DUAA 30-day acknowledgement explained

Under the Data (Use and Access) Act 2025, controllers must acknowledge receipt of a data protection complaint within 30 days. Here’s how the clock actually works.

When does the 30 days start?

The period begins the day after you receive the complaint — not on the day of receipt.

If someone submits a complaint on Thursday 5 June, day one is Friday 6 June.

Weekends and bank holidays

The ICO’s example: if 30 days end on a Saturday, you have until the end of the next working day (e.g. Monday) to acknowledge.

Build your process to handle staff absence (holidays, sickness) so acknowledgements are not missed.

What counts as acknowledgement?

You must confirm you received the complaint and that you will look into it. Methods include:

• Email confirmation
• Letter
• Verbal acknowledgement followed up in writing (for phone complaints)

An auto-confirmation email sent promptly when a form is submitted can satisfy the requirement if it clearly confirms receipt and investigation.

Investigation starts immediately

The ICO states that investigation must begin without undue delay when the complaint is received — not after the 30-day acknowledgement window.

How ComplaintsDesk helps

ComplaintsDesk tracks the acknowledgement deadline per case, sends alerts before day 30, and logs every acknowledgement in an audit trail.

Get the free template or read the full DUAA guide.