I just love the DPA and their blatant GDPR noncompliance
So 3 months and 2 days ago I sent a complaint to the DPA about an organization that is:
Illegally and indiscriminately processing personal data without consent or any basis defined under article 6(1) GDPR;
Unlawfully and indefinitely retaining that data, which violates article 5(1)(e) GDPR;
and Wilfully refusing to comply with pursuant to articles 12, 13, 14, 17, 18, 21 GDPR.
According to Article 78(2) GDPR (and their website), they must handle the complaint or inform the data subject within three months on the progress or outcome of the complaint, which they have not.
From experience Noyb isn’t really any better, they just go after the cases that would give them more money and media attention instead of taking action against actual large scale GDPR infringing organizations.
So 3 months and 2 days ago I sent a complaint to the DPA about an organization that is:
Illegally and indiscriminately processing personal data without consent or any basis defined under article 6(1) GDPR;
Unlawfully and indefinitely retaining that data, which violates article 5(1)(e) GDPR;
and Wilfully refusing to comply with pursuant to articles 12, 13, 14, 17, 18, 21 GDPR.
According to Article 78(2) GDPR (and their website), they must handle the complaint or inform the data subject within three months on the progress or outcome of the complaint, which they have not.
From what I’ve seen online, they could take as long as 4-5 years to even do anything, I still don’t know what to do next, so I don’t really have any good advice for you.
At least in my state, DPAs are often understaffed and overwhelmed with work, like many public authorities. I found out that it actually makes a big difference which DPA you send your complaint to, since processing times can vary a lot. You have the right to file with the DPA where either the institution’s headquarters are located or where you live.
From my experience, some of my complaints have been dragging on for nearly two years, with nothing but occasional emails saying they’re still being processed. Meanwhile, other DPAs managed to respond within just a few weeks. Just this week, I even had a court hearing because I sued a DPA for not taking any action (within 18 months). A decision is expected in February.
My experience is that suing the DPA usually nudges them to review the complaint faster, to avoid a court ruling. In my country, the DPA is for some reason also responsible for whistleblower protection, and last time I had to file multiple court appeals to get them working on my clients complaint. Its true that they are often over-worked and under-qualified for the types of complaints they receive.
In all seriousness though, I’m a minor (13) and I can’t sue anyone nor do I know how to do so (otherwise I would be beating the asses of the organization that illegally processed my data in court), and the entire process just takes a long time. Even if the DPAs can’t do anything from being overworked, sending a semi automatic response when the 3 month limit is almost up would still be better than silence (and I know they are capable of doing so as when I sent them a follow up they wrote back saying I should send complaints through their web form, which I did for my real complaint and thats not even a damn complaint). Also, a few weeks might be a stretch as I have submitted complaints to 2 DPAs and as of now neither have acknowledged or handled my complaints.
These things can take a long time. After 3 months raise the issue again with the DPA. If you still don’t get a response go through the complaints process of the DPA. If that doesn’t work there may be a Government Ombudman or Regulator that you can raise a complaint about the DPA to. In the past I only got responses from a DPA by going through the Ombudman every time. Which they really didn’t like but it got the issue resolved.
Suing a DPA only really makes sense when there’s no other option left. The goal is just to force them to take action in your specific case.
It’s also a financial risk and can drag on for a while. And if you’re thinking about claiming damages from the DPA… yeah, forget it. The bar for that is ridiculously high (okay, jurisdictions may vary).
Luckily, this is more of an exception. Most DPAs respond within a reasonable period, and in many problematic cases, a simple reminder is enough to get things moving.
Well, you mentioned the DPA hasn’t responded for a bit over three months. Suing likely isn’t worth it financially right now. I’d rather send a reminder to the DPA, reiterating your request and noting the missed deadline (consider doing it as registered letter).
Also, if you’re 13, you’re typically not legally capable under national law in most EU countries. A legal representative (like a parent) would usually have to act for you. There are exceptions (e.g., in penology), but they don’t apply here. And as already mentioned: rules vary by country.
