SponsoredBuild your website with Vincony

ข้อจำกัดความรับผิดชอบ: นี่ไม่ใช่คำแนะนำทางกฎหมาย กฎหมายและคดีมีการเปลี่ยนแปลง โปรดปรึกษาทนายความที่มีคุณสมบัติสำหรับสถานการณ์เฉพาะของคุณ

UK Law Reference
All Legal Journeys
Data Protection
England & Wales
6 stages
3–18 months from DSAR to potential court action
Reviewed April 2026

Data Protection Complaint Journey

The process for exercising data subject rights, making a complaint to the Information Commissioner's Office (ICO), and pursuing compensation through the courts if your data protection rights are breached.

Who Uses This Journey

Individuals who believe an organisation has mishandled their personal data in breach of the UK GDPR or Data Protection Act 2018 — whether by failing to respond to a Subject Access Request, sharing data without consent, retaining data too long, or causing harm through a data breach.

Stage-by-Stage Timeline

1

Submit a Subject Access Request (SAR)

A Subject Access Request (SAR) is a right under UK GDPR Article 15 to request a copy of all personal data held about you by an organisation. Submit in writing (email is fine) to the data controller's data protection officer (DPO). The request is free. Include proof of identity if requested.

Deadline: Organisation must respond within 1 calendar month (can extend by 2 months for complex requests if they notify you within the first month)
Evidence Needed
  • Written SAR (email or letter) clearly requesting all personal data
  • Proof of identity if requested
  • Specify any particular categories of data or time periods if needed
Common Mistakes to Avoid
  • Sending SAR to the wrong department — address to the DPO or data protection team
  • Not keeping a copy of your SAR and the date it was sent
  • Expecting more than a copy of your data — a SAR is not a right to explain decisions, only to see data
2

Await Response (1 Month)

The organisation must respond within 1 calendar month of receiving the SAR. They may: provide all the data; provide partial data (with explanations for anything withheld); request clarification of identity; or wrongly refuse. Note the exact date of your SAR to track the deadline.

Deadline: 1 calendar month from receipt of SAR
Possible Outcomes
  • Full response received — review for accuracy and completeness
  • Partial response — organisation claims exemptions
  • Extension notified — further 2 months allowed
  • No response or refusal — complain to ICO
Common Mistakes to Avoid
  • Accepting an incomplete response without questioning exemptions claimed
  • Not checking the data provided is actually accurate
3

Raise Concerns with the Organisation

Before complaining to the ICO, you should usually try to resolve the issue directly with the organisation. Write formally, identifying exactly what you believe is wrong (incomplete SAR, unlawful processing, inaccurate data, failure to erase under Article 17, etc.) and what you want done.

Deadline: Allow the organisation a reasonable time (typically 30 days) to respond
Common Mistakes to Avoid
  • Going straight to the ICO without trying to resolve directly — the ICO expects this step
  • Not specifying which UK GDPR rights have been breached
4

Complain to the ICO

If not resolved, submit a complaint to the Information Commissioner's Office online. The ICO will investigate whether the organisation has complied with data protection law. The ICO can issue: enforcement notices, warnings, reprimands, and fines (up to £17.5 million or 4% global turnover).

Deadline: ICO complaints are time-limited — complain within 3 months of the organisation's final response
Possible Outcomes
  • ICO upholds complaint — organisation directed to comply
  • ICO issues enforcement notice
  • ICO closes complaint — no further action
  • ICO refers matter to formal investigation
Common Mistakes to Avoid
  • Expecting the ICO to pursue compensation on your behalf — it cannot do this; you need a court claim
  • Not providing all relevant documents to the ICO at the outset
5

ICO Investigation

The ICO investigates the complaint. Both parties may be asked to provide information and documents. The ICO may use its powers to audit the organisation. Investigations can take 3–12 months. The ICO is not obliged to take formal enforcement action in every case.

Possible Outcomes
  • ICO upholds complaint and issues reprimand or enforcement notice
  • ICO closes complaint without formal action (considers it resolved)
  • ICO fines the organisation
  • ICO advises the complainant to pursue civil claim for compensation
Common Mistakes to Avoid
  • Waiting for ICO resolution before starting the 6-year limitation clock for a court claim
  • Not documenting the distress, financial loss, or damage caused by the breach
6

Court Claim for Compensation

A data subject has the right to claim compensation from an organisation for material or non-material damage under UK GDPR Article 82 and DPA 2018 s.168. 'Non-material damage' includes distress. Court claims can be brought in the County Court. Issue Form N1, set out the breach, and quantify damages (financial loss + distress).

Deadline: 6 years from the breach (DPA 2018 s.169)
Fee: Court issue fee based on claim value
Forms at This Stage
Evidence Needed
  • Evidence of the breach (communications, SAR response, breach notification letter)
  • ICO decision or correspondence
  • Evidence of financial loss (e.g. fraud, identity theft costs)
  • Medical evidence if claiming for psychiatric injury
  • Diary evidence of distress
Common Mistakes to Avoid
  • Not quantifying the damage — courts need specific figures
  • Claiming distress without any supporting evidence

Official Sources

Related Guides

Know Your Rights