SponsoredBuild your website with Vincony

Aviso legal: Esto no constituye asesoramiento jurídico. La legislación y la jurisprudencia cambian. Consulte siempre con un abogado cualificado para su situación específica.

UK Law Reference
← All Comparisons
Data Protection
Updated 2026-04-09

ICO Complaint vs Court Data Protection Claim

Comparing a complaint to the Information Commissioner's Office with bringing a claim in court for a data protection breach.

Overview

When your personal data has been misused, you have two formal routes: a complaint to the Information Commissioner's Office (ICO) under Article 77 of the UK GDPR, or a civil claim for compensation and/or injunctive relief under Article 82 UK GDPR and s.168 Data Protection Act 2018. The ICO is a regulator, not a compensation body — it can impose significant fines on organisations but cannot award you money. Only a court can do that.

Side-by-Side Comparison

ICO Complaint

Cost: Free
Time: 3–18 months for a full investigation

Pros

  • Free and accessible — no legal knowledge needed
  • ICO can exercise significant enforcement powers against the organisation
  • Outcome can benefit others in the same position, not just you
  • ICO may compel the organisation to provide information you need to bring a civil claim

Cons

  • ICO cannot award you compensation — regulatory fines go to the government, not to you
  • ICO has discretion whether to investigate — it may decline if the complaint is not a priority
  • ICO investigations can be slow (many months)
  • Outcome may be a reprimand or informal undertaking, not a fine

Best For

Cases where you want the organisation to stop unlawful processing, change its practices, or be held accountable; complaints about systemic data breaches affecting many people.

Court Claim (Article 82 UK GDPR)

Cost: Court fees from £35; legal costs if represented
Time: 6–18 months

Pros

  • Financial compensation is available — including for distress alone (Vidal-Hall v Google [2015] EWCA)
  • Injunctive relief can be obtained — compelling the organisation to erase data, cease processing, etc.
  • No need to go to the ICO first — you can go straight to court
  • Standard of proof is balance of probabilities

Cons

  • Court fees apply; risk of adverse costs order above small claims threshold
  • You must prove causation — that the breach caused you the damage claimed
  • Article 82 UK GDPR provides a defence if the controller was not at fault
  • Legal representation is likely needed for cases of significant value

Best For

Cases where you have suffered quantifiable financial loss or significant distress; cases where the organisation has refused to comply with your rights (e.g. ignoring a DSAR).

Key Differences

AspectICO ComplaintCourt Claim (Article 82 UK GDPR)
CompensationNone — ICO fines go to the governmentYes — damages for material and non-material harm
Enforcement powerCan fine organisations up to £17.5 millionCan order payment, injunctions, data erasure
CostFreeCourt fees; risk of costs order
SpeedSlow — ICO is a busy regulatorFaster for undefended claims
Evidence burdenICO investigates — you provide your accountYou must build and present your own case
PrerequisiteNoneNone — but ICO findings can support your claim

Our Recommendation

Complain to the ICO if you want the organisation to change its behaviour or be held to account by a regulator. Go to court if you want compensation. The two routes can be pursued in parallel — the ICO route does not stop the clock on the 6-year limitation period for civil claims. A favourable ICO decision can significantly assist a subsequent court claim. For significant data breaches (e.g. exposure of sensitive health or financial data), specialist data protection solicitors often offer CFA funding.

Related Guides