Welcome to Simply-Docs

Data Use and Access Act (DUAA) 2025 - New Data Protection Complaints Documents

June 2026

Individuals now have a clearer right to complain directly to organisations about the handling of their personal data. Organisations must provide a way for people to make data protection complaints, acknowledge complaints within 30 days, take appropriate steps to respond without undue delay, keep complainants informed, and tell them the outcome of their complaints.

What is Changing?

The Data (Use and Access) Act 2025 introduces a new complaints process into UK data protection law. This means that individuals can complain directly to a controller if they consider that there has been an infringement of data protection law in connection with their personal data.

For businesses and other organisations, this means having a clear and accessible process for receiving, acknowledging, investigating, and responding to complaints about personal data handling.

What Should You Do?

You should make sure that individuals have a clear way to raise data protection complaints. This may include providing an electronic complaints form or other appropriate contact method.

A complaint handling process should also help staff understand what to do when a complaint is received, when to ask for clarification, proof of identity, or proof of authority, how to investigate the issues raised, and how to provide a clear outcome.

Good records are also important. Keeping a record of complaints, decisions, investigation steps, outcomes, and remedial action can help demonstrate that complaints have been handled properly and consistently.

New Data Protection Complaints Templates

To help you comply with this important new requirement, a new set of Data Protection Complaints templates is now available.

These templates are designed to help organisations put a practical complaints process in place, collect the information needed to investigate complaints, and communicate clearly with complainants at each stage of the process.

Data Protection Complaints Policy and Procedure

This internal policy and procedure helps you establish a clear process for receiving, acknowledging, investigating, responding to, reviewing, and recording data protection complaints.

Data Protection Complaints Form

This complainant-facing form helps individuals provide the details needed to make a data protection complaint, while also making clear that use of the form is optional.

Data Protection Complaint Acknowledgement Letter

This letter helps you confirm receipt of a data protection complaint, provide a reference number, summarise the issue, explain next steps, and request any further information, ID, or authority where needed.

Data Protection Complaint Acknowledgement and Response Letter

This letter is suitable for straightforward complaints where you can acknowledge receipt and provide the outcome of your investigation in the same response.

Data Protection Complaint Request for Further Information Letter

This letter helps you ask for clarification, further details, proof of identity, or evidence of authority where more information is needed before the complaint can be properly investigated.

Data Protection Complaint Receipt of Additional Information or ID / Authority Letter

This short letter confirms that further information, proof of identity, or evidence of authority has been received and that the complaint investigation will continue.

Data Protection Complaint Holding or Progress Update Letter

This letter helps you provide an update where a complaint is still being investigated and you are not yet ready to issue a final response.

Data Protection Complaint Final Response Letter

This letter helps you set out the outcome of your investigation. It addresses a range of outcomes, actions taken or proposed in response, review or clarification options, and the complainant’s right to complain to the ICO.

Practical Support for Data Protection Compliance

The new templates are designed to support compliance with the UK GDPR, the Data Protection Act 2018, and the Data (Use and Access) Act 2025.

By putting clear complaints procedures and correspondence templates in place, businesses can help ensure that data protection complaints are handled fairly, consistently, and without undue delay.

The contents of this Newsletter are for reference purposes only and do not constitute legal advice. Independent legal advice should be sought in relation to any specific legal matter.

Simply-4-Business Ltd Registered in England and Wales No. 4868909, 20 Mortlake High Street, Mortlake, London SW14 8JN

Top