Admissibility – Substantive requirement: prior request to the controller
Article(s) involved (national, EU, or other): Article 77, 80 GDPR
Problem
Some SAs reject complaints where the data subject has not made a prior request to the controller in the context of the exercise of his or her rights under Article 15 to 22 of the GDPR. As a result, in some Member States, complaints are only admissible after (1) the data subject has provided a written request to the controller and (2) the 1-month period foreseen under Article 12(3) GDPR for the controller to answer has passed.
When the issue is precisely that the data subject cannot identify the controller or contact the latter because of a lack of information, the SA should not be able to reject a complaint on the basis that a prior request has not been made.
Ideal Solution
Article 77 GDPR should clarify that the exercise by the data subjects of one of their rights under Article 15 to 22 is not a prerequisite for filing a complaint with an SA, or should clarify if and in which cases such a prior request must be made.
Proposed Solution
The GDPR does not seem to require an attempt to agree with a controller, but Concept 2 would allow to ensure that the national law of the filing SA is relevant for any rules on the admissability of the law and other SAs may not review the admissability, including such pre-conditions.