Scope and Definition
MM Flowers Limited has legal complaint handling obligations under both the UK GDPR and Part 3 of the Data Protection Act 2018. If an individual considers that we have breached data protection laws, they have the right to make a complaint directly to us, to the Information Commissioner's Office (ICO) or to pursue legal action.
These complaints must relate to data protection, but the legislation does not specifically define a data protection complaint. The scope of complaints is therefore wide and could relate to the way we collect or use someone's personal information, their data protection rights (such as the right of access, correction or erasure), our privacy notices and policies, how long we keep their information or security.
This Policy outlines our approach to handling data protection complaints. It should be read together with our GDPR and privacy policies. It applies to all employees, workers, contractors and third parties acting on our behalf. It covers complaints from any data subject or their authorised representative.
Guiding Principles
We are committed to handling data protection complaints in line with our legal obligations and in an accessible, fair, transparent and timely manner. We will handle complaints confidentially and only share information where appropriate to investigate and resolve the complaint, as required or authorised by law or otherwise in accordance with our privacy policies. We will aim to avoid conflicts of interest.
Roles and Responsibilities
Our Data Protection Officer is responsible for co-ordinating how we handle data protection complaints. They will involve relevant business, HR, IT, security, risk or compliance and other teams as needed.
All staff are responsible for recognising complaints and referring them to our Data Protection Officer promptly as well as for providing supporting information and responding to requests from the Data Protection Officer when asked.
Data Protection Officer is responsible for ensuring staff are aware of and trained sufficiently to deal with data protection complaints. Training materials are available from Liz Michie, liz.michie@mm-flowers.com.
Transparency
We will provide information about how to submit a data protection complaint. We will make this obvious and easily accessible to individuals, including in our privacy notices, via our website, on social media, in person and, where relevant, through internal channels or customer-facing portals. Using plain and clear language, we will explain:
· Our data protection complaints process.
· How individuals can make a data protection complaint.
· How we will respond if we consider the complaint is not a data protection matter.
· The available complaint channels.
· The information we require to investigate a complaint such as any supporting documentation including, contact details, unique reference numbers, account numbers.
· What we do with that information and why (for example, investigations, establishing the facts, complaint resolution).
· How we handle complaints which might be sensitive in nature.
· What individuals can expect from the process.
· When individuals can expect to hear from us, including status update communications such as acknowledgements, progress updates and outcomes.
· Any reasonable support we provide to help individuals make complaints such as alternative formats or language options.
Non-Data Protection Complaints
Some complaints will include both data protection and non-data protection issues; we will handle the data protection aspects under this Policy and its associated procedures. Non-data protection issues will be addressed under the [relevant customer complaints, HR, grievance, or other] applicable procedure [available from [LINK]].
Complaints Involving Children or Vulnerable Individuals
Where we receive a complaint from, or on behalf of, a child or other vulnerable individual, we must follow additional safeguards and requirements to ensure our process is fair, transparent and accessible to the individuals concerned, having regard to age, understanding and any other relevant circumstances.
Complaint Channels
People may submit a data protection complaint to us using any of the following options:
· By using our online complaint form or portal.
· By email to DPO@mm-flowers.com.
· By post to APS, Enterprise Campus, Alconbury Weald, Huntingdon, PE28 4YA.
· By telephone at 07866 799742.
To expedite the complaint, we will encourage people to use our established complaint channels. They may still choose to submit a complaint through any of our "contact us" channels. We will accept and route these complaints appropriately.
Where a complaint is made through social media or another insecure public channel, we will ask the complainant to continue the complaint through a more secure method to protect their data.
Requesting Additional Information
Some complaints may be easy to resolve; others may require further investigation. Where reasonably necessary to investigate a complaint, we may ask the complainant for additional information, including information to verify their identity or to clarify the scope of the complaint. We will only request information that is reasonable and proportionate in the circumstances and will not request more information than we require to identify the complainant or their representative.
Where a complaint is made on behalf of another individual, we may require evidence such as a power of attorney or signed letter of authority indicating that their representative is authorised to act on their behalf. We cannot progress complaints unless adequate proof of authority is provided. Where this is the case, we will explain it to the person who submitted the complaint.
Complaints To or About Processors or Partners
Where a complaint received by us relates to the processing of personal information by our service providers, we will ask these providers to provide us with details and information relevant to the complaint without undue delay and in accordance with any agreed and specified terms within our contract with the service provider.
Where a service provider receives a complaint about the processing of our personal data whether by them or us, they should forward this to us without undue delay. Service providers are under no obligation to handle complaints on our behalf unless this has been agreed between us and the relevant service provider(s) under a binding contract. Where applicable, we will ask service providers to handle such complaints in line with our policies and procedures.
Where a complaint relates to joint arrangements we have with partners, we may choose to agree separate complaint handling procedures as part of those arrangements. Employees handling such complaints will be given adequate training and supporting resources to manage these effectively.
Where we process personal information acting as a service provider on behalf of a controller, we will only handle complaints under arrangements agreed and specified within a binding contract between us and the controller(s). If the controller disappears, no longer exists or has become insolvent, we will handle complaints in line with this Policy and its associated procedures. Any such complaint should be sent to Data Protection Officer.
Record Keeping
We will keep appropriate records about each data protection complaint in our complaints register. Records include:
· The date of receipt.
· The acknowledgement.
· Any relevant correspondence, conversations and documents.
· The outcome of the complaint, including escalation, and any actions taken in response.
These records will be used to demonstrate compliance, for audit and monitoring purposes, training, to support consistent handling and to identify recurring issues, trends or areas for organisational improvements or remediation.
We will not retain personal data relating to complaints for longer than is necessary and will handle such records in accordance with our records management and data protection policies.
Acknowledgement and Timeframes
We must acknowledge receipt of a complaint within 30 days of receipt.
We will aim to:
· Request any further information including for clarification or identification purposes within ten working days.
· Provide updates at least every 30 days.
· Reach an outcome within 60 working days.
For ongoing investigations, we will communicate this to individuals with an indication of our initial, anticipated timescales for resolving the complaint. We will continue to keep the complainant informed of our progress, including, where appropriate, the next steps, any further information required, and any expected timeframe for the next update, or outcome.
Investigations
We will take reasonable and proportionate steps necessary to investigate complaints fairly and in a timely manner and in accordance with our investigations policy which is available on request.
We have processes in place to classify and escalate complaints that are time-sensitive, more serious or sensitive in nature. It may take us longer to investigate and resolve complaints which are complex, serious or which relate to multiple data protection issues.
Outcomes and Escalation
We will communicate the outcome of the complaint to the complainant without undue delay, explaining our findings, whether the complaint is upheld (in whole or in part), any action taken or proposed, and, where no action is taken, the reasons for that decision.
We have processes in place for reviewing and escalating complaints where the complainant is unsatisfied with our complaint handling as we progress the complaint or the outcome.
If the complainant objects to our handling of their complaint or disputes the outcome or any aspect of our response and notifies us, we will escalate the matter to the Data Protection Officer or General Counsel. They will review the matter and respond to the individual with their decision on our complaint handling, whether to accept the original finding or to substitute a new finding or alternatively escalate the complaint to an appropriate reviewer.
Where reasonably practicable, any internal review will be carried out by a person who was not primarily responsible for the original response.
The Data Protection Officer or General Counsel will respond to the individual within 10 working days of the referral. If the complaint is upheld, the Data Protection Officer or General Counsel will ensure that necessary steps are taken as a result, such as correction, deletion, apology, security remediation, or process changes.
Once the matter has been escalated to the Data Protection Officer or General Counsel and a decision issued, this decision is final. No further action will be taken and the complainant will be informed of this.
If the complainant is dissatisfied with the outcome of the complaint, we will inform them that they have the right to lodge a complaint with the ICO and, where appropriate, provide them with details of how to do this. They also have the right to complain to the ICO at any time and to lodge a claim before a competent court, irrespective of whether they have lodged a complaint with us using our complaints process.
Monitoring and Audits
We will routinely monitor and audit our data protection complaint handling to ensure we can maintain performance levels in line with our legal obligations, our own performance targets and to demonstrate our compliance.