A Data Subject Filed a Complaint Against Us

You have just been notified that a data subject has filed a complaint about your company with a supervisory authority. The complaint may concern a DSAR response, a privacy notice, a cookie banner, a marketing communication, or any other aspect of your privacy practices.

This page covers what this notification means, how to respond, and how to manage the matter to a quick resolution.

What this notification means

Under GDPR Article 77, data subjects have the right to lodge a complaint with a supervisory authority. Member state supervisory authorities receive thousands of complaints per year. Most do not result in formal investigations, but they all require a response.

When you receive notification of a complaint, the supervisory authority typically does one of three things:

  • Refers the complaint back. The authority has reviewed the complaint and determined that it is unfounded, that the data subject did not exhaust internal remedies, or that the matter falls outside its jurisdiction. In this case, no further action is required from you.

  • Requests information. The authority asks for your account of the matter and supporting documentation. This is the most common scenario for substantive complaints.

  • Opens an investigation. The authority has decided to formally investigate the matter, often with specific information requests and longer timelines. This is reserved for matters they consider serious.

The notification will tell you which path the authority has chosen.

The first 48 hours

Read the complaint carefully. Identify what the data subject is alleging and what evidence they have provided.

Determine whether the complaint has factual basis. Sometimes complaints arise from miscommunication or misunderstanding. Sometimes they reveal genuine problems with your privacy practices.

Pull your relevant records. If the complaint concerns a DSAR, pull the original DSAR and your response. If it concerns marketing communications, pull the consent records. If it concerns a cookie banner, pull the version that was active at the time of the complaint.

Identify your DPO contact for the response. The supervisory authority will expect to deal with your DPO or designated privacy contact.

Do not contact the data subject directly to dispute the complaint. This can be perceived as harassment or retaliation. Communicate with the data subject only through proper channels and only as needed to resolve the matter.

Responding to the supervisory authority

The response to a substantive complaint should include:

  • Acknowledgment. Acknowledge receipt of the complaint and confirm your DPO contact.

  • Factual response. Provide your account of the matter with supporting documentation. Be precise and complete. Do not speculate.

  • Specific response to each allegation. Address each point the data subject has raised.

  • Demonstrate compliance. Where possible, demonstrate that your practices comply with GDPR. If the matter concerns a DSAR, show your DSAR response process. If the matter concerns marketing consent, show your consent capture and management.

  • Acknowledge issues if they exist. If the complaint reveals a real problem with your practices, acknowledge it and propose remediation. Authorities generally view companies that acknowledge and fix problems more favorably than those that deny everything.

  • Commit to specific actions. If remediation is appropriate, commit to specific actions with deadlines.

What to avoid

Defensive overreaction. Some companies respond to complaints with extensive legal denials. This can be appropriate when the complaint is unfounded but is counterproductive when there is a legitimate concern.

Acknowledging more than necessary. Conversely, do not acknowledge problems that do not exist. Each acknowledgment can be referenced in future matters.

Communicating informally with the supervisory authority. Casual communications can become evidence. Formal written communications through your DPO are the right channel.

Delaying response. Authorities generally give 2 to 6 weeks for a response. Missing the deadline elevates the matter.

Retaliating against the data subject. This is itself a violation and creates much larger problems.

Specific common complaint scenarios

DSAR complaint. The data subject claims your DSAR response was inadequate. Response: provide the original DSAR documentation, demonstrate that your response was complete or acknowledge specific gaps and offer remediation.

Marketing complaint. The data subject claims they receive marketing without consent or after unsubscribing. Response: provide consent capture records, demonstrate your unsubscribe process, acknowledge any specific failures.

Cookie complaint. The data subject claims your cookie banner is non-compliant. Response: provide the active cookie banner version, demonstrate consent capture, acknowledge specific issues if they exist.

Data sharing complaint. The data subject claims you shared their data inappropriately. Response: demonstrate your lawful basis for the sharing, show the relevant DPA or transfer mechanism, acknowledge specific gaps if they exist.

Right to erasure complaint. The data subject claims you have not deleted their data after a deletion request. Response: provide your deletion process documentation, demonstrate the deletion was performed or explain why it was refused (with legal basis), acknowledge gaps if they exist.

When the matter escalates

If the supervisory authority opens a formal investigation, the matter has escalated. At that point:

  • Engage outside privacy counsel for legal privilege.

  • Treat all communications as evidence.

  • Continue full cooperation while preserving legal arguments where appropriate.

  • Consider whether the matter is likely to result in formal corrective measures, fines, or public statements.

Most complaints do not escalate to formal investigation. The threshold for escalation is typically a pattern of issues, a particularly serious single issue, or evidence of bad faith.

How Engage Compliance helps

Complaint response is a core part of our fractional DPO services. We coordinate the entire response, including the factual investigation, response drafting, ongoing correspondence with the authority, and follow-up remediation.

For matters that escalate to formal investigation, we coordinate with outside privacy counsel for legal aspects while continuing to handle operational response.

For non-clients with a single complaint, we engage on a focused project basis.

Get started

If you have received notification of a data subject complaint, book a consultation. We can typically engage within a few days.