Overview

This article allows data subjects to mandate a not-for-profit body, legally established in a Member State and active in data protection, to lodge complaints, exercise the rights under Articles 77, 78 and 79, and claim compensation under Article 82 on their behalf. Member States may also permit such bodies to lodge complaints and exercise those rights independently when data subject rights are infringed.


Key Principles

  • Data Subject Empowerment: Enables collective representation for asserting GDPR rights.

  • Authorized Bodies: Must be legally constituted, not-for-profit, and active in data protection.

  • Scope of Representation: Complaints, judicial remedies, and claims for compensation.

  • Independent Action: Member States may allow bodies to act independently when rights are violated.

  • Accountability: Ensures representation is legitimate and aligned with data subjects’ interests.

Organizational Applicability

This article applies to:

  • Not-for-profit bodies representing data subjects in GDPR matters.

  • Supervisory authorities handling complaints or legal actions filed by representative bodies.

  • Controllers and processors responding to complaints or claims filed by authorized bodies.

  • Legal and compliance teams supporting data subject representation processes.

Implementation Requirements

  • Recognize authorized bodies as valid representatives of data subjects.

  • Accept complaints and claims filed by these bodies in accordance with Articles 77–82.

  • Establish procedures to facilitate independent actions where permitted by Member States.

  • Document representation mandates and actions taken by authorized bodies.

Implementation Guidance

  • Maintain a registry of recognized representative bodies.

  • Train staff on handling complaints and claims filed by these bodies.

  • Ensure communication channels are clear for notifications, responses, and updates.

  • Periodically review representation procedures to maintain compliance and effectiveness.

Periodic Review

  • Frequency: Annually or when new representative bodies are recognized or regulations change.

  • Responsible Role: Supervisory authority leadership, Compliance Team, or Legal.

  • Outcome: Ensure legitimate, effective representation of data subjects and enforcement of GDPR rights.

Non-Compliance Risks

  • Fines: Up to €20 million or 4% of global annual turnover for controllers or processors violating GDPR.

  • Legal Exposure: Challenges due to refusal or mishandling of complaints by representative bodies.

  • Reputational Damage: Loss of trust due to inadequate support for data subject representation.

  • Operational Risk: Failure to recognize authorized bodies may delay remedies and enforcement.