Data protection complaints

There is no requirement in the UK GDPR for organisations to deal with data protection complaints. The only complaint-handling obligations fall on the ICO. However, the ICO obviously considers it good practice for organisations to have complaints procedures, as it provides guidance on handling data protection complaints, including providing a data protection complaints process. The ICO’s Data protection complaints tool for data subjects indicates that the ICO will generally not deal with a complaint unless:

  1. it has first been made to the relevant organisation, and

  2. a period of 30 days has elapsed since the complaint was made

The right to complain

Data subjects have the right to lodge a complaint with the ICO, where they consider their personal data has been processed in a way that breaches the UK GDPR. They can also complain to the ICO via a not-for-profit body, organisation or association. The ICO is required to investigate complaints to the extent appropriate and inform the complainant of the progress and outcome of the investigation within a reasonable period.

There is no corresponding right to make a complaint to the data controller, ie to your

To view the latest version of this document and thousands of others like it, sign-in with LexisNexis or register for a free trial.

Powered by Lexis+®
Latest Risk & Compliance News
View Risk & Compliance by content type :

Popular documents