Asking for your personal data
Explains your right to request copies of personal data and records held about you by different organisations.
How to complain to the ICO about personal data
Different organisations might hold personal data and records about us. A public body called the Information Commissioner's Office (ICO) oversees and protects our data rights.
The ICO can help if we need to complain about how an organisation has used or misused personal data. Making a complaint to the ICO might feel like a difficult or overwhelming process. But you're not alone, and our information is here to help you.
What is the ICO?
The ICO is an independent public body. It makes sure that UK organisations comply with data laws. These include the Data Protection Act 2018 and UK General Data Protection Regulation (UK GDPR), as amended by the Data (Use and Access) Act 2025 (DUAA).
In practical terms, this means the ICO can help you with concerns about:
- The way in which organisations look after your personal data
- How organisations deal with subject access requests (SARs), if you've made one
Why might I complain to the ICO?
You might complain to the ICO after an organisation does 1 or more of the following:
- The organisation fails to respond to your request for personal data or formal SAR.
- The organisation rejects your data request without a good reason for refusal.
- The organisation fails to send you all the data you asked for.
- The organisation fails to comply within the response time limit. This is 1 calendar month from receipt of all required documents.
Before you submit a complaint to the ICO, you must first complain to the organisation directly. You can then complain to the ICO if the organisation ignores you again or does not provide a satisfactory response.
To find out more, visit our page on problems with asking for personal data.
How do I complain to the ICO?
To complain to the ICO, you'll need to submit a form on their website. When you submit the form, you'll need to include the following:
- Records of all communications you've had with the organisation about your data request. This might be emails you can download and attach, or letters which you'll need to photocopy.
- Copies of documents or emails where you raised your initial complaint to the organisation.
Before you can complain to the ICO, you must wait for the 1-month response deadline to pass. You must also have already tried complaining to the organisation directly.
If you're complaining to the ICO at a later date, you can complain within 3 months of your last ‘proper contact’ with the organisation. ‘Proper contact’ means significant contact related to your data request or query.
To access the complaint form, visit the ICO website.
What can the ICO do about my complaint?
If the ICO believes the organisation has failed to comply with its legal duties, they might:
- Write to the organisation and ask them to resolve the problem
- Take action against the organisation concerned, which you can find out more about on the ICO website
The enforcement powers of the ICO were strengthened under the DUAA. But the ICO might only take action against an organisation in cases of a serious data breach. This might include sending an enforcement notice and imposing a financial penalty.
The ICO can't give you any personal compensation. You can only claim compensation by taking an organisation to court and winning the case.
Can I take an organisation to court?
You have the right to take an organisation to court for failing to respond appropriately to your SAR. However, you must be able to show the court that you tried to resolve things with the organisation directly.
If so, you can ask the court to order the organisation to put things right. For example, you might ask the court to:
- Provide you with the personal data that you requested
- Pay you compensation for harm and distress caused by the organisation's actions
But it's rare for things to get to this stage. You should be able to deal with your personal data problem by complaining to the ICO.
For more information about taking your case to court, visit the ICO website.
Subject access request (SAR)
This is a written request to an organisation asking for details of the personal information they hold about you.
See our pages on accessing my personal information to find out more.
Visit our full listing of Legal Terms
Information Commissioner's Office (ICO)
The ICO is an independent body. It's responsible for making sure that organisations comply with their obligations under the Data Protection Act 2018.
Enforcement notice
This is a document sent to an organisation by the Information Commissioner's Office. It sets out the action the organisation needs to take to comply with its obligations under the Data Protection Act 2018. If the organisation fails to comply with the enforcement notice it's a criminal offence. And the organisation can be fined.
General Data Protection Regulation (UK GDPR)
These regulations tell organisations how they can use your personal information. They also give you rights to access and correct personal information held about you.
Data Protection Act 2018
The Data Protection Act 2018 is the law that sets out how organisations must handle and process your information. It also gives you rights to access personal information held about you. And rights to correct personal information held about you if it's wrong.
Data (Use and Access) Act 2025 (DUAA)
The Data (Use and Access) Act 2025 (DUAA) is a law that came in to update data protection rules. This law makes the rules simpler for organisations, while still protecting your rights.
Published: June 2026
Next review planned: June 2029
References are available on request. If you would like to reproduce any of this information, see our page on permissions and licensing.