Data Protection Complaint Form

Fulfil the new data protection requirements to facilitate complaints easily and quickly, using a highly secure cloud solution combined with an initial legal assessment.

Does my company need a complaint form?

All companies must accept data protection complaints directly.

After the coming reform of the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018 (DPA 2018) individuals will have the right to make a direct complaint to a company, if an individual considers that there was infringement of the UK GDPR or the DPA 2018 in connection with the processing of their personal data by the company.

In practice and by virtue of the reform all UK companies will be required to facilitate individuals to make direct electronic complaints to them, e.g. by offering an online complaint form on the company website.

How best to facilitate complaints?

Companies must facilitate the making of complaints by taking steps such as providing a complaint form which can be completed electronically and by other means.

For this purpose, the integration of an online complaint form on the website or the provision of a link to an online complaint form in privacy policies is highly recommendable.

According to the coming reform, you can outsource your online complaint form to external third parties. In this way, you do not have to maintain suitable staff and you fulfil the requirements for delegating your senior responsible individual´s (SRI) tasks.

Two activeMind-legal employees discuss a data protection case
Two lawyers from talk about necessary data protection measures for a client

Why is outsourcing of the online complaint form a good idea?

The technological safeguarding of complaints and the legal assessment should be carried out by professionals.

The online complaint form offered by is a highly secure cloud solution. It allows complaints to be received, appropriately acknowledged, investigated, and fully documented. If necessary, reports of complaints made in specified periods can be drawn for the Information Commissioner Office (ICO).

Our experienced data protection lawyers will carry out an initial legal assessment of the received complaints and provide you with concrete steps on how to proceed.

By setting up an online compliant form with, your company not only fulfils the legal requirements. You also increase the chance of being able to clarify complaints internally and thereby deepen the trust of the individuals whose data you process.

4 good reasons to partner with

We make dealing with complaints simple

Our online complaint form adapts to your needs and is always accessible to individuals wishing to exercise their rights. In this way, you ensure the greatest possible acceptance – and reduce your administrative burden.

We bring experience

We have broad experience of working with EU and UK regulators and responding effectively to complex interactions with data subjects and authorities. Our experts have been successfully advising clients in the UK and EU on their data protection obligations for several years now and know the ICO’s tendencies.

We know how to deal with worried individuals

We deal with data subjects request daily and while previously it was not a data subject right, have successfully dealt with many a worried data subject making a concerned complaint. When dealing with complaints we bring our experience to bear, mitigating any potential pitfalls.

We make costs planable

We work on the basis of a flat rate tailored to your needs. This allows you to calculate clearly and retain full control over expenses, regardless of how many complaints received and dealt with.

Free enquiry

Please provide us with some information about your company. We will contact you within two working days to discuss the details of an online complaint form for your company and provide you with a quote.

The quote will naturally contain a non-disclosure agreement so you may be sure that our experts, while already subject to professional privilege, will maintain the utmost confidentiality.

Frequently asked questions about data protection complaint forms*

The complaint may only be made if the individual considers that, in connection with their personal data, there is an infringement of the UK GDPR or DPA 2018 by the company.

Individuals will in future have to be informed of their right to make a complaint directly to the company when their data is first collected or otherwise obtained by a company, when their data subject requests are answered and in any other instances where they are currently informed of their right to complain to the ICO.

The reform is silent on who must deal with complaints (unless a company has to appoint a “senior responsible individual”, see below). This by no means indicates that the standards for dealing with complaints are dropped when there is no senior responsible individual, only that there is no person designated by the DPA 2018 to deal with them.

The reform will be changing the role of the data protection officer. Instead of a data protection officer companies will in certain instances be required to appoint a “senior responsible individual” (SRI). Among the tasks of the SRI, if one is required, will be dealing with complaints made in connection with the processing of personal data. As an SRI must be part of the organisation’s senior management, it is a good thing that the reform enables the delegation of the SRI´s task. Otherwise, senior management will be dealing with each complaint personally.

Aside from efficiency reasons the SRI must delegate their tasks where the performance would result in a conflict of interests. Often when dealing with complaints this will be the case. However, the SRI will not be able to simply delegate their task to just anyone.  In deciding whether their task should be performed by another person, and is so by whom, the SRI must consider the following:

  • The other person´s professional qualifications and knowledge of the data protection legislation;
  • The other person´s resources;
  • The other person´s involvement in the day-to-day processing of personal data by the company, and whether this affected their ability to perform the task.

All companies will be required to acknowledge the receipt of a complaint within the period of 30 days beginning with the day on which it is received. Furthermore, without undue delay, companies must take appropriate steps to respond to complaints and inform the complainant of the outcome of a complaint. Appropriate steps means making enquiries into the subject matter of complaints, to the extent appropriate, and keeping the complainant updated about progress of a complaint.

Companies may in future be required to inform the ICO of the number of complaints made to them in a specified period. What exactly this requirement will look like in practice remains to be determined by the Secretary of State.

A failure to facilitate complaints to be made, acknowledge them within 30 days or handle them appropriately is subject to a fine of GBP 8.7 million or 2% of the total annual worldwide turnover in the preceding financial year, whichever is higher.

As a further incentive to companies: Without an individual first exercising their right to complain directly to a company the ICO may refuse to deal with a complaint made to it by the individual.

* We will continually update this page as the reform of the UK GDPR and DPA 2018 progresses.