Skip to content
CIFAS Marker Removal UK
04Stage 4 of 5

NIIB GroupICO Data Protection Complaint

When the institution's Data Protection Officer fails to respond to your Subject Access Request within 30 days, this is a GDPR breach. We file a complaint with the Information Commissioner's Office to create regulatory pressure.

The ICO investigates data protection breaches. This creates pressure but the ICO cannot order marker removal directly

What this stage means

This is a data protection complaint to the UK's regulator. When NIIB Group's Data Protection Officer fails to respond to your Subject Access Request within the 30-day legal deadline, that is a standalone GDPR breach — regardless of the marker dispute itself. The ICO investigates this breach and creates regulatory pressure on NIIB Group.

When you reach this stage

You reach this stage when NIIB Group's DPO has failed to respond to your SAR within 30 calendar days. Because we submit the SAR in parallel with the initial complaint, this clock is already running from the start of your case.

What they will assess

  • Whether NIIB Group's DPO received the SAR
  • Whether they responded within the 30-day statutory deadline
  • Whether the response was complete and accurate
  • Whether NIIB Group has adequate data protection procedures
  • Whether there is a pattern of non-compliance

What strengthens your case

  • Clear proof the SAR was submitted with date and delivery confirmation
  • Evidence that 30 days have passed without a response or with an incomplete response
  • The link between the SAR failure and the broader marker dispute
  • Any evidence of NIIB Group having systemic data protection issues
  • The fact that an active ICO complaint significantly strengthens a court claim

What we provide at this stage

  • ICO complaint documenting the DPO's failure to respond
  • Evidence of SAR timeline breach (30-day limit)
  • UK GDPR accuracy arguments for the marker data
  • Documentation strengthening any future court claim

What you need for this stage

  • Proof your SAR was submitted (date and method)
  • Evidence the DPO failed to respond within 30 days
  • Any partial response received

Common outcomes at this stage

The ICO contacts NIIB Group about the SAR breach — creating regulatory pressure

NIIB Group responds to the SAR (often producing evidence that helps the marker complaint)

The ICO issues guidance or a reprimand to NIIB Group

The active ICO complaint strengthens the court claim documentation

Many institutions settle the broader dispute once the ICO is involved

What happens next

The ICO complaint creates pressure but cannot directly remove the marker. Its main value is twofold: it often forces NIIB Group to finally respond to the SAR (revealing their evidence), and it strengthens any future court claim by documenting a pattern of data protection non-compliance.

FOS ComplaintStart Your CaseCourt Claim