Skip to content
Misconceptions calendar_today Updated: 6 April 2026 schedule 4 min read

Misconception: If the Authorities Aren't Interested in Me, I'll Never Get in Trouble

Many business owners think they're safe as long as the supervisory authority doesn't come knocking. But 89% of all GDPR enforcement starts with a citizen complaint, not an inspection. This article explains why waiting is a risky strategy.

summarize Key Takeaways
  • check_circle 89% of GDPR enforcement starts with a citizen complaint, not an inspection by the supervisory authority
  • check_circle A dissatisfied customer, former employee, or competitor can file a complaint with just a few clicks
  • check_circle The supervisory authority is obliged to handle every complaint, even if you're a small business
  • check_circle Proactively getting your affairs in order is many times cheaper than putting out fires afterwards

The misconception

“The supervisory authority has never contacted me. As long as they don’t come knocking, I’m fine.”

Many business owners reason this way. And it’s understandable: if nobody has ever contacted you about GDPR, it feels like a non-issue. But this reasoning has a dangerous blind spot.

89% starts with a complaint

The majority of GDPR enforcement doesn’t start with a supervisory authority deciding to investigate your business. It starts with someone who files a complaint.

That someone can be:

  • A customer who asks to see their data and doesn’t get a response
  • A former employee who discovers their personnel file was shared with a third party
  • A website visitor who notices tracking cookies are placed without consent
  • A competitor who reports that your privacy policy doesn’t match reality
  • A newsletter recipient who never gave consent to receive your emails

Filing a complaint is easy. In most EU countries, it’s an online form that takes 10 minutes to fill out. The supervisory authority is then obliged to look into it.

What happens after a complaint

When the supervisory authority receives a complaint:

  1. They contact you and ask for your side of the story
  2. They request documentation: your processing register, privacy policy, processing agreements
  3. They assess whether you comply with the GDPR
  4. If you don’t comply, they can issue a warning, an order to comply, or a fine

The key question is not whether the supervisory authority will come to you proactively. The question is: can you demonstrate your compliance when they do come, triggered by a complaint?

The complaint landscape is growing

The number of privacy complaints grows every year:

  • The Dutch DPA received 25,000+ complaints in 2023
  • The Belgian DPA processes thousands of complaints annually
  • The French CNIL received over 16,000 complaints in 2023
  • The Irish DPC, responsible for many tech companies, saw a 30% increase in complaints year over year

Consumers are becoming more privacy-aware. They know their rights. And they use them.

The hidden costs of a complaint

Even if a complaint doesn’t result in a fine, it costs you:

  • Time: preparing documentation, writing responses, attending meetings
  • Money: legal advice if the case is complex
  • Stress: the uncertainty of an ongoing investigation
  • Reputation: if the complaint becomes public or the data subject shares their experience

Compare that to the cost of getting your basics in order: a few hours of work and a modest investment in tools. The math is simple.

What should you do?

Don’t wait for the supervisory authority to come to you. Get your basics in order now:

  • Processing register: document what data you process and why
  • Privacy policy: inform your customers and website visitors
  • Processing agreements: contracts with parties that process data on your behalf
  • Request procedure: know how to respond when someone asks about their data
  • Data breach procedure: know what to do when something goes wrong

These are not complex, expensive projects. They’re basic business hygiene that protects you when a complaint comes in.

auto_awesome Don't wait for a complaint

GDPRWise scans your website and helps you build your compliance file. So you're prepared when someone asks questions about your data processing.

GW
GDPRWise Editorial

This article was written by the GDPRWise team and reviewed by our privacy experts. We regularly review our content for accuracy and legal correctness.