How to File a Data Protection Complaint in the UK and EU If a Regulator’s Office Is Under Investigation

When Your Local DPA Is Out of Action: Fast, practical steps for a DPA complaint in the UK & EU (2026)

Hook: You tried to complain to the local data protection authority, but their office has limited capacity — or worse, it is under investigation (see the Italy DPA raid reported in early 2026). Who do you turn to next to stop continuing harm, get a prompt ruling, or secure emergency relief? This guide shows clear, practical escalation routes — from cross-border complaints and alternative regulators to urgent remedies and consumer-level claims.

Why this matters now (2025–2026 context)

In late 2025 and early 2026, several high‑profile events — including the reported search of the Italian Garante’s offices — exposed an important vulnerability: national Data Protection Authorities (DPAs) are powerful gatekeepers for privacy enforcement, but they can be temporarily impaired. The EU’s GDPR framework has built-in cross-border coordination and an urgency procedure, yet those routes can be slow or hard to use for everyday consumers. Meanwhile, national courts, Ombudsmen and consumer regulators have grown more active in privacy-related enforcement.

Quick summary: Where to go if a local DPA is impaired

• If the controller/processor is in another EU country: File a cross-border complaint to the controller’s lead supervisory authority (LSA) or a concerned supervisory authority (CSA).
• If the controller is in the UK: Complain to the ICO directly (UK GDPR).
• If the local DPA cannot act or is compromised: Ask another EU DPA to act, request the EDPB to trigger the consistency mechanism, or seek interim relief via national courts.
• Urgent remedies: Article 66 (GDPR) allows provisional measures by DPAs in urgent situations — you can ask a functioning DPA or the EDPB to consider urgency. Also consider emergency injunctions from a national court.
• Alternative routes: Sectoral Ombudsmen, Trading Standards (consumer contracts), Financial or Telecoms Regulators, Small Claims courts, and representative bodies under Article 80 (GDPR).

Step-by-step plan: From immediate action to full escalation

Step 1 — Gather evidence (do this immediately)

Before you file anywhere, collect clear evidence. This is the foundation of any successful complaint.

• Copies of the communication with the company (emails, chats, web forms). For privacy-first intake and how organisations collect complaints, see privacy-first intake workflows.
• Screenshots of privacy settings, cookie banners, consent boxes, or offending pages (include timestamps).
• Transaction records or account IDs that tie you to the controller/processor.
• Any automated logs (e.g., emails delivered, SMS receipts) that show ongoing harm.
• Witness statements if relevant (short declarations are helpful).
• Record the name and details of the local DPA officer you contacted, and any replies — or the fact that they are not responding due to capacity issues.

Step 2 — Identify the right authority

Find out the controller’s establishment under GDPR:

• If the controller is established in your country and the local DPA is functioning, start there.
• If the controller is established in another EU country, that country’s DPA is the lead supervisory authority for cross-border processing.
• If the controller is in the UK, complain to the ICO (UK GDPR/DP Regime).

Step 3 — If the local DPA is impaired, escalate horizontally

If the local DPA is compromised or cannot act quickly (for example, during an investigation or staff shortage), you have options:

1. File with the controller’s DPA: Submit a complaint to the LSA where the company is established. The LSA has the authority to handle cross-border complaints under the GDPR One‑Stop‑Shop mechanism. If you need practical tips on handling cross-border tech services and EU-sensitive micro-apps, see EU-sensitive micro-app guidance.
2. Contact other concerned supervisory authorities (CSAs): If the processing affects data subjects in several Member States, other national DPAs can become CSAs and ask the LSA to act via the consistency mechanism.
3. Request EDPB intervention: If coordination stalls, the European Data Protection Board (EDPB) oversees the consistency mechanism and can adopt binding decisions between DPAs. For compliance questions around complex processing stacks (including AI), organizations often consult pieces such as guides on compliant infrastructure.
4. Use Article 80 representation: If you work with a consumer organisation or a law firm authorised under Article 80, they can represent you before DPAs and courts. See examples of representative actions and media reuse disputes at media and rights guides.

Step 4 — Seek urgent interim relief

When harm is ongoing — e.g., continued unlawful processing, data disclosures or harassment — you may need immediate relief. There are two practical emergency paths:

• DPA interim measures (Article 66): The GDPR contains an urgency procedure (Article 66), allowing DPAs to adopt provisional, binding measures. If your local DPA is not functioning, ask a functioning DPA that is concerned by the processing to use Article 66. The LSA can also act if the controller is established in their territory.
• National court injunctions: You can apply for an interim injunction from a national court to stop the processing or to freeze assets. Courts can act faster in emergencies and can issue orders enforceable against the controller in that jurisdiction. For practical civil-route parallels (how small claims and consumer processes run in practice), organizers often borrow templates from consumer guides and small-claims playbooks such as retail and small-claims resources.

Practical tip: When asking another DPA for interim measures, supply a short urgency letter explaining the immediate harm and attach the evidence checklist above. Keep it concise — authorities triage urgent requests.

Alternative regulators and routes you might not have considered

1. Sectoral regulators and Ombudsmen

Not all privacy harms are purely data-law matters. If the breach relates to a specific sector, other regulators can help:

• Financial data: National financial supervisory authorities and financial Ombudsmen can investigate misuse of personal financial data.
• Telecoms & ISP issues: National telecom regulators and telecom Ombudsmen often have powers on customer privacy and blocking content.
• Health data: National health regulators or professional bodies can provide alternative enforcement if medical confidentiality is breached — see sector playbooks like telehealth billing & messaging guidance for health‑sector privacy considerations.

2. Trading Standards and consumer protection authorities

If your case also involves unfair commercial practices, misleading privacy promises, or faulty products tied to data misuse, your national consumer protection authority (or Trading Standards in the UK) can take action under consumer law. Practical support teams and lean enforcement functions are documented in operational playbooks such as superpowered support for small teams.

3. Small Claims & civil litigation

GDPR gives a right to compensation for material or non-material damage. If you want monetary redress and the DPA route is slow or blocked, consider:

• Small Claims Court for lower-value claims (useful in the UK and many EU Member States).
• Representative actions via consumer organisations under national law or Article 80 representation under GDPR.

4. Media, MPs & political pressure

When a regulator’s capacity is hampered for institutional reasons, public and political pressure can be effective. Notify your MP/MEP, local consumer watchdogs, and reputable journalists — but ensure you share only verified evidence and avoid defamation risks. For event-based pressure and low-cost public action workflows, organisers often use micro-event toolkits like low-cost tech stacks for micro-events.

Practical templates: Use these to get started

Template A — Complaint to an alternative EU DPA (LSA)

Subject: Urgent privacy complaint (cross-border) — request for interim measures

Dear [DPA name / officer],

I am a data subject affected by processing by [controller name; country of establishment]. My personal data has been [brief description of processing].

I originally contacted [local DPA name], but their office is currently not able to process complaints due to [public reports / capacity issues / investigation]. Because the controller is established in your Member State, I ask that you accept this complaint as the lead supervisory authority under Article 60 GDPR and consider urgent interim measures under Article 66 to stop ongoing harm.

Attached: evidence checklist (communications, screenshots, transaction records).

Please acknowledge receipt and advise whether you require further documentation. I request a provisional measure to [stop processing / delete my data / suspend transfers] pending investigation.

Yours sincerely,

[Name, address, contact details]

Template B — Request for interim injunction (to a national court)

Subject: Emergency injunction application — stop unlawful processing

To the Clerk of Court / Duty Judge,

I, [name], seek an urgent interim injunction against [controller name] to immediately cease [the unlawful processing described briefly]. I attach evidence showing ongoing harm and the inability of my local DPA to provide prompt relief.

Relief requested: an immediate order requiring [controller] to [freeze data / delete data / stop transfers] and preserve evidence pending full hearing.

I am prepared to provide further particulars and to attend an ex parte hearing if necessary.

Sincerely,

[Name, contact details, attachment list]

Case studies & experience — how this worked in practice

Example (composite): In late 2025 a consumer in Country A found persistent unauthorised marketing calls linked to an EU-based platform. The local DPA was publicly reported to be under inquiry and slow to respond. The consumer:

1. Collected call logs and screenshots. If you need practical tips on preserving audio or field evidence, see field-audio workflows.
2. Filed a complaint to the platform’s DPA (LSA) and asked for Article 66 measures.
3. Raised an urgent court application in the platform’s country to stop the calls.
4. Filed a parallel Small Claims compensation action for non-material damage and contacted a consumer NGO to use Article 80 representation.

Outcome (6–9 weeks): The LSA issued an interim measure ordering the platform to stop the calls and the court granted an emergency injunction. The platform later settled the civil claim.

Advanced strategies & 2026 trends

Looking ahead, expect these trends:

• Faster DPA coordination: The EDPB has published faster guidance on cross-border triage (late 2025) to reduce delays when one DPA is impaired.
• More use of national courts: Courts are becoming a primary route for emergency relief as they can act quickly while DPAs coordinate.
• Representative litigation will grow: Consumer groups and law firms are using Article 80-style representation to bundle small claims into strategic actions — see examples in consumer media and rights coverage such as media rights case studies.
• Sector regulators will bite harder: Financial and telecoms regulators are increasingly treating privacy failures as consumer protection breaches.

How to combine routes for the best chance of success (recommended playbook)

1. File a cross-border complaint to the LSA and copy other concerned DPAs.
2. Simultaneously apply to a national court for interim relief if harm is immediate.
3. Notify sectoral regulators/Ombudsmen if the case involves finance, telecoms or health.
4. Engage a consumer representative organisation for Article 80 representation where possible.
5. Preserve evidence and public record (timestamped screenshots, certified mail receipts). For technical preservation and intake workflows, many practitioners reference guides to compliant micro-app architectures and migration patterns such as platform migration guides.

Common pitfalls — avoid these mistakes

• Don’t rely only on media reports: DPAs may still function at a basic level despite headlines. Get official status updates from the DPA’s website.
• Don’t delay evidence gathering — some items (logs, caches) are ephemeral.
• Avoid posting sensitive evidence publicly — that can worsen privacy exposure and complicate legal claims.
• Be precise about the controller’s establishment; filing with the wrong authority wastes time.

Checklist: What to do now (actionable takeaways)

1. Collect and timestamp all evidence now.
2. Identify controller location and whether they have a UK or EU establishment.
3. If your local DPA is impaired, submit to the controller’s DPA and ask for Article 66 interim measures.
4. If harm is immediate, file for an injunction in the jurisdiction where the controller is established.
5. Consider parallel consumer or small claims actions for compensation.
6. Engage a consumer NGO or solicitor under Article 80 when possible. For consumer outreach and low-cost event tactics (useful if you plan public pressure or community meetings), see micro-event tech stacks.

Final thoughts — a trusted path forward

When a national DPA’s capacity is impaired — whether due to an internal probe like the Italy DPA raid or resourcing issues — you still have several strong routes: cross-border complaints through the GDPR consistency mechanism, interim measures via DPAs or courts, sectoral regulators, and civil claims. The landscape in 2026 is evolving: DPAs and the EDPB are streamlining emergency coordination, while national courts and consumer groups are stepping into the breach.

Remember: Don’t let headlines stop you. Evidence, speed, and the right escalation path win these cases.

Call to action

If you’re facing blocked enforcement because your local DPA is under investigation or slow, download our free Urgent Privacy Complaint Checklist, or use our tailored complaint templates to contact an alternative DPA or apply for interim court relief. If you want personalised help, submit your case to our intake form and one of our privacy advisers will review your options and next steps. If your case involves commercial remedies or merch-related disputes, resources on creator commerce and dispute handling like edge-first creator commerce may be helpful references.

Related Reading

• Telehealth Billing & Messaging in 2026: Coding, Compliance, and SMS Workflows for Spine Clinics
• Field-Tested: Client Onboarding Kiosks & Privacy‑First Intake for Salons (2026 Review)
• Running Large Language Models on Compliant Infrastructure: SLA, Auditing & Cost Considerations
• When Media Companies Repurpose Family Content: How to Keep Ownership and Earn If It’s Used
• What TV Gets Right (and Wrong) About Rehab: A Clinician’s Take on The Pitt
• How to Build Watch Party Events Around Big-Franchise Releases Without Getting Lost
• Using Age-Detection Tools for Compliant Intern and Gig Worker Onboarding
• Cheap Flights to Gaming Conventions: Finding the Best Routes When MTG and Pokémon Events Drop
• Client Education Cheatsheet: Explaining New Hair Ingredient Claims Without the Jargon