Part 5 Data protection and privacy
Chapter 1 Data protection
Enforcement
103 Complaints by data subjects
(1) The 2018 Act is amended in accordance with subsections (2) and (3).
(2)
“164A Complaints by data subjects to controllers
(1) A data subject may make a complaint to the controller if the data subject considers that, in connection with personal data relating to the data subject, there is an infringement of the UK GDPR or Part 3 of this Act.
(2) A controller must facilitate the making of complaints under this section by taking steps such as providing a complaint form which can be completed electronically and by other means.
(3) If a controller receives a complaint under this section, the controller must acknowledge receipt of the complaint within the period of 30 days beginning when the complaint is received.
(4) If a controller receives a complaint under this section, the controller must without undue delay—
(a) take appropriate steps to respond to the complaint, and
(b) inform the complainant of the outcome of the complaint.
(5) The reference in subsection (4)(a) to taking appropriate steps to respond to the complaint includes—
(a) making enquiries into the subject matter of the complaint, to the extent appropriate, and
(b) informing the complainant about progress on the complaint.
164B Controllers to notify the Commissioner of the number of complaints
(1) The Secretary of State may by regulations require a controller to notify the Commissioner of the number of complaints made to the controller under section 164A in periods specified or described in the regulations.
(2) Regulations under this section may provide that a controller is required to make a notification to the Commissioner in respect of a period only in circumstances specified in the regulations.
(3) Regulations under this section may include—
(a) provision about a matter listed in subsection (4), or
(b) provision conferring power on the Commissioner to determine those matters.
(4) The matters are—
(a) the form and manner in which a notification must be made,
(b) the time at which, or period within which, a notification must be made, and
(c) how the number of complaints made to a controller during a period is to be calculated.
(5) Regulations under this section are subject to the negative resolution procedure.”
(3) In section 165 (complaints by data subjects to the Commissioner)—
(a) omit subsection (1), and
(b) in subsection (2), after “infringement of” insert “the UK GDPR or”.
(4) The UK GDPR is amended in accordance with subsections (5) and (6).
(5) In Article 57 (Commissioner’s tasks)—
(a) in paragraph 1, omit point (f), and
(b) omit paragraph 2.
(6) Omit Article 77 (right to lodge a complaint with the Commissioner).
(7) Schedule 10 to this Act contains minor and consequential amendments.