UK's New Data Law: You Now Have a Right to Complain

From June 19, 2026, UK companies must offer a formal complaints process for data misuse. Here's what the Data Use and Access Act actually changes.

If you’re in the UK and you’ve ever wondered what to do when a company mishandles your personal data — your photos, your documents, your account details — there’s now a clear, legally required answer. As of June 19, 2026, the Data (Use and Access) Act 2025 requires every organisation that controls personal data in the UK to provide a formal complaints procedure, and to respond to complaints within a set timeframe.

This is a quiet but meaningful shift. For years, UK data protection rights existed on paper but were hard to exercise in practice — you could email a company about a privacy concern and simply never hear back, with no defined process forcing a response. That gap is now closed, at least on paper.

What the Data (Use and Access) Act Actually Requires

The DUAA amends the UK’s existing data protection framework (UK GDPR and the Data Protection Act 2018) rather than replacing it outright. The complaints provision is one of the most concrete parts of the law for ordinary users, because it creates obligations a company can be checked against, not just principles.

From June 19, 2026, every data controller operating in the UK must:

  • Provide an accessible way to submit a complaint, including a complaint form that can be completed electronically, and accept complaints made by other means such as email or post
  • Acknowledge receipt of a complaint within 30 days of receiving it
  • Respond substantively without undue delay, making appropriate enquiries into the complaint and telling you the outcome. The Act puts no day count on this step; the 45-day figure often quoted is a working expectation rather than a statutory deadline, and genuinely complex cases can take longer
  • Maintain a documented, consistent internal process for handling these complaints, rather than ad hoc replies from whichever employee happens to see the message

Crucially, the Act also lets the ICO decline to act on a complaint that hasn't first been put to the company. The ICO has signaled it will expect to see evidence that this internal step happened before it takes up a case, which makes the new procedure the actual front door for most data rights disputes, not a formality you can skip.

Why This Matters for Photos, Documents, and Personal Files Specifically

A lot of data protection conversation focuses on abstract categories — “personal data,” “processing,” “controllers.” For most people, the data that actually matters day to day is more concrete: the photo library on their phone, the scanned documents in a cloud drive, the voice notes and journals they’ve trusted to an app.

If a company holding any of that mishandles it — keeps it after you’ve asked for deletion, uses it for a purpose you never agreed to, or fails to secure it properly — you previously had a right to act, but no guaranteed mechanism for getting a timely answer. The new complaints procedure changes that. A company can no longer quietly ignore a request about your photo library and let the matter die from inaction; it now has a fixed clock running against it from the moment you submit a complaint.

This is particularly relevant for services that touch your most personal content by default — photo backup tools, document scanners, journaling and memory apps — because these are exactly the categories where users tend to discover a problem (an unexpected AI training clause, an unclear retention policy, a data-sharing change) well after they’ve already uploaded years of content.

How to Actually Use This Right

Find the company’s complaints procedure before you need it. Under the new rules, this should be published and reasonably easy to find — typically in the privacy policy or a dedicated “Contact” or “Your Rights” page. If a UK-facing company doesn’t have one after June 19, 2026, that’s itself a compliance gap worth flagging.

Put your complaint in writing, and be specific. Name the exact data involved (which photos, which account, which document), the specific issue (deletion not honored, unauthorized use, a breach you were never told about), and what outcome you want. Vague complaints are easier for a company to deflect; specific ones create a clear paper trail.

Note the date you submitted it and, where you can, the date the company received it. The 30-day acknowledgment clock runs from receipt, and the duty to respond without undue delay starts at the same point, so keeping your own dated record matters if you need to escalate later.

Escalate to the ICO if the company doesn’t respond within the required windows, or if its response doesn’t actually resolve the issue. The ICO’s complaint form is free, and having gone through the company’s internal process first — with dates and copies of your correspondence — strengthens your case considerably.

Who Actually Has to Comply

The obligation falls on “data controllers” — any organisation that decides how and why personal data is processed, which in practice covers almost any company you’d interact with directly: photo and storage apps, banks, retailers, social platforms, employers, schools. It does not fall on “processors” — vendors that merely handle data on a controller’s behalf under instruction — though in practice that distinction rarely matters to an individual user, since you’re complaining to whichever company you actually gave your data to.

A point worth knowing: the obligation isn’t limited to companies headquartered in the UK. Under UK GDPR’s extraterritorial scope, any organisation processing the personal data of people in the UK — offering goods, services, or monitoring behaviour there — falls within reach, regardless of where the company itself is based. A US-headquartered app with UK users is still expected to provide this complaints mechanism to those users; it doesn’t get to treat UK data subjects differently just because its main operations sit elsewhere.

What a Well-Formed Complaint Actually Looks Like

Because the law's timeframes start ticking from the moment the company receives your complaint, the wording and content of the complaint matter more than they might seem. A complaint that's too vague gives a company room to respond vaguely back, technically discharging its duty to respond without resolving anything.

A complaint that holds up well typically states: what data is involved (be as specific as the photo, the file, the account, the date range), what happened that you believe was wrong (deletion ignored, undisclosed use, a breach you weren’t notified of, data shared with a category of recipient you never agreed to), what right you believe was violated (the rights under UK GDPR are largely the same as their EU counterpart — access, rectification, erasure, restriction, objection, portability), and what outcome would resolve it for you. None of this requires legal language; plain, specific, dated language works better than anything that sounds like a legal threat.

How This Compares to Rights Elsewhere

The UK's approach sits alongside, but is distinct from, the EU's GDPR and the patchwork of US state privacy laws that have been expanding steadily (Connecticut, Arkansas, and Utah all added new consumer rights protections taking effect in July 2026, for instance). What makes the DUAA's complaints provision notable is its specificity: it doesn't just give you a "right to lodge a complaint" with a regulator, the way GDPR Article 77 does; it puts a duty on the company itself, with a fixed acknowledgment deadline and an accessible intake process, which is the part that was previously missing in practice.

For users outside the UK, the law doesn’t grant you these specific rights directly, but it’s a useful marker of where data protection enforcement is heading globally: toward concrete, auditable processes rather than aspirational principles. Companies that build a real complaints process for UK users often end up extending similar mechanisms more broadly, since maintaining two entirely separate support tracks is operationally awkward.

What Happens After You Escalate to the ICO

If a company misses its acknowledgment window, fails to respond without undue delay, or resolves your complaint in a way you believe doesn't comply with the law, escalating to the ICO is the next step. The new internal complaints requirement is designed to make that escalation better evidenced, not to remove it: the ICO has indicated it expects to see your prior correspondence with the company, including dates, before it treats a case as ready for its attention.

This sequencing — company first, regulator second — exists for a practical reason: most disputes genuinely can be resolved at the company level once there’s a real deadline forcing a substantive answer rather than silence. The ICO’s resources are better spent on cases where the company’s internal process has already failed, not on first contact for every complaint. Keeping copies of everything you send, and noting submission dates, is what makes that escalation path actually usable if you need it.

What This Doesn’t Fix

It's worth being honest about the limits here. The DUAA's complaints procedure governs how quickly and clearly a company has to respond; it doesn't guarantee the answer will be the one you wanted. A company can still acknowledge your complaint within 30 days, respond promptly, and conclude that it did nothing wrong. The law forces a process, not a particular outcome.

It also doesn’t retroactively undo data uses that already happened. If a company trained a model on your content, shared it with a partner, or otherwise used it in a way you object to before you complained, the complaints procedure gives you a path to challenge that going forward — it can’t unwind processing that’s already occurred.

The Underlying Lesson: Read Before You Upload

The more durable takeaway, regardless of jurisdiction, is the same one that keeps showing up across data protection news this year: it’s far easier to avoid a privacy dispute than to win one after the fact. Knowing a company’s complaints process exists is useful. Not needing to use it, because you chose a service with clear, narrow data practices from the start, is better.

That’s the standard worth applying to anything holding photos, documents, or personal memories: does the provider explain plainly what it does with your content, and does it actually limit itself to that? daftei is built around a simple answer to that question — it never sells data, never trains third-party AI models on user content, and never shows ads, with TLS 1.3 encryption in transit and AES-256 encryption at rest. It’s GDPR and CCPA compliant, and account deletion is permanent and irreversible after a 30-day grace window, with no ambiguity about what happens to your data after that point.

The new UK complaints procedure is a genuine improvement for accountability. The better strategy is still to pick services where you’re unlikely to need it.

Your memories deserve better than an ad platform.
