TL;DR
- The ICO handles complaints about data protection and privacy law breaches — not billing errors, coverage, or contract disputes, which fall to Ofcom and the telecoms Alternative Dispute Resolution (ADR) schemes.
- You must first complain directly to the operator and give it a reasonable opportunity to respond before the ICO will assess your complaint.
- Complaints are submitted via the ICO’s online portal; the process is free of charge.
- ICO investigations typically take several months; the ICO provides updates but cannot guarantee a specific outcome for individual complainants.
- Enforcement outcomes can include warnings, reprimands, enforcement notices, and fines of up to £17.5 million or 4% of global turnover for the most serious UK GDPR breaches.
What the ICO can and cannot investigate
The Information Commissioner’s Office is the UK’s supervisory authority for data protection and information rights law. Its jurisdiction covers complaints arising from the Data Protection Act 2018, UK GDPR, the Privacy and Electronic Communications Regulations 2003 (PECR), and the Freedom of Information Act 2000. In the mobile context, this means the ICO can investigate: failure to respond to a subject access request, unlawful direct marketing by SMS or email, failure to notify individuals of a personal data breach, inadequate security leading to a breach, excessive or unlawful data retention, and refusal to honour erasure or objection rights without lawful grounds.
What the ICO cannot investigate includes billing errors, poor network coverage, slow customer service, contract pricing, number portability delays, and similar commercial or service-quality disputes. Those matters fall to Ofcom’s consumer-protection framework and, where a formal dispute exists, to one of the two approved telecoms ADR schemes — Ombudsman Services: Communications, or the Communications Ombudsman. If you are uncertain which regulator applies to your problem, the Ofcom website provides a clear boundary guide, and the ICO website describes the scope of its own jurisdiction.
Before you approach the ICO
The ICO generally expects you to have raised the issue formally with the operator before submitting a complaint. This means sending a clear, written complaint (email is sufficient) identifying the specific data protection concern, citing the right or obligation you believe has been breached, and requesting a substantive response. The ICO suggests allowing the operator at least eight weeks to reply — though where ongoing harm is evident or a breach notification has already been received, a shorter period may be reasonable. Keep copies of all correspondence as you will need to provide these to the ICO.
If the operator acknowledges the complaint but fails to respond substantively within eight weeks, or provides a response that does not resolve the issue, or issues a “deadlock letter” indicating it will not move further, you have sufficient grounds to escalate to the ICO. You do not need to wait for the operator to admit fault; the ICO will assess the evidence independently. It is also worth noting that the ICO complaint process is free; there is no fee for filing a complaint.
| Stage | What happens | Typical timeframe | Your action |
|---|---|---|---|
| 1. Operator complaint | Raise data protection concern in writing with operator | Allow up to 8 weeks for response | Keep copies of all correspondence |
| 2. ICO submission | Submit complaint via ICO online portal at ico.org.uk | ICO acknowledges within days | Upload operator correspondence and describe harm |
| 3. ICO assessment | ICO decides whether to investigate or close with advice | Weeks to several months | Respond promptly to any ICO requests for information |
| 4. Investigation | ICO may issue information notices to operator and review evidence | Several months to over a year | Await ICO updates; you may be interviewed |
| 5. Outcome | ICO issues finding: no action, advisory letter, reprimand, enforcement notice, or fine | Notified when concluded | Consider civil claim if damages are sought |
How to submit an ICO complaint
The ICO’s complaint portal at ico.org.uk/make-a-complaint/ guides you through a structured form. You will need to identify the organisation (your mobile operator), describe the data protection issue in plain terms, specify the right you believe was breached or the obligation not met, upload copies of relevant correspondence, and provide your contact details. The portal routes different types of complaint — subject access, direct marketing, data breach notification, general data protection — through separate pathways, so selecting the correct category ensures your complaint reaches the right casework team.
The ICO will acknowledge receipt and assign a reference number. It will assess whether the complaint falls within its jurisdiction and whether it meets the threshold for investigation. Not every complaint proceeds to full investigation; in some cases the ICO will write to the operator asking it to reconsider its position and then close the complaint with advice to you. In others, the ICO will open a formal investigation. The ICO publishes its prioritisation criteria: it focuses resources on cases with evidence of significant harm, systemic issues affecting large numbers of people, or clear and serious breaches of law.
ICO powers and possible outcomes
If the ICO decides to investigate, it has wide information-gathering powers under the Data Protection Act 2018. It can issue information notices requiring the operator to provide documents and explanations, and assessment notices allowing ICO officers to audit the operator’s systems. If the investigation identifies a breach, the ICO can issue a written warning, a formal reprimand (which the operator must publish), an enforcement notice requiring specific remedial action within a defined period, or a penalty notice imposing a fine.
Fines under UK GDPR can reach £17.5 million or 4% of global annual turnover — whichever is higher — for the most serious infringements, such as processing without any lawful basis or failing to implement adequate security. For infringements of a lower tier (for example, failure to maintain adequate records of processing activities), fines can reach £8.7 million or 2% of global turnover. PECR fines are capped at £500,000 per incident for serious contraventions. The ICO publishes all monetary penalties and reprimands on its website. Importantly, the ICO does not directly award compensation to individual complainants; for damages you need a civil court claim.
Overlap with Ofcom and ADR schemes
Mobile operators are subject to dual regulatory oversight — Ofcom for communications law and the ICO for data protection. The two bodies have a memorandum of understanding and work collaboratively where matters overlap, such as location data used in network management or emergency-services obligations. If your complaint has both a data dimension (for instance, your location data was shared unlawfully) and a service dimension (your number was ported without your consent), you may need to engage both regulators, as neither can fully resolve both aspects. Ofcom’s ADR schemes — which operate independently of Ofcom — handle binding financial awards for service disputes, which the ICO cannot do.
What this means in practice
Damien receives repeated unsolicited marketing text messages from his mobile operator even though he never provided consent and explicitly opted out six weeks earlier. He sends a written complaint to the operator’s data protection officer citing Regulation 22 PECR and Article 21 UK GDPR, requesting confirmation that marketing has ceased and evidence of the consent basis previously relied upon. Eight weeks pass without a substantive response. Damien submits an ICO complaint, uploading his correspondence, the opt-out confirmation email, and screenshots of the marketing texts received after the opt-out. The ICO investigates and issues a formal reprimand to the operator, requiring it to audit its marketing consent database. The reprimand is published on the ICO website. Damien then brings a small claims court action under Section 168 DPA 2018 for the distress caused, referencing the ICO reprimand in his particulars of claim.
Related Guides
Related Guides
How we verified this
This article was verified against the Data Protection Act 2018, UK GDPR Articles 33, 34, 77 and 83, the Privacy and Electronic Communications Regulations 2003, ICO published guidance on making complaints and its regulatory approach, ICO enforcement and fines published at ico.org.uk, and Ofcom’s consumer-complaint and ADR framework guidance at ofcom.org.uk.
Disclaimer: Kaeltripton.com is an independent UK editorial publisher. We are not regulated by Ofcom or the FCA and we do not sell or arrange mobile services, insurance, or financial products. This content is for general information only and is not legal, financial, or technical advice. Rules, prices, and operator policies change. Verify the current position with Ofcom, GOV.UK, the ICO, or your provider before acting. ICO registered ZC135439. Last reviewed: 2026-06-05.
Frequently Asked Questions
What can the ICO do about a mobile operator?
The ICO can investigate whether a mobile operator has complied with UK GDPR, the Data Protection Act 2018, and PECR. It can issue information notices compelling the operator to provide documents, conduct audits, issue formal reprimands, and issue enforcement notices requiring specific remedial action. In serious cases it can impose fines of up to £17.5 million or 4% of global annual turnover. It cannot award financial compensation to individuals or resolve billing or service-quality disputes.
How do I complain to the ICO about a mobile network?
First, raise the data protection concern formally with the operator in writing and allow up to eight weeks for a substantive response. If unresolved, submit a complaint via the ICO’s online portal at ico.org.uk/make-a-complaint/, selecting the relevant complaint type (subject access, direct marketing, data breach, or general data protection). Upload your correspondence, describe the breach and any harm suffered, and provide your contact details. The service is free of charge.
How long does an ICO investigation take?
There is no fixed statutory deadline for the ICO to conclude an investigation. Simple complaints about, for example, an unanswered subject access request may be resolved in weeks. Complex investigations involving large-scale data breaches, systemic marketing consent failures, or security incidents affecting many individuals can take a year or longer. The ICO will provide updates but cannot guarantee a specific timetable. Decisions involving significant enforcement action are published on the ICO’s website.
What can the ICO order a mobile operator to do?
The ICO can issue an enforcement notice requiring a mobile operator to take specific steps: stopping unlawful processing, implementing adequate security measures, responding to outstanding subject access requests, ceasing non-consensual direct marketing, or making systems changes to comply with data protection law. Enforcement notices specify a deadline for compliance. Failure to comply with an enforcement notice is a criminal offence under the Data Protection Act 2018 and can result in prosecution.
Can the ICO fine a mobile operator?
Yes. Under UK GDPR and the Data Protection Act 2018, the ICO can impose penalty notices up to £17.5 million or 4% of global annual turnover (whichever is higher) for the most serious infringements, and up to £8.7 million or 2% of global turnover for a lower-tier category of infringements. For PECR breaches (such as unlawful direct marketing), the maximum is £500,000. All monetary penalties are published on the ICO’s enforcement register.
