1. Purpose and Scope
This policy sets out how Taylors Legal Limited ("we", "us", "our") handles data protection complaints from individuals. It has been prepared to comply with the mandatory complaints-handling requirements introduced by the Data (Use and Access) Act 2025 ("DUAA 2025"), which take effect on 19 June 2026.
Under section 103 of the DUAA 2025, all data controllers are required to maintain and operate a formal complaints process that individuals can use to raise concerns about how their personal data has been handled. This policy applies to:
- All complaints from any individual about how we have processed personal data
- Complaints relating to alleged failures to comply with the UK GDPR or Part 3 of the Data Protection Act 2018
- Complaints from any individual — not just customers or employees — including members of the public, job applicants, contractors, and third parties
This policy applies across all departments and functions of Taylors Legal Limited and to all staff who may receive or handle data protection complaints.
2. What Is a Data Protection Complaint?
A data protection complaint is any expression of concern by an individual about the way in which we have handled their personal data. This includes — but is not limited to — concerns about:
- Unlawful processing or use of personal data
- Failure to honour a data subject rights request (e.g. access, erasure, rectification, portability)
- Inadequate security measures leading to a data breach affecting the individual
- Use of personal data for a purpose inconsistent with the original collection
- Failure to provide adequate privacy information
- Retention of personal data beyond the applicable retention period
- Sharing personal data with third parties without a lawful basis
Individuals do not need to use legal language or cite specific legislation for something to count as a data protection complaint. Where a complaint also engages other rights (e.g. a concurrent data subject access request), we will handle them in a co-ordinated manner to avoid conflicting timelines.
3. How to Submit a Complaint
We are committed to making it easy for anyone to raise a data protection complaint. Complaints can be submitted through any of the following channels:
| Electronic Form | Available on our website www.taylorslegal.com/data-protection-complaints-policy |
| [email protected] | |
| Post | Data Protection Manager, Taylors Legal Limited, 184 Manor Road, Chigwell, Essex, IG7 5PZ |
We will accept complaints regardless of how they are received, even if submitted informally. Staff who receive complaints through any channel (including verbally) must route them to the Data Protection Manager promptly.
Where a complaint involves a child, we will assess whether the child has sufficient competence to exercise their rights independently and will use clear, age-appropriate language in all communications.
4. Handling a Complaint: The Process
4.1 Acknowledgement
We will acknowledge all data protection complaints within 30 days of receipt. This is a statutory requirement under the DUAA 2025. Acknowledgement will:
- Confirm we have received the complaint
- Provide the complainant with a reference number
- Set out the next steps and expected timescales
- Identify the contact person handling the complaint
4.2 Investigation
Following acknowledgement, we will:
- Conduct a fair, thorough, and impartial investigation into the complaint
- Make all reasonable enquiries necessary to understand the facts
- Keep the complainant informed of progress without undue delay, particularly where the investigation is likely to take some time
- Engage relevant internal teams (e.g. IT, HR, Legal) as appropriate
We aim to provide a substantive response within eight weeks of receipt. Where this is not possible due to exceptional circumstances, we will notify the complainant of the reason for any delay and provide a revised estimated timeframe.
4.3 Outcome
Once the investigation is complete, we will communicate the outcome to the complainant without undue delay. The outcome communication will:
- Set out our findings in plain, accessible language
- Explain any remedial action taken or proposed
- Where the complaint is upheld in full or in part, describe the steps we have taken or will take to address the issue
- Where the complaint is not upheld, provide clear reasons for that decision
- Inform the complainant of their right to escalate to the Information Commissioner's Office (ICO) if they remain dissatisfied (see Section 6)
5. Unreasonable or Excessive Complaints
We will handle all complaints in good faith. However, where a complaint is manifestly unfounded, repetitive, or unjustifiably burdensome — taking into account all the circumstances — we may, in limited circumstances, take reasonable steps to manage the volume of contact. Any such decision will be made on a case-by-case basis and will not be applied as a blanket approach. We will always notify the complainant of our reasoning.
6. Right to Escalate to the ICO
Individuals retain the right to complain directly to the Information Commissioner's Office (ICO) at any time. However, under the DUAA 2025, individuals are expected to raise concerns with us first before escalating to the ICO, unless exceptional circumstances apply.
If an individual is dissatisfied with our response, or if we fail to respond within the required timeframes, they may contact the ICO:
- Website: www.ico.org.uk/make-a-complaint
- Telephone: 0303 123 1113
- Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
We will always signpost complainants to the ICO in our outcome communications.
7. Record-Keeping and Monitoring
We maintain a central complaints log to track all data protection complaints received. The log records:
- Date of receipt and date of acknowledgement
- Nature and summary of the complaint
- Steps taken during the investigation
- Outcome and any remedial actions
- Date of final response
Records are retained in accordance with our data retention schedule and are used to identify trends, systemic issues, and opportunities for improvement.
We process personal data in connection with complaints in accordance with our Privacy Notice, available at https://www.taylorslegal.com/privacy-policy
8. Roles and Responsibilities
| Data Protection Manager (DPM) | Policy owner; oversees the complaints process; handles escalated or complex complaints; day-to-day intake, acknowledgement, investigation and logging of complaints; maintaining the complaints register. |
| All Staff | Recognise and promptly route data protection complaints to the DPM; do not attempt to handle data protection complaints independently. |
9. Staff Training
All staff will receive training to enable them to:
- Recognise a data protection complaint when received (regardless of how it is worded)
- Understand their obligation to route complaints to the DPM without delay
- Avoid prejudging or attempting to resolve complaints outside of this process
Training will be provided on induction and refreshed at least annually, or when this policy is updated.
10. Relationship to Other Policies and Rights
This policy should be read alongside:
- Our Privacy Policy
Where a complaint also constitutes (or arises from) a data subject access request or other rights request, both processes will run in a coordinated manner to avoid duplication or conflicting outcomes.
11. Policy Review
This policy will be reviewed at least annually, or sooner following any significant change in relevant legislation, ICO guidance, or our internal practices. The DPM is responsible for maintaining and updating this policy.
The next scheduled review date is: 18 June 2027.
12. Contact
If you have any questions about this policy, or wish to submit a data protection complaint, please contact:
Nicola Daniel, Data Protection Manager
Taylors Legal Limited
184 Manor Road, Chigwell, Essex, IG7 5PZ
Email: [email protected]
Web: https://www.taylorslegal.com/data-complaint-submission