How do we prepare to handle data protection complaints?

Prepare for how you’ll receive and check complaints

Give people a way to complain to you

You must give people a way to make data protection complaints directly to you. How you do this is up to you, but you could take one of the following actions:

  • provide a complaint form that people can submit to you either electronically or in writing (eg by email or post);
  • provide an email address for people to submit complaints to;
  • allow people to make complaints over the phone;
  • provide an online complaints portal;
  • have a live chat function with the option to escalate to a human if needed; or
  • give people a way to make complaints to you in person (eg if you don’t have an online presence).

You’re not required to set up a separate tool for receiving complaints, as long as you can still meet your obligations. You may already have an existing complaint tool that isn’t data protection specific but you can adapt it to include data protection complaints. 

Whether you set up a new tool or adapt an existing one, having a set process for dealing with data protection complaints helps you to be accountable and can improve the dialogue between you and the people who wish to make a complaint. It can help build trust around how you’ll handle their information and lead to fewer complaints about you to us.

Although you can invite people to use your set process, there’s no obligation for them to do this. People can complain in any way they choose, including through other channels. For example, they may contact any of your employees, or any part of your organisation.

However you receive a complaint, you must accept it.

Consider how you’ll handle complaints through social media

People can make a complaint through social media where you have an online presence. You should: 

  • make sure you consider how you’ll handle these complaints; 
  • take a sensible approach to identifying complaints you receive through social media; and
  • consider if someone is intending to make a complaint and expecting you to respond. 

In general, responding on social media is not a secure way of providing information. You should ask for an alternative contact method instead.

Consider how you’ll handle complaints from children

Children have the same rights over their personal information as adults. However, children merit specific protection as they may be less aware of: 

  • the risks and consequences of the processing; and 
  • their rights when you process their personal information.

If you receive complaints from children, you should respond in plain, clear language they can understand. You should consider this at all stages of the complaints process, alongside your obligations to consider data protection by design.

You must assess the competence of the child to understand and exercise their rights. In most cases, if you’ve already recently assessed the child’s competence as part of an initial information rights request, you won’t need to do this again. (For more information, see the section ‘When may a child exercise their rights?’ in our children and the UK GDPR guidance.)

If your organisation falls in scope of the age appropriate design code, you should ensure you’re familiar with the requirements around handling complaints from children in standard 15 of our code. 

This means you should:

  • provide mechanisms to help children exercise their rights or make complaints;
  • have mechanisms for children to indicate that they think their complaint or request is urgent and why;
  • actively consider any information they provide about this and prioritise accordingly; and
  • have procedures in place to take swift action where they provide information indicating there is an ongoing safeguarding issue.

Tell people they can complain

You must tell people they can complain to you, as well as to us:

  • at the point you collect their personal information (eg by displaying this in your privacy notice). You must use clear and plain language, particularly if you’re addressing a child; and
  • when you respond to a subject access request.

If you’re processing information for law enforcement purposes, there are various points when you must tell people they can complain, unless a restriction applies:

  • as part of your general duty to inform people about their right to complain (eg by displaying this in your privacy notice);
  • when restricting the information you provide to people in connection with their right to be informed;
  • when responding to a subject access request (SAR);
  • when refusing a rectification, erasure or restriction request; and
  • when withholding information in response to a SAR, or the right to be informed, that is protected by legal professional privilege.

Consider writing a complaints procedure

If you don’t already have one, you could also write a complaints procedure. Having a written procedure makes it easy for people to know how to make complaints to you directly. This helps you meet your obligation to give people a way to complain, and can lead to fewer complaints about you to us.

You could publish this on your website or provide it to people at the earliest opportunity. 

You could include information about how people can make data protection complaints to you and what they can expect from your process. For example:

  • the method you’ve set to receive complaints (don’t forget, people can submit complaints using different methods);
  • what evidence or supporting information you need to investigate complaints;
  • what proof of ID you accept;
  • what type of proof of authority you accept, if people complain on behalf of others; and
  • that you acknowledge complaints within 30 days, keep people informed of progress, and explain the outcome.

You may already have published information on how to complain about other matters. You could adapt existing written procedures, such as your privacy notice, to include information on how people can make data protection complaints.

You should use plain language and explain any jargon or legal terms.

You may also write internal procedures for staff, but you’re not expected to publish these externally. You may wish to include how you’ll manage complaints received through other channels.

Confirm the complainant’s identity

If you have any doubts about the complainant’s identity, you may need to ask them for proof of ID before you respond. You should make sure you ask for it at the earliest opportunity. If you have sufficient information to be satisfied about the requester’s identity, you must not request more information.

Verify the authority of people making complaints on behalf of others

Someone may make a complaint on behalf of another person (eg a family member, solicitor, child advocacy service, or other relevant not-for-profit organisation). If so, you must check they’re authorised to act on the other person’s behalf. The form of evidence you may need depends on the circumstances, but some examples are: 

  • an appropriate power of attorney; or
  • a signed letter of authority from the person they are acting on behalf of.

You may already have sufficient procedures for verifying the authority of third parties (eg for information rights requests). It’s likely you can apply the same checks when you handle data protection complaints submitted on behalf of others.

If you’re unsure whether a letter of authority is valid, you could consider contacting the complainant about your concerns.

If you have no evidence that a third party is authorised to act on someone’s behalf, you must not investigate the complaint until you receive the appropriate authority. 

Consider if there are other legal frameworks and obligations to comply with

This guidance relates to data protection law. There are other legal frameworks and obligations you may have to consider when you handle complaints, such as equality and discrimination legislation.

You may have existing processes, guidance, or frameworks that set out how you handle complaints effectively. They may include specific timeframes and other rules or advice. There’s no obligation to produce a separate or standalone process for data protection complaints. You can integrate data protection complaints into your existing processes, as long as you can continue to meet your data protection obligations. This includes your obligation to investigate and provide an outcome without an ‘undue delay’.

There may be instances where you’re responding to a data protection complaint as part of a wider complaint about other issues. If you can provide an outcome to the data protection complaint sooner than you can provide an outcome to the other issues, you must do this. Waiting to deal with all the issues at once without justification could cause an undue delay.

Check your record keeping system is fit for purpose

You should have a system for keeping your records up to date, clearly organised, and labelled. This will help you find all the information you need quickly and effectively.

Train your staff about data protection complaints

It’s up to you to decide who is best placed in your organisation to handle data protection complaints.

You should ensure all staff can recognise a data protection complaint and know what to do if they receive one. This includes knowing where to direct the complaint to within your organisation. You should include information about handling data protection complaints in any internal data protection training you give to your staff.

Meet your obligations as joint controllers and processors

If you’re a joint controller, you should have a transparent arrangement in place with the other joint controller(s) to set out how you’ll handle complaints. The timescale begins as soon as the complaint is received by any of the controllers, so it’s important everyone’s clear on what they need to do. You’ll need to consider things such as:

  • whether to have a central point of contact for people to submit complaints;
  • how to tell people where to submit complaints;
  • who is responsible for coordinating the investigation; and
  • who is responsible for liaising with the complainant.

If you need to share information with another controller or joint controller to investigate a complaint, you should take into account the Data sharing code of practice. 

Controllers are responsible for complying with the complaint obligations. If you use processors, you should have an agreement in place about how you handle complaints, whether they’re sent to you or the processor. The processor should:

  • help you meet your obligations to investigate; 
  • send complaints to you; and 
  • allow you to obtain the necessary information from them to handle a complaint.

The processor could help with the administration of complaints, but the obligation to handle the complaint remains with you as the controller.