17.8 UK data rights and remedies

Rows of data-centre equipment
Privacy controls matter, but enforceable rights provide a route when controls fail.

Status reviewed 15 July 2026. All data-protection provisions of the Data (Use and Access) Act 2025 were in force by 19 June 2026. This page gives general information about the ordinary UK data-protection regime, not advice on litigation, law-enforcement files, intelligence processing, journalism, employment, or a particular exemption.

What changed

The Data (Use and Access) Act 2025 amended rather than replaced the UK GDPR, Data Protection Act 2018, and Privacy and Electronic Communications Regulations. It also created a statutory structure for registered digital verification services, enabled smart-data schemes, changed aspects of cookies and electronic communications, altered regulator powers and governance, and amended parts of online-safety law.

For an individual, the most visible data-protection changes are these: organisations now have an express statutory complaints process; subject-access searches need only be reasonable and proportionate; time can pause in defined circumstances while an organisation seeks clarification; the law provides a broader route for significant automated decisions not involving special-category data, with safeguards; and some processing purposes receive clearer or recognised legitimate-interest treatment. The Act did not remove the core rights listed below.

The rights that remain

Rights are conditional tools, not commands that always produce the requested result. The applicable right depends on why the organisation processes the data, what data it is, whether an exemption applies, and whether competing rights such as freedom of expression are engaged. Make the request that matches the outcome you need.

Access

A subject access request asks whether an organisation processes your personal data and, if so, for a copy and supporting information such as purposes, categories, recipients, retention, source, rights, and relevant automated-decision information. You do not need a special form or the phrase "subject access request". A clear written request is easier to prove.

The normal response period is one month, with a possible extension for complexity or multiple requests. An organisation can ask for information reasonably needed to verify identity and, after the 2025 Act, may ask for clarification where reasonably required to identify the information or processing sought. The statutory clock can pause while it waits for that clarification. It only has to make reasonable and proportionate searches, not every technically imaginable search. Narrowing by account, date, system, transaction, or event often produces a faster and more useful result.

Access does not guarantee unredacted copies of every document. The organisation must protect other people's data and may rely on exemptions. The right is to your personal data and required context, which may be provided through extracts or an intelligible compilation rather than the original file.

Correction, erasure, and restriction

Use rectification where data is inaccurate or incomplete. State the disputed field, the correct value, and the evidence. An opinion is not necessarily inaccurate merely because you disagree, but a record may need your challenge or context attached.

Erasure applies in defined circumstances: for example, data is no longer needed for its purpose, consent is withdrawn and no other basis remains, a valid objection succeeds, processing was unlawful, or deletion is legally required. It is not an absolute right. Legal obligations, claims, public tasks, health and research rules, and freedom of expression can justify continued retention. Ask the organisation to identify the basis and retention period if it refuses.

Restriction can be useful while accuracy, lawfulness, or an objection is being resolved. It may preserve data but limit active use. That can be safer than immediate deletion where records may be evidence of fraud, harassment, discrimination, or a complaint.

Objection and direct marketing

You can object to processing based on public task or legitimate interests on grounds relating to your situation. The organisation must stop unless it demonstrates compelling legitimate grounds overriding your interests, rights, and freedoms, or needs the data for legal claims. An objection therefore benefits from a concrete explanation of harm, vulnerability, inaccuracy, or disproportion.

The right to object to use of personal data for direct marketing is stronger: it is absolute. The organisation should stop using the data for that marketing. It may keep a minimal suppression record so it does not accidentally add you again; deletion of every trace can undermine the opt-out.

Portability

Data portability applies to data you provided, processed by automated means on consent or contract. It supports receiving that data in a structured, commonly used, machine-readable form and, where technically feasible, transmitting it to another controller. It is narrower than access and does not force a company to reveal every inferred score or proprietary system.

Automated decisions after the 2025 Act

The amended regime permits more solely automated decisions with legal or similarly significant effects where an organisation has a valid lawful basis, rather than limiting ordinary-data decisions to the older short list of contract, law, or explicit consent. Special-category data, such as health, ethnicity, political opinion, religion, sexual orientation, or biometric data used for unique identification, remains more restricted.

Broader permission does not mean no protection. The organisation must provide safeguards that include information about the decision, an opportunity to make representations, the ability to obtain meaningful human intervention, and a route to contest the outcome. General fairness, transparency, accuracy, minimisation, security, and discrimination law still apply. A nominal human who merely approves a computer result without real authority or review may not be meaningful intervention.

If an age estimate, fraud score, recruitment filter, credit decision, insurance decision, benefit process, or account suspension has a serious effect, ask: Was the final decision solely automated? What data and principal factors were used? What lawful basis applies? Was special-category data involved? How can a competent human reconsider it and correct wrong inputs? Avoid demanding disclosure of source code; the useful legal issue is meaningful information about logic, significance, consequences, and safeguards.

The new complaints duty

Since 19 June 2026, organisations handling personal data must facilitate data-protection complaints, for example through an electronic complaint route. They must acknowledge a complaint within 30 days, take appropriate steps to investigate, and tell the complainant the outcome without undue delay. The 30-day acknowledgement rule applies to the complaint, not as a replacement for the separate time limits governing a rights request.

Separate the two where necessary. A message can say: "This email contains (1) a subject access request for the listed data and (2) a complaint that the organisation disclosed my address without a lawful basis." That prevents an organisation treating a request for records as though it were only dissatisfaction, or treating a complaint as though supplying a data copy resolves the alleged breach.

An effective complaint identifies the organisation, account or reference, event and date, personal data involved, why the handling appears wrong, harm or risk, previous contact, and the remedy sought. Remedies might include correction, deletion where applicable, restriction, an explanation, restored access, a human review, improved security, notification to recipients, or confirmation of a changed process.

Age and identity checks

An age-assurance or digital-identity provider is still subject to data-protection law. Ask for the controller's identity, purpose, lawful basis, fields collected, source, recipients, retention, international transfers, whether a biometric template is created, whether data trains a model, whether the relying service receives identity or only an age attribute, and how to appeal a false result.

Data minimisation matters particularly here. The ICO says that in many cases viewing an official identity document may be excessive where a method processing less information can achieve the required confidence. A verifier should not reuse age-check data for advertising or an incompatible purpose. Accuracy and equality matter because facial age estimation can perform unevenly and an error may deny access to an adult.

If a provider says it deletes the image immediately, access may reveal little because deleted data cannot be supplied. You can still ask for transaction metadata, decision result, confidence or age band where held, recipients, retention policy, and evidence of any human review. Do not send another passport copy in an ordinary email unless proportionate identity verification genuinely requires it and a secure route is provided.

Making an effective request

  1. Identify the outcome: copy, correction, deletion, stopped marketing, restricted use, portability, human review, or complaint resolution.
  2. Write to the privacy contact or any clear organisational contact. Keep a copy and delivery evidence.
  3. Give enough information to locate the record: name used, account, relevant email or phone, dates, and transaction. Do not volunteer unrelated identity data.
  4. Name the right, but describe the substance. A request is not invalid merely because the legal label is imperfect.
  5. Ask for secure delivery. A large unencrypted email attachment can create a fresh breach.
  6. Record the response deadline, clarification pauses, extension notice, and every reply.
  7. If refused, ask for the relied-on exemption or reason, the balancing assessment where relevant, and information about ICO and court remedies.

A concise access request might say: "Please provide my personal data relating to account X and the age-verification transaction on 2 July 2026, including the data submitted, decision and confidence data held, source, recipients, retention period, and any solely automated decision information. Please tell me promptly if you reasonably require clarification or identity evidence." Tailor it; do not send a generic demand for "all data everywhere" when a specific event is the real concern.

Limits and escalation

An organisation can refuse or charge a reasonable fee for a manifestly unfounded or excessive request, but it should explain the decision. It may withhold information to protect another person, legal privilege, crime prevention, regulatory functions, journalism, research, or other statutory interests. Different rules apply to police and intelligence processing. A disagreement is not proof that the organisation acted unlawfully.

Complain to the organisation first unless urgency or safety makes that inappropriate. If the response is absent or unsatisfactory, the ICO provides a complaint route and will normally want the correspondence and evidence. The ICO is a regulator, not your lawyer, and does not award compensation. Courts can enforce rights and may award compensation where legal requirements are met; limitation, costs, evidence, and litigation risk make legal advice important before a claim.

For an immediate risk of identity theft, stalking, intimate-image abuse, financial loss, or physical harm, do not wait for a subject access response as the only action. Preserve evidence, secure accounts, contact the relevant service or bank, and use police or specialist support where appropriate.

Official sources