Data protection complaints

Copyright © 2025 LexisNexis

There is no requirement in the UK GDPR for organisations to deal with data protection complaints. The only complaint-handling obligations fall on the ICO. However, the ICO obviously considers it good practice for organisations to have complaints procedures, as it provides guidance on handling data protection complaints, including providing a data protection complaints process. The ICO’s Data protection complaints tool for data subjects indicates that the ICO will generally not deal with a complaint unless:

  1. it has first been made to the relevant organisation, and

  2. 30 days has elapsed since the complaint was made

The right to complain

Data subjects have the right to lodge a complaint with the ICO, where they consider their personal data has been processed in a way that breaches the UK GDPR. They can also complain to the ICO via a not-for-profit body, organisation or association. The ICO is required to investigate complaints to the extent appropriate and inform the complainant of the progress and outcome of the investigation within a reasonable period.

There is no corresponding right to make a complaint to the data controller, ie to your organisation.

To view the latest version of this document and thousands of others like it, sign-in with LexisNexis or register for a free trial.

Existing user? Sign-in TAKE A FREE TRIAL
Powered by Lexis+®
Latest Risk & Compliance News

Failure to prevent fraud—an effective means to combat corporate crime?

Corporate Crime analysis: While previous failure to prevent offences—bribery and tax evasion—have resulted in few prosecutions so far, they have arguably influenced a corporate compliance culture in the UK. In this third and last part of our series on the corporate offence of failure to prevent fraud, Aziz Rahman of Rahman Ravelli assesses the effectiveness of failure to prevent offences in holding corporate bodies to account for economic crime. With the offence of failure to prevent fraud having come into effect on 1 September 2025, there has been discussion about the compliance challenges it will pose for companies and how effective it will be in tackling corporate fraud.

Home Office announces implementation of corporate 'failure to prevent fraud' offence

The Home Office has announced that the new corporate criminal offence of 'failure to prevent fraud' has come into effect. Introduced under the Economic Crime and Corporate Transparency Act 2023 (ECCTA 2023), the law makes large organisations criminally liable if employees or associates commit fraud for corporate benefit. Organisations must prove reasonable prevention measures were in place to defend against prosecution.

JMLSG Guidance updates approved by HM Treasury

HM Treasury has approved updates to the Joint Money Laundering Steering Group (JMLSG) Guidance. The approved changes affect the following paragraphs of Part 1: 5.3.97A, 5.3.99, 5.3.138A, 5.3.138B, 5.6.36-5.6.38 and 2.16-2.24.

FATF publishes toolkit and guidance to support national money laundering risk assessments

The Financial Action Task Force (FATF) has published a Money Laundering (ML) National Risk Assessment (NRA) toolkit to help jurisdictions identify and address ML risks. The toolkit is accompanied by four thematic quick guides and a set of annexes (Annexes A–C), which provide practical tools and cross-country insights. The materials cover corruption, virtual assets, legal persons and the informal economy, and include methodologies developed by the World Bank, International Monetary Fund (IMF) and Council of Europe (CoE). The toolkit is designed to support a risk-based approach to anti-money laundering (AML) in line with Recommendation 1 of the FATF Standards. The toolkit and guides are designed to be flexible and may be used for full NRAs, sectoral or thematic assessments, or to support broader AML strategy development.

View Risk & Compliance by content type :
News
Practice notes
Precedents
Q&As

Popular documents

Can a limited company make a subject access request? Can a director of a limited company ask for

Can a limited company make a subject access request? Can a director of a limited company ask for recordings of calls with us? If yes, what personal data must we provide?This Q&A draws on the Information Commissioner’s Office’s (ICO’s) guidance on business-to-business marketing, which may or may

Priority between loss reliefs in loss making companies

Priority between loss reliefs in loss making companiesWhy does it matter?A company that is a member of a group and has incurred any of the types of losses available for surrender by way of group relief may, without any further rules, have more than one way in which to use the loss. There are a

What is the difference between an appeal and a review?

What is the difference between an appeal and a review?What is an appeal?An appeal in insolvency proceedings is no different to an appeal in normal litigation. An appeal will be allowed only if the appeal court is satisfied that the decision of the lower court was 'wrong' or 'unjust because of a

Contributory negligence in personal injury claims

Contributory negligence in personal injury claimsContributory negligence is a partial defence which can lead to a discount in damages.Other defences may also be relevant. See Practice Notes: Did the claimant consent to the risk of injury? and Was the claimant involved in an illegal activity?If a
Can a limited company make a subject access request? Can a director of a limited company ask for

Can a limited company make a subject access request? Can a director of a limited company ask for

Can a limited company make a subject access request? Can a director of a limited company ask for recordings of calls with us? If yes, what personal data must we provide?This Q&A draws on the Information Commissioner’s Office’s (ICO’s) guidance on business-to-business marketing, which may or may

Priority between loss reliefs in loss making companies

Priority between loss reliefs in loss making companies

Priority between loss reliefs in loss making companiesWhy does it matter?A company that is a member of a group and has incurred any of the types of losses available for surrender by way of group relief may, without any further rules, have more than one way in which to use the loss. There are a

What is the difference between an appeal and a review?

What is the difference between an appeal and a review?

What is the difference between an appeal and a review?What is an appeal?An appeal in insolvency proceedings is no different to an appeal in normal litigation. An appeal will be allowed only if the appeal court is satisfied that the decision of the lower court was 'wrong' or 'unjust because of a

Contributory negligence in personal injury claims

Contributory negligence in personal injury claims

Contributory negligence in personal injury claimsContributory negligence is a partial defence which can lead to a discount in damages.Other defences may also be relevant. See Practice Notes: Did the claimant consent to the risk of injury? and Was the claimant involved in an illegal activity?If a