Data Protection Complaints Handling Process

Purpose

The purpose of this Data Protection Complaints Handling Process (“Process”) is to provide a fair, transparent, and effective mechanism for individuals to raise concerns regarding the processing of their personal data and to ensure compliance with:

UK General Data Protection Regulation (UK GDPR);
Data Protection Act 2018 (DPA 2018);
Data (Use and Access) Act 2025 (DUAA);
Information Commissioner’s Office (ICO) guidance on data protection complaints.

This Process applies to all complaints received on or after 19 June 2026.

Scope

This Process applies to complaints relating to:

Collection of personal data;
Use of personal data;
Disclosure or sharing of personal data;
Data retention practices;
Data security measures;
Direct marketing activities;
Automated decision-making;
International transfers of personal data;
Handling of data subject rights requests;
Personal data breaches;
Any alleged infringement of UK data protection legislation.

This Process applies to complaints from:

Customers;
Employees;
Job applicants;
Contractors;
Suppliers;
Website users;
Any individual whose personal data is processed by the Organisation.

Definitions

Data Protection Complaint

A complaint made by or on behalf of an individual alleging that the Organisation has failed to comply with UK data protection legislation in relation to personal data.

A complaint does not need to:

Refer to legislation;
Use legal terminology;
Be labelled as a “data protection complaint.”

Any expression of dissatisfaction relating to the handling of personal data must be considered for assessment under this Process.

Complainant

The individual making the complaint or their authorised representative.

Complaints Principles

The Organisation will ensure that all data protection complaints are:

Handled fairly and impartially;
Investigated objectively;
Managed without undue delay;
Documented appropriately;
Resolved at the earliest opportunity;
Escalated where necessary;
Used as a source of organisational learning.

Making a Complaint

The Organisation shall facilitate the making of data protection complaints through multiple accessible channels.

Complaints may be submitted via:

Email;
Online complaint form;
Website contact form;
Post;
Telephone;
In person;
Live chat services;
Social media channels;
Any employee of the Organisation.

Individuals shall not be required to use a specific complaint channel.

Where a complaint is received by an employee, the employee must immediately forward the complaint to the Data Protection Team.

Information Provided to Individuals

The Organisation shall inform individuals:

Of their right to complain to the Organisation;
How complaints can be submitted;
Of their right to complain to the Information Commissioner’s Office (ICO);
How the complaint will be handled.

This information shall be included within:

Privacy Notices;
Data Subject Rights correspondence;
Complaint acknowledgement letters;
The Organisation’s website.

Complaint Receipt and Logging

Upon receipt of a complaint, the Organisation shall:

Create a complaint record.
Assign a unique reference number.
Record:
- Date received;
- Complainant details;
- Nature of complaint;
- Relevant processing activities;
- Assigned investigator;
- Deadlines and actions.

All complaints shall be entered into the Data Protection Complaints Register.

Acknowledgement

The Organisation shall acknowledge receipt of the complaint within thirty (30) calendar days of receipt.

The acknowledgement shall include:

Complaint reference number;
Name or role of investigator;
Summary of the complaint;
Expected next steps;
Contact details for further enquiries;
Information regarding the complainant’s rights.

Initial Assessment

Within ten (10) working days of allocation, the investigator shall determine:

Whether the matter constitutes a data protection complaint;
Whether additional information is required;
Whether immediate remedial action is necessary;
Whether the complaint indicates a personal data breach;
Whether escalation is required.

Where clarification is needed, the investigator shall contact the complainant promptly.

Investigation

The investigator shall conduct an appropriate and proportionate investigation.

Activities may include:

Reviewing relevant records;
Interviewing personnel;
Examining technical logs;
Reviewing policies and procedures;
Assessing legal obligations;
Consulting the Data Protection Officer (DPO);
Consulting Legal Counsel where required.

The Organisation shall make appropriate enquiries and keep the complainant informed of progress where investigations are ongoing.

Escalation Criteria

The complaint shall be escalated to the Data Protection Officer immediately if:

Special category data is involved;
Criminal offence data is involved;
A personal data breach is suspected;
Significant regulatory risk exists;
Multiple individuals are affected;
Legal proceedings are threatened;
The complaint raises systemic compliance concerns.

Complaint Outcomes

Following investigation, the Organisation may determine that:

Complaint Upheld

The Organisation accepts that a breach of data protection requirements has occurred.

Actions may include:

Apology;
Corrective action;
Rectification of personal data;
Erasure of personal data;
Restriction of processing;
Additional staff training;
Process improvements.

Complaint Partially Upheld

The Organisation accepts some aspects of the complaint but not all.

Complaint Not Upheld

The Organisation concludes that data protection obligations were met.

Response to the Complainant

The Organisation shall provide the outcome of the complaint without undue delay.

The final response shall include:

Summary of the complaint;
Investigation undertaken;
Findings;
Actions taken or proposed;
Explanation of decisions made;
Information regarding escalation rights.

The response shall also explain the individual’s right to complain to the Information Commissioner’s Office if dissatisfied.

ICO Escalation Information

The Organisation shall inform complainants that they may contact:

Information Commissioner’s Office (ICO)

Website: https://www.ico.org.uk

The Organisation shall cooperate fully with any subsequent ICO investigation.

Personal Data Breach Identification

Where a complaint reveals a potential personal data breach, the matter shall immediately be referred to the Organisation’s Personal Data Breach Response Procedure.

The complaint investigation and breach investigation may proceed in parallel.

Record Keeping

The Organisation shall maintain records of:

Complaints received;
Acknowledgements issued;
Investigation activities;
Communications with complainants;
Outcomes;
Corrective actions;
Lessons learned.

Records shall be retained in accordance with the Organisation’s Retention Schedule.

Monitoring and Reporting

The Data Protection Officer shall review complaint data at least quarterly.

Reports shall include:

Number of complaints received;
Categories of complaints;
Response times;
Outcomes;
Root causes;
Trends and recurring issues;
Corrective actions implemented.

Management shall review reports to identify opportunities for improvement.

Training

All employees shall receive training covering:

Recognition of data protection complaints;
Escalation procedures;
Complaint handling obligations;
UK GDPR requirements;
ICO expectations.

Training shall be refreshed at least annually.

Continuous Improvement

The Organisation shall periodically review:

Complaint trends;
Root causes;
Policy effectiveness;
Regulatory developments;
ICO guidance.

Processes shall be updated where necessary to maintain compliance and improve customer outcomes.

Review

This Process shall be reviewed:

Annually;
Following significant complaints;
Following regulatory changes;
Following ICO enforcement action or guidance updates.

Document Control

Document Owner: Data Protection Officer

Approved By: George Harris, General Manager – CyprusMove Limited

Review Frequency: Annual

Effective Date: 9^th June 2026

Version: 1.0

Office Hours

Contact Details

+1 840 841 25 69