wordpress blog stats
Connect with us

Hi, what are you looking for?

When should a complaint be escalated to a data protection authority? #PrivacyNama2021

Chief privacy officers and data protection authorities often work closely together, so what exactly happens when there’s a privacy complaint?

“Our rule states that before you complain to the Data Protection Authority (DPA), complain first with the Data Protection Officer (DPO), complain first with the company. If you cannot resolve it that way, then is the time to elevate it to your DPA. This is again a prime example of how we can maximise resources and how we can train or build capacity reinforcement,” said Raymund Liboro, the Chairman of Philippines’ National Privacy Commission at PrivacyNama 2021, a global conference on privacy regulations held by MediaNama on October 6 and 7.

Liboro’s remarks give insight into the relationship between a company’s chief privacy officer (CPO) and a data protection authority (DPA). Liboro was accompanied in this conversation with Marit Hansen, State Data Protection Commissioner of Land Schleswig-Holstein, and Teki Akuetteh Falconer, the former Executive Director of Ghana’s Data Protection Commission.

In another panel discussion, Justin Weiss, the Global Head of Data Privacy at Naspers Group, Chief Privacy Officer at Match Group Idriss Kechida, and Chief Privacy Officer at Infosys Srinivas Poosarla, expanded on the relationship between a CPO and DPA, as well as how and when a complaint is escalated.

The connection between DPA and CPO is like ‘economy of scale’

Weiss described the relation between a CPO and DPA as that of an economy of scale, wherein there is a distributed model for dealing with complaints. “Only those complaints that lead to an escalation, or a conflict or something that can’t be resolved, get referred to the real data protection authority in the government. So that’s that part of the model,” Weiss said.

When India gets get a data protection law, and assigns personnel to find data breaches, you may have internal reports that say there were 5000 incidents in one day. Well wait a minute, maybe not! There’s minor incidents, there’s major incidents, there’s low risk issues, there’s high risk issues, there’s a spectrum. Now, we could report thousands of incidents to the centralised government authority, or we could ask a trained data protection officer or a security officer or chief privacy officer to assess the nature of incidents that occur. And escalate and refer and report, only those that are material, or cross a certain materiality threshold — Weiss

Support MediaNama’s endeavor to enable meaningful conversations around technology policy. Subscribe here.

The connection should not be seen as ‘shifting of burden’

Chief Privacy Officer at Match Group Idriss Kechida said that the economy of scale model that is in place for handling privacy complaints in countries with data protection laws, and other relevant structures, should not be seen as a way of data protection authorities ‘trying to shift the burden’ of handling complaints on chief privacy officer.

Advertisement. Scroll to continue reading.

Kechida said that issues such as access requests and deletion requests should be dealt at the company level. “The view of the DPA is, if those are handled properly nothing should come back to us. So when they receive something, they’re coming back to us saying well apparently you have some more work to do because that person is not satisfied with the answer that they received. And I think it makes total sense, it’s not, you know, shifting anyone’s burden. ”

Be so effective that customers don’t feel the need to approach DPA

Infosys’ chief privacy officer Srinivas Poosarla said that one needs to prioritise serious from friviolous complaints, and handle them in a way that customers do not feel the need to approach a DPA.

“The effectiveness lies in listening to these requests properly and leaving aside the frivolous request. You have to take it as an opportunity for improvement, correct yourself. If you don’t, these same people will go to the data protection authority. If I am in Spain, my aim is to ensure that people don’t go to DPA of Spain; they should come to me. If only I am not able to satisfy them they will go to the DPA and that’s my failure,” Poosarla said.

MediaNama hosted this event with support from Facebook, Flipkart, Internet Society, Mozilla, Mobile Premier League, Omidyar Network, Paytm, Star India, and Xiaomi. We are also thankful to our community partners – the CyberBRICS Project, the Centre for Internet and Society, and the Centre for Communication Governance (NLU Delhi).

Comments from panelists have been lightly edited for clarity and brevity. 

Also read:

Advertisement. Scroll to continue reading.
  • How To Be A Chief Privacy Officer – #PrivacyNama2021
  • What Makes An Effective Data Protection Authority Tick? #PrivacyNama2021
  • What To Do With Violators Of Privacy Laws? #PrivacyNama2021

Have something to add? Subscribe to MediaNama here and post your comment. 

Written By

Among other subjects, I cover the increasing usage of emerging technologies, especially for surveillance in India

Free Reads


Vaishnaw's remarks come a day after Google removed apps belonging to Matrimony.com, Info Edge (Naukri and 99 Acres), Shaadi.com, Altt, Truly Madly, Stage, Quack...


Paytm has started distancing itself from PPBL in light of the current negative spotlight on PPBL.


The move can be seen as an attempt by Paytm to distance itself from the troubled Paytm Payments Bank, which has been significantly restricted...

MediaNama’s mission is to help build a digital ecosystem which is open, fair, global and competitive.



NPCI CEO Dilip Asbe recently said that what is not written in regulations is a no-go for fintech entities. But following this advice could...


Notably, Indus Appstore will allow app developers to use third-party billing systems for in-app billing without having to pay any commission to Indus, a...


The existing commission-based model, which companies like Uber and Ola have used for a long time and still stick to, has received criticism from...


Factors like Indus not charging developers any commission for in-app payments and antitrust orders issued by India's competition regulator against Google could contribute to...


Is open-sourcing of AI, and the use cases that come with it, a good starting point to discuss the responsibility and liability of AI?...

You May Also Like


Google has released a Google Travel Trends Report which states that branded budget hotel search queries grew 179% year over year (YOY) in India, in...


135 job openings in over 60 companies are listed at our free Digital and Mobile Job Board: If you’re looking for a job, or...


By Aroon Deep and Aditya Chunduru You’re reading it here first: Twitter has complied with government requests to censor 52 tweets that mostly criticised...


Rajesh Kumar* doesn’t have many enemies in life. But, Uber, for which he drives a cab everyday, is starting to look like one, he...

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ

Subscribe to our daily newsletter
Your email address:*
Please enter all required fields Click to hide
Correct invalid entries Click to hide

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ