Data Protection Complaints Procedure

Shoptimised Ltd · Version V1 · Released 16 June 2026

This procedure outlines how Shoptimised receives, investigates, manages, and responds to complaints relating to data protection. It ensures complaints are handled fairly, consistently, and promptly, that individuals can raise concerns about how their personal information has been processed, and that Shoptimised complies with its obligations under UK GDPR, the Data Protection Act 2018 and the Data (Use and Access) Act 2025.

1. Purpose

This procedure outlines how Shoptimised receives, investigates, manages, and responds to complaints relating to data protection.

The aim is to ensure:

• Data protection complaints are handled fairly, consistently, and promptly.
• Individuals can raise concerns about how their personal information has been processed.
• Complaints are investigated appropriately and outcomes communicated clearly.
• Shoptimised complies with its obligations under UK GDPR, the Data Protection Act 2018 and the Data (Use and Access) Act 2025.
• Lessons learned from complaints are captured and used to improve practices and controls.

2. Scope

This procedure applies to all data protection complaints received by Shoptimised relating to:

• Subject Access Requests (SARs) and other information rights requests.
• The security of personal information, including concerns relating to data breaches.
• The collection, use, sharing, storage, retention, correction, or deletion of personal information.
• Any concerns regarding Shoptimised's compliance with applicable data protection legislation.

This procedure applies to complaints received from customers, employees, suppliers, website users, or any other individual whose personal information is processed by Shoptimised.

3. Process Statement

Shoptimised will:

• Provide accessible channels for individuals to raise data protection complaints.
• Acknowledge complaints promptly.
• Investigate complaints fairly and objectively.
• Ensure complaints are reviewed by the Data Protection Lead or their authorised delegate.
• Respond within reasonable timescales and keep complainants informed of progress.
• Maintain records of complaints and outcomes.
• Use complaint outcomes to improve policies, procedures, and data protection practices.
• Reasonable adjustments will be made where required to enable individuals to submit and pursue complaints.

4. Receiving a Data Protection Complaint

Complaints may be submitted via email, letter, or telephone.

Individuals do not need to use specific legal terminology or refer to data protection legislation when making a complaint. Where there is uncertainty as to whether a concern constitutes a data protection complaint, Shoptimised will seek clarification from the individual where appropriate.

5. Information Required

Where possible, complainants should provide:

• Their name and contact details.
• The name and contact details of the individual they are acting for (if applicable).
• A description of the concern.
• Relevant dates and events.
• Details of the personal information involved.
• The outcome they are seeking.

Where a complaint is submitted on behalf of another individual, Shoptimised may request evidence of authority to act on their behalf.

Where necessary and proportionate, identity verification information may be requested before progressing the complaint.

6. Complaint Assessment and Allocation

Upon receipt:

• The complaint will be logged.
• The Data Protection Lead will review the complaint.
• Responsibility for investigation may be assigned to authorised employees under the supervision of the Data Protection Lead.

Wherever practicable, investigations will be conducted by employees who are independent of the matter being complained about. Where this is not possible due to the size or structure of the organisation, appropriate measures will be taken to ensure the investigation remains objective and impartial.

Where correspondence also contains an information rights request, that element will be handled separately in accordance with the applicable rights request process.

7. Acknowledgement Process

Shoptimised will handle all data protection complaints diligently and without undue delay, seeking to provide a substantive response as soon as reasonably practicable while ensuring the investigation is thorough and proportionate.

Shoptimised aims to acknowledge receipt of complaints within five working days. The acknowledgement will:

• Confirm receipt of the complaint.
• Outline the next steps in the investigation process.
• Provide contact details for any queries relating to the complaint.

Where a full response can be issued within that timeframe, a separate acknowledgement may not be necessary.

8. Investigation Process

Shoptimised will investigate complaints without undue delay. The investigation may include:

• Reviewing relevant records and correspondence.
• Speaking with relevant employees or stakeholders.
• Assessing compliance with internal policies and legal obligations.
• Requesting additional information from the complainant where required.

Throughout the investigation, Shoptimised will keep the complainant informed of significant developments where appropriate.

Where an investigation identifies a personal data breach or significant compliance issue, the matter will be escalated immediately to the Data Protection Lead and assessed in accordance with Shoptimised's Data Breach Procedure, including consideration of any applicable ICO notification requirements.

9. Response Timescales

Shoptimised aims to provide a substantive response within 30 days of receiving the complaint.

Where a complaint is particularly complex or requires additional investigation:

• The complainant will be informed of the delay.
• Updates will be provided as appropriate.
• Revised response timescales will be communicated.

10. Complaint Outcome

The final response will include:

• A summary of the complaint.
• Details of the investigation undertaken.
• Findings and conclusions reached.
• Any corrective actions taken or planned.
• Information about further escalation options where relevant.

Where an error or compliance issue is identified, appropriate remedial actions will be implemented.

Where appropriate, investigations will also seek to identify root causes and implement preventative measures to reduce the likelihood of recurrence.

11. Data Protection and Record Keeping

Complaint information will be used to identify trends, improve controls, and support continuous improvement.

All data protection complaints shall be recorded in the Data Protection Complaint Log upon receipt. The log will be maintained by the Data Protection Lead and used to monitor the progress, outcome, and resolution of complaints. As a minimum, the log should record the complaint reference number, date received, complainant details, nature of the complaint, investigator assigned, key actions taken, dates of communications, outcome, corrective actions implemented, and date of closure. The complaint log will be reviewed periodically to identify trends, recurring issues, and opportunities for improvement to Shoptimised's data protection practices, policies, and controls. Access to the complaint log will be restricted to authorised employees and maintained in accordance with Shoptimised's data retention and information security requirements.

Complaints may be categorised for reporting and trend analysis purposes, including information rights, data breaches, data accuracy, retention, marketing, data sharing, employee data, and other data protection matters.

Complaint records will be retained for a period of 6 years following closure, unless a longer retention period is required to meet legal, regulatory, contractual, insurance, or litigation requirements. Retention and disposal of complaint records will be managed in accordance with Shoptimised's Data Retention Policy.

Information relating to complaints will be treated confidentially and will only be shared with employees, contractors, advisers, or third parties who have a legitimate need to know for the purposes of investigating, managing, or resolving the complaint.

12. Roles and Responsibilities

Data Protection Lead

Responsible for:

• Oversight of all data protection complaints.
• Ensuring investigations are conducted appropriately.
• Reviewing findings and approving responses.
• Identifying corrective actions where required.

Authorised Investigators

Responsible for:

• Conducting investigations.
• Gathering evidence.
• Maintaining accurate records.
• Reporting findings to the Data Protection Lead.

All Employees

All employees are responsible for recognising potential data protection complaints and escalating them promptly to the Data Protection Lead or designated representative.

Employees should:

• Escalate data protection complaints promptly.
• Cooperate with investigations.
• Follow applicable data protection policies and procedures.

13. Exceptions

This procedure does not apply to:

• General customer service complaints unrelated to personal information.
• Commercial disputes not involving data protection concerns.
• Requests for information rights that do not contain a complaint element (these will be managed under the relevant rights request process).

Where a complaint contains both a data protection concern and another issue, each aspect may be handled under the relevant procedure.

14. Review and Updates

This procedure will be reviewed:

• Annually.
• Following significant legislative or regulatory changes.
• Following material changes to Shoptimised's processing activities.
• Following significant data protection incidents or complaints.
• Where audit findings identify a need for amendment.

15. Summary

This procedure ensures data protection complaints are managed consistently, fairly, and transparently. It supports compliance with UK data protection legislation while providing individuals with a clear route to raise concerns and seek resolution.

Individuals also have the right to complain to the Information Commissioner's Office (ICO) if they believe their personal information has been processed unlawfully or their information rights have not been respected. The ICO can be contacted using the details below: