Fexillon Data Protection Complaints Procedure
Introduction
The General Data Protection Regulation (“GDPR”), the Data Protection Act 2018 (“DPA 2018”), and the Privacy and Electronic Communications Regulations (“PECR”) (together, the “Data Protection legislation”), give data subjects and applicable third parties rights in relation to personal data. This procedure details how Fexillon will respond to complaints from data subjects and third parties relating to the use of personal data.
General Information
Data Subjects
Data subjects are any natural living individuals whose personal data Fexillon processes (collects, obtains, stores, retains, disposes of etc.). Data subjects can include customers, prospective customers, marketing communication recipients, staff members, applicants, prospective applicants, ex-employees, visitors, individuals captured by the Fexillon CCTV cameras, etc.
Data Subjects' rights
Under Data Protection legislation, data subjects have the right to the following and these rights can be exercised at any time:
a. information about the processing of their data (GDPR Articles 12-14, and Recitals 58-62),
b. access their own personal data (GDPR Articles 12 and 15, and Recital 63),
c. correct personal data (GDPR Article 16),
d. erase personal data, also known as the right to be forgotten (GDPR Article 17, and Recitals 65 and 66),
e. restrict data processing (GDPR Article 18),
f. object to data processing, including direct marketing (GDPR Article 21, and Recitals 69 and 70),
g. receive a copy of their personal data or transfer their personal data to another data controller (data portability, GDPR Article 20, and Recital 68),
h. not be subject to automated decision-making and rights in relation to profiling (GDPR Article 22, and Recital 71), and
i. be notified of a data security breach (GDPR Article 34, and Recital 86).
Complaint Definition
A complaint is an expression of dissatisfaction about Fexillon handling of a data subject’s personal data or the data of the individual they represent. This can also include dissatisfaction with how Fexillon has responded to a previous data request, such as those detailed in data subjects’ rights section.
Scope
This procedure addresses complaints made by data subjects regarding the use of their personal data. Complaints may be made in relation to any aspect of Fexillon processing of personal data including individual rights requests.
This procedure also addresses complaints made by third parties in relation to Fexillon use of personal data. These may be for example in relation to the Fexillon response to a data related request from a third party, such as the Police or Local Government Agencies.
This procedure should also be followed for complaints in relation to use of personal data for direct marketing and/or profiling activity.
Responsibilities
The board of directors has overall responsibility for this procedure but has delegated day-to-day responsibility for overseeing its implementation to the Data Protection Officer. All relevant members of staff have been made aware of the procedure and have received appropriate training.
All Fexillon employees and staff are responsible for ensuring that any complaints that are made in relation to this procedure are reported to the Data Protection Officer (privacy@fexillon.com), and for cooperating with the Data Protection Officer in reviewing these complaints.
The Data Protection Officer and Fexillon solicitor will review this procedure from time to time (and at least every two years) to ensure that its provisions continue to meet our legal obligations and reflect best practice.
Making Complaint
Data subjects and third parties may make a complaint relating to Fexillon use of personal data. Complaints should be sent directly to the Data Protection Officer (privacy@fexillon.com). Complaints will normally be acknowledged within 5 working days. Fexillon reserves the right to extend the period we need for response during vacation periods and public holidays.
Although a complaint may be brought at any time, there may be limits as to what Fexillon can do in historic cases.
Fexillon will only accept a complaint from a data subject’s representative, if the representative provides the data subject’s written consent authorising the representative to act on the data subject’s behalf in relation to the complaint.
If there is any doubt about the identity of the complainant the Data Protection Team will first seek to verify the data subject’s identity or third party’s entitlement to act on behalf of the individual. The forms of identification that are acceptable from a data subject are as follows;
a. Passport
b. Driving Licence
c. For third parties the identification requirements will vary dependent on their relationship to the data subject. Therefore these will be assessed on a case by case basis.
Investigation and Complaint Outcome
Once all identification requirements have been met, the investigation will be carried out normally within 20 working days. If further clarification is required from the complainant or more time is required for the response to be completed Fexillon will inform the complainant prior to the original deadline.
The complaint outcome will be communicated to the complainant in writing, normally by email.
Review
If the complainant does not agree with the outcome, they can request a review of the decision. This request must be made within 1 month of the original decision being communicated and should be sent to the Data Protection Officer (privacy@fexillon.com). The decision will be internally reviewed by the Data Protection Officer normally within 20 working days from the receipt of the request for Review.
Once the internal review has been completed, Fexillon will communicate the outcome in writing, normally by email.
Independent External Review
If the complainant remains dissatisfied, they can escalate their complaint to the relevant authority based on the geographical location of the data subject. Full list of the relevant authorities can be found via the European Data Protection Board.
In order to respond to the complaint, the Data Protection Officer will investigate the complaint based on the information provided by the relevant authority. This may necessitate access to personal data and other information held across Fexillon. The cooperation of any staff members able to assist with the investigation will be required. The reason for the investigation may need to be disclosed to the relevant staff members.
The Data Protection Officer will draft and submit a response to the relevant authority in consultation with Fexillon solicitor and the board of directors.
In the absence of the Data Protection Officer, the Fexillon solicitor will carry out the investigation and respond to the relevant authority.
Manifestly unfounded, abusive, vexatious or excessive correspondence and complaints
In some scenarios we can refuse to handle the complaint. This will be when a complaint is deemed to be manifestly unfounded, abusive, vexatious or excessive. Each complaint will be considered on a case by case basis. The following factors will be taken into consideration:
a. the data subject has explicitly stated that they intend to cause disruption (whether in the complaint, or in other correspondence), and has threatened individuals;
b. the data subject has made unsubstantiated accusations against individuals, and is persisting in those accusations;
c. the data subject is targeting particular individuals, against whom they have a personal grudge;
d. the data subject makes frequent complaints intended to cause disruption;
e. the data subject continues to repeat the substance of previous complaints which have already been investigated.
Where a complaint is deemed to be manifestly unfounded, excessive, abusive or vexatious Fexillon will contact the individual and in a reasonable timeframe explain to them:
a. the reasons for refusing to consider the complaint;
b. their right to make a complaint to the relevant authority; and their right to pursue their data subject rights through a judicial remedy.