At London Law Collective we are committed to providing a high-quality service, in accordance with UK data protection law including the UK General Data Protection Regulation (UK GDPR), Part 3 of the Data Protection Act 2018, and the Data (Use and Access) Act 2025 (DUAA 2025).

We acknowledge that we may not always get things right. If something has gone wrong, we need you to tell us. This will help us improve our standards of service and strengthen our data protection controls.

This Policy sets out how we handle data protection complaints. It applies to complaints made by any individual (or their authorised representative) about how we collect, use, store or otherwise process personal data.

Contents

1. Purpose and scope
2. Guiding principles
3. Roles and responsibilities
4. Transparency
5. Non-data protection complaints
6. Complaints involving children or vulnerable individuals
7. Complaint channels
8. Requesting additional information
9. Complaints to or about processors or partners
10. Record keeping
11. Acknowledgement and timeframes
12. Investigations
13. Outcomes and escalation
14. Monitoring and audits

1. Purpose and scope

London Law Collective has legal obligations relating to the handling of data protection complaints under the UK GDPR, Part 3 of the Data Protection Act 2018, and the Data (Use and Access) Act 2025 (DUAA 2025).

If you believe we have breached data protection law, you have the right to make a complaint directly to us, to the Information Commissioner’s Office (ICO), or to pursue legal action through the courts.

The legislation does not narrowly define a “data protection complaint”. Complaints may relate to any aspect of how we handle personal information, including:

• how we collect or use personal information;
• the exercise of data protection rights (access, correction, erasure, restriction, portability, or objection);
• our privacy notices and policies;
• our data retention periods; or
• the security measures we apply to personal data.

This Policy applies to all employees, workers, contractors and third parties acting on behalf of London Law Collective. It covers complaints from any data subject or their authorised representative.

2. Guiding principles

We are committed to handling complaints in line with our legal obligations and in a manner that is accessible, fair, transparent and timely. Our guiding principles are:

• We handle complaints confidentially, sharing information only where necessary to investigate and resolve the matter, or as required or authorised by law.
• We aim to avoid conflicts of interest in complaint handling.
• We treat all complainants with respect and courtesy.
• We seek to resolve complaints as quickly as reasonably practicable.

3. Roles and responsibilities

Joanna Farquharson, as Data Protection Lead, co-ordinates how London Law Collective handles data protection complaints. Depending on the nature of the complaint, relevant colleagues across the business may be involved.

All staff are responsible for recognising data protection complaints and referring them promptly to the Data Protection Lead. Staff must also provide supporting information as requested during any investigation.

The Data Protection Lead ensures that staff are aware of this Policy and are appropriately trained to identify and escalate complaints.

4. Transparency

We provide clear, accessible information about how to submit a data protection complaint. This information is published in our privacy notices, on our website, and through other relevant channels.

In plain, clear language we explain:

• our complaints process and how to make a complaint;
• the complaint channels available;
• what information we need from you;
• what we do with that information and why;
• how we handle sensitive complaints;
• what you can expect from us, including when you will hear from us (acknowledgement, progress updates and outcome); and
• any reasonable support available, such as alternative formats or language options.

5. Non-data protection complaints

Some complaints include both data protection and non-data protection issues. Where this is the case, we handle the data protection aspects under this Policy and address non-data protection issues under our relevant client complaints, HR, grievance or other internal procedure.

6. Complaints involving children or vulnerable individuals

Where a complaint is from or on behalf of a child or a vulnerable individual, we apply additional safeguards to ensure the process remains fair, transparent and accessible. We have regard to age, understanding and any other relevant circumstances when deciding how best to communicate and engage with the complainant.

7. Complaint channels

If you need to make a data protection complaint, you can contact Joanna Farquharson using any of the following methods:

• Email: Joanna@londonlawcollective.com
• Post: 2 Bloomsbury Place, London WC1A 2QA

8. Requesting additional information

Some complaints are straightforward to resolve; others require further investigation. Where reasonably necessary, we may ask you for additional information. This may include verifying your identity or clarifying the scope of your complaint.

We will only request information that is reasonable and proportionate and will not request more than we need.

If the complaint is made on behalf of someone else, we will need to check that the person making the complaint is properly authorised to do so. This may involve requesting evidence such as a power of attorney or signed letter of authority. If adequate proof of authority cannot be provided, we may be unable to progress the complaint, and we will explain this to you.

9. Complaints to or about processors or partners

Where a complaint relates to processing carried out by one of our service providers, we will request relevant details from them without undue delay and in accordance with our contractual arrangements.

Where a service provider receives a complaint relating to personal data we control, they will forward it to us without undue delay. Service providers are not obliged to handle complaints on our behalf unless expressly agreed under a binding contract.

Where complaints relate to joint arrangements with partners, separate complaint handling procedures may be agreed.

10. Record keeping

We maintain appropriate records about each complaint in a complaints register. Records include:

• the date of receipt;
• our acknowledgement;
• relevant correspondence, conversations and documents;
• the outcome, including any escalation and actions taken.

Records are used to demonstrate compliance, for audit and monitoring, for training purposes, for consistent handling, and to identify recurring issues or areas for improvement.

We do not retain personal data relating to complaints longer than necessary and handle all records in accordance with our data retention and data protection policies.

11. Acknowledgement and timeframes

Statutory obligation: For complaints received on or after 19 June 2026, we are required by the Data (Use and Access) Act 2025 to acknowledge receipt within 30 days.

Our commitment: We aim to go further than the statutory minimum and will endeavour to acknowledge your complaint within five working days of receipt.

Our target timeframes are as follows:

• Acknowledgement: within five working days (statutory maximum: 30 days).
• Request for further information (if needed): within ten working days of receipt.
• Progress updates: at least every 30 days during an ongoing investigation.
• Outcome: within 60 working days where reasonably practicable.

Where an investigation is complex or ongoing, we will communicate anticipated timescales and keep you informed of progress.

12. Investigations

We take reasonable and proportionate steps to investigate every complaint fairly and in a timely manner. This will usually involve:

• reviewing your complaint;
• locating and reviewing the records we hold about you; and
• establishing the relevant facts.

We may need to ask you for further information or documents to assist our investigation. If so, we will ask you to provide the information within a specific period of time.

Complaints that are time-sensitive, more serious or particularly sensitive will be classified and escalated accordingly. Complex or multi-issue complaints may take longer to resolve.

13. Outcomes and escalation

We will inform you of the outcome of your complaint without undue delay. We will explain clearly:

• our findings;
• whether the complaint is upheld in whole or in part;
• any action we have taken or propose to take; and
• where no action is taken, the reasons why.

Internal escalation: If you are unhappy with the outcome, you may ask us to review the decision. Any internal review will, where reasonably practicable, be carried out by a person who was not primarily responsible for the original response. The reviewing person will respond within 30 working days of referral.

Where a complaint is upheld, we will take any necessary steps, which may include correcting or deleting data, issuing an apology, implementing security remediation, or making process changes.

External escalation: If you remain dissatisfied after our internal process, you have the right to complain to the Information Commissioner’s Office (ICO). You should generally complain to the ICO within three months of your last meaningful contact with us. You also have the right to seek a remedy through the courts at any time, irrespective of whether you have used our process.

The ICO’s contact details are:

Information Commissioner’s Office

Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

Helpline: 0303 123 1113

www.ico.org.uk

14. Monitoring and audits

We routinely monitor and audit our complaint handling to maintain performance in line with our legal obligations and the targets set out in this Policy, and to demonstrate compliance.

Questions about this Policy should be directed to Joanna Farquharson at Joanna@londonlawcollective.com.