Data Protection Complaints Process
Version 1.0 — Effective 20 June 2026 — Next review 20 June 2027
Adopted to comply with: UK GDPR (retained in the Data Protection Act 2018) and the Data (Use and Access) Act 2025 (requirement for a documented complaints process, deadline 19 June 2026).
Responsible officer:Legal & Compliance Officer — WillSafe UK
1. Purpose
This document sets out how WillSafe UK (“WillSafe”, “we”, “us”) receives, investigates, and resolves complaints from individuals concerning the processing of their personal data. It fulfils the obligation under the Data (Use and Access) Act 2025 for organisations to maintain a documented data-protection complaints process.
2. Scope
This process applies to:
- All personal data processed by WillSafe in connection with willsafe.org.uk and its will-writing and estate-planning services.
- All employees, contractors, and agents acting on behalf of WillSafe.
- All individuals (“data subjects”) whose data we hold, including customers, newsletter subscribers, and website visitors.
3. Legal Framework
| Instrument | Relevance |
|---|---|
| UK GDPR Art. 12 | Obligation to provide transparent, easily accessible information on rights |
| UK GDPR Art. 77 | Data subjects’ right to lodge a complaint with the ICO |
| Data Protection Act 2018, s. 166 | ICO’s power to assess compliance and issue information/enforcement notices |
| Data (Use and Access) Act 2025 | Requires documented complaints process in force from 19 June 2026 |
4. Who Handles Complaints
| Role | Responsibility |
|---|---|
| Legal & Compliance Officer | First-line receipt, acknowledgement, investigation, and response for all data-protection complaints |
| Managing Director | Escalation owner for unresolved complaints; approves any ICO referral responses; keeps board informed |
| Customer Support Agent | Triages inbound communications and routes data-protection queries to the Legal & Compliance Officer within 1 working day |
Contact for data-protection complaints: privacy@willsafe.org.uk
5. How to Make a Complaint
Individuals can submit a data-protection complaint:
- By email: privacy@willsafe.org.uk
- By post:WillSafe UK, c/o Legal & Compliance Officer, 66 Paul Street, London EC2A 4NA
- Via the complaints form: willsafe.org.uk/complaints
Complaints should include: full name, contact details, description of the concern, and any relevant reference numbers.
6. Complaint Handling Procedure
Step 1 — Acknowledgement (within 5 working days)
The Legal & Compliance Officer will send a written acknowledgement confirming:
- Receipt of the complaint.
- The name of the person handling it.
- The expected response timeline (maximum 30 calendar days, extendable to 90 days for complex cases under UK GDPR Art. 12(3)).
- The complainant’s right to refer to the ICO at any time.
Step 2 — Investigation (within 30 calendar days of receipt)
The Legal & Compliance Officer will:
- Gather relevant records, processing logs, consent records, and system data.
- Assess whether WillSafe’s processing complies with UK GDPR and the DPA 2018.
- Consult the Managing Director for complaints involving a potential breach, enforcement risk, or reputational impact.
- Document findings in the Complaints Register (see Section 8).
Step 3 — Response
The Legal & Compliance Officer will provide a written response that:
- States whether the complaint is upheld, partially upheld, or not upheld.
- Explains the reasoning with reference to the applicable legal basis and facts.
- Sets out any corrective action taken (e.g. erasure, restriction, updated notices).
- Reminds the complainant of their right to escalate to the ICO if dissatisfied.
Step 4 — Escalation to ICO
If the complaint is not resolved to the complainant’s satisfaction, they may refer it to:
Information Commissioner’s Office (ICO)
- Website: ico.org.uk/make-a-complaint
- Phone: 0303 123 1113
- Post: ICO, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
WillSafe will cooperate fully with any ICO investigation. The Managing Director must be informed immediately of any ICO contact.
Step 5 — Extension (if required)
Where a complaint is complex, the Legal & Compliance Officer may extend the response period to 90 days. The complainant must be notified within the original 30-day period, with reasons for the delay.
7. Special Categories and High-Risk Complaints
Where a complaint involves:
- Special category data (health, financial vulnerability, legal proceedings)
- A potential personal data breach (UK GDPR Art. 33/34 threshold)
- A complaint from a child (under 18)
The Legal & Compliance Officer must notify the Managing Director within 24 hours of receipt and treat the matter as high-priority. A potential breach must also trigger WillSafe’s Data Breach Response Procedure.
8. Complaints Register
The Legal & Compliance Officer maintains a Complaints Register recording:
| Field | Detail |
|---|---|
| Complaint ID | Unique sequential reference |
| Date received | Calendar date |
| Complainant name | Pseudonymised after closure |
| Nature of complaint | e.g. erasure refused, unlawful processing, consent issue |
| Date acknowledged | Calendar date |
| Date resolved | Calendar date |
| Outcome | Upheld / Partially Upheld / Not Upheld |
| Corrective action | Description |
| ICO referral? | Yes / No |
The Register is reviewed quarterly and reported to the Managing Director. It is retained for a minimum of 3 years.
9. Document Control
| Document key | data-protection-complaints-process |
| Author | Legal & Compliance Officer, WillSafe UK |
| Adopted | 20 June 2026 |
| Replaces | No prior version (first issue) |
| Next review | 20 June 2027 |
Related pages: Privacy Policy · General Complaints Procedure
Last updated: 20 June 2026 — WillSafe UK — WSC Group Ltd