Data Protection Complaints Policy V01 05/06/2026

1. Purpose

Olton Alexander Limited is committed to protecting personal data and respecting the privacy rights of individuals. This policy sets out how we receive, investigate, and respond to complaints relating to our handling of personal data.

We aim to:

  • Resolve data protection concerns fairly, transparently, and promptly.
  • Comply with UK data protection legislation, including the UK GDPR and Data Protection Act 2018.
  • Learn from complaints and improve our data protection practices.
  • Ensure individuals understand their rights and how to raise concerns.

2. Scope

This policy applies to complaints from:

  • Customers
  • Employees
  • Contractors
  • Suppliers
  • Service users
  • Website users
  • Any individual whose personal data we process

The policy covers complaints concerning:

  • Collection, use, sharing, or retention of personal data
  • Accuracy of personal data
  • Data security and confidentiality
  • Data breaches
  • Direct marketing activities
  • Automated decision-making
  • Responses to data subject rights requests
  • Any other alleged infringement of data protection law

3. Definitions

Data Protection Complaint

A data protection complaint is any expression of dissatisfaction or concern about how we have handled an individual’s personal data or exercised our obligations under data protection law.

A complaint does not need to mention “UK GDPR”, “Data Protection Act”, or any legal terminology to be treated as a data protection complaint.

4. How to Make a Complaint

Complaints may be submitted through any of the following channels:

Email: DPO@olton-alexander.co.uk

Post: Data Protection Officer, Olton Alexander Limited, Morland House, 18 The Parks, Newton-le-Willows, WA12 0JQ

Telephone: 01942 800 000

We will treat any communication that appears to be a data protection complaint appropriately, regardless of the channel used.

5. Information We May Require

To help us investigate, complainants should provide:

  • Full name and contact details
  • Details of the concern
  • Relevant dates
  • Copies of any supporting documents
  • Desired outcome (if known)

If we require further information to understand the complaint, we will request it as soon as possible.

6. Identity Verification

Where necessary, we may request evidence of identity before investigating a complaint.

We will only request information that is reasonable and proportionate for verification purposes. We will not ask for additional identification where we already have sufficient evidence of identity.

7. Complaints Made on Behalf of Others

Where a complaint is submitted by a representative, we may require evidence that they are authorised to act on behalf of the individual concerned.

Examples may include:

  • A signed authority letter
  • Power of attorney
  • Legal representative authorisation

We may pause our investigation until suitable authority has been confirmed.

8. Acknowledgement of Complaints

We will acknowledge receipt of all data protection complaints within 30 calendar days of receiving them.

The acknowledgement will normally include:

  • Confirmation that the complaint has been received
  • A reference number
  • Contact details for the person handling the complaint
  • An explanation of the next steps

Where possible, we aim to acknowledge complaints sooner.

9. Investigation Process

Upon receipt of a complaint, we will:

  1. Assess the nature and scope of the complaint.
  2. Clarify any issues where necessary.
  3. Identify relevant records, systems, and personnel.
  4. Conduct appropriate enquiries.
  5. Assess compliance with applicable data protection legislation.
  6. Consider remedial actions where appropriate.

Investigations will begin promptly and will not be delayed until the acknowledgement period has expired. Complaints will be investigated without undue delay.

The extent of the investigation will depend on the complexity and seriousness of the complaint.

10. Keeping Complainants Informed

Where an investigation is likely to take longer than expected, we will provide progress updates.

Updates may include:

  • Actions undertaken
  • Reasons for any delays
  • Anticipated timescales
  • Requests for additional information

We will maintain clear and transparent communication throughout the process.

11. Complaint Outcomes

Once the investigation is complete, we will provide a written outcome without undue delay.

The response will normally include:

  • A summary of the complaint
  • The investigation undertaken
  • Findings
  • Any actions taken or proposed
  • Any lessons learned or process improvements
  • Information about escalation rights

Possible outcomes include:

  • Complaint upheld
  • Complaint partially upheld
  • Complaint not upheld
  • Complaint resolved informally

Where appropriate, remedial actions may include:

  • Correcting inaccurate data
  • Completing a delayed rights request
  • Updating procedures
  • Additional staff training
  • Restricting or ceasing processing activities
  • Apologising for service failures

12. Escalation and ICO Rights

If an individual remains dissatisfied after receiving our final response, they may complain to the Information Commissioner’s Office (ICO).

We will provide details of the ICO when issuing our final complaint outcome.

The ICO generally expects individuals to give organisations an opportunity to address concerns before approaching the regulator.

For further information, individuals may visit:

Information Commissioner’s Office (ICO)

13. Record Keeping

We will maintain records of:

  • Complaints received
  • Acknowledgements issued
  • Investigations undertaken
  • Evidence reviewed
  • Correspondence
  • Outcomes and actions taken

Complaint records will be retained in accordance with our retention schedule and applicable legal requirements.

Complaint records may be used to:

  • Identify trends
  • Improve compliance
  • Demonstrate accountability
  • Support regulatory enquiries

14. Staff Responsibilities

All staff must:

  • Recognise potential data protection complaints
  • Forward complaints promptly to the appropriate team
  • Cooperate with investigations
  • Maintain confidentiality

The Data Protection Officer (or nominated privacy lead) is responsible for:

  • Overseeing investigations
  • Advising on legal compliance
  • Monitoring complaint trends
  • Reporting significant issues to management

Staff will receive periodic training on recognising and handling data protection complaints.

15. Monitoring and Review

This policy will be reviewed:

  • Annually; or
  • Following significant legal, regulatory, or organisational changes.

Lessons learned from complaints will be used to improve data protection governance and practices.