Data protection complaints procedure

1.0  Introduction

1.1 The Council is a data controller as defined by the UK General Data Protection Regulation. The Data Use and Access Act (2025) (DUAA) introduces a requirement for data controllers to put in place a complaint handling process ensuring that data subjects are able to lodge complaints directly with the controller. The Act requires controllers to acknowledge receipt of the complaint within a period of 30 days and take appropriate steps to respond to the complaint.

2.0   Purpose

2.1 This procedure sets out the actions that the Council will take to meet its obligations under the DUAA when responding to complaints relating to individual data subject rights or how the Council is processing personal data.

3.0   Scope 

3.1 This procedure covers all complaints relating to the Council’s processing of personal data, including special category data, under the UK GDPR and Data Protection Act (2018).

3.2 This procedure applies to all staff and contractors at the Council. This includes temporary, casual, agency staff, volunteers, suppliers and data processors working for or on behalf of the Council.

3.3 The objective of this procedure is to ensure the Council meets its obligations and that data subjects receive an appropriate resolution to any complaint.

3.4 Data protection complaints are not handled under the corporate complaints process. The Council’s Data Protection Officer is tasked with monitoring compliance with the UK GDPR and other data protection law. This will include investigating complaints. The Data Protection Officer is also the Council’s point of contact with the regulator (the Information Commissioner) who the data subject can engage with if they remain dissatisfied. 

4.0   Complaints that will be handled under this procedure

4.1 Failure to comply with data subjects rights request under UK GDPR:

  • Article 13 and 14 – the right to be informed
  • Article 15 – the right of access
  • Article 16 – the right to rectification
  • Article 17 – the right to erasure - ‘the right to be forgotten’
  • Article 18 – the right to restriction of processing
  • Article 19 – notification obligations regarding Article 17 and Article 18 requests
  • Article 20 - the right to data portability

4.2 Complaints about breaches of the data protection principles set out in the UK GDPR:

  • Lawfulness, fairness and transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality (security)
  • Accountability

4.3 Complaints about automated decision-making or profiling.

5.0   Making a complaint

5.1 Complaints should be addressed to the Data Protection Officer and made in writing. An electronic form is available on the council website for this purpose Customer feedback and complaints – Hartlepool Borough Council, or alternatively you can use the contact details below. Complaints that are made in person or via the telephone should be transcribed by the officer.

5.2   Any officer receiving a complaint about data protection matters should pass this to the Data Protection Officer without delay. Complaints that have been made verbally may be confirmed by the Data Protection Officer in writing prior to investigation to ensure clarity on the scope of the complaint.

6.0   Handling complaints

6.1 The Data Protection Officer will log and acknowledge complaints, seeking ID and confirmation of authority to act where appropriate.

6.2 Complaints will be acknowledged within 30 days of receipt in accordance with the requirements of the legislation.

6.3 We aim to provide a response without undue delay and in any event within one calendar month of the complaint being acknowledged.

6.4 The Data Protection Officer will investigate the complaint by making appropriate enquiries into the subject matter of the complaint. Services are required to provide appropriate information and support where requested. The Data Protection Officer will inform the complainant about progress of the complaint.

6.5 If the complaint relates to health or social care records, the Data Protection Officer will inform the Caldicott Guardian and, where appropriate, seek their view on the complaint.

7.0   Investigation

7.1  If a complaint requires investigation this will be undertaken by the Data Protection Officer with due consideration of other existing procedures, e.g. complaints about potential data breaches will be investigated as a breach under that procedure initially.

7.2  The investigation will take into account the following:

  • The nature of the complaint
  • The type of data involved
  • The sensitivity of the data involved
  • The protection in place (for example, encryption)
  • The relationship with the data subject(s) and the potential effects on them

8.0   Evaluation and response

8.1  When the investigation is completed a response will be provided to the individual. This will include information about any further actions open to them if they remain dissatisfied such as escalating a complaint to the Information Commissioner, who can be contacted at Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. ICO Website

8.2 Depending on the outcome of the investigation the Data Protection Officer will determine whether any changes to systems, policies or procedures should be undertaken. Existing controls will be reviewed to determine their adequacy, and whether any action should be taken by the service to enhance compliance with our obligations as a data controller.

8.3  A log of complaints will be maintained by the Data Protection Officer. This will be regularly analysed for trends and to identify actions that may arise from these. A regular report to the SIRO will provide a summary of complaints received.

Contact us:

Laura Stones
Data Protection Officer
01429 523087
dataprotection@hartlepool.gov.uk
Hartlepool Borough Council, Civic Centre, Hartlepool, TS24 8AY
 
Version: 1.0
Date: 12 June 2026
Approved by: Director of Legal, Governance and HR.