Data protection authorities, DPAs, are the enforcement bodies for privacy law in their respective jurisdictions. Under GDPR, they have the power to order organizations to delete data, cease certain processing activities, and impose fines. They are a genuinely effective tool, but they work on their own timeline, and the gap between filing a complaint and seeing a result is longer than most people are prepared for.
What you can complain about
Under GDPR Article 17, you have the right to request deletion of personal data that is no longer necessary, that you have withdrawn consent for, or that has been processed unlawfully. This covers a wide range of situations: old articles containing personal information, forum posts, images, profiles on data broker sites, and content published without your consent. The process starts with a direct request to the organization holding the data. Many of those requests are ignored. The DPA complaint is the escalation mechanism when the direct request has failed or been refused.
How to structure a complaint
A well-prepared complaint is the single most important factor in how quickly a proceeding moves. A DPA receiving a vague complaint will ask for clarification, and each request extends the timeline by weeks or months. A solid complaint includes: a clear description of the personal data at issue, the URL or specific location of the data, documentation of your prior request to the organization and their response or non-response, the specific legal basis under which you are requesting deletion, and your contact information.
Timeline expectations
Three to nine months is a realistic range for most complaints. Straightforward cases involving clear violations and cooperative organizations can resolve faster. Complex cases or organizations that dispute the complaint take longer. Filing a complaint and then following up every two weeks does not speed things up. File the complaint, document that you have done so, and wait for the authority to contact you.
Cross-border situations
If the organization processing your data is based in a different EU member state, the one-stop-shop mechanism means the lead supervisory authority is the DPA in the country where the organization has its main establishment. Complaints filed with your local DPA are typically forwarded to the lead authority, which can add time. For organizations based outside the EU entirely, GDPR still applies in principle, but enforcement is more difficult in practice.
When the DPA is not the right tool
DPA complaints are most effective for the unlawful processing of clearly personal data by identifiable organizations. They are less effective for content that is genuinely difficult to remove on legal grounds, for anonymous operators, or for situations where the legal basis for removal is contested. In those cases, other mechanisms may need to run in parallel.