by kenbaylor 3000 days ago
This is a key reason why there are data protection officers under GDPR. They report to the highest level of management (mostly the board) and are independent. They are also called mini-regulators. They ensure the company is compliant.

If they are not doing their job (and you are not content with their reply), you then appeal to the Data Protection Authority (DPA, the privacy regulator in the country). The DPA has full powers of subpoena (and a whole lot more), and is not to be trifled with.

1 comments

That doesn't help. I'm in a similar position, but I'd like to know which data e.g. Facebook has on me. If they write back "you have no account, we have no data on you", how am I to know that this is true (and it is almost certainly not)? With nothing on hand it doesn't make sense to go to a regulator.
There is a process to be followed. If you have the response from the DPO and a reasonable suspicion based on evidence, you can absolutely go to the DPA. If your evidence is strong, they may proceed on that. If not but there are many other similar complaints, they can formally ask the company to 'clarify' issues... which is a very dangerous thing if you are a company that is evasive.
You have an entity that regularly creates accounts on Facebook, then sends the letters requesting the data Facebook holds for them. For any requests where the reply says those accounts do not exist, that entity brings Facebook to court.