This is the procedure for handling Data Protection Complaints in accordance with the Data Protection Act 2018 (DPA 208) and the Data (Use and Access) Act 2025.

Right to complain

Individuals have a right to make a Data Protection Complaint to ‘Data Controllers’.   An individual’s right to make a Data Protection Complaint to us (as controller) is separate to the individual’s right to make a Data Protection Complaint to the Information Commissioners Office (ICO).

Who can make a Data Protection Complaint?

Any individual whose Personal Data is held or processed by BESTrustees (or their processors) can make a Data Protection Complaint to us.

If an individual has made a Data Protection Complaint to us but has subsequently died, the Data Protection Complaint may be continued on behalf of the complainant by their personal representative.

A Data Protection Complaint addressed to us may be made, or continued, on behalf of the complainant by a representative of the complainant who shall be:

  • if the complainant is a minor or is otherwise incapable of acting on their own behalf, a member of the complainant’s family, or another person suitable to represent the complainant; or
  • in any other case, a representative nominated by the complainant in writing.

We reserve the right to request confirmation that a representative, or personal representative, acting on behalf of the complainant has been appropriately appointed.

What is the complaints process?

On receipt of a Data Protection Complaint, we will acknowledge receipt of the complaint within the period of 30 days of the date that the complaint was received.  Where possible, this acknowledgment will be in writing.    If not already received, the acknowledgment may ask for further details of the Data Protection Complaint.

To enable a Data Protection Complaint to be considered by us we will require the following information:

  • the complainant’s name, address, date of birth, national insurance number (if an employee or former employee) and relationship to BESTrustees;
  • if a representative is appointed, the representative’s name, address and proof of appointment; and
  • full reason(s) for the complaint.

The complainant should supply this information to the Office Manager, BESTrustees, 1 Cornhill, London, EC3V 3ND.

We will take the following steps without undue delay:

  • Investigate and consider the Data Protection Complaint. In doing so, we will conduct such investigations as we consider necessary to ensure all the appropriate information is available for us to make an informed decision.  We may request additional information/documentation as we reasonably consider to be necessary.
  • Keep the complainant updated on the progress of the investigation.
  • Inform the complainant of the outcome of the Data Protection Complaint in writing. The written notice will:
  • explain the decision and set out the reasons for it;
  • explain any actions taken as a consequence of the complaint; and
  • inform the complainant of their right to complain to the ICO and provide the ICO’s contact details.

We will keep a record of the following:

  • The date the Data Protection Complaint was received.
  • The acknowledgement from the Trustee of receipt of the Data Protection Complaint.
  • Any relevant conversations, evidence gathered and documents.
  • The outcome of the Data Protection Complaint.
  • Communications with the complainant regarding the progress of the investigation and the outcome of the Data Protection Complaint.
  • Any actions taken as a result of the investigation.

These records will be retained for no more than six years and then securely deleted.

Broader considerations

If the Data Protection Complaint concerns an actual, suspected or potential Personal Data Breach or Cyber Incident, the existence of which the Directors were not previously aware, the Directors will consult their Data Breach – Incident Response Plan and ensure that the procedures described in that policy are followed and that the relevant requirements of data protection legislation (including the GDPR and DPA 2018) are met.

If the Data Protection Complaint raises concerns regarding non-compliance, the Directors will consider whether any remedial action is required to address areas of non-compliance.