In principle, these claims must be asserted with the control authority of the country of residence or domicile of the person concerned. But in an increasingly globalized world, where most processing takes place across borders, the new regulation introduced a single-window system.

In this way, cooperation and coherence mechanisms are foreseen between the control authorities of the different Member States. As a general rule, companies and organizations are subject to the control authority at their main place of business, even if the complaint has been filed with a control authority in another country.

It is important to point out that data subjects must be informed about this right, which will help them to contact the control authority. In addition, the control authorities are obliged to provide forms so that the interested parties can make these types of claims.


The new regulation also gives wide-ranging powers to control authorities, including the Spanish Data Protection Agency (AEPD), which will be empowered to:

• Instruct the person in charge of the file or the person in charge of its treatment (or their representative) to provide all the information necessary for the performance of their duties.
• Conduct investigations in the form of privacy audits.
• Check the certifications issued.
• Gain access to the controller’s or responsible person’s premises (including treatment equipment and agents) in accordance with the rules of procedure.
• Appoint the person in charge or the person in charge of the treatment to stop the infringing behavior, order the deletion or rectification of the data or the limitation or termination of the treatment.

Likewise, the powers of these authorities in the field of sanctions are very far-reaching. The new fines provided for in the aforementioned regulation can amount to up to 20,000,000 euros or 4% of turnover. In less serious cases, however, the fine can be replaced by a warning or a reprimand.


Antonio Linares Gutierrez

Attorney of the Legal Counsel Forum Rechtsanwälte

With the new regulation, more than knowing how to act in the face of a complaint, it is knowing what to do before it arises. It is precisely this proactive and non-reactive character that the European legislator wants to promote. In this way, the data controller is encouraged to foresee the problem and to be able to demonstrate to the AEPD that it has done everything in its power to protect and protect the complainant’s personal data.

If, upon receipt of the complaint, an appropriate GDPR compliance policy has not been implemented, there is little more we can do than cooperate with the AEPD, providing as many records, documents and information as they request and of course entrusting ourselves to the knowledge of one this matter specialized lawyer.

jordi diaz jose

Director of the JDA/SFAI Advisory Division

Anyone whose personal data you may have can report it to the Spanish Data Protection Agency if you find that it does not comply with the regulations.

Reporting is very easy and even cheaper; It only costs a stamp (or not even that if you submit it online) and does not require an attorney or appearing in person at a proceeding.

It is common for the AEPD inspectors to appear at their facilities or receive a request for information on the reported facts.
There is little to do at this point as the violation has already been committed and reported. Do not hinder the inspection action or you will commit another violation. On the contrary, be cooperative; It can help reduce the possible penalty.

James Feliu

LOPD Advisor at DG Legal

Many customers ask us, particularly due to the application of the RGPD, whether the relevant control authority, in this case the AEPD, imposes sanctions.

Of course, checks are carried out and sanctions are also carried out. In fact, the resolutions can be viewed on the AEPD website itself. Of course, in most cases these measures are preceded by a complaint from a citizen and not an official act by the control authority.

In the event of a complaint, we must comply with the request of the AEPD, which may request information or prior documentation or appear in person at the facilities of the notified body, prior notice and always respecting the necessary deadlines. Given the magnitude of the penalties, it’s important to ensure we meet all commitments.