Data protection complaint route: controller → ICO → tribunal
Escalation route for UK GDPR breaches: DSAR ignored, erasure refused, unlawful processing, data breach.
When to use this route
An organisation has breached your data protection rights — refused a DSAR, declined erasure, processed your data unlawfully, or failed to notify you of a breach.
When NOT to use this route
If you want compensation for distress only — that's a civil claim under s.168 DPA 2018 (County Court). The ICO does not award compensation.
Prerequisites
- • You have asked the controller to fix the issue and given them a reasonable time
Evidence to gather
- • Original rights request
- • Controller's response (or proof of non-response)
- • Evidence of the unlawful processing
- • Evidence of distress / harm (for compensation claims)
Route map
- Stage 1
Complain to the controller
The ICO requires you to give the controller a chance to respond first. Quote UK GDPR Articles and DPA 2018 sections.
Controller has 1 month to respond (extendable by 2 months for complex) - Stage 2
ICO complaint
Submit online with all correspondence attached.
- Stage 3
ICO assessment and outcome
ICO assesses and either takes no action, issues a reprimand, an enforcement notice, or a monetary penalty.
- Stage 4
First-tier Tribunal appeal
If you disagree with the ICO outcome — or if the controller appeals an enforcement / penalty notice — the matter goes to the General Regulatory Chamber (Information Rights).
28 days from the ICO noticeForum: first tier tribunal - Stage 5
County Court damages claim (parallel)
For compensation for distress, issue under s.168 DPA 2018. Quantum guided by Lloyd v Google and Vidal-Hall principles.
Final remedies
- • ICO enforcement notice or reprimand
- • Monetary penalty (up to £17.5m or 4% global turnover) — payable to ICO, not to you
- • Court damages for distress
- • Court order requiring rectification or erasure