DUAA June 19: Your Restaurant, Pub or Hotel Has 7 Days to Fix Its Data Complaints Process

ComplianceAlert Editorial·UK Regulatory Specialists
12 June 2026·13 min read

The Data (Use and Access) Act's Section 164A comes into force on 19 June 2026. From that date, every business that handles personal data — including every restaurant, pub, hotel and café in the UK — must have a documented, formal process for customers to lodge data complaints. There are no exemptions for small businesses. The ICO's fines under the enhanced PECR framework now reach £17.5 million. You have seven days.

Hospitality businesses are in an unusual position: you collect more personal data per customer than almost any other sector — bookings, dietary requirements, CCTV footage, loyalty schemes, marketing lists — yet data governance has never been a front-of-house priority. DUAA changes that. This guide explains exactly what you need to have in place before June 19, and how to get it done without a solicitor or a DPO.

What DUAA Section 164A Actually Requires

Section 164A of the Data (Use and Access) Act amends the UK GDPR to introduce a mandatory formalised complaints handling procedure for all data controllers. This is the mechanism by which a customer — or employee, or supplier — can formally complain if they believe their personal data has been mishandled.

Your procedure must do five things:

  • Be clearly documented — written down, accessible, and referenced in your privacy policy
  • Acknowledge receipt within 30 days — Section 164A sets this as the statutory deadline
  • Investigate the complaint systematically — you must show that you looked into it, not just acknowledged it
  • Respond with findings — what you found, what you did about it, and why
  • Signpost ICO escalation — complainants must know they can take unresolved complaints to the ICO

This is not optional and it is not limited to large businesses. Section 164A applies to every data controller — which means every hospitality business that holds a customer's name, email address, dietary preference, or booking history. There is no micro-business exemption and no grace period after 19 June.

The ICO published its updated SME guidance in May 2026 specifically to remove any ambiguity on scope. If you process personal data, you are a data controller, and the obligation applies to you.

Why Hospitality Is Especially Exposed

The ICO named hospitality as one of its 2026 enforcement priority sectors. The reason is straightforward: hospitality businesses collect an unusually large volume of sensitive personal data, and they do so through multiple channels simultaneously — often without the governance infrastructure you would find in, say, a financial services business. That gap is what DUAA is designed to close.

Consider what your business actually holds:

Booking platform data

If you use OpenTable, TheFork, ResDiary, Resy, SevenRooms or any other reservation system, you hold customer names, email addresses, phone numbers, visit histories, dietary requirements, special occasion notes, and spending preferences. A loyal customer who has visited 15 times may have a profile that reads: "anniversary table, severe nut allergy, prefers table 7, requests quiet section." That is deeply personal data — and the dietary note is special category health data under UK GDPR. Your obligations around it are heightened.

Critically: OpenTable is your data processor, not your data controller. The responsibility for data complaints about that customer record rests with you, not the platform. Your agreement with the booking platform does not transfer ICO liability to them.

CCTV footage

Every customer who walks through your door is captured on your CCTV system. Do you have a documented retention policy? The ICO recommends no longer than 30 days unless there is a specific operational reason. Is your CCTV deletion schedule automated or manual? Is the retention period documented? If a customer asks why their image is being retained and for how long, can your staff answer that question? If not, you are already operating outside existing GDPR guidance — and Section 164A adds an enforcement layer to that gap.

Email marketing lists

Every email address on your restaurant newsletter, promotional list, or post-visit survey response is personal data. When did you last audit consent logs? Do you have a record of when each subscriber opted in and how? Under DUAA, a customer who wants to complain about receiving marketing emails without valid consent can now trigger a formal complaints procedure backed by ICO enforcement powers. "We just added them" is not a defence.

Loyalty schemes

Points balances, spend histories, beverage preferences, visit frequencies — loyalty scheme data is among the most comprehensive personal data profiles in any sector. If your scheme runs through a third-party app, the same rule applies as with booking platforms: you are the controller. The app provider is the processor. ICO complaints come to you.

Pre-orders, deposits and event bookings

Wedding venues, function rooms, corporate lunch accounts, pre-paid tasting menus: these all involve personal data, payment history, and often dietary or accessibility information. If any of that data handling is queried by the person it relates to, you now need a formal process for dealing with it.

What the ICO Can Do After June 19

DUAA strengthens the ICO's enforcement toolkit significantly. The PECR fine cap — which covers electronic marketing, communications tracking, and data cookies — rises to £17.5 million (or 4% of global annual turnover, whichever is higher). For a restaurant group sending marketing emails without a GDPR-compliant complaints procedure in place, that is real exposure.

More immediately, from 19 June, businesses that fail to handle data complaints under Section 164A risk:

  • ICO formal investigation notices — the ICO can open an investigation if a complaint goes unacknowledged or unresponded to
  • Reprimand notices — these are public record and visible on the ICO's website, which matters for any business where customer trust is central to trading
  • Mandatory data audits — the ICO can require you to submit to an audit of your data processing activities
  • Escalating fines — the fine structure is graduated: failure to have a procedure in place, combined with failure to respond to a complaint, combined with a substantive data breach, stacks enforcement exposure significantly

The ICO's 2026/27 enforcement strategy specifically targets "systematic non-compliance" — defined as businesses that had the information, had the time to comply, but chose not to act. June 19 has been publicly known since the DUAA received Royal Assent. The ICO has stated publicly that it will not treat post-June-19 non-compliance as an oversight.

For a hospitality business, an ICO reprimand notice is not just a financial risk. It is a reputational one. A public-facing business that mishandles a customer's personal data complaint — fails to respond, ignores an escalation — is exactly the kind of story that makes local press.

The Five-Step Data Complaints Procedure Your Business Needs

This does not require a data protection officer or an external consultant. For the vast majority of UK hospitality businesses — independent restaurants, small hotel groups, pub chains with 5–50 employees — a well-documented internal procedure is sufficient. Here is what it must contain.

Step 1: A dedicated data complaints contact point

You need a specific, discoverable route for customers to raise data complaints. A dedicated email address is the simplest solution — something like data@yourvenue.co.uk or privacy@yourvenue.co.uk. This address must be listed in your privacy policy and on your website. A generic info@ address that handles everything from table bookings to supplier invoices is not sufficient — you cannot demonstrate that a data complaint has been separated from routine correspondence and handled appropriately.

Step 2: 30-day acknowledgement

Section 164A sets 30 days as the acknowledgement deadline. This means: when a data complaint arrives, a staff member must read it and send a confirmation reply within 30 calendar days. The acknowledgement does not have to contain your findings — it just has to confirm receipt and tell the complainant you are looking into it. A simple email template handles this. Set a calendar reminder when each complaint arrives.

Step 3: A documented investigation

This is the step that separates businesses that will survive ICO scrutiny from those that will not. You must show that you looked into the complaint — not just that you received it. A complaints log (a spreadsheet is entirely adequate for most businesses) must record: the date received, the nature of the complaint, who was assigned to investigate, what they found, and the date of resolution. If the complaint is about a subject access request not being fulfilled, you document what data you hold and why. If it is about marketing emails sent without consent, you check your consent log and document what you find.

Step 4: A written response to the complainant

Your response must do three things: explain what you found, tell the customer what action you have taken (or clearly explain why you have taken none), and confirm the outcome. If the complaint involves a personal data breach — a booking platform was hacked, a loyalty scheme data export went to the wrong person — you may also have a separate obligation to notify the ICO within 72 hours of becoming aware of the breach. Your response to the complainant and your ICO notification, if required, are separate processes.

Step 5: ICO escalation pathway

Your procedure must explicitly reference the ICO and the customer's right to escalate if unsatisfied with your response. Include the ICO's complaints page (ico.org.uk/make-a-complaint) in your response template. This is not optional — Section 164A requires it. And practically, a customer who knows you have been transparent about their right to escalate is less likely to immediately escalate. A customer who feels stonewalled will go straight to the ICO.

Checklist: What to Have in Place Before 19 June 2026

For hospitality businesses working to a tight deadline, these are the minimum actions required:

  • Designate a named data complaints contact — this can be you, your manager, or any member of staff with access to emails
  • Create a dedicated email address for data complaints (e.g., data@yourvenue.co.uk)
  • Update your privacy policy to reference the Section 164A complaints procedure and the new contact address
  • Create a complaints log — a Google Sheet or Excel spreadsheet with columns for: date received, complaint type, assigned to, investigation notes, resolution date, outcome
  • Draft an acknowledgement email template — two or three sentences confirming receipt and your 30-day commitment
  • Brief all managers and supervisors — they need to know the address exists and what to do when a complaint arrives
  • Add ICO contact details to your website privacy page (ico.org.uk/make-a-complaint)
  • Review your CCTV retention policy — if it says "until overwritten" or has no documented schedule, write one now (30 days recommended)
  • Audit your email marketing consent logs — can you evidence when each subscriber opted in? Export this from Mailchimp, Klaviyo or your booking system now
  • Check your booking platform privacy terms — confirm your privacy policy references the platforms you use and your role as data controller

This list is achievable in a single afternoon. ComplianceAlert's Action Centre includes a DUAA data complaints procedure template adapted specifically for hospitality businesses — covering the privacy policy amendment, acknowledgement email, investigation log, and customer response letter. You do not need to build these from scratch.

Frequently Asked Questions

Does DUAA apply to my small café or family pub?

Yes. There is no size threshold in Section 164A. DUAA applies to every data controller — meaning every business that determines the purpose and means of processing personal data. A café with a Mailchimp newsletter list, a pub with a food booking form, a hotel with a rewards card: all are data controllers. All must have a complaints procedure from 19 June.

I use OpenTable for bookings — aren't they responsible for that data?

No. OpenTable is your data processor — they process data on your behalf, under your instructions. You are the data controller. The responsibility for data complaints, subject access requests, and ICO compliance rests with you. Your OpenTable agreement may include data processing terms, but it does not transfer your obligations to them.

I already have a general complaints procedure — does that count?

Only if it explicitly covers data complaints, includes a 30-day acknowledgement window, and references the ICO escalation route. A generic feedback process or a TripAdvisor response does not constitute a Section 164A compliant procedure. You need a procedure that is specific to personal data.

What if a customer complains about our CCTV before we have a policy in place?

You would be handling the complaint under existing GDPR rules, which already require you to respond to subject access requests within one month. The Section 164A obligation adds the formal complaints procedure layer. If a complaint arrives before June 19, handle it under your current GDPR framework. After June 19, the Section 164A procedure must be in place and actively used.

My loyalty scheme runs through a third-party app — do I still own the data?

Yes. If you defined the loyalty scheme, you determine what data is collected and why — that makes you the data controller. The app provider is the processor. Customer complaints about their loyalty scheme data come to you, not the app. Check your terms with the provider to understand their data processing agreement, and make sure your complaints procedure covers loyalty data specifically.

What happens if the ICO investigates us and finds we never had a procedure?

The ICO will issue a formal assessment and, depending on the severity of the underlying data handling, a reprimand or fine. The absence of a Section 164A procedure — especially after June 19 with several weeks of public notice — will be treated as evidence of systemic non-compliance rather than an honest oversight. This increases both the likelihood and the scale of enforcement action. It also becomes a matter of public record on the ICO's register.

Seven Days. One Afternoon's Work. No Excuses.

June 19 is a hard deadline. The DUAA has been on the legislative calendar since late 2025. The ICO has been publishing guidance on Section 164A for months. Hospitality businesses have had time to prepare — and from the ICO's perspective, that time is now up.

The procedure you need is not complicated. A dedicated email address. An acknowledgement template. A simple spreadsheet log. A brief to your managers. An updated privacy policy. These are an afternoon's work, not a six-month compliance project.

What they give you is protection: documentation that you took the law seriously, handled complaints properly, and gave customers a route to raise concerns that complied with what Parliament requires. For a business where customer trust is everything — where word of mouth, TripAdvisor reviews, and repeat bookings are the lifeblood — that protection is worth considerably more than an afternoon's effort.

ComplianceAlert's Action Centre walks you through this step by step. The DUAA hospitality template is already built. You customise it to your business, implement it in hours, and you are done.

Need professional help reviewing your data protection procedures or updating your privacy policy? Find a verified UK data protection consultant at compliancemarket.co.uk/data-protection.