Report misuse of your personal data — by country

If a company has shared, leaked or misused your personal data — or won't act on a request to access or delete it — these are the official data-protection and telecom regulators that take complaints.

First send the company a written request to access, correct or delete your data and give it a deadline; most laws (GDPR in the UK and Ireland, and the newer Gulf and South Asian data-protection laws) only let the regulator step in once the company has failed to respond. For intimate-image abuse, use StopNCII.org (18+) or Take It Down (under-18) in parallel with the regulator.

CountryOfficial bodyCallOnline
United StatesFTC / State Privacy AgenciesThe US has no single federal privacy law; the FTC pursues deceptive data practices, and state laws (e.g., California's CCPA/CPRA, enforced by the CPPA) give access and deletion rights.Legal basis: FTC Act; state privacy laws (CCPA/CPRA and others)www.ftc.gov
Saudi ArabiaSDAIA — National Data Management OfficeThe regulator for Saudi Arabia's Personal Data Protection Law — complaints about misuse, sharing or a breach of your personal data.Legal basis: Personal Data Protection Law (Royal Decree M/19, 2021)sdaia.gov.sa/en
QatarCommunications Regulatory Authority (CRA)Telecom complaints, SIM/spam issues, and the National Data Privacy Office under the PDPPL (Law 13/2016) for misuse of your personal data.Legal basis: Personal Data Privacy Protection Law (Law 13/2016)www.cra.gov.qa/en
BahrainPersonal Data Protection Authority (PDPA)Complaints about misuse of your personal data under the Personal Data Protection Law (Law 30/2018) — unauthorised collection, sharing or processing.Legal basis: Personal Data Protection Law (Law 30/2018)www.pdp.gov.bh/en
KuwaitCITRATelecom complaints and the data-privacy regulations (Resolution 26/2024) covering misuse of personal data by online and telecom services.Legal basis: CITRA Data Privacy Protection Regulation (Resolution 26/2024)citra.gov.kw/sites/en
OmanMinistry of Transport, Communications & ITRegulator for Oman's Personal Data Protection Law (Royal Decree 6/2022) — file here if a company collects, shares, or misuses your personal data without consent. Its OCERT team is the national cyber-incident response body for phishing and security threats.Legal basis: Personal Data Protection Law (Royal Decree 6/2022)mtcit.gov.om
PakistanPTAComplaint Management System for SIM, spam, and harmful online-content issues, and the channel to request takedown of unlawful content.Legal basis: Prevention of Electronic Crimes Act 2016 and the Telecommunication Act 1996www.pta.gov.pk
BangladeshBTRCTelecom regulator — SIM, call-drop, spam and online-content complaints, and content-takedown requests.Legal basis: Bangladesh Telecommunication Regulation Act 2001btrc.gov.bd
United KingdomICOComplaints about misuse of your personal data, data breaches, and refused subject-access requests under UK GDPR.Legal basis: UK GDPR and the Data Protection Act 2018ico.org.uk/make-a-complaint
IrelandData Protection Commission (DPC)Complaints about misuse of your personal data under GDPR — unlawful processing, breaches, and refused access requests.Legal basis: GDPR and the Data Protection Act 2018www.dataprotection.ie
FranceCNILComplaints about misuse of your personal data — unlawful processing, refused access or erasure, marketing spam — under GDPR and the French Data Protection Act.Legal basis: GDPR and Loi Informatique et Libertés (Loi 78-17)www.cnil.fr
GermanyBfDIFederal data-protection authority for telecoms, postal and federal bodies; complaints about a private company go to your Bundesland's own data-protection authority.Legal basis: GDPR and the Bundesdatenschutzgesetz (BDSG)www.bfdi.bund.de
SingaporePDPCComplaints about misuse of your personal data, and the Do Not Call registry for unwanted marketing, under the PDPA.Legal basis: Personal Data Protection Act 2012www.pdpc.gov.sg
DenmarkDatatilsynetComplaints about misuse of your personal data — unlawful processing, breaches, refused access or erasure — under GDPR and the Danish Data Protection Act.Legal basis: GDPR and Databeskyttelseslovenwww.datatilsynet.dk
IcelandPersónuverndComplaints about misuse of your personal data under GDPR (as implemented in Iceland) — unlawful processing, breaches, refused access.Legal basis: Act 90/2018 (implementing GDPR)www.personuvernd.is
CanadaOffice of the Privacy Commissioner (OPC)Complaints about how private companies handle your personal data under PIPEDA; Quebec (CAI, Law 25), BC and Alberta have their own commissioners.Legal basis: PIPEDA and the Privacy Actwww.priv.gc.ca
AustraliaOAICComplaints about how organisations handle your personal data — breaches, misuse, refused access — under the Privacy Act.Legal basis: Privacy Act 1988www.oaic.gov.au
New ZealandOffice of the Privacy CommissionerComplaints about how an agency handles your personal information — refused access, misuse, breaches — under the Privacy Act.Legal basis: Privacy Act 2020www.privacy.org.nz

Each entry links to the official body and shows the date we last verified it. This is legal information, not advice, and we don't take payment to list anyone. See the full country directories for every channel, not just the headline one.

You came here to know your rights — help someone else know theirs.

Support This Mission