby, it shall hear the complainant on this. Simultaneously, the complainant is to be informed that the Data Protection Authority will informally end the proceedings unless the complainant states reasons, within a reasonable period, why the complainant still considers the originally alleged infringement or at least parts of it as not having been eliminated. If such a statement by the complainant modifies the merits of the case (§ 13 para 8 of the General Administrative Procedure Act), the original complaint is to be deemed withdrawn and simultaneously a new complaint to be deemed lodged. In this case the original complaint procedure is also to be ended informally and the complainant is to be informed thereof. Late statements are to be ignored.

(7) The data subject shall be informed by the Data Protection Authority of the progress and the outcome of the investigation within three months of filing the complaint.

(8) Each data subject can apply to the Federal Administrative Court if the Data Protection Authority does not handle a complaint or does not inform the data subject within three months of the progress or outcome of the complaint lodged.

(9) To the extent required, the Data Protection Authority can engage official experts to assist in the proceedings.

(10) The term allowed for the decision pursuant to § 73 of the General Administrative Procedure Act shall not include:

  1. the time during which proceedings are suspended until a final decision on a preliminary issue has been made;
  2. the duration of proceedings pursuant to Articles 56, 60 and 63 of the General Data Protection Regulation.

Accompanying measures in the complaint procedure

§ 25 DSG

(1) If, in the context of a complaint, the complainant satisfactorily demonstrates a serious infringement of his or her interests in confidentiality which deserve protection due to the processing of the complainant’s personal data, the Data Protection Authority may proceed according to § 22 para. 4.

(2) If the correctness of personal data is disputed in proceedings, the respondent to the complaint shall submit, by the end of the proceedings, a note stating that the correctness is disputed. If required, the Data Protection Authority shall order, by an administrative decision pursuant to § 57 para. 1 of the General Administrative Procedure Act, such note to be submitted at the request of the complainant.

(3) If a controller invokes a restriction pursuant to Article 23 of the General Data Protection Regulation in relation to the Data Protection Authority, the Data Protection Authority shall examine the lawfulness of the application of the restrictions. If the Data Protection Authority comes to the conclusion that it was not justified in keeping the processed personal data secret from the data subject, the disclosure of the data shall be ordered by an administrative decision. If the administrative decision by the Data Protection Authority is not complied with within eight weeks, the Data Protection Authority shall disclose the personal data to the data subject and shall communicate to the data subject the desired information or inform the data subject of the personal data that have already been rectified or erased.

(4) Administrative decisions that permit the transfer of data abroad shall be revoked once the legal or factual prerequisites for the issue of the permit no longer apply.


Public-sector and private-sector controllers

§ 26 DSG

(1) Irrespective of § 5 para (3), public-sector controllers are all controllers

  1. that are established in legal structures of public law, in particular also as an executive officer of a territorial authority, or
  2. as far as they execute laws despite having been incorporated according to private law.

(2) Public-sector controllers have the status of a party in proceedings before the Data Protection Authority.

(3) Public-sector controllers can lodge complaints with the Federal Administrative Court and final complaints with the Supreme Administrative Court.

(4) Controllers which are not within the scope of para. 1 are considered to be private-sector controllers according to this federal law.


Complaints with the Federal Administrative Court

§ 27 DSG

(1) The Federal Administrative Court shall decide through a panel of judges on complaints against administrative decisions on the ground of a breach of the duty to provide information pursuant to § 24 para. 7 and the duty to reach a decision of the Data Protection Authority.

[...]

Old law

All of the following in force until May 25, 2018:


Legal Remedies

Duties of Supervision of the Data Protection Authority

§ 30 DSG 2000

(1) Anyone shall have the right to lodge an application with the Data Protection Authority because of an alleged infringement of his rights or obligations concerning him pursuant to this federal law by a controller or processor.

(2) The Data Protection Authority shall have the right to examine data applications in case of reasonable suspicion of an infringement of the rights and obligations mentioned in para. 1. It can order the controller or processor of the examined data application to give all necessary clarifications and to grant access to data applications and relevant documents.

(2a) In case an application admissible according to para 1 or a reasonable suspicion according to para 2 refers to a data application (filing system) subject to the obligation of notification, the Data Protection Authority may examine whether the notification obligation has been fulfilled and eventually proceed according to §§ 22 and 22a.

(3) Data applications subject to prior checking pursuant to § 18 para. 2 may be examined without a suspicion of illegal data use. The same applies to those fields of the government where a public sector controller claims that § 26 para. 5 and § 27 para. 5 are to be applied.

(4) For purposes of the inspection, the Data Protection Authority shall have the right, after having informed the owner of said rooms and the controller (processor), to enter rooms where data applications are carried out, operate data processing equipment, run the processing to be examined and to make copies of the storage media to the extent absolutely required for the exercise of the right to examination. The controller (processor) shall render the assistance necessary for the examination. The supervisory rights are to be exercised in a way that least interferes with the rights of the controller (processor) and third parties.

(5) Information acquired by the Data Protection Authority or its representatives during any examination shall be used only for supervisory purposes in the context of the execution of data protection regulations. This includes the use for purposes of litigation at courts by the person involved or the Data Protection Authority according to § 22. Incidentally, the obligation to confidentiality also exists before courts and administrative authorities, in particular fiscal authorities, with the reservation that, if the examination leads to probable cause to believe that a crime according to §§ 51 and 52 of this federal law or a criminal act according to §§ 118a, 119, 119a, 126a to 126c, 148a or §278a of the Criminal Code, Federal Law Gazette No. 60/1974, or any crime punishable with more than five years of imprisonment has been committed, a report shall be made and requests for assistance according to § 76 Code of Criminal Procedure, Federal Law Gazette No. 631/1974 regarding such crimes and offences shall be complied with.

(6) To establish the rightful state, the Data Protection Authority can issue recommendations, unless measures according to §§ 22 and 22a or para 6a are to be taken; an appropriate period for compliance shall be set if required. If a recommendation is not obeyed within the set period, the Data Protection Authority shall, depending on the kind of transgression and ex officio,

1. press criminal charge pursuant to §§ 51 or 52, or

2. in case of severe transgressions by a private sector controller file a lawsuit before the competent court of law pursuant to § 32 para. 5, or

3. in case of a transgression by an organ of a territorial corporate body, involve the competent highest authority. This authority shall within an appropriate period, not exceeding twelve weeks, take measures to ensure that the recommendation of the Data Protection Authority is complied with or inform the Data Protection Authority why the recommendation is not complied with. The reason may be publicised by the Data Protection Commission in an appropriate manner as far as not contrary to official secrecy.

(6a) In case the operation of a data application causes a serious and immediate danger to interests of secrecy of the data subject deserving protection (imminent danger) the Data Protection Authority may prohibit the continuation of the data application by ruling in accordance with § 57 para. 1 of the General Administrative Procedure Act 1991 – AVG, Federal Law Gazette No. 51/1991. The continuation may also be prohibited only partially if this is technically possible, gives a meaningful result with regard to the purpose of the data application and is sufficient to eliminate the risk. If the ban is not complied with the offence is to be reported according to § 52 para 1 sub-para 3. If a ban under this para has become final, any running procedure for correction according to § 22a para 2 is to be discontinued informally. According to the extent of the ban the data application is to be deleted from the register.

(7) The intervening party shall be informed as to how his intervention was dealt with.


Complaint before the Data Protection Authority

§ 31 DSG 2000

(1) The Data Protection Authority shall decide on complaints of persons or group of persons who allege to have been infringed in their right for information according to § 26 or § 50 para 1 third phrase or in their right to be informed about an automatically processed individual decision according to § 49 para 3 insofar as the request for information (the application for information or disclosure) does not concern the use of data for acts in the service of legislation or jurisdiction.

(2) Furthermore, the Data Protection Authority shall decide on complaints of persons or groups of persons who allege to have been infringed in their right to secrecy (§ 1 para 1) or in their right to correction or deletion (§§ 27 and 28), to the extent the right is not to be asserted under § 32 para 1 before a court or is not directed against an organ in the service of legislation or jurisdiction.

(3) The complaint must contain:

1. the description of the right considered to be infringed,

2. to the extent reasonable, the description of the legal entity or the organ, which is deemed to be responsible for the alleged infringement (opponent of the complaint),

3. the facts from which the infringement is derived,

4. the reasons for which the unlawfulness is alleged,

5. the request to determine the alleged infringement and

6. the details which are necessary in order to decide whether the complaint has been filed in due time.

(4) A complaint according to para 1 must be accompanied by the pertinent request for information (the application for information or presentation) and a reply by the opponent to the complaint, if any. A complaint according to para 2 must be accompanied by the pertinent request for correction or deletion and an answer of the opponent to the complaint, if any.

(5) The control rights granted to the Data Protection Authority according to § 30 paras 2 to 4 also apply to the complaint procedure according to para 1 and 2 vis-a-vis the opponent to the complaint. Also, the duty of confidentiality according to § 30 para 5 applies to this procedure.

(6) In case of filing of an admissible complaint according to paras 1 or 2 a control procedure instituted on an application based on § 30 para 1 on the same issue is to be discontinued merely by giving information (§ 30 para 7). Nevertheless, the Data Protection Authority may proceed even when the complaint procedure is pending ex officio according to § 30 para 2, if reasonable suspicion exists on an infringement of obligations under the data protection provisions beyond the case of complaint. § 30 para 3 remains unaffected.

(7) To the extent a complaint according to paras 1 or 2 is shown to be justified, it is to be granted and the infringement to be stated. If a stated infringement of the right of information (para 1) falls under the responsibility of a controller in the private sector, he/she, upon request, in addition, is to be instructed to give – again – an answer to the request for information according to § 26 para 4, 5 or 10, in the extent required, to eliminate the infringement having been stated. To the extent the complaint is not found to be justified, it is to be rejected.

(8) An opponent against whom a complaint has been filed for infringement of rights according to §§ 26 to 28, may, till the end of the proceedings before the data protection commission, by communicating with the complaining person according to § 26 para 4 or § 27 para 5, subsequently eliminate the alleged infringement. If the data protection commission deems the complaint to be settled by such reactions of the opponent to the complaint, it shall hear the person complaining on this. Simultaneously he/she is to be informed, that the Data Protection Authority will informally end the procedure, if he/she does not establish within an adequate period, for which reason he/she still does not consider the originally alleged infringement to be eliminated at least partially. If such answer of the person complaining modifies the merits of the case (§ 13 para 8 of the General Administrative Procedure Act 1991 – AVG) the original complaint is to be deemed withdrawn and simultaneously a new complaint to be deemed filed. In this case the original complaint procedure is also to be ended informally and the person complaining to be informed correspondingly. Related answers are to be ignored.


Accompanying measures in the complaint procedure

§ 31a DSG 2000

(1) In so far an admissible complaint according to § 31 para 2 refers to a data application subject to the obligation of notification, the Data Protection Authority may examine whether the obligation for notification has been fulfilled and eventually proceed according to §§ 22 and 22a.

(2) If the person complaining establishes a prima facie case of serious infringement to his/her interests for confidentiality deserving protection within the frame of a complaint according to § 31 para 2 by use of his/her data, the Data Protection Authority may proceed according to § 30 para 6a.

(3) If in a proceeding according to § 31 para 2 the correctness of data is controversial, the opponent to the complaint shall place a note of the dispute till the proceedings are terminated. If necessary, upon request of the person complaining, the Data Protection Authority shall order this done by provisional rulings.

(4) If a public sector controller invokes § 26 para. 5 or § 27 para. 5 before the Data Protection Authority concerning a complaint because of an infringement of the rights to information, rectification and erasure, the Data Protection Authority shall, after having examined the necessity of confidentiality, safeguard the protected public interests during the proceedings. If the Data Protection Authority comes to the conclusion that it was not justified to keep the processed data secret from the data subject, the disclosure of the data shall be ordered by a ruling. If no appeal is made and the ruling of the Data Protection Authority is not complied within eight weeks, the Data Protection Authority itself shall carry out the disclosure to the data subject and shall communicate to him the desired information or inform him which data have been rectified or erased. In proceedings according to § 30 the first two sentences are to be applied accordingly.


Common Rules

§ 34 DSG 2000

(1) The right to lodge an application according to § 30, a complaint according to § 31 or legal action according to § 32 and claims for damages according to § 33 shall apply only if the charge is filed by the intervening party within a year after having gained knowledge of the incident that gave rise to the complaint and no later than three years after the alleged incident. This is to be communicated to the intervening party in the case of a late application according to § 30; late complaints according to § 31 or legal actions according to § 32 shall be rejected.

(2) Applications according to § 30, complaints according to § 31 or legal action according to § 32 and claims for damages according to § 33 can be filed not only because of an alleged infringement of this federal law, but also based on an infringement of data protection provisions of another member state of the European Union, insofar as these provisions are applicable in Austria according to § 3.

(3) If a case is to be adjudicated by the Data Protection Authority by applying the national provisions of another member state of the European economic area pursuant to § 3, the Data Protection Authority shall ask the competent foreign supervisory authority for assistance.

(4) The Data Protection Authority shall render inter-authority assistance to the independent supervisory authorities of the signatory states of the European economic area upon request.
