Unlike some other privacy laws, the General Data Protection Regulation (GDPR) allows individuals to report a GDPR breach to the responsible data protection authorities (DPAs). Until now, however, the process was complicated for cross-border issues. To solve this, the European Data Protection Board (EDPB) introduced a new tool: a cross-border complaint template.
On June 21, 2023, the European Data Protection Board (EDPB) announced the implementation of a complaint template for individuals regarding privacy issues in cases involving multiple countries. The EDPB also introduced the finalized version of its recommendations on the application for approval. The template aims to simplify cross-border complaint submission and handling by the Data Protection Authorities (DPAs) of different countries.
The Template Complaint form and Template Acknowledgement of receipt can be found here.
Individuals should report a personal data breach within 72 hours of having become aware of it. Supplementary information can be provided within four weeks.
Cross-Border Complaint Template
The EDPB announced the new complaint template, which aims to facilitate the submission of complaints by individuals and their efficient handling by the DPAs of different countries. It is supposed to encourage better cooperation among DPAs and save time when dealing with cross-border cases.
Note that the template takes into account the different laws and practices in each country. DPAs can use this tool and adjust it to fit their specific national requirements.
This template can be used by individuals filing a complaint themselves, or by a legal representative or an organization submitting the complaint on an individual’s behalf.
The EDPB also introduced a template acknowledgment of receipt. This document provides the complainant with general information on the next steps after the complaint is submitted. It also highlights the right to challenge a DPA’s decision in court.
Use of the template is not an obligation for DPAs: the EDPB highlighted that DPAs should use the complaint template on a voluntary basis. Each DPA can adapt it to its respective national requirements.
The EDPB has also finalized recommendations for Controller Binding Corporate Rules (BCR-C), merging the existing BCR-C criteria for approval with the standard application form for BCR-C. These recommendations provide a clear application form and explain what data should be included in BCR-Cs. The recommendations also ensure that everyone follows the rules set out in the recent Schrems II ruling. The EDPB’s purpose is to make sure that all organizations have the same opportunity to apply for BCR-Cs.
In particular, the aim of the recommendations is to:
- Provide an updated standard application form for the approval of BCR-Cs.
- Clarify the necessary content of BCR-Cs and provide a further explanation.
- Differentiate between the information included in a BCR-C and what must be presented to the BCR lead data protection authority during the application process.
These recommendations are based on the agreements reached by DPAs during BCR approval procedures since the implementation of the GDPR, while also ensuring alignment with the requirements set by the CJEU’s Schrems II ruling.
If you already have BCR-Cs in place, or have prepared them and are planning to apply for BCR-Cs, you should review and adjust them according to the new recommendations. You can update your BCR-Cs during the application process or as part of your annual update in 2024.
Frequently Asked Questions
Can an individual report the GDPR breach?
How do I complain about the GDPR data breach?
First, complain directly to the organization involved. Give it one month to respond to your complaint or request. If you are unsatisfied with its response or don't understand it, ask the organization involved for clarification. If it fails to provide a response that fits both parts, complain to the data protection authority (DPA) of your country of residence. CookieScript CMP makes sure you protect users’ data and helps you prevent data breaches.
Can you be fined personally for a data breach?
How to file a GDPR data breach complaint for cross-border cases?
In the case of a data breach, you can file a complaint with the DPA of your country of residence in the EU. For cross-border data breach cases, you can use the cross-border Template Complaint form and Template Acknowledgement of receipt. On June 21, 2023, the European Data Protection Board (EDPB) announced the implementation of a complaint template for individuals regarding privacy issues for cross-border cases. CookieScript CMP makes sure you protect users’ data and helps you prevent data breaches.
How do I report a breach of GDPR in Europe?