Author: Peter Church
One of the innovations in the Data (Use and Access) Act 2025 (“DUA”) is the requirement for controllers to facilitate complaints by data subjects, which includes updating their privacy notices to inform data subjects of this new right.
The aim is for controllers to deal with the problems at source and so lessen the workload for the Information Commissioner. However, this obligation is more procedural than substantive and may not always satisfy the complainant. We consider the practical implications of this new obligation.
The UK GDPR applies to almost everything done by every organisation in the UK. One problem with a “law of everything” is that almost anything can be a data protection issue. Even where the issue is not directly related to data protection, it is increasingly common to use data protection rights (such as subject access requests) to support a wider complaint.
As a result, the Information Commissioner received 42,315 complaints in 2024/25 and a deeper analysis of those figures shows they related to 13,137 different organisations. This represents a large and varied workload.
There would be significant benefits if controllers dealt with these complaints at source, both in terms of reducing the burden on the Information Commissioner and because controllers are best placed to resolve complaints as they understand the context in which the personal data is processed and the wider background.
Accordingly, the new section 164A of the Data Protection Act 2018 imposes limited complaint handling obligations on all controllers. (There does not appear to be any exemption for SMEs or organisations that only process limited personal data.) This requires controllers to:
In addition, controllers must:
There is no obligation on data subjects to use this new complaint procedure. However, the Information Commissioner has said that, in most cases, a complaint from a data subject will only be considered after the new complaints procedure has been used.
The obligation to use “appropriate steps” is very similar to the complaint handling obligations on the Information Commissioner under section 165, DPA 2018.
This obliges the Information Commissioner to consider the complaint, but leaves him with “broad discretion” whether to conduct a further investigation. The Information Commissioner does not have to determine if there has been an infringement and can instead merely express a view on the likelihood of there being a breach and take no further action (Delo v Information Commissioner [2023] EWCA Civ 1141).
Applying the same logic to the new complaints process under DUA, this suggests that controllers must apply their mind to the complaint, but there is no requirement to decide if a breach has actually happened or to take any steps to remedy any breach, and certainly no requirement to ensure the complainant is satisfied at the end of the process.
Controllers must also update their privacy notices to inform data subjects of “the right to make a complaint to the controller” (Articles 13(2)(ca) and 14(2)(da), UK GDPR) and must also add this information to the response to a subject access request (Article 15(1)(ea)).
This raises two practical questions:
Separately, the Data (Use and Access) Act 2025 makes a number of other changes, such as the upcoming transformation of the “Information Commissioner” into the “Information Commission”, which might be worth wrapping into any update of your privacy notices.
These complaint handling provisions are not in force yet but are expected to apply from 19 June.
The substantive obligations are flexible and lightweight. Controllers with existing complaint handling processes can extend them to apply to data protection complaints, and those that do not may be able to use relatively informal arrangements, particularly where the number of complaints is small.
In either case, it would be sensible to put a policy in place to ensure complaints are acknowledged, investigated and the complainant notified of the outcome. This should be backed up by amendments to privacy notices, appropriate record keeping arrangements and training of staff to identify and escalate these complaints.
7 May 2026