GDPR complaints procedure

1 Introduction

1.1 The UK General Data Protection Regulation (“GDPR”), the Data Protection Act 2018 (“DPA 2018”), and the Privacy and Electronic Communications Regulations (“PECR”) (together, the “Data Protection Legislation”), give data subjects and applicable third parties rights in relation to personal data.

1.2 This procedure details how the TLT LLP and TLT NI LLP (collectively “TLT”) will respond to complaints from data subjects and third parties relating to the use of personal data.

1.3 It addresses complaints made by data subjects regarding the use of their personal data. Complaints may be made in relation to any aspect of TLT’s processing of personal data including individual rights requests.

1.4 This procedure also addresses complaints made by third parties in relation to TLT’s use of personal data.

2 Responsibilities

2.1 TLT’s Data Protection Officer (“DPO”), has overall responsibility for this procedure but has delegated day-to-day responsibility for overseeing its implementation to the GDPR Team who will following the advice of the DPO and acknowledge any complaints issued in writing via email directly to the GDPR@tlt.com or post.

2.2 All TLT partners and employees are responsible for ensuring that any GDPR complaints made directly to them in relation to this procedure are reported to the DPO at GDPR@tlt.com.

2.3 The DPO and the Risk Director will review this procedure from time to time (and at least annually) to ensure that its provisions continue to meet our legal obligations and reflect best practice and any changes in Data Protection Legislations.

3 Who are data subjects?

3.1 Data subjects are any natural living individuals whose personal data is processed (collected, obtained, stored, retained, securely disposed of etc.). Data subjects can include staff members, students, applicants, prospective applicants, visitors, individuals.

4 Data subjects’ rights

4.1 Under Data Protection Legislation, data subjects can exercise the following rights:

• ask for access their own personal data by receiving a copy of their personal data;
• ask for their personal data to be corrected or amended;
• ask for their personal data to be deleted (also known as the right to be forgotten);
• ask for their personal data to be transferred to another data controller using data; portability;
• ask to restrict the processing of their personal data;
• ask not to be subject to automated decision-making and rights in relation to profiling; and
• object to their personal data being processing, including for direct marketing purposes
  
  

5 What is a GDPR complaint?

5.1 A complaint is an expression of dissatisfaction about how TLT is handling a data subject’s personal data. This can also include dissatisfaction with how TLT has responded to an earlier data request, or allegation of a data breach or rights of a data subject such as those detailed under clause 3.1.

6 Making a complaint

6.1 Data subjects and third parties may make a complaint relating to TLT’s use of their personal data. When a data subject makes a valid complaint, they become a ‘complainant’.

6.2 Complaints should be sent to the DPO at GDPR@tlt.com when received by any TLT partner or employee. Your complaint will normally be acknowledged within 5 business days. TLT reserves the right to extend the period of acknowledgment should your complaint be received during bank holidays, national holidays like Christmas, New Year’s Day, Easter break or/ and when TLT is closed for an official business reason.

6.3 Although a complaint may be brought at any time, there may be limits as to what TLT can do with historic cases due to our retention policy. Please review our Privacy Notice for how long we retain information for.

6.4 TLT will only accept a complaint from a data subject’s representative, if the representative provides the data subject’s written consent authorising the representative to act on the data subject’s behalf in relation to the complaint such as a letter of authority.

6.5 If there is any doubt about the identity of the complainant the Data Protection Officer will first seek to verify the data subject’s identity or third party’s entitlement to act on behalf of the individual. The forms of identification that are acceptable from a data subject are as follows:

• passport
• driving licence
• for third parties the identification requirements will vary dependent on their relationship to the data subject. Therefore, these will be assessed on a case by case basis.

7 Manifestly unfounded, vexatious or excessive correspondence and serial complaints

7.1 In limited circumstances we may refuse to handle a complaint when it is manifestly unfounded, vexatious or excessive.

7.2 Each complaint will be considered on a case by case basis. The following factors will be taken into consideration:

• the data subject has explicitly stated that they intend to cause disruption (whether in the complaint, or in other correspondence), and has threatened individuals;
• the data subject has made unsubstantiated accusations against individuals at TLT and/ or our clients, and is persisting in those accusations;
• the data subject is targeting particular individuals at TLT, against whom they have a personal grudge;
• the data subject makes frequent complaints intended to cause disruption;
• the data subject continues to repeat the substance of previous complaints which have already been investigated and a full and outcome disclosed to the complainant.

7.3 Where a complaint is deemed to be manifestly unfounded, excessive or vexatious the Data Protection Officer will contact the individual and in a reasonable timeframe explain to them:

• the reasons for refusing to consider the complaint;
• their right to make a complaint to the ICO; and
• their right to pursue their remedy through the courts

8 Investigation and complaint Outcome

8.1 Once all necessary requirements are satisfied and your concerns are clearly identified as a valid complaint, the investigation will be carried out normally within the statutory period of one calendar month.

8.2 If further clarification is required from the complainant or more time is required for the response to be completed; the Data Protection Officer will inform the complainant prior to the original deadline detailed in the acknowledgment letter or email.

8.3 The complaint outcome will be communicated to the complainant in writing, normally by email or by post.

8.4 The complaint will then be officially closed by the Data Protection Officer.

9 External review of complaint outcome

9.1 If the complainant remains dissatisfied with the outcome to the complaint, the complainant can escalate their concerns directly to the UK Data Protection Regulator, the Information Commissioner’s Office (the “ICO”).

9.2 Information about how to make a complaint to the ICO can be found here: Make a complaint | ICO.

9.3 In order to respond to the complaint escalated to the ICO, the Data Protection Officer will review and investigate the complaint based on the information provided by the ICO. This may necessitate access to personal data and other information held across TLT. The cooperation of any TLT staff members able to assist with the investigation will be required. The reason for the investigation may need to be disclosed to the relevant staff members.

9.4 The Data Protection Officer will submit a response directly to the ICO following any escalation by the complainant.

9.5 Any actions requested by the ICO will be discussed and actioned by the Data Protection Officer. Where no further action is taken by the ICO concerning the complaint the Data Protection Officer will close the complaint.