GDPR/Data Breach Complaint Letter

#When to Use This Template

  • Your personal data was exposed in a breach
  • A company shared your data without consent
  • Your Subject Access Request (SAR) was ignored
  • Your data was used for purposes you didn't agree to
  • You've suffered distress or financial loss due to data mishandling

#Template Letter

[Your Name]
[Your Address]
[City, Postcode]
[Your Email] | [Your Phone Number]
[Date]


Data Protection Officer / Complaints Department
[Company Name]
[Company Address]
[City, Postcode]

Subject: Formal Complaint Under UK GDPR – Data Breach / Privacy Violation
Reference: [Your customer/account number if applicable]

Dear Data Protection Officer,

I am writing to make a formal complaint regarding a breach of data protection law affecting my personal data.

#What Happened

[Describe what happened. Be specific about dates and what data was affected. Examples below:]

Option A – Data Breach:

On [date], I was notified that [Company Name] experienced a data breach. I understand that my personal data, including [list data types: name, address, email, financial details, etc.], may have been accessed by unauthorised parties.

Option B – Unauthorised Sharing:

On [date], I discovered that my personal data had been shared with [third party name] without my consent. I did not agree to this sharing and was not informed it would happen.

Option C – SAR Not Fulfilled:

On [date], I submitted a Subject Access Request asking for a copy of all personal data you hold about me. Under UK GDPR, you were required to respond within one calendar month. It has now been [X weeks/months] and I have not received a response / received an incomplete response.

Option D – Data Used Incorrectly:

My personal data was used for [purpose], which I did not consent to. This goes beyond the purposes for which I originally provided my data.

#How This Has Affected Me

[Describe the impact. This is important for compensation claims. Examples:]

  • Distress and anxiety – I have been worried about identity theft and fraud
  • Time spent – I have had to spend [X hours] monitoring accounts, changing passwords, and dealing with this issue
  • Financial loss – I have incurred costs of £[amount] for [credit monitoring / replacement documents / etc.]
  • Actual fraud – I have been a victim of fraud which I believe is connected to this breach
  • Embarrassment – Sensitive personal information was exposed to [colleagues / family / the public]

Under UK GDPR and the Data Protection Act 2018:

  • Article 5 – Personal data must be processed lawfully, fairly and transparently
  • Article 6 – Processing requires a lawful basis
  • Article 17 – I have the right to erasure ("right to be forgotten")
  • Article 32 – You must implement appropriate security measures
  • Article 82 – I am entitled to compensation for material and non-material damage

#What I Am Seeking

  1. Full explanation of what happened and what data was affected
  2. Confirmation of what steps you have taken to protect my data going forward
  3. Compensation for the distress, inconvenience, and any financial loss I have suffered
  4. [If applicable] Deletion of my personal data from your systems
  5. [If SAR issue] Full response to my Subject Access Request within 7 days

I believe compensation of £[amount] is appropriate given the distress caused. [Typical range: £250-£2,000 for distress depending on severity; more if actual financial loss.]

#Next Steps

Please respond to this complaint within 28 days.

If I do not receive a satisfactory response, I will:

  1. Report the matter to the Information Commissioner's Office (ICO)
  2. Consider legal action through the small claims court to recover compensation

#Evidence Enclosed

  • Copy of breach notification received
  • Screenshots / correspondence relating to the incident
  • Original SAR request (if applicable)
  • Evidence of financial loss (if applicable)

Yours faithfully,

[Your Signature]
[Your Printed Name]


#After You Send

#Reporting to the ICO

If the company doesn't resolve your complaint:

  • Website: ico.org.uk/make-a-complaint
  • The ICO can investigate and fine companies
  • However, the ICO does not award compensation – for that, you need to go to court

#Small Claims for Compensation

Typical GDPR compensation awards:

| Severity | Typical Award |
|---|---|
| Minor distress (worry, inconvenience) | £250 - £500 |
| Moderate distress (anxiety, time spent) | £500 - £1,500 |
| Significant distress (embarrassment, ongoing anxiety) | £1,500 - £3,000 |
| Serious impact (actual fraud, sensitive data exposed) | £3,000 - £10,000+ |
| Financial loss | Actual loss + interest |

To claim: Use Money Claim Online (moneyclaim.gov.uk) for claims up to £10,000.