After a complaint to your data protection authority: what actually happens

A complaint to a data protection authority is the start of a process, not a verdict. Most SMBs imagine the worst; the actual workflow is a letter, a response, and usually a closure — provided the response is well-prepared.

By Veracly Compliance Team · 7 min read

A complaint to a supervisory authority is the start of a regulatory conversation, not a verdict. Most SMB owners who have never received one imagine FBI-style raids; the actual experience is a letter on official letterhead with a list of documents requested and a deadline to respond. The outcome depends heavily on what the response contains.

The arrival

Supervisory authorities (CNIL in France, BfDI / state DPAs in Germany, Garante in Italy, AEPD in Spain, ICO in the UK, etc.) receive complaints through public web forms. A complaint is screened by the authority’s intake team. If it meets the threshold of a credible allegation against an identifiable controller, it is forwarded to the controller.

The forwarding is typically a letter or registered email containing:

  • The complaint reference number.
  • A summary of the allegation (often quoting the complainant’s text).
  • The specific GDPR / ePrivacy / national-law articles the authority believes may apply.
  • A list of information requested from the controller.
  • A response deadline — typically 21 days (CNIL), 30 days (most DPAs), up to 60 days (large or complex matters).

The letter is not an accusation. It is a fact-finding step. The tone in most EU DPA letters is neutral and procedural.

What gets asked for

A typical first-letter information request includes:

  • The lawful basis under Article 6 the controller relies on for the processing in question.
  • A copy of the privacy policy and any consent records.
  • Where applicable, evidence of consent (timestamps, CMP logs).
  • The retention period for the relevant data category.
  • The data processing agreement with any subprocessors involved.
  • Any transfer mechanism (DPF certification, SCCs, etc.) relied on for international transfers.
  • The internal procedure for responding to data subject rights requests.

For accessibility complaints under the EAA or national accessibility law, the equivalent list is: WCAG conformance evidence, the accessibility statement, the remediation roadmap, and the date of the last audit. Veracly reports are designed to slot into this exact list — the signed PDF together with the audit ledger entry is the evidence package an authority is asking for.

How to respond

Five principles consistently predict good outcomes:

  1. Respond on time. The deadline is real. Late responses can result in escalation regardless of substance. If you need an extension, ask explicitly before the deadline — most authorities grant a short extension on a reasonable request.
  2. Respond factually. Answer each question with documentation attached, not narrative. Authorities read hundreds of complaints; clear evidence is faster to process than careful prose.
  3. Be specific about remediation. If a finding is correct, acknowledge it and describe what you have already changed. “We fixed the banner parity issue on 12 May 2026, here is the deploy log” is a much better answer than “We dispute the characterization.”
  4. Don’t over-share. Provide the information requested, not everything the controller has. Volunteering additional processing details that were not asked about expands the scope of inquiry.
  5. Get a lawyer if there is doubt. A first letter on a clear, cooperative case is generally manageable in-house. Special-category data, cross-border issues, or any allegation of intentional violation needs counsel.

The escalation path

If the first response is unsatisfactory, or the complaint is severe enough at intake, the authority can escalate to a formal investigation. This typically involves:

  1. A follow-up letter with more specific document requests.
  2. Possibly an on-site visit (rare for SMBs in the EU, more common for large controllers and US contexts).
  3. A draft decision shared with the controller for comment.
  4. A final decision, possibly with a fine and remediation order.
  5. An appeal window — typically 30–60 days to the relevant administrative court.

For most SMB cases the process closes at step 1 with a warning, or at step 4 with a remediation order. Fines for SMB respondents are typically calibrated to size — CNIL has been explicit that they apply Article 83’s proportionality framework, and SMB fines in the four- and low-five-figure range are common; the seven-and-eight-figure headline fines target controllers with global revenue.

The patterns that lead to fines

Across published EU DPA decisions against SMB respondents, the patterns that correlate with fines (versus warnings or remediation orders) are consistent:

  • Failure to respond at all. The single largest predictor of an escalated outcome.
  • Repeat violation. A controller previously warned for the same issue is treated more sternly than a first-time finding.
  • Special-category data. Health, biometric, racial, religious, union, or sexual-orientation data raises the severity by one tier in most authorities’ internal frameworks.
  • Children’s data. Special weight under GDPR Article 8 and CNIL’s 2021 guidelines on under-15 processing.
  • Intentional or knowing violation. Evidence the controller knew the processing was problematic and continued. Internal communications surfaced in document production frequently determine the difference between a warning and a fine.
  • Cross-border violations. Complaints involving the lead-supervisory-authority mechanism (Article 56) escalate faster because multiple authorities coordinate.

What having a signed Veracly report does

A signed, timestamped Veracly report is a piece of evidence that does several things in a complaint response:

  • Establishes when the controller last audited the relevant processing — the regulator wants to see that compliance is monitored, not assumed.
  • Provides an independent third-party assessment, distinct from self-certification.
  • Carries a verifiable signature — the authority can confirm the PDF is the one issued and has not been edited.
  • Maps findings to specific regulation articles, which is exactly the format the authority’s legal team is operating in.

None of this is a defense to a substantive violation. But it shifts the conversation from “does the controller take this seriously” to “here is the evidence of monitoring, here are the findings as of [date], here is the remediation status.” That framing matters.

Practical recommendation

Treat the response window as a project. Open a folder for the complaint, file every piece of correspondence with the authority, file every piece of internal investigation, file your Veracly reports for the relevant period. Respond on the deadline, with attachments, in the format the authority requested. Follow up to confirm receipt. Most first-time SMB complaints close at this stage.

See also: How to verify a Veracly report is authentic · Sharing a Veracly report with regulators

Common questions

How do most SMB complaints arrive?

By mail or by registered email from the supervisory authority, with a complaint reference number and a response deadline (typically 21–30 days). They are factual and procedural, not accusatory. The cover letter usually summarizes the complaint and lists the specific information the authority requests.

What is the typical outcome?

For first-time SMB complaints with a cooperative response, the most common outcome is closure with no fine and an instruction to remediate. CNIL data from 2023 showed roughly 60% of complaints against SMB respondents closed with a warning; 25% with a remediation order; under 10% resulted in a fine. The pattern is similar across EU DPAs.

Do I need a lawyer immediately?

For most first-time SMB complaints, no. The response is a procedural letter providing the requested information. A lawyer becomes valuable if the complaint alleges special-category data processing, cross-border violations, or repeat violations — or if the regulator escalates to a formal investigation.
