UK Data & Privacy
GDPR, CCPA, data subject requests, privacy rights
24 questions
⚖️
Your Rights (7)
I want to access all data a company holds about me. How do I do this?
You can make a subject access request (SAR) in writing or verbally to any UK company holding your personal data — they must respond within one month and provide all your data free of charge, unless the request is manifestly unfounded or excessive.
A company won't delete my personal data when I ask. What are my rights?
You have the right to request erasure of your personal data under UK GDPR, and the company must comply without undue delay — usually within one month.
I was denied a loan by an automated system. Can I challenge the decision?
Yes, you can challenge an automated loan decision in the UK if it involves solely automated decision-making with legal or significant effects, as protected under the UK GDPR and Data Protection Act 2018.
Can I object to a company processing my data for direct marketing?
Yes, you can object at any time to a company processing your personal data for direct marketing — they must stop immediately and free of charge.
A company refuses to correct inaccurate data about me. What can I do?
You can complain to the Information Commissioner’s Office (ICO), request an enforcement notice, or take court action for compensation if inaccurate personal data is not corrected.
Can I get compensation for a data breach that caused me distress?
Yes, you may be entitled to compensation for distress caused by a data breach in the UK, even without financial loss, if the breach resulted from a controller’s failure to comply with UK GDPR or the Data Protection Act 2018.
I want to port my data from one provider to another. Is this my right?
Yes, you have a legal right to port your personal data between providers in the UK under the UK GDPR, provided certain conditions are met.
🍪
Consent & Cookies (3)
I keep getting spam emails. How do I stop them legally?
You can legally stop spam emails in the UK by withdrawing consent, reporting to the ICO, and using your rights under PECR and the UK GDPR.
A website forces me to accept all cookies. Is this lawful?
No, it is not lawful for a UK website to force you to accept all cookies without offering a genuine choice — consent must be freely given, specific, informed, and unambiguous.
A company is using my photo for marketing without consent. Is this legal?
No, it is generally not legal for a company in the UK to use your photo for marketing without your consent, especially if it implies endorsement or harms your privacy or reputation.
🌍
Sharing & Transfers (4)
A company transferred my data outside the UK without safeguards. Is this lawful?
No, it is not lawful for a UK company to transfer your personal data outside the UK without appropriate safeguards, unless an exception applies.
My GP shared my medical records without consent. Is this a breach?
Yes, sharing your medical records without your consent is usually a breach of data protection law and medical confidentiality, unless a specific legal exception applies.
The police accessed my communications data. What law governs this?
The police accessing your communications data in the UK is governed by the Investigatory Powers Act 2016, which sets strict conditions and oversight for such access.
Can my neighbour's CCTV pointing at my property breach data protection law?
Yes, your neighbour's CCTV pointing at your property may breach UK data protection law if it captures personal data about you without a lawful basis, especially where it records areas where you reasonably expect privacy.
🏫
Work & School (3)
My employer monitors my emails at work. Is this legal under UK law?
Yes, your employer can legally monitor your work emails in the UK, but only if they comply with data protection law, have a lawful reason, and inform you about the monitoring.
My child's school is using facial recognition. Is this lawful?
Schools in the UK can only lawfully use facial recognition if it is necessary, proportionate, and compliant with data protection law, including conducting a Data Protection Impact Assessment and establishing a lawful basis under UK GDPR.
My former employer won't erase my personnel records. Must they?
Yes, your former employer must erase your personnel records if you request it under the UK GDPR and Data Protection Act 2018 — but only if one of the legal conditions for erasure applies, such as withdrawal of consent or lack of lawful basis.
📝
Complaints & Remedies (4)
How much can the ICO fine a company for a GDPR breach?
The ICO can fine a company up to £17.5 million or 4% of its global annual turnover — whichever is higher — for the most serious GDPR breaches.
What is a Data Protection Impact Assessment and when is it needed?
A Data Protection Impact Assessment (DPIA) is a process to identify and minimise data protection risks in high-risk processing activities. It is legally required under UK GDPR before starting any processing likely to result in high risk to individuals’ rights and freedoms.
I want to complain about a data protection breach. Where do I go?
You should complain to the Information Commissioner’s Office (ICO), the UK’s independent data protection regulator, which has the power to investigate and take action on data protection breaches.
How long can a company keep my personal data?
A company in the UK must not keep your personal data longer than necessary for the purpose it was collected — there is no fixed time limit, but retention must be justified and regularly reviewed.
📜
Lawful Basis (3)
A company claims 'legitimate interest' to process my data. Can I challenge this?
Yes, you can challenge a company's 'legitimate interest' claim under UK GDPR. You have the right to object at any time, and the company must stop processing unless it demonstrates compelling legitimate grounds that override your rights.
Does a company need a DPO under UK law?
A company must appoint a Data Protection Officer (DPO) under UK law only if its core activities involve large-scale, regular and systematic monitoring of individuals, or large-scale processing of special category or criminal offence data.
A company didn't have a privacy notice when collecting my data. Is this a breach?
Yes, it is likely a breach of UK data protection law. Companies must provide a privacy notice at the time personal data is collected.