What is a GDPR complaint?
A GDPR complaint arises when an individual (data subject) considers that an organisation (controller or processor) has not complied with GDPR requirements in relation to their personal data. This may involve incorrect processing of personal data, failure to respect the rights of the data subject, or non-compliance with other principles of the GDPR.
Common reasons for filing a GDPR complaint:
Lack of consent: When an organisation collects or processes your personal data without obtaining your clear and informed consent.
Right of access: If you request access to your personal data and the organisation does not provide you with the necessary information or refuses your request.
Data security breach: If your personal data is compromised due to inadequate security measures or a data breach and the organisation does not notify you within the prescribed period.
Inaccurate or unlawful processing: If your data is processed in an inaccurate, irrelevant or unlawful manner.
Right to erasure: If you request the erasure of your data but the organisation refuses to do so without a valid reason.
Insufficient data protection: If an organisation does not take adequate measures to protect your data from unauthorised access or misuse.
How to make a GDPR complaint
If you believe that your rights under the GDPR have been violated, you can take the following steps:
Contact the organisation directly: Before you make a formal complaint, it is often a good idea to contact the organisation in question and try to resolve the issue directly. Many organisations have a Data Protection Officer (DPO) or a dedicated data protection team who can deal with your concerns.
Contact the relevant supervisory authority: If the problem cannot be resolved through direct communication or if the company does not respond to your enquiry, you can lodge a complaint with your local data protection authority. Each EU member state has a supervisory authority that is responsible for enforcing data protection laws.
In the UK, for example, you can contact the Information Commissioner’s Office (ICO) and in Germany you can contact the Federal Commissioner for Data Protection and Freedom of Information (BfDI).
You can also lodge a complaint with the data protection authority in the country where you live or where the alleged infringement took place.
Submit a formal complaint: Your complaint must include the following:
Details of the organisation concerned (name, address, contact information).
A description of the problem or offence, together with any supporting evidence (emails, communications, etc.).
Any steps you have taken to resolve the issue with the organisation (if applicable).
Expect an investigation: The data protection authority (DPA) will analyse your complaint and may investigate the matter further. It may ask the organisation to take remedial action or impose sanctions if it finds a breach of the GDPR.
What happens after a GDPR complaint?
Once a complaint has been lodged, the supervisory authority will investigate the matter and take appropriate action. This may include:
Issuing a warning to the organisation.
Imposing fines or penalties on the organisation for non-compliance.
Instructing the organisation to rectify the problem or improve its data protection practices.
The supervisory authority usually endeavours to resolve complaints within a few months, although complex cases can take longer.