Data Use and Access Act (DUAA) Complaints Policy: A Compliance Blueprint
With the **Data (Use and Access) Act 2025 (DUAA)** taking full effect in the UK, data controllers are facing updated compliance rules regarding how they manage privacy-related complaints. Put a clear complaints-handling process in place before the **19 June 2026** deadline to reduce regulatory risk.
What is the DUAA Complaints Requirement?
Under Section 103 of the Data (Use and Access) Act 2025, which inserts a new Section 164A into the Data Protection Act 2018, all organisations handling personal data must establish, publish, and maintain a complaints process. This process allows individuals to raise complaints about how their personal details are handled, stored, or processed.
Key provisions require that controllers:
- Acknowledge receipt of a data complaint within 30 calendar days.
- Investigate the complaint without undue delay.
- Communicate the outcome in writing, detailing remedial actions and the right to complain to the ICO.
The Scope of Personal Data Covered
The Act applies to data controllers processing personal data across all user segments. This is not limited to external customer interactions. The scope covers:
- Customers & clients: Billing details, addresses, accounts, tracking cookies.
- Employees & staff: HR files, payroll data, contract details (applies to current & former staff).
- Suppliers & partners: Account contact information, technical logs, IP records.
Reducing Regulatory Risk with DUAA Shield
Failing to have a complaints process may increase regulatory risk, ICO scrutiny, and the likelihood of escalation. Purchasing bespoke legal documentation from solicitors typically costs £400+.
DUAA Shield provides a practical, standardised complaints policy pack for £20. The pack is configured to your business inputs and contains:
- A tailored Data Protection Complaints Policy (PDF)
- Website Notice phrasing
- Acknowledgement and outcome communication templates
- An internal complaints tracker CSV spreadsheet
- Copy-pasteable Privacy Notice amendment wording
Frequently Asked Questions
What happens if we do not have a data protection complaints process?
Failing to have a complaints process may increase regulatory risk, ICO scrutiny, and the likelihood of escalation. It leaves you exposed to immediate compliance audits.
Can we use this policy template for clubs or sole traders?
Yes, this template is designed to support compliance for sole traders, clubs, small businesses, and charities acting as UK data controllers.