Caselaw Digest
Caselaw Digest

Ben Peter Delo, R (on the application of) v The Information Commissioner

[2023] EWCA Civ 1141
Someone complained to the government's data protection office (the Commissioner) about a company. The office said the company was probably okay and didn't investigate further. The court ruled that the office didn't have to investigate every complaint fully; it can decide on a case-by-case basis whether further investigation is needed. They said the office was right not to investigate more in this case.

Key Facts

  • Mr. Delo made a data subject access request (DSAR) to Wise Payments Limited, which partially refused the request.
  • Mr. Delo complained to the Information Commissioner (Commissioner), who advised that Wise likely complied with its obligations and took no further action.
  • Mr. Delo judicially reviewed the Commissioner's decision, arguing the Commissioner had a duty to determine the merits of his complaint.
  • Mr. Delo's claim against Wise was settled before the judicial review.
  • The central issue is whether the Commissioner is obliged to reach a definitive decision on the merits of every complaint or has discretion to decide otherwise.

Legal Principles

UK GDPR protects individual rights regarding personal data processing; the Commissioner monitors its application.

UK GDPR

Data subjects have the right to lodge a complaint with the Commissioner if they believe their data protection rights are infringed.

Article 77 UK GDPR

Data subjects have the right to an effective judicial remedy against the Commissioner's legally binding decisions or their failure to handle a complaint within three months.

Article 78 UK GDPR

The Commissioner must handle complaints, investigate (to the extent appropriate), and inform the complainant of the progress and outcome.

Article 57(1)(f) UK GDPR

The Crime and Taxation Exemption allows withholding of personal data if disclosure would prejudice crime prevention or tax collection.

Schedule 2 Part 1 paragraph 2 DPA 2018

Data subjects can concurrently pursue a claim against the data controller (Article 79) and a claim against the Commissioner (Article 78).

CJEU Case C-132/21 (BE v Nemzeti Adatvédelmi)

Section 166 DPA 2018 allows the First-tier Tribunal to order the Commissioner to take appropriate steps to respond to a complaint if the Commissioner fails to do so within a specified time.

Section 166 DPA 2018

Section 167 DPA 2018 empowers courts to issue compliance orders to secure compliance with data protection legislation if a data subject's rights have been infringed.

Section 167 DPA 2018

Outcomes

Appeal dismissed.

The Commissioner is not obliged to determine the merits of every complaint but has discretion to decide the appropriate outcome, including taking no further action. The Commissioner acted lawfully in this case.

Similar Cases

Caselaw Digest Caselaw Digest

UK Case Law Digest provides comprehensive summaries of the latest judgments from the United Kingdom's courts. Our mission is to make case law more accessible and understandable for legal professionals and the public.

Stay Updated

Subscribe to our newsletter for the latest case law updates and legal insights.

© 2025 UK Case Law Digest. All rights reserved.

Information provided without warranty. Not intended as legal advice.