Q&As

Is there a time limit for individuals to make a complaint to the Information Commissioner’s Office about a company that they suspect has breached the General Data Protection Regulation?

read titleRead full title
Copyright © 2025 LexisNexis
Produced in partnership with Jon Baines of Mishcon de Reya
Published on: 19 August 2019
imgtext

The Data protection laws in the UK consist primarily of the General Data Protection Regulation, Regulation (EU) 2016/679 (the GDPR) and certain related sections of the Data Protection Act 2018 (DPA 2018). DPA 2018 provides certain detailed provisions relating to how the GDPR regime applies in the UK. For more information, see Practice Note: The Data Protection Act 2018.

For the purposes of this Q&A, we have not considered the question of what time limits may apply to judicial remedies that may be sought by data subjects (see for example Article 79 and also Article 82(6) of the GDPR). This response also does not relate to the potential prosecution by the Information Commissioner’s Office (ICO) of criminal offences under DPA 2018. For further guidance on such criminal offences, including their enforcement by the ICO, see Practice Note: Offences under the Data Protection Act 2018.

For guidance

Jon Baines
Jon Baines

Mishcon de Reya

An information rights professional with 15 years' experience practising in and advising on data protection, privacy and freedom of information matters. Chair of National Association of Data Protection and Freedom of Information Officers ("NADPO"). Formerly Data Protection Officer at Network Rail. Advises clients on data protection compliance, rights and obligations, as well as the making of, responding to or asserting rights relating to freedom of information requests.

Read moreRead more
Powered by Lexis+®
Jurisdiction(s):
United Kingdom
Related legal acts:
Key definition:
Information Commissioner definition
What does Information Commissioner mean?

The Information commissioner’s Office (ico) is UK's regulator for data protection, and regulates freedom of information and environmental matters, except in Scotland, which has its own freedom of information commissioner. It maintains a register of data controllers.

Read more readmore

Popular documents

Profiling and automated decision-making

Profiling and automated decision-makingSTOP PRESS—Impact of the Retained EU Law (Revocation and Reform) Act 2023: This document contains references to retained EU law (REUL) and associated terms introduced by the European Union (Withdrawal) Act 2018 in connection with Brexit. From 1 January 2024,

Is someone’s voice personal identifiable information under GDPR? If someone is to do a voice over for

Is someone’s voice personal identifiable information under GDPR? If someone is to do a voice over for content of some training for a business, would a consent form be needed?Is someone’s voice personal identifiable information under GDPR?A voice recording is likely, in almost all circumstances, to

Scotland—the process for applying for sequestration

Scotland—the process for applying for sequestrationSequestration in Scotland is the legal process by which an insolvent debtor’s estate is gathered in, realised and then distributed among their creditors by a trustee appointed for that purpose. The process requires that a formal award of

What is the difference between an appeal and a review?

What is the difference between an appeal and a review?What is an appeal?An appeal in insolvency proceedings is no different to an appeal in normal litigation. An appeal will be allowed only if the appeal court is satisfied that the decision of the lower court was 'wrong' or 'unjust because of a