What can I complain to the ICO about?

You can complain to the ICO if you are unhappy with the way a media organisation has handled your personal data. We will consider whether or not we think the media organisation has used your data in a way that complies with data protection law.

How do I raise my concern with the ICO?

Before complaining to us, you should normally raise your concerns directly with the media organisation itself and give it an opportunity to put things right. You can find more information on how to do this, including a template letter that can help you, on the “Raising a concern with an organisation” section of our website.

If you cannot resolve your concern with the media organisation directly, you can then make a complaint to us.

What will the ICO do with my complaint?

We will give you our opinion on whether data protection law has been broken. This will be based on the information you give us and, if we believe it’s needed, information we have got from the media organisation.

Do media organisations always have to comply with every aspect of data protection law?

The DPA 2018 contains an exemption from many of the rights and obligations in data protection law when your personal data is being used for the special purposes.

The exemption aims to balance freedom of expression with privacy, which are both fundamental rights. It means that if an organisation is using your personal data for any of the special purposes, some of your rights may be restricted. These rights include:

However, the media organisation still needs to comply with data protection law. It will only be able to rely on the exemption if:

  • it was using your personal data for journalism, with a view to publishing journalistic material
  • it can justify that it reasonably believes the publication of that material would be in the public interest, and
  • it can show that complying with the relevant parts of the GDPR would be incompatible with journalism in your case.

If you believe a media organisation has wrongly refused to respect your rights or comply with its obligations under data protection law, you can raise your concern with the ICO.

What powers of enforcement does the ICO have?

The ICO has powers to take formal enforcement action for breaches of data protection law. The tools we can use include enforcement notices, administrative fines and criminal prosecutions.

A full list of our regulatory activities, including our formal powers of enforcement and how we will use them, can be found in our Regulatory Action Policy.

Given the importance of the public interest in freedom of expression, our ability to use some of our formal regulatory activities is restricted if a media organisation is using personal data solely for the special purposes.

However, subject to those restrictions, we are committed to taking regulatory action against media organisations, just as we would against organisations in other sectors, where this is necessary to ensure compliance with data protection law.

We will always carefully consider the potential impact on freedom of expression before deciding to take any action. Any action we do take will be targeted and proportional.