This policy explains how Creative Words Ltd. handles data protection complaints fairly, promptly, and in line with UK data protection law, including the internal complaints process requirements introduced by the Data (Use and Access) Act 2025 and set out in DPA 2018, s.164A.
This policy applies where an individual complains that we have infringed data protection law in connection with their personal data (or personal data of someone they are authorised to act for).
It covers complaints received from customers, staff, suppliers, website users, and any other individuals whose personal data we process. The duty to operate a complaints process applies broadly and the Information Commissioner’s Office (ICO) states there are no exemptions.
Personal data (or personal information) means information that identifies or relates to an individual.
The ICO is the UK’s independent regulator for data protection and privacy. It provides guidance to organisations, investigates complaints, and has legal powers to take enforcement action where organisations do not comply with data protection law.
A data protection complaint is any expression of dissatisfaction where the person considers we have breached data protection legislation in how we handled their personal information, and they do not need to use legal terms or cite legislation.
Examples include complaints about:
Sometimes people complain about service or other issues while also exercising data protection rights; the ICO explains that this doesn’t count as a data protection complaint (for example, an employee grievance combined with a request for copies of personal data, or a customer service complaint combined with a deletion request).
Where a complaint raises both data protection issues and other concerns (such as service or employment matters), we will treat it as a “mixed complaint”. We will handle the data protection aspects under this policy and ensure they are identified, recorded, and responded to separately and alongside any non-data protection issues.
If it is unclear whether the person intends to raise a data protection complaint, we will ask them to clarify.
We provide clear routes for individuals to complain directly to us, and we will accept complaints however they are received.
Preferred contact details:
Email: info@creativewords.cc
Post: Creative Words Ltd, Old School Hall, Well Street, Bury St Edmunds. IP33 2SE
Telephone: +44 1284 774797
We will facilitate the making of complaints (for example, by providing a complaint form that can be completed electronically and by other means).
When we receive a data protection complaint, we will:
We will tell people that they can complain to us (and that they can also complain to the ICO) at the point we collect their personal information, for example in our privacy notice, using clear and plain language.
We will also include information about this right when we respond to a subject access request.
We will verify identity where necessary. If we have doubts about the complainant’s identity, we may ask for proof of ID and we will do this as early as possible; if we already have enough information to confirm identity, we will not request more.
If someone complains on behalf of another person, we must check they are authorised to act for that person (for example, by a signed letter of authority or appropriate power of attorney). If we do not have evidence of authority, we will not investigate until we receive it.
We will log the complaint on receipt, record the channel it came through, and route it promptly to our data protection officer. The duty to investigate begins when the complaint is received, not after the acknowledgement is sent.
We will check whether it is a data protection complaint (see section 3) and, if unclear, we will ask the individual to clarify their intent.
We will acknowledge the complaint within 30 days. The acknowledgement will confirm receipt, that we will look into it, and the next steps. The 30 days start the day after receipt, including weekends/bank holidays, and if the last day falls on a weekend or public holiday the deadline moves to the next working day.
We will make operational arrangements to ensure acknowledgements are sent even during staff absence.
We will investigate without undue delay (meaning as soon as reasonably possible, and without unnecessary delay). What is “undue” depends on the circumstances, and factors such as complexity, scale, and any harm caused by any delay.
In most cases, we aim to provide a substantive response within one month, although complex complaints may take longer.
Our investigation will be proportionate and may include reviewing relevant records, speaking to staff, comparing the complaint with the data we hold, and checking compliance with our own policies and standards.
If we need more information to understand the complaint, we will ask as soon as possible. We may also ask what outcome the individual is seeking to help resolve matters efficiently.
We will keep the complainant updated about progress without undue delay, including timeframes, and where there are delays, the reason for these will be explained.
Once we have finished our investigation, we will inform the complainant of the outcome without an unjustifiable or excessive delay.
Our response will clearly explain what we did, what we found, and (where appropriate) what we changed or corrected. If we consider we complied with data protection law, we will explain why and provide enough detail to help the complainant understand how we reached that view; the ICO suggests itemising complaint points and responding to each.
If the complaint is upheld, we may (as appropriate) correct data, amend processes, provide training, or take other remedial steps.
If the complainant remains unhappy, we may offer a review by a different decision-maker or a senior member of staff, where practical. The ICO indicates organisations could consider having a review process, but people can complain to the ICO at any point and do not have to wait for an internal review.
Individuals can complain to the ICO at any time. The ICO will, in most cases, ask individuals to raise their complaint with the organisation first, but the ICO remains available to handle eligible data protection complaints.
ICO complaint information: https://ico.org.uk/make-a-complaint/data-protection-complaints/
We will keep records to demonstrate compliance, including:
We will not retain personal information for longer than necessary.
We may also monitor themes and trends to identify recurring issues and improve compliance.
Children have the same rights as adults, but merit specific protection; if we receive a complaint from a child, we will use clear, plain language and assess competence to exercise rights.
If we are within scope of the Age Appropriate Design Code (ICO rules for protecting children’s personal data online), we will also follow the ICO’s expectations for complaint mechanisms and escalation routes for urgent and/or safeguarding issues.
If we act as a joint controller (meaning we decide together with another organisation how and why personal data is used), we will maintain a transparent arrangement that covers complaint handling and coordination, noting that the timeframe starts when any joint controller receives the complaint.
Where we use data processors (organisations that process personal data on our behalf), we will ensure contracts/support arrangements enable us to meet our complaint-handling obligations; processors may assist administratively but the duty remains with us as controller.
We will train staff to recognise data protection complaints and route them appropriately, because complaints can be received through any part of the organisation.
This diversity and inclusion policy is fully supported by senior management.
Creative Words Ltd
Old School Hall, Well Street
Bury St Edmunds. IP33 1EQ
Creative Words, the ‘alchemy gold’ icon and ‘Content Alchemy’ are registered trademarks of Creative Words Ltd.
Creative Words Ltd is registered in the UK. Company number 11080173
Delving into content types – Part 2
/in Making Content Work for You/by The Content AlchemistDelving into content types – Part 1
/in Making Content Work for You, Uncategorized/by The Content Alchemist