Data Protection Complaints Handling Process

1 Purpose

The purpose of this Data Protection Complaints Handling Process (“Process”) is to provide a fair, transparent, and effective mechanism for individuals to raise concerns regarding the processing of their personal data and to ensure compliance with:

  • UK General Data Protection Regulation (UK GDPR);
  • Data Protection Act 2018 (DPA 2018);
  • Data (Use and Access) Act 2025 (DUAA); and
  • Information Commissioner’s Office (ICO) guidance on data protection complaints.

This Process applies to all complaints received on or after 19 June 2026.

2 Scope

This Process applies to complaints relating to:

  • Collection of personal data;
  • Use of personal data;
  • Disclosure or sharing of personal data;
  • Data retention practices;
  • Data security measures;
  • Direct marketing activities;
  • Automated decision-making;
  • International transfers of personal data;
  • Handling of data subject rights requests;
  • Personal data breaches; and
  • Any alleged infringement of UK data protection legislation.

This Process applies to complaints from:

  • Customers;
  • Employees;
  • Job applicants;
  • Contractors;
  • Suppliers;
  • Website users; and
  • Any individual whose personal data is processed by Definition Group Ltd.

3 Definitions

Data Protection Complaint

A complaint made by or on behalf of an individual alleging that Definition Group Ltd has failed to comply with UK data protection legislation in relation to personal data.

A complaint does not need to:

  • Refer to legislation;
  • Use legal terminology; or
  • Be labelled as a “data protection complaint”.

Any expression of dissatisfaction relating to the handling of personal data must be considered for assessment under this Process.

Complainant

The individual making the complaint or their authorised representative.

4 Complaints Principles

Definition Group Ltd will ensure that all data protection complaints are:

  • Handled fairly and impartially;
  • Investigated objectively;
  • Managed without undue delay;
  • Documented appropriately;
  • Resolved at the earliest opportunity;
  • Escalated where necessary; and
  • Used as a source of organisational learning.

5 Making a Complaint

Definition Group Ltd shall facilitate the making of data protection complaints through multiple accessible channels. Individuals shall not be required to use a specific complaint channel.

Complaints may be submitted via:

Where a complaint is received by an employee, the employee must immediately forward the complaint to Adam Sumnall.

6 Information Provided to Individuals

Definition Group Ltd shall inform individuals:

  • Of their right to complain to Definition Group Ltd;
  • How complaints can be submitted;
  • Of their right to complain to the Information Commissioner’s Office (ICO); and
  • How the complaint will be handled.

This information shall be included within:

  • Privacy Notices;
  • Data Subject Rights correspondence;
  • Complaint acknowledgement letters; and
  • The Definition website at www.thisisdefinition.com.

7 Complaint Receipt and Logging

Upon receipt of a complaint, Definition Group Ltd shall:

  • Create a complaint record;
  • Assign a unique reference number; and
  • Record:
    • Date received;
    • Complainant details;
    • Nature of complaint;
    • Relevant processing activities;
    • Assigned investigator; and
    • Deadlines and actions.

All complaints shall be entered into the Data Protection Complaints Register. The Data Protection Complaints Register shall be maintained in a restricted-access online folder under the control of Adam Sumnall.

8 Acknowledgement

Definition Group Ltd shall acknowledge receipt of the complaint within thirty (30) calendar days of receipt.

The acknowledgement shall include:

  • Complaint reference number;
  • Name or role of investigator;
  • Summary of the complaint;
  • Expected next steps;
  • Contact details for further enquiries; and
  • Information regarding the complainant’s rights.

9 Initial Assessment

Within ten (10) working days of allocation, the investigator shall determine:

  • Whether the matter constitutes a data protection complaint;
  • Whether additional information is required;
  • Whether immediate remedial action is necessary;
  • Whether the complaint indicates a personal data breach; and
  • Whether escalation is required.

Where clarification is needed, the investigator shall contact the complainant promptly.

10 Investigation

The investigator shall conduct an appropriate and proportionate investigation.

Activities may include:

  • Reviewing relevant records;
  • Interviewing personnel;
  • Examining technical logs;
  • Reviewing policies and procedures;
  • Assessing legal obligations;
  • Consulting Adam Sumnall as the responsible privacy lead; and
  • Consulting legal counsel where required.

Definition Group Ltd shall make appropriate enquiries and keep the complainant informed of progress where investigations are ongoing.

11 Escalation Criteria

The complaint shall be escalated to Adam Sumnall immediately if:

  • Special category data is involved;
  • Criminal offence data is involved;
  • A personal data breach is suspected;
  • Significant regulatory risk exists;
  • Multiple individuals are affected;
  • Legal proceedings are threatened; or
  • The complaint raises systemic compliance concerns.

12 Complaint Outcomes

Following investigation, Definition Group Ltd may determine that:

Complaint Upheld

Definition Group Ltd accepts that a breach of data protection requirements has occurred.

Actions may include:

  • Apology;
  • Corrective action;
  • Rectification of personal data;
  • Erasure of personal data;
  • Restriction of processing;
  • Additional staff training; or
  • Process improvements.

Complaint Partially Upheld

Definition Group Ltd accepts some aspects of the complaint but not all.

Complaint Not Upheld

Definition Group Ltd concludes that data protection obligations were met.

13 Response to the Complainant

Definition Group Ltd shall provide the outcome of the complaint without undue delay.

The final response shall include:

  • Summary of the complaint;
  • Investigation undertaken;
  • Findings;
  • Actions taken or proposed;
  • Explanation of decisions made; and
  • Information regarding escalation rights.

The response shall also explain the individual’s right to complain to the Information Commissioner’s Office if dissatisfied.

14 ICO Escalation Information

Definition Group Ltd shall inform complainants that they may contact:

Definition Group Ltd shall cooperate fully with any subsequent ICO investigation.

15 Personal Data Breach Identification

Where a complaint reveals a potential personal data breach, the matter shall immediately be referred to Definition Group Ltd’s Personal Data Breach Response Procedure.

The complaint investigation and breach investigation may proceed in parallel.

16 Record Keeping

Definition Group Ltd shall maintain records of:

  • Complaints received;
  • Acknowledgements issued;
  • Investigation activities;
  • Communications with complainants;
  • Outcomes;
  • Corrective actions; and
  • Lessons learned.

Records shall be retained in accordance with Definition Group Ltd’s Retention Schedule and any applicable legal or regulatory requirements.

17 Monitoring and Reporting

Adam Sumnall shall review complaint data at least quarterly.

Reports shall include:

  • Number of complaints received;
  • Categories of complaints;
  • Response times;
  • Outcomes;
  • Root causes;
  • Trends and recurring issues; and
  • Corrective actions implemented.

Management shall review reports to identify opportunities for improvement.

18 Training

All employees shall receive training covering:

  • Recognition of data protection complaints;
  • Escalation procedures;
  • Complaint handling obligations;
  • UK GDPR requirements; and
  • ICO expectations.

Training shall be refreshed at least annually.

19 Continuous Improvement

Definition Group Ltd shall periodically review:

  • Complaint trends;
  • Root causes;
  • Policy effectiveness;
  • Regulatory developments; and
  • ICO guidance.

Processes shall be updated where necessary to maintain compliance and improve outcomes.

20 Review

This Process shall be reviewed:

  • Annually;
  • Following significant complaints;
  • Following regulatory changes; and
  • Following ICO enforcement action or guidance updates.

21 Document Control

  • Document Owner: Adam Sumnall
  • Approved By: Adam Sumnall
  • Review Frequency: Annual
  • Effective Date: 19/06/2026
  • Version: 1