Who can file a GDPR complaint?

Any data subject under Art. 77 GDPR with the competent supervisory authority. Also consumer associations under Art. 80 GDPR.

How long does proceedings take?

Median 2025: 14-22 months (BfDI activity report 03/2026). Complex cases 3-5 years.

Do I have file access?

Yes, under § 29 VwVfG / § 32f BDSG. BVerwG 6 C 6.20: non-acute procedural parts may be redacted but not to circumvent burden of proof.

Median 2025 DE: €12,500 (BfDI). 90th percentile: €240,000. Top fines 2025: Vodafone €1.3M, Microsoft €850k, Volkswagen €650k.

Yes, administrative court within 1 month. Appeal has suspensive effect. German lawyer recommended, average fee €4,500-15,000.

Preventive protection?

1) Current VVT, 2) DPO appointed, 3) DPAs complete, 4) TOM documented, 5) Data subject rights process. Compliance-Kit GDPR Kit has all 5 modules.

GDPR Fining Procedure: What Happens After a Complaint (8 Steps)

Published: 26 April 2026 · Last updated: 02 May 2026· Category: GDPR

Practitioner note: This article is practice-oriented compliance documentation, not legal advice. We are a compliance specialist, not a law firm. For legally binding guidance, please consult a licensed attorney.

TL;DR

8 procedural steps: intake → preliminary review → hearing → order → fine notice → 1-month appeal period → administrative court → enforcement
Median duration: 14-22 months (BfDI report 2025)
Median fine Germany 2025: EUR 12,500 (SME)
Suspensive effect of the action — no immediate enforcement
Best defence: documented compliance building blocks in advance

1. 8-Step Process

#	Step	Who does what	Duration (median)
1	Complaint intake	Data subject → supervisory authority; acknowledgement of receipt within 14 days	0-2 weeks
2	Preliminary review	Supervisory authority assesses jurisdiction, substance	1-3 months
3	Hearing of the controller	Statement within 4 weeks, extendable	1-2 months
4	Fact-finding	Request for files, on-site inspection (rare), expert witnesses	3-12 months
5	Order / directive	Supervisory authority issues order (Article 58)	0-1 month
6	Fine notice	Reasoned, with appeal instructions	0
7	Appeal period	1 month from service	0-1 month
8	Administrative court / enforcement	Administrative court main proceedings 12-24 months	1-3 years

2. Procedural Rights of the Controller

Access to the file (Section 29 VwVfG, Section 32f BDSG, BVerwG 6 C 6.20)
Right to be heard before adverse decisions (Section 28 VwVfG)
Legal representation (Section 14 VwVfG)
Right to access also to the supervisory authority's complaint files
Right to remain silent regarding self-incrimination (administrative penalty law)
Settlement possible (Section 257c StPO by analogy) — not official, but common in practice

3. Defence Strategy

Statement: use the 4-6 week deadline, NEVER respond quickly
Engage counsel for fines > EUR 5,000 (fees EUR 4,000-15,000, often cheaper than the fine)
Submit documentation: ROPA, DPAs, DPIA, training records, DPO appointment, TOMs
Implement corrective measures immediately + document them — mitigating under Article 83(2)(c)
Communicate with the supervisory authority — cooperation typically reduces the fine by 30-60 %
Disclose financial circumstances (Article 83(2)(k), take existential threat into account)

4. Fine Assessment under Article 83 GDPR

Severity of the infringement (number of data subjects, special sensitivity, duration)
Intent / negligence
Corrective measures
Cooperation with the supervisory authority
Recurrence of prior infringements
Financial situation

GDPR maximum fines: EUR 20 million or 4 % of worldwide group turnover (whichever is higher). Actual SME median 2025 in Germany: EUR 12,500.

5. Action Against the Fine Notice

Administrative court action (Sections 40 et seq. VwGO):

Appeal period: 1 month from service
Suspensive effect (Section 80(1) VwGO) — fine not immediately enforceable
Administrative court proceedings 12-24 months, appeal possible
Counsel fees administrative court: EUR 4,500-15,000 (from EUR 100,000 amount in dispute)

6. 5 Case Studies from 2024-2026

Case	Infringement	Fine	Reduction through defence
HVV (Hamburg 2024)	Data breach 50k customers	EUR 120,000	Original EUR 350,000 → reduced due to cooperation
Mid-sized IT (Bavaria 2024)	Missing DPO	EUR 15,000	Original EUR 50,000 → DPO appointed subsequently + GDPR audit
Law firm (North Rhine-Westphalia 2025)	ROPA missing, DPAs incomplete	EUR 8,500	Original EUR 30,000 → compliance kit documentation was sufficient
Vodafone (BfDI 2024)	Cookie banner manipulated	EUR 1,300,000	Action pending
Mid-sized payroll provider (Baden-Württemberg 2025)	Data breach notification delayed	EUR 4,500	Original EUR 22,000 → supervisory authority accepted negligent misjudgement

Sources

Regulation (EU) 2016/679 — GDPR (Art. 83) (As of: 2026-05-02)
EDPB Guidelines 04/2022 — Fine Calculation (As of: 2026-05-02)
German Federal Data Protection Act (BDSG) (as of: ongoing)