Data Protection Complaints Policy

Introduction

The Data Protection Act 2018 is the main law governing data protection. You have the right to complain directly to us if you consider that we have breached data protection laws because of the way we have handled your personal data (or the personal data of someone you are acting on behalf of). This Policy explains your right to complain and how we will handle your complaint.

Roles & responsibilities

1. Our Executive Assistant is responsible for handling data protection complaints within our organisation. They will work alongside other members of our organisation who have been identified as relevant to the investigation of each complaint.
2. All staff are responsible for recognising data protection complaints.
3. Staff who receive or identify a data protection complaint, whether in person, via social media or through any other channels, must inform our Executive Assistant as soon as possible.
4. We are committed to handling data protection complaints in line with our legal obligations and in an accessible, fair, transparent and timely manner. We will handle complaints confidentially and only share information where appropriate to investigate and resolve the complaint, as required or authorised by law or otherwise in accordance with our privacy notices.

Types of Complaint

1. Examples of a data protection complaint include (but are not limited to) the following:
   
   • the way we have responded to a subject access request (SAR), or other data rights request.
   • the security measures we have used to store your information (e.g. where you have been impacted by a data breach); or
   • how we have collected or used your personal information (e.g. where we have stored it, how long we have kept it for, or its accuracy).
   This list is not exhaustive. You have the right to complain to us at any time if you consider that there has been an infringement of any of your rights in relation to your personal data. Information on how we handle your personal data and your data rights are set out in our separate privacy notices which can be found in the footer of the respective ADL Smartcare Service you are using.
2. Complaints about other matters that do not relate to data protection, such as customer service issues, will not be treated as a data protection complaint. If you have a complaint that is not about data protection, please use the contact form here or email support@adlsmartcare.com.
3. If we are not sure whether you are making a data protection complaint, we will contact you to clarify the nature of your complaint.
4. Employees who want to raise a grievance should do so under our grievance procedure.
5. If your complaint relates to whistleblowing, please read our separate whistleblowing procedure (.PDF, 70.7 KB).

How to make a data protection complaint to us

1. You can submit a complaint directly to us using any of the following methods:
   
   • Online complaint form: 2026-Data-Protection-Complaint-Form--adl-smartcare.docx (.docx, 2.4MB)
   • Email: privacy@adlsmartcare.com
   • Post: ADL Smartcare Limited, Electric Works, Concourse Way, Sheffield, S1 2BJ
   • Telephone: +44 (0)800 612 6845
   This is not an exhaustive list. We will take appropriate steps to respond to data protection complaints that we receive from any other channels, including via social media.
2. We will comply with our duty to make reasonable adjustments to our data protection complaints process for disabled people under the Equality Act 2010. If you feel that you would benefit from any adjustments to our data protection complaints process, you should raise this with us when making your complaint.

Complaints on Social Media

1. Although data protection complaints may be made on social media, we would advise that a complaint may be dealt with more efficiently and effectively if it is made using one of the methods set out above.
2. Where we identify a data protection complaint about our organisation on social media, we will take appropriate steps to respond to the complaint in line with this Policy. However, as responding on social media is not usually a secure way of providing information, we will ask the individual making the complaint for an alternative contact method that we can use to respond to their complaint.

Complaints from children

We will respond to data protection complaints from children in plain, clear language they can understand at all stages of the complaints process. We will comply with our obligations to assess the competence of the child to understand and exercise their rights.

Responding to your complaint

1. When we receive a data protection complaint, we will acknowledge receipt no later than 30 days from receiving it.
2. If we have any doubts about your identity, we may need to ask you for proof of ID before we respond to your complaint.
3. Complaints made on your behalf by a third party must be accompanied by evidence that the third party is authorised to act on your behalf. If this is not provided, we will contact the third party to ask that such evidence is provided before we respond to your complaint. If we are unsure whether a letter of authority is valid, we will contact you about this before we respond to your complaint.
4. We will take appropriate steps to respond to your complaint without undue delay, including making enquiries into the complaint and keeping you informed about the progress of our investigation and timescales for the next update or outcome.
5. We may need to contact you to request further information to assist with our investigation. It may take us longer to investigate and resolve complaints which are complex, serious or which relate to multiple data protection issues.
6. Following our investigation, we will inform you of the outcome of your complaint without undue delay, explaining our findings, whether the complaint is upheld (in whole or in part), any action taken or proposed, and, where no action is taken, the reasons for that decision.
7. If you are dissatisfied with the outcome, you should contact the Executive Assistant to request a review of the original decision. Where reasonably practicable, any internal review will be carried out by a person who was not primarily responsible for the original response.

Complaints about data processors

Where we receive a complaint that relates to the processing of personal information by our service providers, we will ask them to provide us with information relevant to the complaint without undue delay and in line with our contractual terms with the service provider.

Training

We will provide training for all staff on recognising a data protection complaint and what to do if they receive one, including where to direct a complaint within our organisation.

Record Keeping

1. We will keep a record of:
   
   • the date we receive the data protection complaint
   • our acknowledgement
   • any relevant conversations and documents
   • the outcome of the complaint; and
   • any actions we take because of our investigation.
2. We will use these records to demonstrate compliance, for audit and monitoring purposes, training, to support consistent handling and to identify recurring issues, trends or areas for organisational improvements or remediation.
3. We will not retain personal data relating to complaints for longer than is necessary. A standard best practice period aligns with relevant statutory limitation periods (typically six years) to allow defence against any subsequent litigation or regulatory audits by the Information Commissioner's Office.

Complaints to the Information Commissioner’s Office (ICO)

1. You have the right to make a data protection complaint at any time to the Information Commissioner's Office (ICO).
2. The ICO's contact details are as follows:

   ICO Helpline number: 0303 123 1113

   ICO website: https://www.ico.org.uk

   Address:
   Information Commissioner's Office
   Wycliffe House
   Water Lane
   Wilmslow
   Cheshire
   SK9 5AF