Find out how to raise a complaint about the transfer of your personal information from the United Kingdom to the United States of America under the UK Extension to the EU-US Data Privacy Framework (UK Extension), or what to do if you believe a US-based organisation is falsely claiming to be signed up to the UK Extension.
Also find out how to raise a complaint about the access of your personal data by US national security agencies after it has been transferred to the US from the UK, either using the UK Extension or any other transfer mechanisms.
Before making a complaint
If you want to raise a complaint about a US-based organisation handling your personal information under the UK Extension, you should check that they are registered on the Data Privacy Framework (DPF) website, unless your complaint is about a US-based organisation falsely claiming to be registered under the UK Extension.
This does not apply if you are making a complaint about the access of your personal information by US national security agencies (signal intelligence activities) following a transfer from the UK to a US-based organisation.
If you do not provide the information we need, your complaint may be delayed.
Making a complaint
About a US organisation signed up to the UK Extension
If you want to complain to us about the handling of your personal data by a US-based organisation that has signed up to the UK Extension, you should give that organisation a chance to sort things out before you come to us. If they do not do that, or you are unhappy with their response, you’ll need to provide us with:
- copies of any letters or emails about your complaint between you and the organisation; and
- any other evidence that supports your complaint.
If you want to complain to us about a US-organisation you believe is falsely claiming to be signed up to the UK Extension, you will need to provide:
- the name of the US organisation,
- the website address; and
- (optional) images showing where it makes this claim.
If you are acting on behalf of someone else who wants to bring a complaint, you will need to send us a letter of consent signed by them or evidence that you can act on their behalf.
About access by US National Security agencies
If you want to complain to us about the accessing of your personal data by US national security agencies, after it has been transferred from the UK to a US-based organisation (either using the UK Extension, or any other transfer mechanisms), you’ll need to provide information which is the basis for your belief that there may have been a violation of relevant US law. This information includes:
- whether you believe your information has been subject to signals intelligence activities (as defined in the US);
- the specific means by which the personal information was believed to have been transmitted to the US, such as the name of the UK organisation that sent your information to the US, the US organisation and details about the transfer from the UK to the US;
- the identities of the US Government entities believed to be involved in the alleged violation;
- when this access may have taken place;
- the outcome you are looking for; and
- any other attempts you have made to resolve the matter and the response you received.
You do not need to show that US national security agencies have accessed your personal information.
If you are acting on behalf of someone else who wants to bring a complaint, you will need to send us a letter of consent signed by them or evidence that you can act on their behalf.
Further reading
Find out more about the process and potential outcome of your complaint about a US-based organisation under the UK Extension to the EU-US Data Privacy Framework, or about US national security agencies.