ICO data protection complaint
A complaint to the Information Commissioner's Office about a breach of the UK GDPR or Data Protection Act 2018 — including refused SARs, late responses, and personal-data losses.
You must first raise the concern with the organisation (data controller) before complaining to the ICO. The ICO will normally only investigate after you have given the controller a reasonable chance to respond — usually 30 days for SAR-type requests, or up to 3 months for more complex matters.
Submit your complaint online at ico.org.uk/make-a-complaint or post to the address above. Attach: your original request, the controller's response, and any evidence of damage or distress.
The ICO is free to use. Possible outcomes: information notice (compelling disclosure to the ICO), enforcement notice (compelling specific action), penalty notice (fine), or "no further action" if the ICO does not find a breach.
You can also bring a separate private claim under section 167 DPA 2018 for compensation for damage / distress — this is a court claim, not an ICO process.
AI cross-check (2026-06-15) — pending regulated solicitor sign-off
This letter cites the following authority, which the AI has checked against current GOV.UK / legislation.gov.uk:
- UK GDPR Articles 6, 15, 16, 17, 21, 33 (as applicable by user selection): confirmed currently in force under the Data Protection Act 2018 which retains the UK GDPR post-Brexit. All cited articles are correctly identified.
- Section 165 Data Protection Act 2018 (complaint to the Commissioner): confirmed currently in force; this is the correct statutory basis for an individual complaint to the ICO.
- Section 167 Data Protection Act 2018 (court enforcement of data subject rights): confirmed currently in force; correctly cited for private court claims alongside the ICO route.
- Part 6 Data Protection Act 2018 (Commissioner's enforcement powers): confirmed currently in force; includes information notices, enforcement notices, and penalty notices — correctly described.
- ICO address (Wycliffe House, Water Lane, Wilmslow SK9 5AF): confirmed as the current ICO registered address.
- 1-month SAR deadline (Article 12(3) UK GDPR): the letter does not explicitly set out the 30-day controller response period, but this is consistent with Article 12(3) — confirmed.
Reviewer focus areas: (1) Confirm whether the Data Protection and Digital Information Act (DPDI Act — formerly the DPDI Bill) has been enacted and whether it modifies any of the UK GDPR provisions cited. As of 2026, the UK was still reviewing potential deregulation of data protection law. (2) Confirm that the ICO's complaint process (ico.org.uk/make-a-complaint) remains operative and the address is current. (3) Check whether the ICO has issued updated guidance on complaint timelines or priority categories.
This AI cross-check is an aid only; final sign-off requires a regulated solicitor.