Skip to content

Your data rights

What to Do When a Company's Response Is Incomplete

You asked for your data and got something back — but it feels partial. A calm guide to spotting the gaps, asking for the missing pieces, and knowing when an absence is actually allowed.

In short

If a company's response to your access request feels incomplete, compare what arrived against what you expected, then send a short written reply naming the specific gaps and asking it to confirm or supply them. Some absences are allowed under limited exemptions; if you stay unsatisfied, you can complain to the {authority}.

Tell an incomplete answer from a complete one

An incomplete response is different from a refusal or silence. Here something did arrive — but parts feel missing, vague, or thinner than you expected. Under the UK GDPR (Article 15) you are entitled to a copy of your personal data together with supporting information: the purposes it is used for, who it may be shared with, how long it is kept, and where it came from if that is known. A reply that hands over a single record but skips all of this context may simply be unfinished.

Start by comparing what arrived against what you reasonably expected. If you have held an account for years but received only a recent snapshot, or you know you contacted support several times but see no notes, those are concrete gaps worth naming. The aim is not to assume bad faith — it is to be specific, because a precise question is far easier for an organisation to answer than a general feeling that 'something is missing.'

  • Check whether you received the data itself and the supporting context (purposes, recipients, retention, source).
  • Compare the time span covered against how long you have actually been a customer or user.
  • List the specific categories you expected but cannot find, rather than a general sense of shortfall.

Know which gaps are allowed before you push back

Not every absence is a failing. The right of access has limits, and an organisation can hold back certain material under defined exemptions — for example, where releasing information would reveal another person's personal data, or where narrow exemptions in law apply. An organisation can also redact parts of a document for these reasons while still giving you the rest. Where it withholds something, it should be able to tell you, in general terms, that it has done so and why.

It also only has to provide personal data that it actually holds. If you expected records that were genuinely never collected, or that have already been deleted under its normal retention schedule, their absence is not a gap to be filled. Telling an allowed exemption apart from an oversight is what lets you ask the right question — challenging a lawful redaction wastes your effort, while a missing year of records you know exists is worth raising clearly.

This is general information, not legal advice. For guidance on your own situation, consider speaking with a qualified professional.

  • Data that would reveal someone else's personal information may be lawfully withheld or redacted.
  • An organisation only has to provide data it currently holds — not records never kept or already deleted.
  • If something is withheld under an exemption, it should generally tell you that and broadly why.

Ask for the missing pieces, step by step

Once you have separated likely gaps from allowed absences, a short written follow-up usually moves things forward. Keep it factual and specific: thank them for what they sent, name exactly what appears to be missing, and ask them to either supply it or confirm that it is being withheld and on what basis. Email is fine, and keeping a dated copy of everything matters if you later decide to escalate.

You do not need legal wording or a special form. A calm, dated message that references your right of access and lists the particular items is enough. If, after a fair follow-up, you still believe your response is genuinely incomplete, you have the right to complain to the data-protection regulator — in the UK, the the Information Commissioner's Office (ICO). Complaining is free and you can do it yourself, though it is usually worth giving the organisation a clear chance to put things right first.

  • Acknowledge what you received, so the organisation knows exactly which part you are querying.
  • List each missing item specifically and ask it to either supply it or explain why it is withheld.
  • Keep dated copies of every message in case you need to escalate.
  • If you remain unsatisfied after following up, you can complain to the the Information Commissioner's Office (ICO) — it is free and you can do it yourself.

Frequently asked questions

Is an incomplete response the same as a refusal?

No. With a refusal, the organisation declines to act or stays silent. With an incomplete response, it has given you something, but parts of your data or the supporting context appear to be missing. The two need different follow-ups, so it helps to be clear about which one you are dealing with.

What counts as a complete access response?

Under the UK GDPR you are entitled to a copy of your personal data plus supporting information: the purposes it is used for, who it may be shared with, how long it is kept, and its source where known. A reply that gives the data but none of this context may be unfinished.

Can a company leave parts out on purpose?

Yes, within limits. It can withhold or redact information under defined exemptions — for example where releasing it would reveal someone else's personal data. It also only has to provide data it actually holds. Where it withholds something, it should generally tell you, in broad terms, that it has done so.

What if my follow-up does not fix it?

If you have asked specifically for the missing pieces and still believe the response is genuinely incomplete, you have the right to complain to the data-protection regulator — in the UK, the the Information Commissioner's Office (ICO). It is free and you can do it yourself, but it is usually best to give the organisation a clear chance to put things right first.

Related terms

This is general information, not legal advice. For guidance on your own situation, consider speaking with a qualified professional.

Reviewed by OSINTA's founding lawyer — 2026-06-27.

Routing your own access request

OSINTA helps you see your own data and prepare your own requests in your own words — you stay in control, and you decide every step.

See the DSAR guideJoin the waitlist