Katerina Douni
Data Protection Consultant
Katerina is a Data Protection Consultant at Data Protection People. Having started her journey on the Support Desk, she now helps organisations navigate data protection requirements, providing practical guidance and support to help customers stay compliant at every stage of the process.
Get to Know Katerina
Katerina is a Data Protection Consultant at Data Protection People. She joined DPP in 2024 and enjoys partnering with SMEs that are committed to achieving data protection compliance but may not know where to begin. She is passionate about making compliance accessible and practical, and believes that with the right organisational measures and ongoing support, improving data protection compliance can be a straightforward and achievable process.
A former high jump athlete and National Champion in Greece, Katerina brings a strong sense of discipline, dedication, and responsibility to her work. Outside of her professional role, she enjoys embroidery and spending as much time as possible in the countryside.
Experience
Katerina began her academic journey at the Law School of the National and Kapodistrian University of Athens, Greece. After qualifying as a lawyer, she worked in Greece specialising in civil and corporate law. During this time, she developed a strong interest in data protection and recognised the growing importance of privacy and information governance within the legal landscape.
To further develop her expertise, Katerina moved to the UK and completed an LL.M. in Data Protection and Intellectual Property at the University of Law, Leeds. This provided her with a strong academic foundation in data protection law and its practical application within organisations.
Following her studies, Katerina joined Data Protection People, where she was given the opportunity to build on her knowledge and gain hands-on experience supporting organisations with their compliance obligations. She initially worked within the Support Desk Team before progressing into the Data Protection Consultancy Team. Today, she manages a diverse portfolio of clients across a range of sectors, helping organisations navigate the complexities of data protection and implement practical, effective compliance frameworks.
Drawing on her previous experience as a practising lawyer, Katerina brings a valuable legal perspective to her consultancy work. Her background in both European and UK law provides her with a broad understanding of the regulatory landscape, enabling her to support organisations operating across multiple jurisdictions. This experience allows her to advise clients on international data protection considerations and help businesses navigate differing legal requirements when processing personal data across borders.
"Every data protection journey needs a reliable map, the right tools, and trusted guidance."
Katerina Douni
Data Protection Consultant
Katerina's Posts
Data Protection in Mergers and Acquisitions
Why Data Protection Is Critical in Mergers and Acquisitions
Mergers and acquisitions are complex transactions. They require time, resource, commercial planning and strategic alignment. But one area that is often underestimated is data protection.
Personal data can be one of the most valuable assets transferred during a merger or acquisition. Customer databases, employee records, supplier information, marketing lists, contracts, complaints, case files and historic archives may all form part of the transaction.
If this data has not been collected, used, stored or shared lawfully, it can quickly become a major risk. Organisations may acquire personal data that they cannot lawfully use. They may inherit compliance gaps, weak security controls, poor retention practices or unresolved data subject rights issues.
In some cases, this can affect the value of the deal itself.
A well-known example is the ICO’s enforcement action against Marriott. The ICO fined Marriott £18.4 million in relation to a major data breach that originated from Starwood Hotels and affected around 339 million guest records. Although the cyberattack began before Marriott acquired Starwood, the ICO focused on Marriott’s failures following the acquisition, including weaknesses in monitoring, logging and encryption.
This case highlights an important point. Data protection should not be treated as a post-completion issue. It should be built into the full M&A lifecycle, from due diligence through to integration.
How Can Organisations Manage Data Protection Risks During M&A?
Organisations can manage these risks by addressing data protection early, clearly and practically. This means reviewing how personal data is collected, used, shared, stored and protected before, during and after the transaction.
The key areas to consider include:
- Transparency obligations
- Data protection due diligence
- Data sharing agreements
- Employee data and special category data
- Marketing activities
- Lawful basis assessments
- Retention and data minimisation
- Security during integration
Transparency Obligations Under Article 14 UK GDPR
Organisations must carefully consider their transparency obligations during mergers and acquisitions.
Where personal data is shared or obtained indirectly during the transaction process, Article 14 UK GDPR may apply. Article 14 requires organisations to provide individuals with privacy information where their personal data has not been collected directly from them.
This may arise where an acquiring organisation receives customer, employee, supplier or marketing data from the target organisation before or after completion.
Individuals may need to be informed about:
- The identity of the acquiring organisation
- The purposes for which their personal data will be used
- The lawful basis relied upon
- Any new recipients of the data
- Changes to retention periods
- Their rights under UK GDPR
The parties should clearly allocate responsibility for issuing privacy information within the transaction documents. Communications should be timely, clear and accessible.
Data Protection Due Diligence
Data protection should be built into the due diligence process for any prospective acquisition target.
This due diligence must be detailed enough to help the acquiring organisation assess the legal, operational and commercial impact of any data protection risks.
For example, where significant compliance gaps are identified, the acquiring organisation may need to involve privacy professionals before completion. This may include reviewing privacy notices, lawful bases, data sharing arrangements, retention schedules, data subject rights processes and security controls.
In some circumstances, personal data may have been collected unlawfully. If so, the acquiring organisation may not be able to use that data in the way originally anticipated during negotiations.
This can affect:
- The value of the target organisation
- The commercial viability of the transaction
- The cost and complexity of post-completion integration
- The risk of regulatory scrutiny
- The risk of complaints or data subject rights requests
Sellers should be ready to demonstrate compliance through appropriate documentation, policies and evidence of robust technical and organisational measures.
Buyers should request evidence that these controls have been implemented, maintained and followed by employees responsible for processing personal data.
Data Sharing Agreements
An appropriate data sharing agreement should be established where personal data is exchanged between the parties.
The agreement should clearly define the roles and responsibilities of each party. It should also specify the purposes for which personal data may be shared and processed.
A strong data sharing agreement should address:
- Confidentiality requirements
- Security measures
- Retention and data minimisation
- Data subject rights requests
- Restrictions on onward transfers
- Responsibility for transparency information
- Procedures for dealing with breaches
The parties should ensure that personal data is not retained for longer than necessary. Unnecessary or redundant data should be securely deleted or anonymised.
The agreement should also set out clear procedures for handling data subject rights requests, such as access, erasure and objection. This is especially important where systems and responsibilities are being integrated after completion.
A well-structured data sharing agreement supports compliance and helps reduce legal, operational and reputational risks.
Informing Data Subjects After a Transaction
Organisations must consider when data subjects need to be informed about changes to the processing of their personal data.
In most cases, the organisation that originally collected the personal data should provide the initial notification, particularly where it still has the direct relationship with the individuals concerned.
Following completion, the acquiring organisation may also need to issue updated privacy information where there are changes to:
- The identity of the controller
- The purposes of processing
- The way the information will be used
- The way the information will be shared
- The applicable retention periods
The parties should clearly agree who is responsible for these communications. This should be documented as part of the transaction process.
Employee Data and Special Category Data
Mergers and acquisitions often involve the transfer and integration of large volumes of employee information.
This may include:
- Payroll data
- Sickness records
- Occupational health information
- Disciplinary records
- Equality and diversity monitoring information
- Criminal offence or DBS-related information
- Performance records
- HR case files
Some of this information may include special category data or criminal offence data. This requires careful handling under UK GDPR and the Data Protection Act 2018.
Organisations should assess:
- Whether the processing is necessary and proportionate
- Who requires access to the information during integration
- Whether appropriate lawful bases and conditions for processing apply
- Whether retention periods remain appropriate
- Whether access controls and confidentiality measures are sufficient
Employee monitoring activities should also be reviewed during post-acquisition integration. This may include email monitoring, CCTV, call recording, productivity tracking or system access monitoring.
These activities should be transparent, proportionate and properly documented.
Marketing Data After a Merger or Acquisition
Marketing data can be a valuable asset in a transaction, but it can also create significant compliance risk.
After a merger or acquisition, the acquiring organisation should assess whether the lawful basis previously relied upon for direct marketing remains valid.
This is especially important where consent was obtained by the acquired organisation before the change in ownership.
The acquiring organisation should ask:
- Was consent freely given?
- Was it specific and informed?
- Was it broad enough to cover communications from the acquiring organisation?
- Were individuals told their data may be transferred or used by another organisation?
- Have existing opt-outs been respected?
Individuals should be informed of any changes affecting the processing of their personal data. Privacy notices should be updated to identify the acquiring organisation and explain any new marketing purposes.
The acquiring organisation must also comply with electronic marketing rules, including those under PECR. This includes respecting existing opt-outs and marketing preferences.
Inherited marketing databases should be reviewed carefully to ensure the data is accurate, relevant and lawfully usable.
Reviewing the Lawful Basis for Processing
Organisations should not assume that the lawful basis relied upon by the acquired organisation will automatically continue to apply after the transaction.
This is particularly important where the acquiring organisation intends to use the data for new or expanded purposes.
For example, if customer data was originally collected to provide a specific service, it may not automatically be appropriate to use that data for a new marketing campaign, profiling exercise or analytics project.
Organisations should review whether the existing lawful basis remains valid in the post-acquisition environment.
This may involve reassessing:
- Consent
- Legitimate interests
- Contractual necessity
- Legal obligations
- Special category data conditions
- Criminal offence data conditions
Where legitimate interests are relied upon, organisations should consider whether a new Legitimate Interests Assessment is needed.
International Data Transfers
Mergers and acquisitions frequently involve organisations that operate across multiple jurisdictions. As a result, personal data may be transferred internationally during the due diligence process, system integration or ongoing business operations.
Before transferring personal data outside the UK, organisations should establish whether an international transfer is taking place and ensure that appropriate safeguards are in place.
This may include transfers to:
- Parent companies or group organisations located overseas
- Cloud service providers hosting systems outside the UK
- International HR or payroll platforms
- Third-party suppliers supporting the integration process
- Overseas legal advisers, consultants or auditors
Where personal data is transferred internationally, organisations should assess whether the destination benefits from UK adequacy regulations or whether an appropriate transfer mechanism, such as the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, is required.
Organisations should also consider whether a Transfer Risk Assessment is necessary and ensure that any international transfers are reflected within their privacy information and Records of Processing Activities.
International data transfers should form part of the wider due diligence exercise, particularly where the target organisation relies heavily on overseas suppliers or cloud-based infrastructure.
Third-Party Suppliers and Processor Contracts
Many organisations rely on external suppliers to process personal data on their behalf. During a merger or acquisition, these supplier relationships should be reviewed carefully to ensure they continue to meet UK GDPR requirements.
The acquiring organisation should identify all processors and sub-processors involved in handling personal data and review the contractual arrangements already in place.
Organisations should consider:
- Whether Article 28 compliant processor agreements exist
- Whether suppliers continue to provide appropriate security measures
- Whether suppliers process personal data only on documented instructions
- Whether subcontracting arrangements have been authorised appropriately
- Whether supplier due diligence remains current
- Whether supplier contracts require updating following the transaction
Where new suppliers are appointed during integration, organisations should ensure that appropriate contractual safeguards are implemented before personal data is shared.
Supplier risk management should remain an ongoing process after completion, particularly where critical systems or large volumes of personal data are involved.
Records of Processing Activities
Following a merger or acquisition, organisations should review their Records of Processing Activities (ROPAs) to ensure they accurately reflect how personal data is processed across the newly combined organisation.
Business processes often change significantly during integration. Departments may merge, new systems may be introduced and personal data may begin flowing between teams that previously operated independently.
Records of Processing Activities should therefore be updated to reflect:
- New processing activities
- Changes to the purposes of processing
- Updated categories of personal data
- New recipients of personal information
- International transfers
- Revised retention periods
- New security measures
Maintaining accurate Records of Processing Activities helps organisations demonstrate accountability and provides an important foundation for wider compliance activities.
Data Protection Impact Assessments
The integration of systems, technologies and business processes may introduce new risks to the rights and freedoms of individuals. Where this is the case, organisations should consider whether a Data Protection Impact Assessment (DPIA) is required.
A DPIA helps organisations identify privacy risks before new processing begins and allows appropriate controls to be implemented at an early stage.
A DPIA may be appropriate where the merger or acquisition involves:
- Large-scale processing of personal data
- The introduction of new technologies
- Extensive profiling or automated decision making
- Large-scale processing of special category data
- Employee monitoring technologies
- The consolidation of multiple customer databases
Completing a DPIA during integration supports privacy by design and helps organisations demonstrate compliance with UK GDPR.
Cyber Security Due Diligence
Cyber security should be considered alongside legal and financial due diligence during every merger or acquisition. Weak cyber security controls within the target organisation can quickly become the acquiring organisation’s responsibility following completion.
Organisations should therefore assess the maturity of the target’s security framework before the transaction completes.
This review may include:
- Previous personal data breaches or cyber incidents
- Vulnerability management processes
- Patch management procedures
- Penetration testing results
- Access management controls
- Business continuity and disaster recovery arrangements
- Incident response procedures
- Cyber Essentials or ISO 27001 certification
Any weaknesses identified during due diligence should be documented, risk assessed and, where appropriate, addressed as part of the post-completion integration programme.
Artificial Intelligence and Automated Processing
Many organisations now use artificial intelligence tools to support customer service, recruitment, marketing, analytics and internal business operations. During a merger or acquisition, these technologies should be reviewed alongside more traditional data protection considerations.
The acquiring organisation should understand:
- How AI systems process personal data
- Whether automated decision making is taking place
- Whether meaningful human oversight exists
- Whether individuals have been informed appropriately
- Whether appropriate lawful bases have been identified
- Whether suppliers provide sufficient contractual safeguards
Organisations should also review whether personal data inherited through the transaction can lawfully be used to train, improve or develop AI systems. Using personal data for purposes that individuals would not reasonably expect could create compliance risks under UK GDPR.
As organisations increasingly adopt AI technologies, reviewing these systems during mergers and acquisitions is becoming an essential part of effective data protection due diligence.
Retention and Data Minimisation
After a merger or acquisition, organisations should review the personal data they have inherited.
The aim is to ensure that the data is still needed, still accurate and not being kept for longer than necessary.
In many cases, organisations inherit large volumes of old, duplicate or unnecessary information. This can create legal, operational and security risks.
This may include:
- Obsolete records
- Duplicate databases
- Old backups
- Inactive marketing lists
- Former employee records
- Archived files that are no longer required
- Shared drives containing historic personal data
- Old complaint or case files
- Legacy systems that are no longer actively used
If this information is retained without proper review, organisations may increase the risk of:
- Personal data breaches
- Unauthorised access
- Inaccurate information being used
- Longer and more complex Subject Access Requests
- Higher storage and management costs
- Greater exposure in the event of a cyber incident
As part of the integration process, organisations should assess:
- Whether the personal data is still needed
- Whether retention periods remain appropriate
- Whether the information is accurate and up to date
- Whether duplicate records exist across systems
- Whether there is still a lawful basis to retain the information
- Whether access to historic records is appropriately restricted
Particular attention should be given to inherited marketing databases and employee records.
Marketing data should be reviewed to ensure it was collected lawfully, remains accurate and can still be used in line with UK GDPR and PECR requirements. Existing opt-outs and suppression lists should continue to be respected.
Employee records should not automatically be retained indefinitely simply because they have transferred to a new organisation. Retention periods should continue to reflect legal, regulatory and business requirements.
Appropriate data clean-up exercises should be carried out during integration. This may include:
- Deleting obsolete or redundant records
- Removing duplicate information
- Reviewing and updating retention schedules
- Restricting access to historic data
- Securely archiving information that still needs to be retained
- Anonymising information where appropriate
Decisions about retention and deletion should be properly documented as part of the organisation’s wider accountability obligations.
Security During Integration
The integration phase can create heightened security risk.
Systems may be migrated, consolidated, reconfigured or retired. Access permissions may change. Data may move between platforms, suppliers, teams and locations.
During this period, organisations should ensure appropriate technical and organisational measures are in place.
This may include:
- Access controls
- Encryption
- Secure data transfer methods
- Audit logging
- Monitoring
- Role-based access permissions
- Supplier due diligence
- Clear incident response procedures
Personal data should only be accessible on a need-to-know basis.
Organisations should also ensure that integration activity does not weaken existing security controls or create unnecessary exposure.
Data Protection Due Diligence Checklist for Mergers and Acquisitions
Every merger or acquisition is different, but there are a number of core data protection checks that should be completed before, during and after the transaction. The checklist below provides a practical starting point for organisations looking to reduce compliance risk and support a smooth integration.
| Area | Key Question | Complete? |
|---|---|---|
| Due Diligence | Has a full data protection due diligence review been completed? | ☐ |
| Privacy Notices | Have transparency obligations under Article 14 UK GDPR been assessed? | ☐ |
| Lawful Basis | Has every processing activity been reviewed to confirm the lawful basis remains valid? | ☐ |
| Marketing | Can inherited marketing databases continue to be used lawfully under UK GDPR and PECR? | ☐ |
| Employee Data | Has special category and criminal offence data been identified and protected appropriately? | ☐ |
| Supplier Contracts | Have processor agreements and third-party supplier contracts been reviewed? | ☐ |
| International Transfers | Have all international data transfers been identified and appropriate safeguards implemented? | ☐ |
| Security | Have technical and organisational security measures been independently assessed? | ☐ |
| Cyber Security | Have previous cyber incidents, vulnerabilities and security certifications been reviewed? | ☐ |
| Retention | Has inherited personal data been reviewed against retention schedules and data minimisation requirements? | ☐ |
| Records of Processing | Have Records of Processing Activities (ROPAs) been updated following integration? | ☐ |
| DPIAs | Has a Data Protection Impact Assessment been completed where required? | ☐ |
| Data Subject Rights | Are processes in place to manage Subject Access Requests and other individual rights after the transaction? | ☐ |
| AI and New Technology | Have AI tools and automated processing activities been reviewed for compliance? | ☐ |
| Governance | Have accountability documents, policies and staff responsibilities been updated following completion? | ☐ |
Completing these checks before and during integration can help organisations identify compliance gaps early, reduce legal and operational risk, and demonstrate accountability under UK GDPR.
Conclusion
Data protection should be treated as a fundamental part of the mergers and acquisitions lifecycle.
It should not be left until after completion.
From due diligence through to integration, organisations must ensure that personal data is lawfully obtained, properly governed, transparently processed and securely managed in line with UK GDPR and PECR obligations.
By embedding data protection into due diligence, contractual arrangements, transparency obligations, lawful basis reviews, marketing activity, retention decisions and system integration, organisations can reduce risk and support a smoother post-acquisition transition.
Data Protection People can support organisations throughout this process. We can help identify and reduce compliance risks, support due diligence activity, review marketing and transparency obligations, and help implement practical data protection measures throughout the transaction lifecycle.
Planning a merger or acquisition?
Data Protection People can support your organisation with data protection due diligence, supplier reviews, transparency obligations, contract reviews, DPIAs, and post-acquisition integration to help reduce compliance risk throughout the transaction.
Frequently Asked Questions
Does UK GDPR apply during mergers and acquisitions?
Yes. UK GDPR applies whenever personal data is collected, reviewed, shared, transferred or integrated as part of a merger or acquisition. This includes customer data, employee records, supplier information, marketing databases and historic records.
What personal data should be reviewed during M&A due diligence?
Organisations should review all personal data that may transfer as part of the transaction. This may include customer records, employee files, payroll data, supplier information, contracts, complaints, marketing lists, archived data, backups and information held in legacy systems.
Can marketing databases be transferred after an acquisition?
Marketing databases can transfer as part of an acquisition, but the acquiring organisation must assess whether the data can still be used lawfully. This includes reviewing consent, legitimate interests, privacy notices, opt-outs and compliance with PECR.
What is Article 14 UK GDPR in mergers and acquisitions?
Article 14 UK GDPR applies where an organisation receives personal data indirectly, rather than collecting it directly from the individual. In an M&A context, this may require the acquiring organisation to provide privacy information to customers, employees, suppliers or other individuals whose data has been obtained through the transaction.
Why is data protection due diligence important?
Data protection due diligence helps organisations identify legal, operational and security risks before completing a transaction. It can reveal whether personal data has been collected lawfully, whether it can be used as intended and whether any compliance gaps could affect the value or viability of the deal.
Do organisations need a data sharing agreement during M&A?
Where personal data is shared between parties during a transaction, a data sharing agreement should be used to define roles, responsibilities, permitted purposes, security measures, retention rules and processes for handling individual rights requests.
Should employee data be treated differently during an acquisition?
Employee data should be handled carefully because it may include special category data, criminal offence data, sickness records, occupational health information, disciplinary records and payroll information. Access should be limited, lawful bases should be reviewed and retention periods should remain appropriate.
How can Data Protection People help with M&A data protection?
Data Protection People can support organisations with data protection due diligence, privacy notices, supplier reviews, lawful basis assessments, marketing data reviews, DPIAs, ROPAs, data sharing agreements and post-acquisition integration planning.
Trump v. Slaughter Decision
What the Trump v. Slaughter Decision Means for the EU-US Data Privacy Framework
The future of the EU-US Data Privacy Framework (DPF) has once again come under scrutiny following the recent US Supreme Court decision in Trump v. Slaughter. On 29th June, the US Supreme Court delivered its judgment ruling that the President can remove Federal Trade Commission (FTC) commissioners without the restrictions that previously applied, meaning the FTC can no longer be regarded as an independent agency in the same way as before.
This has led the privacy advocacy organisation noyb to argue that one of the key safeguards underpinning the European Commission’s adequacy decision has been weakened, as the Commission relied on the FTC’s independence when concluding that the United States provides an adequate level of protection for personal data.
Although the EU-US Data Privacy Framework remains legally valid, the judgment has raised questions about its long-term future and whether it may face another legal challenge before the Court of Justice of the European Union (CJEU).
This development is most relevant to organisations that transfer personal data to the US, particularly where rely on the EU-US DPPF or the UK Extension. This includes organisations using US-based cloud services, HR platforms, CRM systems, payroll providers and other software providers certified under DPF.
This is not the first time organisations have found themselves in this position.
Many will remember the end of Safe Harbour in 2015, followed by the Privacy Shield being struck down in the Schrems II judgment in 2020. On both occasions, organisations had to revisit their international data transfer arrangements and adopt alternative safeguards.
Whether or not the current challenge succeeds, it highlights a wider issue. International data transfers between Europe and the United States continue to depend on legal frameworks that are regularly challenged before the courts. For organisations, this creates uncertainty and makes long-term planning more difficult.
What does this mean in practice?
For now, there is no immediate action required.
The EU-US Data Privacy Framework (DPF), including the UK Extension, remains a valid transfer mechanism under both EU GDPR and UK GDPR, and organisations can continue relying on it for transfers of personal data to certified US organisations. There has been no change to the law and neither European nor UK regulators have advised organisations to stop using it.
That said, this is a timely reminder to understand how your organisation transfers personal data outside the UK and Europe.
Many organisations know they use Microsoft 365, Google Workspace, Salesforce or other US-based services, but have never documented exactly which transfer mechanisms they rely upon or whether appropriate transfer assessments have been completed.
If the legal position were to change, organisations that already understand their international transfers would be in a much stronger position than those starting from scratch.
What if the DPF was invalidated?
If the DPF were to be invalidated, organisations would not necessarily need to stop transferring personal data to the United States immediately, but they would need to rely on alternative transfer mechanisms such as Standard Contractual Clauses (SCCs) under EU law, or the International Data Transfer Agreement (IDTA) or UK Addendum under UK GDPR.
In practice, however, this would not be a simple “swap” of legal mechanisms.
This is because of the key principles established in the Schrems II judgment, where the Court of Justice of the European Union ruled that international data transfers must ensure an “essentially equivalent” level of protection to that guaranteed within the EU.
The Court also found that US surveillance laws could, in certain circumstances, allow public authorities to access personal data in ways that were not sufficiently limited or subject to effective legal remedies, which led to the invalidation of the previous Privacy Shield framework.
As a result, even when organisations rely on SCCs, the IDTA, or the UK Addendum, they are required to carry out a Transfer Risk Assessment (TRA) to assess whether the laws and practices in the destination country could impact the effectiveness of those safeguards. Where risks are identified, additional technical and organisational measures may be necessary to protect the data in practice.
Many large technology providers already offer SCCs and IDTAs alongside their participation in the DPF, meaning contractual arrangements may remain in place even if the DPF is removed. The main impact would therefore be on organisations’ legal assessment and justification for the transfers, which would need to be revisited and strengthened.
Does this mean organisations should move all their data to Europe or the UK?
Not necessarily. It’s true that some commentators have suggested that organisations should reduce their reliance on US technology providers or move more data into UK or European data centres.
While this may reduce some risks, it is not always a complete solution. If a US-based provider can still remotely access the data, the international transfer issues may still arise: the location of the server is only one part of the picture.
For most organisations, good governance remains far more important than where the server is physically located – for this reason, understanding what personal data leaves the UK, where it goes, why it is transferred and what safeguards are in place is likely to have a greater impact on compliance than simply changing suppliers.
So, what should organisations do now?
- Continue relying on the DPF where it is appropriate
- Identify which suppliers rely on the DPF or UK Extension (this should be already determined within RoPA)
- Monitor developments from the European Commission, EDPB and ICO.
Our view
The Trump v. Slaughter decision should not cause organisations to panic, but neither should it be ignored: the DPF remains valid and organisations should continue using it where appropriate. However, the judgment is another reminder that international data transfers remain one of the most legally complex areas of data protection law.
Rather than asking whether the DPF will survive, organisations should be asking themselves different questions:
- Do we know where our personal data is transferred?
- Have we identified which suppliers rely on the DPF?
- Have we completed Transfer Risk Assessments where they are required?
- If the legal position changed tomorrow, could we quickly identify the transfers that would be affected?
These are sensible governance questions regardless of what happens to the DPF.
It is important to note that many organisations assume they do not transfer personal data to the US because their supplier stores data in the UK or Europe. However, common business systems are operated by US companies or allow support, maintenance or remote access from the US – this means international transfers can occur even where data is hosted within Europe.
In summary, we are now waiting to see how this develops following the Trump v. Slaughter decision. For the moment, the EU-US Data Privacy Framework remains valid and in force. Organisations can continue to rely on it for international data transfers. However, its long-term stability is now being questioned. Further legal or regulatory developments will be important to watch closely.
Data Protection People can help you. Understanding international data transfers is no longer simply a contractual exercise; organisations should understand where personal data is transferred, which transfer mechanisms they rely upon and whether appropriate assessments have been completed. Our data protection consultancy team can help you:
- Review your international data transfers activities
- Identify where you rely on the DPF, SCCs or the UK IDTA
- Complete or review your TRAs
- Undertake due diligence on your suppliers and identify risks and opportunities, in particular assessing supplier arrangements
- Ensure your transfer documentation remains up to date.
If you would like to discuss your international transfer arrangements or understand how these developments may affect your organisation, please get in touch with our team.
Relevant links:
NOYB formally wrote to the European Commission calling for it to withdraw its adequacy decision on the US.
Data Protection Complaints Update
New Legal Duty: Data Protection Complaints Procedures Required by June 2026
The Data (Use and Access) Act 2025 introduces a new obligation for all organisations. By June 2026, you must have a formal procedure in place for handling data protection complaints.
The Information Commissioner’s Office (ICO) has published draft guidance to help organisations prepare. While the guidance is open to consultation until October 2025, the core requirements are unlikely to change.
This update explains what the law requires, how to prepare, and what steps you should take now.
Why is this change important?
Until now, if an individual complained to the ICO, the regulator often redirected the issue back to the organisation. From June 2026, the ICO will expect individuals to use your complaints procedure first before they escalate to the regulator.
If you do not have a clear and accessible procedure in place, the ICO may identify this as a compliance gap quickly.
What the law requires
From June 2026, every organisation must:
- Provide a procedure for people to raise data protection complaints directly.
- Acknowledge complaints within 30 days of receiving them.
- Investigate and take appropriate steps without undue delay, keeping the complainant informed.
- Provide an outcome without undue delay, including a clear explanation of actions taken.
- Keep records of all complaints and how they were handled.
How people can complain
The law does not prescribe one method, but you must make it easy for individuals to raise complaints. Options include:
- An electronic or written complaints form
- Telephone line for complaints
- Online complaints portal
- Live chat with escalation to a human agent
- In-person option if no online presence
Organisations must also publish their complaints procedure, either on their website or provide it at the earliest opportunity.
The 5-Step Data Protection Complaints Process
1. Acknowledge
Acknowledge within 30 days (email auto-response, letter, or written follow-up to verbal complaints). The timeframe begins the day after receipt, even if received on a weekend or holiday.
2. Investigate
Identify the issue clearly and gather relevant facts. Speak to staff, compare records, and review internal policies. Ask the complainant for clarification or evidence early on.
3. Update on progress
Keep the complainant informed if the investigation takes time. Provide a contact point and expected completion date.
4. Provide outcome
Respond as soon as possible with a clear explanation. State actions taken and provide enough detail for the individual to understand your conclusion. Inform them of their right to escalate to the ICO if they remain dissatisfied.
5. Record keeping
Keep a record of receipt, acknowledgement, investigation steps, outcome, and actions taken. Agree a suitable retention period for complaint records.
Key steps to take now
- Collaborate internally to agree your complaints handling process.
- Assign responsibility for investigating and resolving complaints.
- Draft and publish a complaints procedure before June 2026.
- Update staff training so all employees can recognise a data protection complaint.
- Integrate the procedure into your privacy notices to raise awareness.
FAQs
Who does this apply to?
All organisations that process personal data, regardless of size or sector.
Do we need a new procedure if we already have a complaints process?
You may adapt an existing process, but it must specifically cover data protection complaints.
What happens if we do not comply?
Failure to publish or follow a complaints procedure may expose your organisation to ICO scrutiny and could be treated as a breach of the Data (Use and Access) Act 2025.
Does the 30-day acknowledgement mean we must resolve complaints within 30 days?
No. You must acknowledge within 30 days. The investigation and outcome must be provided “without undue delay”, which means as quickly as reasonably possible.
Can complaints be made on someone else’s behalf?
Yes, but you must confirm the person is authorised, for example by checking a signed authority letter or power of attorney. If no evidence is provided, you do not have to investigate.
Should we publish this procedure online?
Yes, the ICO expects organisations to make the process easily accessible, ideally via your website and privacy notices.
Final thoughts
This is a significant compliance change that will affect every organisation. The ICO is clear that complaints procedures will become a focal point for accountability and transparency.
At Data Protection People, we recommend starting preparations now so you are not caught out in 2026. If you need help designing or embedding a compliant complaints procedure, our consultancy team can support you.