Relevant DUA Act Provision: Section 103, which inserts Section 164A into the DPA 2018.
The DUA Act introduces a statutory duty for controllers to handle complaints made by data subjects who believe that their rights under the UK GDPR or Part 3 of the DPA 2018 have been infringed. Section 164A formalises the internal complaints handling process at the controller level for the first time. Controllers are now required to:
- Facilitate the making of complaints, including by providing a complaint form which can be completed electronically and by other means.
- Acknowledge receipt of the complaint within a statutory time limit of 30 days of receiving it.
- Take appropriate steps in response, including making reasonable enquiries into the complaint and keeping the complainant informed of the progress.
This reflects a new legal obligation modelled on the ICO’s own investigatory duties under section 165 of the DPA 2018 and aims to introduce greater consistency and accountability in how organisations respond to data protection complaints.
The Secretary of State is empowered by regulation to:
- Require controllers to report complaints data to the ICO;
- Determine the form, timing and metrics for such reporting; and
- Delegate powers to the ICO to issue notices on how reporting should be carried out.
This will be especially relevant for large controllers and data-rich organisations that receive high volumes of complaints or requests from individuals.
Divergence
The UK regime diverges from the EU GDPR by imposing a statutory duty on controllers to investigate and respond to complaints. Under the EU GDPR, there is no explicit requirement for controllers to handle complaints internally; instead, individuals have a direct route to lodge complaints with a supervisory authority. The UK model introduces an intermediate step and a duty to “facilitate” complaints before individuals escalate to the ICO.
ICO commentary
In its comments on the DUA Act, the ICO welcomed the introduction of clearer statutory expectations around complaint handling. The ICO has committed to issuing Complaints guidance for organisations in Winter 2025/26, with a focus on proportionality, communication, and transparency. The ICO has emphasised that internal complaint-handling should not be a barrier to individuals’ rights but rather a way to enhance resolution and accountability.
Recommendations
- Create and publish a user-friendly complaints form, available via your privacy notice, website and app (where applicable).
- Update internal processes to acknowledge all complaints within 30 days of receipt and implement case-tracking tools to manage progress updates.
- Clearly communicate timelines, escalation paths, and response mechanisms in privacy notices.
- Train DPOs, privacy teams and complaint handlers on triaging issues and documenting decisions within the statutory time limit. Where complaint handling has been outsourced, ensure that your contract with the outsourced service provider reflects the amendments and new requirements.
- Ensure you are keeping a record of complaints and begin tracking complaints volume and outcomes.
- Prepare for future ICO reporting requirements once regulations are enacted.
This article is part of a twelve-part series analysing the key legal reforms introduced by the Data Use and Access Act (DUA Act), which came into force on 19 June 2025. The series examines the most significant areas of divergence and convergence between the DUA Act and the EU GDPR, drawing on both the legislation itself and provisional guidance from the Information Commissioner’s Office (ICO). Each article provides legal context, highlights regulatory shifts, and offers practical compliance insights. The twelve core areas covered in this series are: 1. Recognised Legitimate Interests (RLIs) |