| Policy last reviewed | June 2026 |
| Approved By | Group Data Protection Officer |
| Published on | Fortus website under policies and procedures |
Contents
- Introduction
- Scope
- Responsibilities
- Making a Complaint
- Investigation and Complaint Outcome
- Review
- Independent External Review
- Use of Data from Complaints
Data Protection Complaints Procedure Flowchart
Data Protection Complaints Procedure
Introduction
1.1. The UK General Data Protection Regulation (“UK GDPR”), the Data Protection Act 2018 (“DPA 2018”), and the Privacy and Electronic Communications Regulations (“PECR”) (together, the “Data Protection legislation”), give data subjects and applicable third parties rights in relation to personal data. This procedure details how Fortus will respond to complaints from data subjects and third parties relating to the use of personal data.
Who are Data Subjects?
1.2. Data subjects are any natural living individuals whose personal data Fortus processes (collects, obtains, stores, retains, disposes of etc.). Data subjects can include staff members, clients and third-party stakeholders.
Data subjects’ rights
1.3. Under Data Protection legislation, data subjects have the right to the following and these rights can be exercised at any time:
A. Information about the processing of their data (UK GDPR Articles 12-14, and Recitals 58-62),
B. Access their own personal data (UK GDPR Articles 12 and 15, and Recital 63),
C. Correct personal data (UK GDPR Article 16),
D. Erase personal data, also known as the right to be forgotten (UK GDPR Article 17, and Recitals 65 and 66),
E. Restrict data processing (UK GDPR Article 18),
F. Object to data processing, including direct marketing (UK GDPR Article 21, and Recitals 69 and 70),
G. Receive a copy of their personal data or transfer their personal data to another data controller (data portability, UK GDPR Article 20, and Recital 68),
H. Not be subject to automated decision-making and rights in relation to profiling (UK GDPR Article 22, and Recital 71), and
I. Be notified of a data security breach (UK GDPR Article 34, and Recital 86).
What is a complaint?
1.4. A complaint is an expression of dissatisfaction about Fortus’s handling of a data subject’s personal data or the data of the individual they represent. This can also include dissatisfaction with how Fortus has responded to a previous data request, such as those detailed under 1.3.
Scope
2.1. This procedure addresses complaints made by data subjects regarding the use of their personal data. Complaints may be made in relation to any aspect of Fortus’s processing of personal data including individual rights requests.
2.2. This procedure also addresses complaints made by third parties in relation to Fortus’s use of personal data. These may be, for example, in relation to Fortus’s response to a data-related request from a third party.
2.3. This procedure should also be followed for complaints in relation to use of personal data for direct marketing and/or profiling activity.
Responsibilities
3.1. The DPO has overall responsibility for this procedure but has delegated day-to-day responsibility for overseeing its implementation to the Head of Operations. All relevant members of staff have been made aware of the procedure and have received appropriate training.
3.2. All Employees/Staff are responsible for ensuring that any complaints that are made in relation to this procedure are reported to the Data Protection Officer/Data Protection Team at dpo@fortus.co.uk and for cooperating with the Data Protection Officer in reviewing these complaints.
3.3. The Data Protection Officer will review this procedure (at least every two years) to ensure that its provisions continue to meet our legal obligations and reflect best practice.
Making a Complaint
4.1. Data subjects and third parties may make a complaint relating to Fortus’s use of personal data. Complaints should be sent directly to the Data Protection Officer/Team at dpo@fortus.co.uk. A member of the Data Protection Team will acknowledge the complaint. The complaint must be acknowledged within 30 days and investigated without undue delay.
4.2. Although a complaint may be brought at any time, there may be limits as to what Fortus can do in historic cases.
4.3. Fortus will only accept a complaint from a data subject’s representative if the representative provides the data subject’s written consent authorising the representative to act on the data subject’s behalf in relation to the complaint.
4.4. If there is any doubt about the identity of the complainant, the Data Protection Team will first seek to verify the data subject’s identity or third party’s entitlement to act on behalf of the individual. The forms of identification that are acceptable from a data subject are as follows:
a. Passport
b. Driving Licence
c. For third parties the identification requirements will vary dependent on their relationship to the data subject. Therefore, these will be assessed on a case-by-case basis.
Investigation and Complaint Outcome
5.1. Once all identification requirements have been met, the investigation will be carried out normally within 20 working days. If further clarification is required from the complainant or more time is required for the response to be completed, Fortus will inform the complainant prior to the original deadline.
5.2. The complaint outcome will be communicated to the complainant in writing, normally by email.
Review
6.1. If the complainant does not agree with the outcome, they can request a review of the decision. This request must be made within 30 days of the original decision being communicated and should be sent to the Data Protection Team at dpo@fortus.co.uk. The decision will be internally reviewed by the Data Protection Officer or Head of Operations normally within 20 working days from the receipt of the request for review.
6.2. Once the internal review has been completed, Fortus will communicate the outcome in writing, normally by email.
Independent External Review
7.1. If the complainant remains dissatisfied, they can escalate their complaint to the Information Commissioner’s Office (the “ICO”). Information about how to make a complaint to the ICO can be found here: https://ico.org.uk/make-a-complaint/
7.2. In order to respond to the complaint, the Data Protection Officer will investigate the complaint based on the information provided by the ICO. This may necessitate access to personal data and other information held across Fortus. The cooperation of any staff members able to assist with the investigation will be required. The reason for the investigation may need to be disclosed to the relevant staff members. The Data Protection Officer will draft and submit a response to the ICO in consultation with the Head of Operations.
7.3. In the absence of the Data Protection Officer, Fortus will appoint another member of the Data Protection, Information Compliance or Legal teams to carry out the investigation and respond to the ICO.
Use of Data from Complaints
8.1. Fortus will collect data on complaint outcomes at each stage of this procedure and any complaints submitted by complainants to any regulators (including the ICO):
a) Internally for reporting, evaluation, learning and training; and
b) Externally for discussion with regulators.
8.2. The data used by Fortus for the purposes set out in paragraphs 8.1 a) and b) will be anonymised. Your personal data and sensitive personal data (‘Personal Data’) as defined by the Data Protection Act 2018 (the “DPA”) may be disclosed to Fortus members of staff and regulators only for the purpose of dealing with your complaint, or a complaint arising out of it and/or implementing any recommendations. Personal Data will not be shared with any other third parties unless Fortus has your express consent, has a statutory obligation to do so, or is otherwise permitted to do so under the DPA.