Data protection complaints

There is no obligation for organisations to deal with data protection complaints and the right of complaint under the UK GDPR is to the Information Commissioner’s Office (ICO). However, the Data (Use and Access) Act 2025 will impose complaint-handling obligations on commercial organisations. In the meantime, guidance and tools published by the ICO make it clear that the ICO will not usually deal with a data protection complaint unless it has first been raised with the organisation to which the complaint relates.

The right to complain

Data subjects have the right to lodge a complaint with the ICO, where they consider their personal data has been processed in a way that breaches the UK GDPR. They can also complain to the ICO via a not-for-profit body, organisation or association. The ICO is required to investigate complaints to the extent appropriate and inform the complainant of the progress and outcome of the investigation within a reasonable period.

There is no corresponding right to make a complaint to the data controller, ie to your organisation. Any complaints process you introduce is therefore voluntary. However, The Data (Use and Access) Act 2025

To view the latest version of this document and thousands of others like it, sign-in with LexisNexis or register for a free trial.

Powered by Lexis+®
Latest Risk & Compliance News
View Risk & Compliance by content type :

Popular documents