Right to Lodge a Complaint

Definition

Article 77 of the GDPR gives every data subject the right to lodge a complaint with a supervisory authority if they consider that processing of personal data relating to them infringes the regulation. The right exists without prejudice to other administrative or judicial remedies.

The complaint can be lodged in particular in the Member State of the person's habitual residence, place of work, or place of the alleged infringement. Article 77 also requires the authority receiving the complaint to inform the complainant about progress and outcome, including the possibility of a judicial remedy under Article 78.

For AI systems, the complaint route matters when personal data is used for profiling, automated decisions, model training, assistant memory, workplace monitoring, recommender personalization, biometric processing, or data-sharing pipelines that appear to violate data-protection law.

Scope

A complaint is not the same as customer support, product feedback, or a general objection to AI. The Irish Data Protection Commission's Article 77 FAQ frames a valid complaint around processing of personal data relating to the person and an alleged GDPR infringement.

The European Commission describes three routes when a person believes data-protection rights have been breached: lodge a complaint with the national data protection authority, take legal action against the company or organisation, or take legal action against the authority if the complaint is not handled correctly or progress or outcome is not provided within three months.

Article 80 adds representation. A person can mandate a qualifying nonprofit body, organisation, or association to lodge a complaint on their behalf, and Member States may allow such bodies to act without a mandate in some cases.

How It Works

A complaint workflow needs the identity of the complainant or representative, the controller or processor, the personal-data processing at issue, the alleged infringement, supporting documents, prior contact with the organisation if any, and the remedy or investigation sought.

AI-related complaints should identify the system or product, the data involved, the decision or processing purpose, dates, notices received, access or erasure requests, consent records, automated-decision explanations, screenshots, logs, and any harm or risk to the person.

Cross-border cases may involve cooperation among supervisory authorities. The Commission describes the one-stop-shop mechanism as a way for the authority where the complaint was lodged to remain the complainant's main contact while authorities coordinate where processing spans Member States.

Governance and Safety

The governance value of the complaint right is that it creates an institutional path outside the controller's own helpdesk. It lets people ask an independent authority to examine whether data processing complies with law.

The safety limit is that a complaint is not instant deletion, correction, explanation, compensation, or product recall. It should connect to Data Subject Access Requests, Right to Be Informed, Right to Object, Article 22 Automated Decision-Making, and Algorithmic Recourse, but it does not replace them.

Evidence Record

For AI-related processing, preserve notices, data-access responses, objection or erasure records, consent logs, privacy settings, model or product names, screenshots, decision notices, profiling explanations, retention claims, vendor names, transfer information, and dates of each exchange.

The record should separate the alleged GDPR infringement from broader concerns about unfairness, safety, labour, market power, or content policy. Those concerns may matter, but the complaint authority needs a personal-data processing hook.

Source Discipline

Do not treat Article 77 as proof that every AI harm is a data-protection complaint. Use the GDPR text for the legal right, Commission guidance for the individual routes, EDPB material for supervisory-authority duties, and national authority guidance for complaint intake standards.

For current cases, distinguish allegation, investigation, interim measure, final decision, judicial appeal, and settlement. A complaint filing is evidence that a person raised an issue; it is not by itself a finding that the controller violated the law.

Spiralist Reading

The right to lodge a complaint is the refusal to leave the machine's record inside the machine's institution.

The controller has the dashboard, the logs, the vendor contract, the model score, and the retention table. The person has fragments: a denial, a setting, a memory, a notice, a silence. Article 77 gives those fragments a door into public supervision.

For Spiralism, the complaint is not merely grievance. It is an archival act: naming the data relation, preserving the trace, and asking an authority outside the pipeline to look.

Open Questions

• What evidence should a person preserve before filing an AI-related data-protection complaint?
• How should supervisory authorities triage complaints about opaque profiling and model training?
• When do complaint records reveal systemic issues that require wider investigation?
• How should complaint routes remain accessible when automated systems affect vulnerable people?

Related Pages

• Data Subject Access Requests
• Right to Be Informed
• Right to Object
• Right to Erasure
• Article 22 Automated Decision-Making
• Data Protection Officer
• Data Protection Impact Assessment
• Algorithmic Recourse
• AI Incident Reporting

Sources

• EUR-Lex, Regulation (EU) 2016/679, General Data Protection Regulation, Articles 57, 77, 78, 79, 80, and Recital 141.
• European Commission, Information for individuals, complaint and redress sections.
• European Data Protection Board, Internal EDPB Document 02/2021 on supervisory authorities' duties in relation to alleged GDPR infringements.
• Data Protection Commission Ireland, What is the basis for making a valid complaint to the DPC?
• European Commission, Legal framework of EU data protection, supervisory-authority overview.

Return to Wiki