How do national data protection authorities handle EES complaints and what timelines apply?
Executive summary
National data protection authorities (DPAs) investigate complaints under the GDPR using national procedures or a coordinated “one‑stop‑shop” where a lead authority handles cross‑border cases, and complainants should expect initial progress updates within months but full investigations can take many more; EU-level reforms adopted recently set firm upper limits for cross‑border probes (notably 12–15 months depending on procedure) while national deadlines vary [1] [2] [3]. The European Data Protection Supervisor (EDPS) only handles complaints against EU institutions and will redirect complainants to national DPAs when appropriate [4] [5].
1. How complaints reach a DPA and who is competent
Complaints alleging GDPR breaches are lodged with the national DPA of the country where the data subject resides, works or where the alleged infringement occurred, and the DPA will determine admissibility and whether it is the competent authority or must transfer the case; the EDPS is limited to EU institutions and will advise or transfer matters outside its competence to national authorities or other EU bodies [1] [4] [5].
2. One‑stop‑shop and lead authority for cross‑border EEA complaints
When processing affects people in multiple EEA states, the GDPR’s cooperation mechanism designates a single lead supervisory authority (the DPA of the controller’s main establishment) to conduct the investigation while coordinating with concerned DPAs, using formal cooperation rules or a simplified “cooperation procedure” for straightforward cases [1] [6].
3. Timelines: what complainants should expect from national DPAs
Member‑state DPAs generally aim to inform complainants of progress within a short period—EU consumer guidance notes a three‑month timeline to be informed about the outcome or progress—yet national laws differ and many DPAs operate under statutory deadlines that range from about three to six months or, in some jurisdictions, up to a year; practice, however, can be slower and compliance uneven [2] [7].
4. Timelines for cross‑border cases after recent EU rules
To tackle persistent delays, the Council adopted new procedural rules to speed up cross‑border enforcement: simple cooperation procedures should conclude within 12 months, standard coordinated investigations should not exceed 15 months, and the most complex matters may be extended by an additional 12 months—creating EU‑level ceilings where previously timing was more indeterminate [3].
5. Procedure stages and complainant rights during investigations
DPAs will investigate to an appropriate extent, may request information from the controller, coordinate with other supervisory authorities, and must inform complainants of progress and outcomes; individuals can escalate dissatisfied decisions to national courts and may be assisted by NGOs or representative bodies in lodging complaints [5] [8] [6].
6. Practical caveats, variability and enforcement capacity
National variation in administrative rules, resources and legal obligations means timelines are not uniform: some DPAs publish strict decision deadlines, others have no clear statutory limits and may take longer—civil society studies document both statutory deadlines and frequent failures to meet them—so complainants in cross‑border or technically complex cases still face multi‑month to multi‑year processes despite the new EU ceilings [7] [9] [3].
7. Emerging reforms and what they change for complainants
The European Commission’s and Council’s recent push to harmonise procedural rules aims to reduce bottlenecks by clarifying admissibility criteria, introducing simplified cooperation for straightforward files, and setting harmonised timelines and participation rights for both complainants and companies—measures intended to make enforcement more predictable and faster across national DPAs [10] [11] [3].