Under recent changes to UK privacy law, UK controllers of personal data will need to update their privacy policies, processing agreements and related procedures by June this year to include a process for handling complaints about a breach of the UK's data protection law and regulation, including by providing a complaint form which data subjects can complete electronically. This post is for information purposes only. Please let me know if you need any drafting or advice on how to comply.
Controllers must acknowledge receipt of a complaint within 30 days and, "without undue delay", take appropriate steps to respond and inform the complainant of the outcome. That includes making enquiries into the subject matter of the complaint, "to the extent appropriate", and informing the complainant about progress.
The Information Commissioner has consulted on guidance on complaints handling requirements.
What if we already have a complaints procedure?
Some service providers are already required to have complaints handling policies and processes (e.g. financial services firms), and it's common for a customer to complain about more than one issue at the same time, so it's best to sweep up data protection complaints in the same process.
Will we need to report the number of complaints received, etc.?
There's also the potential for the ICO to require controllers to report the number of complaints they receive in a given period, which may be in the pipeline.
What other changes have been made?
The Information Commissioner has also issued more general guidance on the changes made under the Data (Use and Access) Act 2025, including changes relating to 'legitimate interests'.