Complaint about data breaches lodged with supervisory authorities
If you believe that the processing of personal data concerning you violates data protection law, you have the right to lodge a complaint with a competent data protection supervisory authority. The competent supervisory authority shall investigate the complaint to an appropriate extent and shall inform you, inter alia, about the progress and the result.
Article 77 (1) of the General Data Protection Regulation (GDPR) grants you the right to lodge a complaint with a data protection supervisory authority if you believe that the processing of personal data concerning you violates the GDPR. The data protection authority is obliged to investigate the complaint to an appropriate extent and to inform you about the progress and results of the complaint, including any judicial remedy. The data protection authority shall inform you about the state of the procedure at the latest after three months. The data protection authority has extensive supervisory powers and is independent in the performance of its tasks and subject only to the law.
The complaint may be lodged with the data protection authority of the country in which you reside or work or where the alleged breach has occurred. If the data protection authority of another Member State is competent for the body you complain about, the German data protection authority will coordinate with the other data protection authority. However, the German data protection authority with which you lodged your complaint remains your contact point, so that you do not have to contact the data protection authority of another EU Member State directly in a foreign language.
However, it should be noted that within Germany there are several data protection authorities with different subject-matter competences:
- The Federal Commissioner for Data Protection and Freedom of Information (BfDI),
- The respective data protection authority of a Federal State (“Land”),
- The so-called specific data supervisory authorities.
There is no hierarchical relationship among these authorities, in particular the BfDI is not competent for supervising the state data protection authorities. On the contrary, the data protection authorities have different subject-matter competences, which are determined by the body against which the complaint is directed.
In addition, Section 60 of the Federal Data Protection Act grants you the right to lodge a complaint with the BfDI if you believe that bodies processing your personal data for the purpose of preventing, investigating, detecting, prosecuting or punishing criminal offences or administrative offences have violated your rights.
The BfDI is competent for the processing activities of the following bodies:
- federal authorities
- other federal public authorities
- common institutions under the Social Code II (“Jobcenter”)
- telecommunications companies
- postal service companies
- companies falling under the Security Clearance Check Act
- nationally active statutory health and care insurance funds, pension insurance institutions and accident insurance agencies
If you believe that one of these bodies violates data protection law when processing personal data concerning you, you can lodge a complaint with the BfDI. Our contact channels, including an online complaint form, can be found here.
The data protection authorities of the Federal States are competent, in particular, for the processing activities of the following bodies:
- authorities of the respective Federal State
- other public bodies of the respective Federal State or municipality
- companies and other non-public bodies which do not fall within the special competence of the BfDI
If you believe that one of these bodies violates data protection law when processing personal data concerning you, you can lodge a complaint with the data protection authority of the Federal State.
There are also specific data protection supervisory authorities for different areas:
Due to the constitutionally guaranteed right of self-determination of religious communities, you must therefore address a complaint to the ecclesiastical data protection officer.
Special rules also apply to data protection for broadcasting and the contribution service of ARD, ZDF and Deutschlandradio. Further information can be found here. Compliance with data protection regulations at public service broadcasters (e.g. ARD and ZDF) is monitored in particular by broadcasting data protection officers. In Berlin, Brandenburg, Bremen and Hesse, the respective data protection commissioners of the Federal States are competent for data protection in the broadcasters’ administrative area.
Special rules must also be taken into account with regard to data protection in relation to the press. Inquiries and complaints regarding data protection at editorial companies can be addressed to:
Deutscher Presserat [“German Press Council”]
Postfach [“PO Box”] 10 05 49
Tel.: + 49 30 367 007-0
Fax: + 49 30 367 007-20