# DUAA Data Protection Complaints Procedure (Template) **Organisation:** [Your organisation name] **Version:** 1.0 **Last reviewed:** [Date] **Owner:** [Name / role] > **Disclaimer:** This template is for informational purposes only and is not legal advice. Review and adapt for your organisation. Consult qualified advisers where needed. ## 1. Purpose This procedure explains how [Organisation name] handles data protection complaints under the Data (Use and Access) Act 2025 and UK GDPR. ## 2. Scope This procedure applies to all complaints from individuals (or their representatives) alleging an infringement of UK GDPR or Part 3 of the Data Protection Act 2018 in connection with their personal data. There is no exemption based on organisation size or sector. ## 3. How to make a complaint Individuals may complain using any of the following: - **Online form:** [URL to complaint form] - **Email:** [complaints@yourdomain.co.uk] - **Post:** [Address] - **Phone:** [Number] — verbal complaints will be logged and acknowledged in writing Complaints may also be received via social media or to any member of staff. Staff must escalate data protection complaints to [role/email]. ## 4. Acknowledgement (30 days) We will acknowledge receipt of every data protection complaint within **30 calendar days** of receipt. - The 30-day period starts the day **after** the complaint is received. - If the final day falls on a weekend or bank holiday, acknowledgement is due by the end of the next working day. - Acknowledgement confirms we received the complaint and will investigate. ## 5. Investigation We will: - Begin investigation **without undue delay** (immediately where possible, not after the acknowledgement period ends) - Gather relevant information and speak to appropriate staff - Keep the complainant informed of progress and expected timelines - Maintain records of all steps taken ## 6. Outcome We will communicate the outcome to the complainant **without undue delay**, including: - What we investigated - Our conclusion and reasoning - Any remedial actions taken - The complainant's right to complain to the Information Commissioner's Office (ICO): https://ico.org.uk ## 7. Records We retain records of: - Date of receipt - Acknowledgement (date and method) - Correspondence - Investigation steps - Outcome and remedial actions Records are retained in line with our data retention policy and not longer than necessary. ## 8. Privacy notice paragraph Add the following to your privacy notice: > You have the right to make a complaint to us if you believe we have infringed UK data protection law in connection with your personal data. You can submit a complaint via [form URL / email]. We will acknowledge your complaint within 30 days and investigate without undue delay. You also have the right to complain to the Information Commissioner's Office (ICO). ## 9. Staff training Staff who may receive complaints will be trained to: - Recognise data protection complaints (not only those labelled "GDPR") - Escalate to [role] immediately - Not dismiss complaints received via informal channels ## 10. Review This procedure is reviewed at least annually and when legislation or ICO guidance changes. --- **ComplaintsDesk** — [complaintsdesk.co.uk](https://complaintsdesk.co.uk)