Complaints guidance for organisations

We are currently consulting on this draft guidance - our consultation is open until 11:59pm on 19 October 2025.

How to deal with data protection complaints

You must have a process for handling data protection complaints within your organisation.

Data protection complaints can come from anyone who’s unhappy with how you’ve handled their personal information. For example, they may come from people who:

  • are unhappy with your response to their subject access request (SAR), or other rights request;
  • have been impacted by a data breach, regardless of whether it’s reportable to us; or
  • are unhappy about the way you’ve used their personal information (eg where you’ve stored it, how long you’ve kept it for, or its accuracy).

Read this guide to ensure you are familiar with what you must, should and could do.

How to use this guidance

To help you to understand the law and good practice as clearly as possible, this guidance says what organisations must, should, and could do to comply.

Legislative or legal requirements

Must refers to:

  • legislative requirements within our remit; or
  • established case law (for the laws that we regulate) that's binding.

Good practice

Should doesn't refer to a legislative requirement, but what we expect you to do to comply effectively with the law. We expect you to do this unless there's a good reason not to. If you choose to take a different approach, you need to be able to demonstrate that this approach also complies with the law.

Could refers to an option or example that you may consider to help you to comply effectively. There are likely to be various other ways for you to comply.

This approach only applies where indicated in our guidance. We will update other guidance in due course.

At a glance 

Data protection law says you must:

  • give people a way of making data protection complaints to you;
  • acknowledge receipt of complaints within 30 days of receiving them;
  • without undue delay, take appropriate steps to respond to complaints, including making appropriate enquiries, and keep people informed; and
  • without undue delay, tell people the outcome of their complaints.

In brief

How do we prepare to receive data protection complaints?

Give people a way to complain to you

You must give people a way to make data protection complaints directly to you. You could do this by taking the following actions:

  • provide a complaint form that people can submit to you either electronically or in writing (eg by email or post);
  • allow people to make a complaint over the phone;
  • provide an online complaints portal;
  • have a livechat function with the option to escalate to a human if needed; or
  • give people a way to make complaints to you in person (eg if you don’t have an online presence).

Having a process for dealing with data protection complaints helps you to be accountable and can improve dialogue between you and the people who wish to make a complaint. It can help build trust around how you’ll handle their information and lead to fewer complaints about you to us.

Complaints from, or on behalf of, children

If you receive complaints from children, or on their behalf, you should also ensure that you address children in plain, clear language that they can understand. You should consider this at all stages of the process.

Children have the same rights as adults over their personal information. However, they may be less aware of the risks, consequences and safeguards.

You must assess the capacity of the child to understand and exercise their rights. (For more information, see the section When may a child exercise their rights? in our children and the UK GDPR guidance.)

You may receive complaints on behalf of a child, for example from a parent, another adult, or a representative such as a child advocacy service, charity or solicitor. (For more information about what you’ll need to consider, see our guidance When may a parent exercise these rights on behalf of a child.) 

If your organisation falls in scope of the Age appropriate design code, you should:

  • provide mechanisms to help children exercise their rights or make complaints;
  • have mechanisms for children to indicate that they think their complaint or request is urgent and why;
  • actively consider any information they provide about this and prioritise accordingly; and
  • have procedures in place to take swift action where they provide information indicating there is an ongoing safeguarding issue.

What else do we need to consider?

Write a complaints procedure

If you don’t already have one, you should write a complaints procedure. Having a written procedure makes it easy for people to know how to make complaints to you directly, which can lead to fewer complaints to us.

You should publish this on your website or provide it to people at the earliest opportunity. 

You should include information about how people can make data protection complaints and what they can expect from your process. For example, tell them that you’ll acknowledge their complaint within 30 days, keep them informed of progress and explain the outcome.

You should use plain language rather than jargon or legal terms.

Develop a system for asking for more information

If you need evidence or supporting information, reference numbers, or proof of ID, you could include information about this in your complaints procedure. You should also make sure you ask for it at the earliest opportunity. You must be reasonable and proportionate about what you ask for. You must not request more information if the requester’s identity is obvious to you.

If someone (eg a family member or solicitor) makes a complaint on behalf of another person, you must check they're authorised to act on the complainant's behalf. The form of evidence you are required to check depends on the circumstances of each request, but some examples are: 

  • power of attorney; or
  • signed letter of authority from the person they are acting on behalf of.

If there is no evidence that a third party is authorised to act on someone’s behalf, you are not required to investigate the complaint. However, you should still respond to them explaining this.

Consider if there are other legal frameworks to comply with

This guidance relates to data protection law. There are other legal frameworks and obligations that you may have to consider when handling complaints, such as the Equality Act 2010.

Check your record keeping system is fit for purpose

You should make sure you have a system for keeping your records up-to-date which is clearly organised and labelled. This will help you find all the information you need quickly and effectively.

Train your staff about data protection complaints

You should ensure your staff can recognise a data protection complaint and know what to do if they receive one. This includes knowing where to direct the complaint to within your organisation. You should include information about handling data protection complaints in any internal data protection training you give to your staff.

What do we do when we receive a complaint?

Acknowledge the complaint

You must acknowledge receipt of the complaint within 30 days to let the complainant know you’re looking into it.

You can respond in different ways depending on how you receive the complaint:

  • If you receive a complaint verbally (eg over the phone or face-to-face), you should make a record of this. You could follow this up in writing within 30 days.
  • If you receive a complaint electronically (eg through email or live chat), you could use an automatic response. If you receive it through social media, you should ask for an alternative contact method as this may not be a secure way to send personal information.
  • If you receive a complaint in writing (eg by post), you could send an acknowledgement letter.

Having a record of your acknowledgement can help you show that you’ve met your obligations within the 30 day timeframe.

There are two important things to know about the timeframe:

  • The 30 days starts the day after you receive the complaint. It doesn’t matter if this day falls on a weekend or a public holiday. The 30 days still starts on this day.
  • If the last day to acknowledge the complaint falls on a weekend or public holiday, you have until the next working day to provide an acknowledgement.

Example

You receive a data protection complaint at 19:00 on Thursday 5 June. The 30 days doesn’t begin until 00:01 on Friday 6 June. This means 30 days ends at 23:59 on Saturday 5 July. However, as this falls on a weekend, you have until 23:59 on Monday 7 July to acknowledge the complaint.

If you have staff absence for certain periods of the year (eg school holidays or sickness), you must ensure you have arrangements for continuing to handle data protection complaints during these times.

Investigate the complaint

You must make enquiries into the complaint without undue delay. This means as soon as possible. You must make an appropriate level of enquiries and be able to justify why you handled a complaint in the way you did.

You should start by gathering as much information as you need, including:

  • look at all the relevant facts thoroughly, fairly and accurately;
  • speak to relevant members of staff;
  • compare the information from the complaint with the information you hold; and
  • check you’ve upheld your own terms, policies and standards.

If you aren't sure what the complaint is about, you should ask the person making it for more information as quickly as possible. This helps you identify which enquiries you need to make. You could also ask what outcome they’re looking for. For example, do they want you to alter a decision you’ve made, apologise for a mistake, or change your processes? This may help you narrow the scope of your investigation and resolve the complaint quickly.

You must keep the person making the complaint updated on the progress of the investigation without undue delay. If the investigation is likely to take some time, follow up on your initial response so they know you’re working to resolve the issue. You could provide them with a date for when you expect to finish your investigation and a point of contact if they have questions. Having an open dialogue can build trust and lead to people making fewer complaints to us before you’ve had the opportunity to put things right.

Further reading

For more guidance to check you’ve complied with the law, see our resources - UK GDPR guidance and resources

Record your actions

You should keep a record of:

  • the date you received the data protection complaint;
  • your acknowledgement;
  • any relevant conversations and documents;
  • the outcome of the complaint; and
  • any actions you took as a result of your investigation.

This provides evidence of what you’ve done. We, or industry bodies, may ask to see this if a complaint is made about you in the future. 

You must not keep personal information for longer than you need it.

What do we do after we’ve finished our investigation?

Provide an outcome to the complaint

Having completed your investigation, you must let the complainant know the outcome, without undue delay. This means as soon as possible. You must be able to justify why you handled a complaint in the way you did.

You should clearly explain what you’ve done to resolve their data protection complaint and, where appropriate, any actions you’ve taken as a result. Include enough information to help the complainant understand how you’ve reached your conclusion. It can be useful to itemise the complaint areas in a bullet point list, responding to each point and providing appropriate evidence, where possible.

If the complainant is unhappy with your outcome, you should let them know they have the right to complain to us and provide them with our contact details.

Further reading

For more information about how people can make a complaint to us about how you’ve used their personal information, and for our contact details, see Make a complaint about how an organisation has used your personal information.

Review the lessons learned

Once you’ve provided an outcome, you should review what happened. Consider if there’s anything you can learn or improve on to prevent future complaints. Recording this information may help you to identify trends or areas to improve.

How does the ICO deal with complaints?

If someone tells you they’re raising a complaint with us, there’s no need for you to tell us. We’ll be in touch if we need more information from you.

In most cases, if someone complains to us about the way you’ve handled their personal information, we’ll ask them to raise a complaint with you first.