Skip to content

Per-jurisdiction rights guides

Finding and Complaining to Your Local Data Protection Regulator

Almost every country has an independent authority that oversees how organisations handle personal data. Here is how to find the right one for where you live, and how to raise a concern with it when an organisation gets something wrong.

In short

Your local data protection regulator is the independent public authority that oversees how organisations handle personal data where you live — the ICO in the UK, your national DPA in the EU, the KVKK in Turkey, or the CPPA in California. You find it by identifying your country or state, then raise a concern with it for free once you have first contacted the organisation.

Who your regulator is depends on where you live

Most countries with a data protection law also have an independent authority that supervises it. People sometimes call it a regulator, a supervisory authority, or a data protection authority (DPA). Whatever the name, its job is similar everywhere: it oversees the rules about how organisations collect, store, and use personal data, publishes guidance, and looks into concerns raised by the public.

Which one applies to you usually comes down to where you are based and, sometimes, where the organisation is based. In the United Kingdom it is the Information Commissioner's Office (ICO), operating under the UK GDPR and the Data Protection Act 2018. Across the European Union each member state has its own national authority enforcing the GDPR. Several other jurisdictions have their own regulator and their own law.

If you are unsure which applies, start with your own country of residence. A regulator generally handles concerns from people in its own territory, and many will help point you in the right direction if a different authority is better placed. This is general information, not legal advice.

  • United Kingdom — the Information Commissioner's Office (ICO), under the UK GDPR and the Data Protection Act 2018.
  • European Union — your country's national data protection authority, under the GDPR.
  • Turkey — the Kişisel Verileri Koruma Kurumu (KVKK authority), under the KVKK.
  • California — the California Privacy Protection Agency (CPPA), under the CCPA/CPRA.
  • Canada — the Office of the Privacy Commissioner (OPC), under PIPEDA.
  • Australia — the Office of the Australian Information Commissioner (OAIC), under the Privacy Act.
  • Brazil — the Autoridade Nacional de Proteção de Dados (ANPD), under the LGPD.

How to find the right authority and raise a concern

Once you know which jurisdiction applies, finding the regulator itself is straightforward, and raising a concern with it is normally free. Most authorities expect one thing of you first: that you have already given the organisation a fair chance to put the matter right. A complaint to the regulator is an escalation route, not usually a first move.

Working through a simple order keeps your concern complete and easy for the authority to follow.

  • 1. Identify your jurisdiction — usually your country or state of residence, and note where the organisation is based.
  • 2. Find the official regulator — look up the authority for that jurisdiction and use its own official website; be wary of look-alike sites.
  • 3. Contact the organisation first — raise your concern in writing and give it a reasonable chance to respond, keeping a dated copy.
  • 4. Prepare a short record — what you asked for, when, and the organisation's reply (or a note that it did not reply).
  • 5. Submit your concern to the regulator — most accept complaints online or by post, and most charge nothing.
  • 6. Keep copies and wait for the authority to come back to you with what, if anything, it intends to do.

What a regulator can and cannot do for you

What a data protection authority can do varies by country, but the broad pattern is consistent. It can review your concern, ask the organisation questions, and give guidance on how personal data should be handled. Where it finds a serious or repeated failing, a regulator typically has formal powers to act. In many individual cases, though, the outcome is guidance to the organisation — which is often what gets your own issue resolved.

There are limits worth knowing. Many regulators do not award compensation; that is usually a matter for the courts. An authority also tends to focus on an organisation's wider handling of data, so the result may be advice to the organisation rather than a specific order in your individual case. The exact powers, time limits, and process differ by jurisdiction, so always check your own regulator's official guidance.

Raising a concern is your right, and in most places it costs nothing. OSINTA helps you understand your own digital footprint and frame and route your own data-rights requests, with your findings in front of you — the system suggests, and you decide every step. It does not contact a regulator on your behalf. This is general information, not legal advice; for your own situation, consider speaking with a qualified professional.

  • Can usually — review your concern, question the organisation, and offer guidance; use formal powers where a failing is serious.
  • Often cannot — award you compensation; in many jurisdictions that is a matter for the courts.
  • Powers, deadlines, and procedure vary by country, so check your own regulator's official site for the specifics.

Frequently asked questions

How do I know which data protection regulator applies to me?

Start with your country or state of residence, and note where the organisation is based too. In the UK it is the ICO; in the EU it is your national authority under the GDPR; other jurisdictions such as Turkey, California, Canada, Australia, and Brazil each have their own regulator. If unsure, your home authority can often point you to the right one.

Do I have to contact the organisation before complaining to the regulator?

In almost all cases, yes. Most regulators expect you to raise your concern directly with the organisation first and give it a fair chance to respond. A complaint to the authority is best treated as an escalation route once the organisation has had its opportunity to put things right.

Does it cost anything to complain to a data protection authority?

In most jurisdictions, no — raising a concern with the regulator is free, and you generally do not need a lawyer. Fees and process do vary by country, so it is worth checking the specifics on your own authority's official website.

Will the regulator get me compensation?

Usually not. Many data protection authorities do not award compensation; that tends to be a matter for the courts. A regulator can review your concern, question the organisation, and offer guidance, and may act formally where a failing is serious.

Related terms

This is general information, not legal advice. For guidance on your own situation, consider speaking with a qualified professional.

Reviewed by OSINTA's founding lawyer — 2026-06-27.

Know your rights before you escalate

Often the step before a complaint is a clear access request. OSINTA helps you understand your own footprint and route your own requests — you stay in control of every step.

See the DSAR guideJoin the waitlist