Responding to a Privacy Regulator Inquiry
A letter has arrived from your privacy regulator. The Autoriteit Persoonsgegevens, the ICO, the CNIL, the DPC, or another supervisory authority is asking questions, requesting information, or has opened a formal investigation. How you respond in the first weeks shapes the entire trajectory of the matter.
This page covers the practical response process, what to do and not do, and when you need outside help.
The categories of regulator contact
Not every letter from a regulator is a major event. The contacts you might receive include:
A general information request related to a complaint. The regulator has received a complaint from an individual and is gathering facts. These are common and usually resolve quickly with a clear response.
A specific information request related to a sector-wide investigation. The regulator is investigating a category of activity (for example, cookie compliance, AI use, child data) and your company is part of a wider sample.
A breach follow-up inquiry. You filed an Article 33 breach notification and the regulator is asking follow-up questions.
A formal investigation opening notice. The regulator has decided to formally investigate your practices, typically with broader information requests and longer timelines.
A statement of objections or preliminary findings. The regulator has reached preliminary conclusions and is giving you the opportunity to respond before a final decision.
The seriousness ranges from routine to existential. The response approach scales accordingly.
Step 1: Read the letter carefully
Identify exactly what the regulator is asking for. Common patterns:
Specific factual information about your processing activities.
Documentary evidence: privacy notices, internal policies, Records of Processing Activities, DPIAs.
Specific responses to allegations from a complaint.
Information about a particular data subject's interactions with your company.
Statistics on data subject rights requests, breaches, or other compliance metrics.
Identify the deadline. Some requests have 2-week deadlines; some have 6-week or longer deadlines. Calendar the deadline immediately and plan the response work backward from it. If the deadline is not realistic given the volume requested, ask for an extension early and in writing rather than missing it.
Identify the regulator's stated basis. Is this related to a specific complaint? A broader investigation? Their own initiative? The basis affects how you frame your response.
Step 2: Engage your DPO and your legal team
Privacy regulator inquiries should be handled by your DPO with legal counsel involved. Both are typically needed. The DPO has operational privacy knowledge and often an existing relationship with the regulator. Legal counsel can advise on legal privilege, scope of disclosure, and litigation positioning if the matter escalates; privilege generally attaches to communications with lawyers, not to the DPO's own analysis.
If you do not have a DPO, this is the moment to engage one. Regulator inquiries handled without a DPO often result in incomplete or unfocused responses that escalate the matter.
If the matter is potentially serious (high penalty exposure, public profile, or systemic issue), engage outside privacy counsel for legal privilege and litigation strategy.
Step 3: Decide on the response strategy
There are three broad strategies, with different trade-offs:
Cooperative. Engage with the regulator transparently, provide requested information promptly, accept criticism where warranted, and propose remediation. This is the most common approach and is usually the right approach for routine inquiries.
Defensive. Provide minimum required information, assert legal exemptions where applicable, and challenge the regulator's premises where appropriate. This approach is sometimes warranted for inquiries based on incorrect premises or where major exposure exists.
Engaging plus contesting. Cooperate on factual matters while preserving legal arguments on contested issues. This is typical for serious inquiries where some facts are not contested but legal interpretation is.
The choice depends on the substance, the regulator's apparent direction, the exposure, and your evidence position.
Step 4: Prepare the response
Gather the requested documents. Do this rigorously and completely. Failing to disclose relevant documents that the regulator later discovers can transform a routine inquiry into a serious matter.
Draft factual responses to specific questions. Be precise and complete. Do not speculate. Where you do not know something, say so and commit to following up.
Prepare an organized response package. Typical structure: a cover letter summarizing the response, specific responses to each question, supporting documents indexed and cross-referenced to the questions they answer, and a request for further dialogue or clarification where needed.
Have the response reviewed by your DPO and legal counsel before sending.
What to avoid
Do not ignore the letter. Failure to respond within the deadline is itself a breach of the duty to cooperate with the supervisory authority and can become a finding in its own right.
Do not over-disclose. You are required to answer what is asked, completely and accurately, not to volunteer unrelated information. In particular, avoid disclosing information about other data subjects, other commercial matters, or other regulatory investigations unless the request covers them.
Do not destroy or alter documents in response to the inquiry. Document preservation obligations apply from the moment you become aware of the matter. In practice this means issuing a legal hold that suspends retention-driven deletion of the mailboxes, chat channels, tickets, and system logs relevant to the matter, because automated purges do not stop on their own. Destruction is itself a regulatory and potentially criminal matter.
Do not communicate with the regulator informally without your DPO's involvement. Casual communications can become evidence later.
Do not make commitments you cannot keep. Promising remediation that you do not implement creates a worse problem than the original inquiry.
Do not admit liability without legal advice. What seems like a reasonable acknowledgment can have serious legal consequences.
Do not assume the inquiry is the whole picture. Regulators often have more information than what they reveal in the initial letter. Treat each inquiry as if the regulator may already know things you do not realize.
Common specific scenarios
Cookie compliance inquiry. The regulator has investigated your cookie banner and found issues. Typical response: acknowledge specific issues, commit to specific remediation, implement promptly, document the remediation.
DSAR complaint follow-up. A data subject has complained about your DSAR response. Typical response: provide the original DSAR documentation, address the complaint specifically, offer remediation where warranted.
Breach investigation. The regulator is investigating a breach you notified. Typical response: provide a full chronology, documentation of containment and response, evidence of remediation, and a root cause analysis with the measures taken to prevent recurrence. The chronology should be consistent with what you stated in the original notification and any updates; discrepancies invite further questions.
AI Act inquiry (new). Under the EU AI Act, the national competent authorities designated by each Member State (in some cases the data protection authority itself) are starting to make inquiries about AI systems as the Act's obligations phase in. Typical response: provide AI system documentation, risk assessments, transparency information, and conformity evidence.
International transfer inquiry. The regulator is investigating your international transfer mechanisms. Typical response: provide SCCs, Transfer Impact Assessments, evidence of supplementary measures, and current status of transfers.
How Engage Compliance helps
Regulator inquiry response is a core part of fractional DPO services. We coordinate the entire response including liaison with the regulator, document gathering, drafting, internal alignment, and follow-up correspondence.
For matters requiring legal privilege, attorney representation, or litigation strategy, we coordinate with outside privacy counsel.
For companies without a DPO facing a regulator inquiry, we can engage on a focused basis for the duration of the inquiry, with an optional transition to ongoing fractional DPO services afterward.
Get started
If you have received a regulator inquiry and need help responding, book a consultation. We can typically engage within a few days, and the cost is almost always justified by the regulatory exposure at stake.