How a data protection complaint works (explained without complications)

When we talk about personal data, there are situations that can go beyond a simple claim. If what happens is serious enough to be an infringement of the Data Protection Law (LOPD), we’re talking about a complaint. In other words: someone has done something that not only harms you, but may also be punishable.

Why can you file a complaint?

Any violation of the law: from using data without permission to failing to apply the required security measures. The regulations differentiate between minor, serious and very serious infringements, depending on the severity of the case.

Where to file the complaint?

It depends on who is responsible for the infringement:

Before the APDCAT (Catalan Data Protection Authority)

If the entity that violated the law falls within the APDCAT's scope (that is, public institutions and bodies of Catalonia), this is where you need to go. The APDCAT will investigate and, if there is evidence, may open a sanctioning procedure.

Before the AEPD (Spanish Data Protection Agency)

If the infringement was committed by an entity under the national scope (private companies or bodies outside the Generalitat), then the complaint must be directed to the AEPD.

How is it submitted?

Complaints must be made in writing and addressed to the competent authority. There are also electronic options to submit them online.

If you go to the APDCAT, the address is: Gran Via de les Corts Catalanes, 635, 1st floor, 08010 Barcelona.

If you go to the AEPD, the headquarters are at C/ Jorge Juan, 6, 28001 Madrid. You can also do it through the official website www.agpd.es or by calling 901 100 099.

If you send the complaint to the APDCAT but it actually corresponds to the AEPD, don’t worry: the APDCAT will forward it to the appropriate authority.