Issues

In the past years we have identified more than 60 procedural issues that we have experienced first-hand in daily operations. We have summarized them on the page below. Many of these issues are symptoms of an underlying procedural problem.

Admissibility – Substantive requirement: prior request to the controller

Article(s) involved (national, EU, or other): Article 77, 80 GDPR

Problem

Some SAs reject complaints where the data subject has not made a prior request to the controller in the context of the exercise of his or her rights under Article 15 to 22 of the GDPR. As a result, in some Member States, complaints are only admissible after (1) the data subject has provided a written request to the controller and (2) the 1-month period foreseen under Article 12(3) GDPR for the controller to answer has passed.
When the issue is precisely that the data subject cannot identify the controller or contact the latter because of a lack of information, the SA should not be able to reject a complaint on the basis that a prior request has not been made.

Ideal Solution

Article 77 GDPR should clarify that the exercise by the data subjects of one of their rights under Article 15 to 22 is not a prerequisite for filing a complaint with an SA, or should clarify if and in which cases such a prior request must be made. 

Proposed Solution

The GDPR does not seem to require an attempt to agree with a controller, but Concept 2 would allow to ensure that the national law of the filing SA is relevant for any rules on the admissability of the law and other SAs may not review the admissability, including such pre-conditions.

Reference to specific noyb case:

Spanish Supreme Court n° 1039/2022

Reference to EDPB documents / table:

SEDPB document 6/2000

National Issues

National Issues