Data Protection Complaints Procedure
Aim of the procedure
1. ANDigital Limited (AND Digital, we or us) takes seriously its obligations to protect the rights and freedoms of data subjects. We are committed to building privacy by design and default into our systems and services to minimise any risks to data subjects that might arise through our processing activities.
2. We recognise, however, that there may be circumstances in which individuals raise concerns or complaints about the way AND Digital is processing their personal data.
3. This procedure gives AND Digital a framework for managing data protection complaints consistently and transparently to ensure fair outcomes for complainants.
Scope and interpretation
4. This procedure applies to you if your personal data is processed by AND Digital. If that is the case, you are regarded as a data subject under the law. The term ‘data subject’ will be used throughout this data protection complaints procedure.
5. Personal data is processed by AND Digital if the personal data forms part of a business activity carried out by AND Digital.
6. This procedure only applies to complaints relating to infringements of data subjects’ data protection rights.
7. If you are exercising your rights under data protection legislation (by asking for access to your personal data, for your personal data to be restricted, erased, corrected or updated, or you are objecting to our processing of your data or would like us to send your personal data to another IT environment) please contact us by email at dataprotection@and.digital. If you are unhappy with the outcome of our response to your request, or you do not hear from us within one month, you can make a complaint under this procedure. If it is not possible to complete your request within one month, we will write to you to let you know about the delay and the reasons for it.
8. Data breaches are investigated separately under our Information Security Incident Management Policy. However, complaints from data subjects about damage or distress they experienced as a consequence of a data breach caused by AND Digital are eligible and can be considered under this procedure.
9. The terms “data subject”, “processing”, “personal data”, “data breach”, and “data controller” have the meaning given in Article 4 of the UK General Data Protection Regulations (UK GDPR).
Representation
10. Complaints made under this procedure cannot be made anonymously.
11. A third party may submit the complaint on your behalf with your written authorisation.
12. If you need us to make any reasonable adjustments under the Equality Act 2010 in connection with this procedure, please let us know in advance.
Making a complaint
13. If you have a complaint about AND Digital’s processing of your personal data, you can:
a. complete our complaints form available here; or
b. email us at dataprotection@and.digital detailing your complaint.
14. The Data Protection Representative or their delegate will acknowledge receipt of your complaint within 30 days, the 30 days starting the day after we receive your complaint. They will inform you:
a. whether your complaint is eligible for consideration under this procedure. If it is not considered eligible, you will be told why (for further information, please refer to Annex 1); and
b. of the expected deadline for completion of the investigation.
15. The Data Protection Representative or their delegate will aim to conclude the formal investigation and provide you with an outcome within 3 months of the date of your complaint.
16. At the end of the investigation, the investigator will provide you with an investigation report. The outcome section of the report will tell you whether your complaint is:
a. Fully upheld
b. Partially upheld
c. Not upheld
17. In the report, the investigator will set out any recommendations proposed by AND Digital.
18. The formal investigation report marks the final stage of AND Digital’s data protection complaints procedure. AND Digital will aim to put in place any recommendations within one calendar month of the date of the report where possible.
Confidentiality
19. Your complaint will be treated in confidence. We will only share your identity or the details of your complaint with a third party if it is necessary to do so to fully investigate your complaint, or with your consent.
20. Records relating to your complaint will be held securely. The records relating to your complaint will be retained in line with our data retention policy and schedule.
21. It may be necessary during the investigation to reveal to you the identities and personal data of staff members or other third parties involved in responding to the complaint. This information will be provided to you only as required, and you must respect the confidentiality of third parties at all times.
Your right to an external review
22. If you disagree with the outcome of our investigation, you can make a complaint to the Information Commissioner’s Office (ICO) using their online reporting tool here: https://ico.org.uk/make-a-complaint/ or by calling 0303 123 1113.
23. Whilst you have the right to make a complaint to the ICO without seeking a remedy through this procedure, you must follow this procedure in the first instance.
Governance and approval
24. This procedure is owned by AND Digital’s Data Protection Representative, who can be contacted via email at dataprotection@and.digital.
Annex 1 – Types of complaints
To assist complainants, the types of data protection complaints which would be eligible for investigation under this procedure are listed below. This list is indicative and not exhaustive.
- AND Digital has processed the data subject's personal data without a lawful basis (breach of Article 6 of the GDPR)
- AND Digital failed to act on a Data Subject Rights Request within one month (breach of Arts 12 & 15-22 of the GDPR)
- AND Digital failed to provide an adequate information notice (breach of Arts 13-14 of the GDPR)
- AND Digital failed to uphold one or more of the data protection principles (breach of Article 5 of the GDPR):
- personal data was processed unlawfully;
- personal data was processed for an additional incompatible purpose;
- excessive personal data was processed;
- we processed inaccurate or out of date personal data;
- we processed personal data beyond the terms set out in our retention policies;
- we did not keep personal data secure;
- damage or distress arising from a personal data breach caused by AND Digital; or
- AND Digital made a restricted transfer of personal data to a third country without safeguards in place.
- AND Digital refused to process your Data Subject Access Request or has charged you a fee to process the request (and was not permitted to do so).