It is increasingly common for employees and workers to make data subject access requests (DSARs), often alongside a grievance or as a precursor to an Employment Tribunal claim.
Employers should be aware that with effect from 19 June 2026, the Data (Use and Access) Act 2025 requires organisations to have a formal process in place for handling data protection complaints (including complaints about how they have handled DSARs).
Organisations must:
Provide a way for individuals to raise data protection complaints directly with them
Acknowledge complaints within 30 days of receipt
Take appropriate steps to investigate and respond without undue delay
Provide an outcome to the complainant, explaining what action has been taken or why the organisation believes it has complied with the law.
There does not need to be a single complaints channel, but, importantly, individuals are not required to use a specific process and may raise complaints with any employee or via informal channels, so spotting complaints will be important: e.g. a complaint about compliance with a DSAR just sent in an email to HR or a manager will be a complaint that needs to follow the formal process, even if not sent through formal channels.
For further information on this issue and the importance of implementing the right process, see guidance from the Freeths Data Protection and Privacy team.
Get in touch
The content of this page is a summary of the law in force at the date of publication and is not exhaustive, nor does it contain definitive advice. Specialist legal advice should be sought in relation to any queries that may arise.
Related news & articles
Related expertise
Contact us today
Whatever your legal needs, our wide ranging expertise is here to support you and your business, so let’s start your legal journey today and get you in touch with the right lawyer to get you started.
Get in touch
For general enquiries, please complete this form and we will direct your message to the most appropriate person.