This is interesting but quite unfortunate. As individuals we often spot #GDPR infringements in situations where we are not a victim. The GDPR does not empower us to act with any slight expectation of getting results. There is no reporting mechanism and no remedial correction if the complainant’s own personal data was not mishandled. No Article 77 possibility.

Paragraph 2 page 3:

The GDPR does not explicitly define what constitutes a complaint but Article 77 gives a first understanding providing that “every data subject shall have the right to lodge a complaint (…) if the data subject considers that the processing of personal data relating to him or her infringes this Regulation”.

Page 4 examples of non-complaints:

  • a suggestion made by a natural person that he or she thinks that a particular company is not compliant with the GDPR as long as he or she is not among the data subjects.

There is a hack but it’s purely the DPA’s discretion whether to act. From page 5:

The supervisory authority may act upon its own motion (ex officio), e.g., after being “informed otherwise of situations that entail possible infringements” 6 (e.g. by the press, another administration, a court, or another private company, a hint by a natural person which is however not a complaint within the meaning of Article 77).

So a natural person can tattle (tip off) the DPA but the DPA can simply ignore it. If the DPA feels like it, they can act on it as their own initiative (not under Art.77), which means the whistle blower can (and likely will) be kept out of the loop and in the dark. So such reports might as well be sent anonymously. And if it’s not a big interesting case (e.g. involving a tech giant), it’s probably unlikely a DPA will act.

Why this is a problem

I often want to engage with a data controller but their procedures demand irrelevant info in violation of data minimisation. In principle I should be able to use a corrective process to make the data controller compliant before I engage them. There is no useful mechanism unless a prospective data subject partakes in subjecting themself to a breach (self harm) before filing an Art.77 complaint.