Under the Data (Use and Access) Act 2025, you must have a clear process for receiving, investigating and responding to data protection complaints.
As part of this process, you should
- provide clear ways for people to complain
- tell people about their right to complain
- verify identity and authority where necessary
- train staff to recognise complaints
- maintain effective records
- establish clear complaints procedures
- meet your responsibilities as a data controller or processor
A clear process helps you comply with data protection law and resolve concerns quickly, reducing the risk of escalation to the Information Commissioner’s Office (ICO).
Give people a way to complain
You must allow people to make data protection complaints directly to you. You can offer them different ways to do this. For example, you could
- provide a complaint form (a digital or paper copy)
- accept complaints by email, post, telephone or in person
- provide an online complaints portal
- offer a live chat service with an option to speak to a staff member
You do not need to set up a separate system for receiving complaints. You can adapt an existing complaints process if it enables you to meet your data protection obligations.
People are not required to follow your preferred process. They may complain through any channel, including by contacting employees directly.
You must accept data protection complaints regardless of how they are received.
Complaints on social media
People may use social media to raise data protection concerns. You should plan how you will identify and handle these complaints, and check if the person expects a response. Social media is generally not a secure way to discuss personal information, so ask to move conversations to a secure channel where appropriate.
Complaints from children
Children have the same data protection rights as adults. When responding to complaints from children, you should use clear and age-appropriate language and assess whether the child can understand and exercise their rights.
If your organisation falls within the scope of the Age Appropriate Design Code, you should ensure your complaints process meets the relevant requirements.
Tell people they can complain
You must tell people they can complain to you and to the ICO. You must tell them this
- when collecting personal information, such as in a privacy notice
- when responding to a subject access request (SAR)
You must use clear and accessible language when providing this information, especially if you are addressing a child.
Organisations processing personal data for law enforcement purposes must tell people about their right to complain at key points in the process, unless a restriction applies.
Write a complaints procedure
If you don’t already have one, consider documenting and publishing a complaints procedure. A written complaints procedure helps people understand
- how to complain
- what information they need to provide
- what identification you may require
- how complaints made on behalf of others are handled
- expected timescales
- how outcomes are communicated
Write your complaints procedure in plain English and explain any legal or technical terms. You can publish this information on your website or include it within existing documents, such as your privacy notice.
Verify identity and authority
If you have reasonable doubts about the identity of the person complaining, you may ask for proof of identity. In this case, you should request identification as early as possible, and only request information necessary to confirm identity. If you already have enough information to verify the person’s identity, you must not ask for additional proof.
Where complaints are submitted on behalf of another person (for example, by family members, solicitors or advocacy organisations), you must check that the representative has authority to act before investigating the complaint. Evidence may include a power of attorney or a signed letter of authority. If there is no evidence of authority, you must not investigate the complaint until appropriate authorisation is provided.
Consider other legal obligations
Data protection law may not be the only legal framework that applies when handling complaints. You may also need to consider
- equality and discrimination legislation
- sector-specific requirements
- your own organisational complaint-handling policies
You can integrate data protection complaints into existing complaint processes, provided you continue to meet your data protection obligations and avoid undue delay. If a wider complaint includes a data protection issue, you should provide an outcome on the data protection aspect as soon as possible.
Maintain effective records
You should have a record management system that is accurate, organised, up to date and easy to search. Good record keeping helps you investigate complaints efficiently and provide timely responses.
Train staff to recognise complaints
All staff should understand what a data protection complaint is, how to recognise one, where to direct it internally, and what their role is in the complaints process. You should include complaint handling in your data protection training programme.
Meet your responsibilities as a joint controller or processor
If you are a joint controller, you should have a clear agreement with other controllers that sets out how data protection complaints will be handled. This should include how complaints are received, who investigates them, who communicates with complainants and how response times will be managed. The response period begins when any controller receives the complaint.
If you use processors, your contracts should ensure they notify you of any complaints they receive, provide information needed to support investigations and assist you in meeting your obligations. The controller remains responsible for handling data protection complaints.
If you need to share information with another controller or joint controller to investigate a complaint, you should take into account the data sharing code of practice.



