The Data (Use and Access) Act 2025 introduced a new "right to complain" to controllers regarding general UK GDPR compliance.
Further, the ICO has set out in its new complaints guidance that, should someone choose to complain to the ICO in the first instance, in most cases the ICO will ask the complainant to raise the complaint with the controller first, escalating it to the ICO only if necessary. This means controllers must have a way of receiving and managing these complaints, and of providing an acknowledgement and an outcome within the required timescales.
We anticipate that this new right will become another tool used to leverage data protection rights against organisations, enabling data subjects to advance an underlying grievance, whether that be an employment complaint, a consumer issue or other challenge.
In this article we focus on the applicability of this right to the employment relationship but the right and our advice around it applies to all controllers in all settings.
Q&A
Data Protection Complaints: geographical applicability and legal position
Does the new right to complain about data protection apply only to DSARs made in the UK, or does it extend to DSARs made in EU jurisdictions?
The right to complain is a statutory right that applies throughout the UK (s164A of the Data Protection Act 2018 ("DPA")) and covers processing by controllers falling under the scope of the UK GDPR (general data processing) and Part 3 of the DPA (law enforcement processing).
The right to complain therefore applies to all processing covered by the UK GDPR. In turn, the UK GDPR applies to all processing for entities with an establishment in the UK as well as those who are not established in the UK but offer goods or services (even free ones) or monitor individuals located in the UK. Therefore, some overseas entities will be caught but it is unlikely that individuals making DSARs in EU jurisdictions will be covered by the new right to complain.
What is the difference between the new statutory right to complain and the previous right to complain?
Data subjects and their representatives have long complained about data protection issues, sometimes to the organisation in question, sometimes direct to the ICO. The new right to complain places this right on a statutory footing, with specific investigation requirements and response timescales. The ICO’s new complaints guidance also makes it clear that complainants will need to bring their initial complaint to the controller before escalating it to the ICO, if necessary to do so.
Under s164B of the DPA, the Secretary of State has the power to make regulations requiring all controllers to report the number of complaints received to the ICO. At the time of writing, no such regulations had been made; however, we recommend that you start recording this now in your systems or logs by way of best practice.
What are the penalties for non-compliance with the complaints process?
ICO: the full range of ICO enforcement options is available, although we still expect the usual investigation process to apply through letter questions, escalating through Information Notices, Assessment Notices, Interview Notices, Enforcement Notices and Penalties (up to the usual data protection cap, but very unlikely to reach it). However, in line with DSARs, we would only expect this to take place for the most extreme examples of non-compliance.
Meaningful engagement, a genuine attempt to resolve the issue and clear communications are what the ICO expects to see where a complaint has been made. The ICO also uses public Reprimands, published on the ICO website, setting out why a particular organisation must do better, although to date these have mainly been used when a public sector body is involved.
Employment Tribunal: the failure to operate the complaints process properly could be referenced, but the Tribunal does not have the jurisdiction to assess this.
Court: Court proceedings could be threatened, and such matters are sometimes settled, or indeed strongly defended. A court could scrutinise the operation of the complaints process in the same way that they can now do so for a DSAR.
In summary, we'd primarily expect the complaints process to provide additional data subject leverage.
Data Protection Complaints: sequencing of complaints to controller and ICO
Can data subjects still complain directly to the ICO, or must they complain to the controller first?
Data subjects can still complain to the ICO at any time, but in the new complaints guidance the ICO states in most cases they “will ask them to raise a complaint with you first”. The change effectively attempts to shift the burden of dealing with complaints from the ICO to controllers in the first instance, which we believe is the ICO's and Government's policy objective.
Data Protection Complaints: intake route
Can the right to complain be incorporated into an existing compliance speak-up line?
Intake can be handled through a speak-up line if that is your preferred process, but you do need to ensure that complaints can come in through any route (as someone may be unaware of a particular route) and that the speak-up process incorporates the "must" requirements in the ICO's complaints guidance, along with the "shoulds" and "coulds" that you wish to adopt. The ICO will assess the operation of your complaints process against its guidance in order to determine compliance.
Should the complaints process sit within the grievance policy or the privacy policy?
It can certainly be referenced in the grievance policy, but we would recommend it is referenced in all privacy policies, as you may receive complaints from individuals who are not employees. If this is your preferred approach, existing policies and processes should be updated to incorporate the new right to complain prior to 19 June 2026 to ensure compliance.
If you are referencing the complaints process, it follows that the process itself would then be set out in a standalone document. The ICO guidance notes that there can be a publicly available version but also a more detailed operational internal version.
Is it acceptable to add “complaint” as an option on an existing DSAR request platform (e.g. OneTrust) or use a monitored email address in the HR privacy policy?
Both would be a valid intake route but remember that complaints could come in via any route and the right to complain should be set out in all your privacy policies.
Are organisations required to have an electronic form for complaints, or are other methods (e.g. email) sufficient?
You must have some way of receiving complaints, but it does not need to be an electronic form: it can be by email, form, phone, postal address, online portal, live chat, in person etc. For more information see the ICO's guidance. There just needs to be a publicised route to make a complaint.
Do organisations with existing grievance and data management policies still need to update their processes for DSARs and complaints?
Yes, it is important to update existing policies and processes to incorporate the new right to complain prior to 19 June 2026 to ensure compliance. In addition, your DSAR response letters should be updated to reference the right to complain to you rather than the ICO in the first instance.
Does an electronic complaint form need to be publicly available (e.g. linked from the privacy policy), or can it be provided upon receipt of a complaint?
You can choose to have an electronic form, and it can be public or provided on request. There is no obligation to offer one, but should you adopt this method, as long as you accept the complaint and deal with it in the prescribed timescales this should enable you to meet your obligations.
Data Protection Complaints: complaints process management
Who should investigate and respond to a data protection complaint? Can the employment lawyer handling the DSARs deal with it, or should it go to the DPO?
In terms of who reviews the complaint, this will depend on the process you have put in place. While the ICO's guidance doesn't say that the complaint should be reviewed independently or at least by a different person or team, it would be logical for the DPO or other legal advisers familiar with data protection issues to review the complaint. From a best practice/governance perspective it is recommended that the review be handled by someone who was not involved in or connected to the original decision and, ideally, by a more senior staff member or external counsel to ensure independence and objectivity. We will be assessing complaints too in the same way that we conduct investigations, reviews, DSARs and other advice requirements for clients.
If a grievance includes a complaint about a DSAR, can it be dealt with entirely as a grievance, or does the DSAR complaint need to be separated out?
We would recommend these being split out. The ICO's guidance states that sometimes people may complain about a service or other matters "whilst also exercising their data protection rights" and that this "doesn't count as a data protection complaint." One example given is an employee raising a grievance issue and also requesting copies of their personal information. The ICO goes on to say that if it is not clear whether someone is making a data protection complaint, you should ask them to clarify. It also makes sense to split out the DSAR, or the complaint about a DSAR, so as not to miss statutory deadlines.
Does the right to complain apply only in the employment context, or can clients and other data subjects also use it?
The right to complain must be available to all data subjects where the data subject considers that the controller has infringed the UK GDPR (general data processing) or Part 3 of the DPA (law enforcement processing) in connection with personal data relating to that data subject.
There is no requirement for a contractual or commercial relationship but there must be a nexus between the complainant's personal data and the controller's processing.
The obligation on controllers to maintain and operate a complaints process is universal but the right to invoke it is necessarily limited to individuals whose personal data has been processed by the relevant controller.
Grievances - AI impacts
What impact is generative AI having on the volume of DSARs and grievance complaints?
Generative AI is having a significant and multifaceted impact on both the volume and character of DSARs and grievance complaints.
AI is making it far easier for individuals to submit requests and complaints, driving volumes upward. But it is not only volume that is causing concern: AI is now reshaping the nature of requests themselves, seeking to broaden the scope of requests to include every data type across every system. How this will be reconciled with the "reasonable and proportionate" search is yet to be determined.
The combined effect of volume and complexity means that employers should consider:
- reviewing DSAR and grievance handling processes and ensuring they are adequately resourced internally or sourcing external support, if required,
- refreshing training for HR and compliance teams to help recognise AI-generated content,
- engaging early with the requesters to clarify the scope of broad DSARs and/or to understand what the employee is seeking through their grievance,
- documenting your decisions carefully, especially in light of the right to complain, and
- using AI defensively to streamline DSAR response workflows, being mindful of the fact proper AI governance is essential to ensure compliance.
Data Subject Access Requests (DSARs): reasonable and proportionate search and scope generally
What guidance is available on what constitutes a "reasonable and proportionate" search when responding to a DSAR?
The ICO sets out the test as follows in its Right of access guidance:
"To determine whether searches may be unreasonable or disproportionate, you should consider:
- the circumstances of the request;
- the volume of information you may need to search in order to respond;
- any difficulties involved in finding the information; and
- the fundamental nature of the right of access.
You must be able to show why a search is unreasonable or disproportionate."
We recommend conducting this assessment in real time (particularly taking account of the circumstances and data search size), documenting it via mapping it to the available evidence and justifications, and then playing back a summary of it to the data subject either during the DSAR timescales or certainly in the end covering letter.
How should organisations handle DSAR requests where the individual’s personal data appears in conversations between other people?
If this was in the form of recorded conversations (e.g. transcripts of calls, Teams messages etc.) then they should be located, subject to a "reasonable and proportionate" search. The test will then be to apply the guidance on mixed personal data, as set out by the ICO in its Right of Access guidance. We'd recommend assessing it (in summary form) for each redaction, though of course the third party's consent or refusal can be applied across all documents and redactions.
If a DSAR set of search results includes an email where the individual’s name is mentioned but it also contains unrelated business information, how should this be handled?
In this case we would recommend saying that what has been asked for is not their personal data and they are not entitled to request it. This can either be done during the process, as part of scoping, or at the end. We'd recommend doing so during the process unless there are specific reasons not to.
Where there are ongoing internal processes (e.g. a whistleblowing investigation, grievance, or redundancy appeal), how risky is it to withhold documents that the individual has not yet seen?
If the reasons for holding the documents back can be validly applied to an exemption, then there is a risk of complaint but there should not be an underlying data protection compliance risk.
However, if the reason for holding them back cannot be validly applied to an exemption, then there is the risk of a successful complaint, with the complaint then providing additional leverage for the employee.
Are organisations using AI and automation to assist with DSAR responses, for example for large-scale redaction?
In part. The technology is developing, and we often use AI for cross-checking consistency where we are dealing with multiple related DSARs at the same time. There is some redaction technology available, but it is not sufficiently mature to rely on: redactions are an art, not a science, given the discretion you have in applying them. What we do see AI used for by some clients is deduplication and email threading, for example to reduce the review bundle size and focus the review on key elements (again in line with the "reasonable and proportionate" search scope).
When should routine requests for personal data (e.g. copies of performance reviews) be logged as formal DSARs?
It is acceptable to deal with routine requests such as requesting a copy of performance reviews, employment contracts and payslips as non-DSARs. Here we would suggest you expressly say that you are dealing with them outside the scope of a DSAR process and as a routine employment support matter.
If the request is non-routine then it would be advisable to log it as a DSAR and handle it accordingly.
Does any request for personal information have to be treated as a DSAR, or can it come only through specific channels such as the ICO?
Any request for personal information to a controller is to be taken as a DSAR, except where it can be categorised as a routine request.
Most DSARs come directly from the data subjects themselves, not the ICO, and they can come in via any route, to any person in your organisation and in any form. The ICO does operate a form that people can complete to submit a DSAR to a controller but in our experience this is not widely used.
Remember that if you are acting as a processor for the personal data in question then you'll need to forward the request to the relevant controller for them to deal with, albeit likely with your assistance.
DSARs - review and redaction approach
When extracting personal data from documents for a DSAR response, is there a requirement to identify the source document, and what is the best way to do this?
You need to be able to explain the context of the personal data if this is not obvious. The best way to do that would be in the place you extract it to or explain it briefly in the covering letter at the end. The aim of this is to increase clarity for the data subject and reduce subsequent questions.
DSARs - court scrutiny
Does the court’s power to scrutinise DSAR compliance extend to legally privileged material?
The right of the court is not limited by way of stated exemptions in s180A DPA. We would argue that as a matter of general law the court should not see legally privileged material. The obligation is on the controller to provide to the court such information as the controller has.
DSARs - exemptions
What are examples of DSARs that may be considered "manifestly unfounded” or “excessive”?
A very clear example of "manifestly unfounded" would be where a data subject says that they are happy to withdraw the DSAR if only the organisation pays them an amount of money. It would also apply, for example, where the data subject clearly states that they are seeking to cause disruption or shows extreme anger at a particular person. The "manifestly excessive" test applies where there is an overlap between the new request and previous requests and/or where the personal data requested is disproportionate to the costs and/or burden on the organisation. These are very fact-specific analyses, and again the evidence must be carefully mapped against the relevant criteria in real time, with a summary provided to the data subject.
Again, the ICO’s Right of access guidance is helpful, providing examples to help you make your assessment. It is important to note there is different guidance for law enforcement processing.
DSARs - withdrawals of them prior to settlement agreements
Should the withdrawal of a DSAR be documented separately from the settlement agreement?
We would recommend this so as not to contravene the ICO's guidance. The guidance states that if a settlement agreement you have made with a worker limits their right of access, it is likely that this part of the settlement agreement will be unenforceable under data protection law. It is also important to note that the ICO states that signing a settlement or non-disclosure agreement does not waive a worker's information rights.
Compensation for low-level data protection issues
Are there examples of compensation being awarded for lower-level data protection issues such as DSAR breaches, failures in impact assessments, or defective privacy notices?
Compensation for purely procedural or technical breaches remains rare. Where a breach involves a genuinely "lower-level" or procedural failing, e.g. a DPIA omission, a privacy notice deficiency or a minor DSAR delay, without a demonstrable causal link to material or non-material harm, courts have been reluctant to award compensation and the ICO has tended to use reprimands or enforcement notices rather than fines.
It is important to remember that the ICO cannot award compensation; individuals seeking financial redress must do so through the courts, where quantum for low-level breaches is modest. That said, if a large number of data subjects were affected, even a modest amount of compensation per person could quickly become an eye-watering total.
Courts have been pushing low-value data protection claims towards the County Court and Small Claims Track, where legal costs are generally not recoverable, which acts as a deterrent to exaggerated or speculative claims for minor breaches. That said, the Farley v Paymaster appeal, listed in the Supreme Court on 7-8 October 2026, is being closely watched, because if the threshold of seriousness is eliminated it could result in a new wave of high-volume, low-value data breach claims.
If you were unable to attend but would like to hear our practical guidance on the new statutory right to complain in data protection law, as well as wider issues arising from data subject access requests (DSARs), please view our webinar here (passcode: cy&J3gcJ).
Details of how we can support you in preparing for and handling complaints from data subjects can be found here, and if you have any questions, please do reach out to JP Buckley or your usual LS contact.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.