Skip to main content

How to make a data protection complaint to an organisation

You have the right to complain to an organisation if you think it has not handled personal information responsibly and in line with good practice.

When can I complain to an organisation?

You can complain to an organisation about how it is handling yours or other people's information; if it:

  • has not properly responded to your request for your personal information;
  • is not keeping information secure;
  • holds inaccurate information about you;
  • has disclosed information about you;
  • is keeping information about you for longer than is necessary;
  • has collected information for one reason and is using it for something else; or
  • has not upheld any of your data protection rights.

How do I complain to an organisation?

1. Complain directly to the organisation involved

You should give the organisation you’re unhappy with a chance to sort things out before bringing your complaint to us. Many data protection complaints can be resolved quickly and easily with the organisation. 

You can use this template to email or write to the organisation. Include full details of your concern at the beginning. If the organisation responds but it appears they have misunderstood you, or not given a full response, you should let them know.

Include all relevant details in your letter or email, such as account or patient numbers to help the organisation identify you. Send copies of all the key documents you have to evidence your complaint. Don’t send the originals as you might need them later. Don’t include additional documentation ‘just in case’.

Check the organisation’s website or give them a call to make sure you have the right address.

 [Your full address]
 [Your phone number]
 [The date]

 

[Name and address of the organisation]
[Reference number (if provided within the initial response)]

Dear [Sir or Madam / name of the person you have been in contact with]

Data Protection Complaint
[Your full name and address and any other details such as account number to help identify you]

I am concerned that you have not handled personal information properly.

[Give details of your complaint, explaining clearly and simply what has happened and, where appropriate, the effect it has had on you.]

I understand that before reporting my complaint to the Information Commissioner’s Office (ICO) I should give you the chance to deal with it.

If, when I receive your response, I would still like to report my complaint to the ICO, I will give them a copy of it to consider.

You can find guidance on your obligations under information rights legislation on the ICO’s website (www.ico.org.uk) as well as information on their regulatory powers and the action they can take.

Please send a full response within 30 days. If you cannot respond within that timescale, please tell me when you will be able to respond.

If there is anything you would like to discuss, please contact me on the following number [telephone number].

Yours faithfully
[Signature]

 

Raising a concern template letter - word version

2. Give the organisation one month to respond to your complaint or request.

It may take some time for your complaint to be considered. Don’t be afraid to chase politely if nothing seems to be happening.

3. Ask the organisation involved for clarification if you don’t understand or you’re unhappy with their response.

Organisations have an obligation to clearly explain why they are using your information in the way they are doing or why they have refused a request.

If the organisation gives you a response you do not understand, you should write to them to ask for clarification. You may want to use this template letter.

[Your full address]
[Your phone number]
[The date]

[Name and address of the organisation]
[Reference number (if provided within the initial response)]

Dear [Sir or Madam / name of the person you have been in contact with]

Information rights complaint.

[Your full name and address and any other details to help identify you, for example an account number.]

I am writing further to your recent letter/email about my information rights complaint because I would like further clarification.

Organisations have an obligation to clearly explain why they are using data in the way they do or why they have refused a request. This is set out under the accountability principle of the DPA 2018.

Accountability is one of the key principles in data protection law – it makes organisations responsible for complying with the legislation and says that they must be able to demonstrate their compliance.

I would like further clarification about

Give details of what you don’t understand. You should refer specifically to the response you have already received where appropriate]

I understand that before reporting my complaint to the Information Commissioner I should give you the chance to provide a full explanation.

If, when I receive your response, I would still like to report my complaint, I will give them a copy of your response to consider.

You can find guidance on your obligations under information rights legislation on the ICO’s website (www.ico.org.uk) as well as information on their regulatory powers and the action they can take.

Please send a full response within one calendar month. If you cannot respond within that timescale, please tell me when you will be able to respond.

If there is anything you would like to discuss, please contact me on the following number [telephone number].

Yours faithfully/sincerely
[Signature]

 

Clarification template letter - word version 

4. Complain to the ICO

If you have followed these steps or the organisation is refusing to respond to you, you can complain to the ICO.

Before you submit a complaint about an organisation you should read about what to expect from the ICO.