The Data (Use and Access) Act 2025 requires all businesses to take steps to help people make complaints about how organisations use their data. In simple terms, and in line with ICO (The Information Commissioner’s Office) guidance, this means publishing a data protection complaints policy and procedure.
Data protection legislation says all organisations must:
- Give people a way of making data protection complaints to them
- Acknowledge receipt of complaints within 30 days of receiving them
- Without undue delay, take appropriate steps to respond to complaints, including making appropriate enquiries, and keep people informed
- Without undue delay, tell people the outcome of their complaints.
Our data protection template below covers all of these requirements and more. It is considered robust and effective.
It is provided free of charge and in good faith; however, as with any document, policy or procedure that may face legal scrutiny or challenge, we recommend obtaining full legal advice on suitability for use before implementation.
This document is generic in nature and there is licence around some items, for example in areas such as:
- How to make a complaint
- Integration with other complaints policies
- Arrangements for training
- Further visibility
- Review
The policy needs to be linked to within related data protection policies, for example the organisation’s privacy policy. The Appendix is based on standard issue checklists used for many complaints, grievances and tribunal preparation.
Data protection Policy Template
This Data Protection Policy document sets out:-
- Introduction -The Law -Our Commitment to Compliance
- What constitutes a data protection complaint -definition
- What is not regarded as a data protection complaint
- How to make a complaint
- What you can expect from us
- Integration of Data Protection Complaints Process with all Complaints Policies
- Complaints made on behalf of others
- Joint Controllers and Complaints
- What to do if you are not happy with the way we handled your complaint-ICO signpost
- Arrangements for training and general awareness
- Further visibility for this policy
- Review
- Appendix A -Checklist for your complaint-help us to help you
Introduction-The Law – Our Commitment to Compliance
Under UK data protection law all organisations are legally required to have a process in place for handling data protection complaints by 19 June 2026. It’s one of the few new obligations brought in by the Data (Use and Access) Act. We are required to:-
- Give people a way of raising data protection complaints
- Acknowledge each complaint within 30 days of receipt
- Take appropriate steps to respond without undue delay, including making any relevant enquiries and keeping complainants up to date with progress
- Provide an outcome to complainants without undue delay
We are committed to handling your personal data in a way that is fair, transparent, and in accordance with the law.
If you are unhappy with how we have handled your data, this policy outlines how you can make a complaint.
What constitutes a complaint – how is it defined?
The aim of this new legal obligation is to give anyone unhappy with the way we have handled their personal information a clear method for raising a complaint.
The Information Commission (ICO) has provided an indicative listing of what a complaint could cover. This is not an exhaustive listing but represents typical cases they have encountered in the past.
These cases include making a complaint about:-
- A data breach which impacted them
- A response to a Data Subject Access Request or other privacy rights request
- How long personal information is kept
- The accuracy of information held
- Security measures in place to protect personal details
- How profiling of a person has been carried out
- Or any other data protection related matter
In the majority of cases, if the ICO receives a complaint they will ask the person to first raise the matter with the organisation. The ICO will expect to see a robust policy and procedure in place to facilitate this quickly.
Our policy reflects this expectation.
What is not regarded as a data protection complaint?
If someone is complaining about a service or other matters and is also exercising one of their privacy rights (such as access, erasure, or objection) this will not be treated as a data protection complaint.
The ICO has provided the following examples which they say would not be data protection complaints: –
- A person may acknowledge you responded to their subject access request on time but express dissatisfaction that you did not expedite it
- An employee may raise a grievance issue and also request copies of their personal information
- A person may complain about a customer service issue and also request that you delete their information
If you are not sure if your issue is a complaint, the ICO has said they will help provide clarification. A link to their official guidance and website can be found in 9 below.
How to Make a Complaint
If you have a complaint about how your data has been handled, please contact our Data Protection Officer (DPO). Our DPO is (INSERT YOUR DPO NAME)
Our process is designed to enable us to investigate and resolve the issue as quickly as possible. You can use any of the following channels for your complaint:-
- Email:
- Phone:
- Post:
- Live chat via our website
- Portal – online complaints
- In person
But you are not obliged to use our set process. We want to be completely user friendly and flexible.
You can complain however you want. As with any Data Subject Access Requests, you can contact any appropriate employee, any part of the organisation or even submit a complaint via social media.
Whichever method you use, please provide as much detail as possible about your complaint.
Appendix A below carries a checklist to help you throughout the process. This will help us to understand the issue and investigate it thoroughly.
What to Expect From Us
We will acknowledge receipt of your complaint within three working days.
We will then investigate your complaint and provide you with a full response within 30 calendar days.
Throughout the process, we will:
- Keep you informed of our progress.
- Request any additional information we may need from you in a timely and proportionate manner.
- Provide you with a clear and comprehensive outcome of our investigation.
Integration of Data Protection Complaints Process with all Complaints Policies
We already have a process to effectively handle all complaints. We have integrated this data protection complaints policy into our existing processes, making sure that legal requirements are met.
We follow six steps for all complaints:-
- Acknowledge
- Investigate
- Keep people updated
- Record all actions -defensible documentation
- Provide outcome to complainant with signpost to appropriate external authorities
- Review lessons learned
Complaints made on behalf of others
As with privacy rights, a family member, solicitor, or other relevant organisation can raise a complaint on behalf of another person. We will follow due process for checking they’re authorised to do this, such as an appropriate Legal Power of Attorney or signed Letter of Authority from the person they are acting on behalf of.
Joint Controllers and Complaints
Our Joint Controllers are expected to have transparent arrangements in place for handling data protection complaints and a clear understanding of where responsibilities lie. The timescale for acknowledgement starts as soon as the complaint is received by any controller. We have therefore updated our joint controller agreements.
9. If You Remain Unhappy
If you are not satisfied with the outcome of your complaint, or if you feel we have not handled it appropriately, you have the right to complain to the Information Commissioner’s Office (ICO). The ICO is the UK’s independent regulator for data protection and information rights.
You can contact the ICO in the following ways:
- Email: *protected email*
- Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
- Phone: 0303 123 1113
For more information about the ICO and their complaints guidance, you can visit their website at ico.org.uk.
Arrangements for Training and General Awareness
Our staff and volunteers need to know about this change in the law, be able to recognise a complaint and know what to do if they receive or spot a complaint. We have provided full training and refreshed induction arrangements for new starters. Our wider UK Data Protection training is also updated every two years and after every incident or complaint.
At the point we collect personal information, people are told they can raise a data protection complaint. This means our privacy notices have been updated. It also means when responding to any Data Subject Access Request, we make sure we explain our complaints process.
Further Visibility for the policy
While not a legal requirement, the ICO recommends that organisations publish a complaints procedure on their website or provide it to people as soon as possible. We have done this and set out clearly in Appendix A below:-
- What evidence or supporting information we need to investigate complaints
- What proof of ID we accept (where necessary)
- What type of authority we accept if a complaint is made on behalf of someone else.
- That we will acknowledge within 30 days, keep people updated on progress and explain the outcome.
12. REVIEW
As with all official policy documents, regular review and update is essential. Within the policy, detail when the policy was first issued, the review frequency, the date of the last review and the date of the next review, together with appropriate sign-off approval dates. We suggest a review at least every 2 years or after any incident or complaint.
Does your data protection complaints policy need to include anything else?
Yes. You need to include help, guidance and support so the complainant can structure their complaint. We suggest an appendix as outlined below:
Appendix A – A Checklist for Making your Data Protection Complaint
Before you start your data protection complaint, collect:
- Copies of your original request or communication
- Proof of when you sent it (email timestamp, postal receipt)
- Any responses you received from us
- Your follow-up correspondence
- Notes of any phone calls (date, time, who you spoke to, what was said)
- Visit the ICO guidance page signposted at 9 above
Drill down into:-
- What happened — a clear description of the issue
- When it happened — key dates
- What you want — what outcome you’re seeking
- What you’ve done so far — your attempts to resolve it
Six Top Tips- Help us to help you
- Be specific – dates, names, and exactly what happened
- Stay factual – avoid emotional language, stick to the facts
- Show your efforts – demonstrate how you tried to resolve it first
- Be clear about what you want – the outcome you are seeking
- Include evidence – documents strengthen your complaint
- Keep it focused – one clear complaint is better than multiple vague ones
Concrew Training
Spring/Summer Season 2026
