GDPR/Data Protection – Right to Complain to the Communication Workers Union

GDPR/Data Protection – Right to Complain to the Communication Workers Union

From the 19th of June 2026, UK organisations that process personal data will be legally required to handle data protection complaints internally before individuals can escalate to the Information Commissioner’s Office (ICO).

What changes on 19 June 2026

On 5 February 2026, the ICO confirmed that most remaining data-protection provisions in the Data (Use and Access) Act had already commenced, except the requirement for organisations to have a complaints procedure, which is due to commence on 19 June 2026. The ICO’s main guidance says there are no exemptions from having a process for handling data protection complaints.

The legal structure behind that guidance appears in the Data (Use and Access) Act 2025 explanatory notes. Those notes explain that new section 164A requires controllers to facilitate complaints, acknowledge receipt within 30 days, and take appropriate steps without undue delay, including making enquiries and informing the complainant about progress.

This duty is separate from a person’s right to complain to the ICO. In practice, organisations now need an internal route to handle privacy complaints directly, while still making clear that people can escalate to the regulator.

What counts as a data protection complaint?

The ICO says a person can complain if they believe the CWU has infringed data protection law in the way the union handled their personal information. The ICO’s examples include complaints about how the union handled a subject access request, how securely the union stored personal data, or how the union collected, retained, or used personal information.

Some examples of complaints the CWU might receive could be:

  • Sharing members’ personal data with third parties without the member’s consent
  • Revealing an employee’s trade union membership status without the member’s consent
  • Using members’ personal data for purposes other than trade union purposes
  • Not keeping membership data securely
  • Not keeping membership information up to date
  • Continuing to contact ex-members even though they have specifically requested that the union not to do so
  • Non-members receiving contact even though they have specifically requested that the union not to do so
  • Not sharing a member’s personal data with them when they request the union does so [a subject access request]

This list is not exhaustive as data protection complaints can be widely scoped.

Branch Officers should be aware that under the GDPR, the CWU nationally is considered the ‘Data Controller’ and is therefore responsible for all membership data – even if the data is held at Branch level.

Therefore, the union will ultimately be held responsible for any data breaches or data complaints.

IE all membership data held and processed/controlled by branches is the responsibility of the CWU nationally. There is no such entity as ‘a CWU branch’ as far as the ICO is concerned.

For more information on this please see: What are ‘controllers’ and ‘processors’? | ICO

Complaints do not need to use legal language or cite sections of legislation. This matters operationally because many complaints will arrive in ordinary business language. Therefore, Branches and staff need to be alerted to recognise a potential data protection complaint.

But in the rare occasions where a potential complaint arises, please share this with the CWU Data Protection Officer [DPO details below] as soon as you can. Similarly, please feel free to contact the CWU DPO if you have any queries about this change to the Regulations, or if you have any other queries about data protection/GDPR.

And for further information please see: How to deal with data protection complaints 

The CWU Privacy Policy [see: CWU: Privacy Policy] has been updated accordingly, to say the following:

Data Protection Complaints

The Communication Workers Union takes its data protection responsibilities very seriously and does all it can to avoid data protection infringements but if you believe the union has not met these high standards, you are entitled to complain on that basis.

The Data (Use and Access) Act provides a facility for data subjects to complain to data controllers [The CWU in this case] if they believe the data controller has infringed data protection law in the way they handled their personal information.

This duty is separate from a person’s right to complain to the Information Commissioner’s Office [ICO] see: Make a complaint | ICO

The ICO’s examples include potential complaints about how the CWU handled a subject access request, how securely the CWU stored personal data, or how the CWU collected, retained, or used personal information.

You can submit a complaint to any point of contact in the CWU, but it will help to expedite your complaint if you contact the CWU Data Protection Officer [details below] The complaint can be submitted by email, letter or by phone.

You do not need to use legal language or cite sections of legislation.

Please contact:

Denis Lenihan, Information Manager & Data Protection Officer

Communication Workers Union [CWU]

150, The Broadway

Wimbledon

London, SW19 1RX

Email: dlenihan@cwu.org

Tel: 020 8971 7279

We will acknowledge receipt within 30 days of receiving the complaint.

Any enquiries should be addressed to dlenihan@cwu.org.

Yours sincerely

Karen Rose

Acting General Secretary

LTB 187/26 – GDPR – DATA PROTECTION RIGHT TO COMPLAIN TO THE COMMUNICATION WORKERS UNION

View Online

Leave a comment

Create a website or blog at WordPress.com

Up ↑