How to make a data protection complaint to an organisation
Latest updates - 29 June 2026
29 June 2026 - this guidance was published
You have the right to complain to an organisation if you think it hasn’t followed data protection law. This guide will help you, if you need to complain.
- When can I complain to an organisation?
- How do I complain?
- What if I’m complaining on someone else’s behalf?
- What can I expect the organisation to do?
- What if I make a data protection complaint and a rights request?
- What if I make a data protection complaint, and a complaint about another legal framework?
- Can I ask for compensation?
- What if I’m unhappy with the organisation’s response?
- How does the ICO handle data protection complaints?
When can I complain to an organisation?
It can be worrying if you think an organisation hasn’t followed data protection law because of the way it handled your personal information (or the information of someone you’re acting on behalf of).
Data protection law requires organisations to have a process to deal with complaints. Many complaints can be resolved quickly and effectively by going directly to the organisation.
For example, you might complain to an organisation:
- about how it handled your request for copies of your personal information;
- if you’re worried it hasn’t kept your personal information secure (eg because a data breach has impacted you);
- about how it collected or used your personal information (eg how long it kept your information, or whether the organisation was transparent about how it would use it);
- because it used your information in a way you didn’t expect; or
- because of how it handled any other rights request from you (eg to correct or delete your information).
Further reading – ICO guidance
- Find out about your rights
- What is a data breach?
What’s the difference between a rights request and a complaint?
You have a number of rights under data protection law that you can contact an organisation about. These rights requests usually mean asking it to do something with your information (eg respond to your request for a copy of your information, or consider if it can delete something).
A complaint is when you tell the organisation that you don’t think the way it handled your information followed data protection law. This could be about how it handled your rights request, or something else.
(For more information, see the section What if I make a data protection complaint and a rights request?.)
How do I complain?
Organisations must have a data protection complaints process. There are many ways you may be able to make your complaint. For example, you may:
- use the organisation’s complaint form;
- use the complaints page on the organisation’s website;
- make your complaint verbally, such as over the phone or in person; or
- send your complaint to the organisation’s dedicated complaints email address.
To find out about its process:
- read its privacy policy (which is usually on its website, if it has one);
- check if it has a specific complaints section on its website; or
- ask them directly.
If you don’t follow the organisation’s process, you risk your complaint not reaching the right person or team, or being missed. For example, if the organisation has a dedicated web page, avoid making a complaint via social media. Social media is also not generally a secure way to send personal information.
However, you can use this template to send your complaint to the organisation by email or post, if it doesn’t have its own complaint form.
[The date]
[Name of the organisation]
[Address of the organisation (if known)]
[Reference number (if applicable)]
Dear [name of team, department or person you’ve been in contact with],
Data protection complaint
[Your name and any other details to help identify you]
I’m concerned that you haven’t handled my personal information properly.
[Give details of the complaint, and what you’d like the organisation to do to put things right]
If I still want to complain to the ICO after receiving your response, I’ll share a copy of the complaint letter and your response with them.
You can find guidance on your obligations to handle complaints, as well as guidance on your obligations under data protection law, on the ICO’s website.
If there’s anything you’d like to discuss, please contact me on [give preferred contact method].
Yours sincerely
[Signature]
However you choose to complain, it’s a good idea to keep a record of your complaint. You can use this as evidence if you need to follow it up with the organisation or us in the future. If you choose to make a complaint verbally, follow it up in writing too, where possible.
What do I include in the complaint?
Be clear you’re making a data protection complaint
Make it clear that your complaint is about data protection. For example, if you talk on the phone, explain that you’d like it to handle your concern as a data protection complaint. This helps the organisation know that you expect an outcome.
Provide enough detail to help the organisation locate your information
Include things like:
- reference numbers;
- account numbers;
- your contact details (eg your full name, email address, home address, or phone number);
- relevant dates or time periods; and
- names of relevant departments or staff, if appropriate.
Be specific
Explain your complaint in a clear, specific and short summary. Tell the organisation what you think it did wrong and, if relevant, how to put things right. For example:
- “You haven’t sent me the following information…”
- “You’ve redacted information from documents and not explained why”
- “I disagree with your response because…”
Use your own words
You don’t need to use legal terms or quote the legislation. Explain the issue in clear, simple language that makes sense to you. Putting the complaint into your own words can help the organisation understand the issue. This reduces the need for it to ask you to clarify, which can delay things.
List your concerns
Break your concerns into short, separate points (eg by using bullet points).
If your complaint includes other issues which aren’t about data protection (eg customer service issues), it might help to list these separately.
This helps the organisation understand and respond to each issue in turn.
Explain the effect it’s had
Let the organisation know if the issue has affected you or you might be at risk of harm because it’s unresolved.
Send copies of documents
Only send copies of key documents as evidence. Keep the originals safe as you may need them in future.
Stick to what’s relevant
Only send the key information that an organisation needs to look into your complaint as it will often be dealing with lots of enquiries. It might help if you limit your complaint to around 500 words. If your message is too long or contains documents ‘just in case’, the organisation may miss something important to you.
Let the organisation know how it can help you
Ask in your initial complaint if there’s anything you need the organisation to do to help you. For example, you can let the organisation know if:
- you’re under 18 (organisations have a responsibility to consider how they’ll help young people); or
- you have any accessibility needs.
What if I’m complaining on someone else’s behalf?
If you’re making a complaint on behalf of someone else, you need to prove that you have the authority to act for them. For example:
- an appropriate power of attorney; or
- a signed letter of authority from the person you’re acting on behalf of.
What can I expect the organisation to do?
Acknowledge your complaint
The organisation has 30 days to acknowledge your complaint, starting the day after it receives it. If the 30 days end on a weekend or public holiday, it has until the next working day to acknowledge it.
This doesn’t mean it needs to resolve your complaint within 30 days.
It means it has 30 days to let you know it’s received your complaint and is investigating it.
Look into your complaint
The organisation needs to take appropriate steps to look into your data protection complaint. What’s appropriate will always depend on the circumstances.
Update you on progress
The organisation needs to keep you up to date.
This doesn’t mean you should expect updates weekly or on each step. But if you haven’t heard from the organisation and it’s been a while, you can ask for an update.
Provide you with an outcome
The organisation needs to look into your complaint and provide you with an outcome without an unjustifiable or excessive delay. It should clearly explain what it’s done to resolve your data protection complaint and, if appropriate, any actions it’s taken as a result. If it thinks it complied with data protection law, it should explain its decision.
Data protection law doesn’t set a specific time limit to provide an outcome because how long it takes depends on the circumstances. This will vary from one complaint to another.
If you’ve given the organisation a reasonable amount of time and haven’t received your outcome, you can ask for an update.
What if I make a data protection complaint and a rights request?
Data protection complaints and rights requests are separate things. Each follows different rules, even if they’re about the same issue and you send them to the organisation at a similar time.
Example
You make a data protection complaint to an organisation. At the same time you request copies of your personal information (this is known as a subject access request). You can expect the following from the organisation:
- the organisation has 30 days to acknowledge your data protection complaint, but this doesn’t apply to your rights request (although it might still acknowledge your rights request in practice);
- for your data protection complaint, the organisation has to take appropriate steps to look into the complaint, keep you informed, and provide a final response without an unnecessary or unjustifiable delay; and
- for your subject access request, it has to take reasonable and proportionate steps to find your personal information, and provide a response without an unnecessary or unjustifiable delay. This needs to be within one calendar month at the latest (which it can extend for complex requests).
In some cases, you might make a rights request while also making a complaint about a non-data protection issue.
If so, the organisation only needs to respond to your rights request under data protection law and not the wider issue.
Example
You raise a grievance with your employer. You also request copies of your personal information.
The organisation only needs to respond to your rights request under data protection law. It should treat your grievance about your employer separately.
Example
You complain about a customer service issue. You also ask the organisation to delete your information.
The organisation only needs to respond to your rights issue under data protection law. It should treat your customer service issue separately.
What if I make a data protection complaint, and a complaint about another legal framework?
Some organisations have existing processes, guidance, or frameworks that set out how they handle complaints that aren’t about data protection. This may include different rules and timeframes.
If the organisation can provide you with an outcome to your data protection complaint sooner than it can provide an outcome to the other issues, it needs to do so. However, this may not always be possible. You can ask the organisation if you need to understand more about how it is handling your data protection complaint.
Can I ask for compensation?
You can claim compensation directly from an organisation if you have suffered damage as a result of it breaking data protection law.
If you submit a complaint to the ICO, we will handle the complaint in accordance with our complaints handling framework. However, we don’t have the power to award compensation and aren’t able to advise on compensation claims.
Further reading – ICO guidance
For advice on going to court and claiming compensation, see:
What if I’m unhappy with the organisation’s response?
If the organisation has looked into your complaint and you’re unhappy with its response, you can ask it to provide more details or explain its decision more clearly. Explain your outstanding issues in a short, clear summary, and allow a reasonable amount of time for it to respond.
You can also complain to us at any time, but we recommend giving the organisation a chance to complete its complaint handling process first. This gives the organisation the opportunity to put things right and may mean we can handle your complaint to us more quickly.
How does the ICO handle data protection complaints?
For more information on how we handle data protection complaints, read our advice on making a complaint to the ICO. This explains what we can look into and what to expect.
If your complaint relates to a different law or areas that another regulator handles, we won’t be able to look into it. This may mean you need to complain to us about data protection issues, and to another service about the other issues.
Further reading – external resources
Our additional support directory lists organisations and resources that you can access. They can support you with challenges or issues that are unrelated to your information rights.