Data Protection Complaints Procedure

This procedure sets out how we handle complaints relating to our processing of personal data, in line with our obligations under the Data (Use and Access) Act (DUAA) 2025.

1. Purpose, scope and legal basis

This procedure applies to complaints from any individual who believes that we have infringed data protection law in the way we have collected, used, stored, shared, retained, secured or otherwise handled their personal data. It applies to complaints received from customers, service users, employees, workers, contractors, former staff, applicants, suppliers, website users and any other individual whose personal data we process. This procedure is designed to support compliance with the UK GDPR, the Data Protection Act 2018 and the Data (Use and Access) Act 2025, including the requirement to provide a process for handling data protection complaints.

2. What is a data protection complaint?

A data protection complaint is any expression of dissatisfaction or concern that relates to the way we have handled personal data or complied with data protection law. This may include concerns about how we responded to a data subject access request or other rights request, the lawfulness of processing, the accuracy of personal data, retention, security, disclosure to third parties, direct marketing, international transfers, or the handling of a personal data breach. A person does not need to use legal terms or mention specific legislation for a concern to amount to a data protection complaint. If it is unclear whether a concern is a complaint under this procedure, we will clarify this with the individual where appropriate.

3. How to make a complaint

You can submit a complaint if you believe:

  • We have mishandled your personal data.

  • We have not complied with data protection laws.

  • We have failed to respond to a data rights request appropriately.

Complaints can be made via:

Email: dataprotectionteam@railpen.com

Post: Data Protection Team, Railpen, Stooperdale Offices, Brinkburn Road, Darlington, DL3 6EH.

Please include as a minimum:

  • Your name and contact details.

  • Details of your complaint.

  • Any relevant evidence or correspondence.

We have included a template complaint form within this procedure to assist in providing the required information.

5. Receipt and acknowledgement

We will record the date a complaint is received and acknowledge receipt within 30 days.

The acknowledgement will confirm that the complaint has been received, explain the next steps, identify the contact point for communications where appropriate, and request any information reasonably needed to understand the complaint. If clarification is required, we will request only information that is relevant and proportionate to the issues raised.

Please note that, at this stage, and only if required, we may request additional ID verification documents in order to ensure that we are responding to the correct person or representative.

6. Investigation and communications

We will take appropriate steps to investigate each complaint without undue delay. What is appropriate will depend on the nature, complexity and seriousness of the issues raised, including any risk of harm to the complainant. Investigative steps may include reviewing relevant systems and records, speaking to staff, checking decisions taken in relation to the complainant’s personal data, assessing whether any breach of law or internal policy has occurred, and considering whether urgent containment or remedial action is needed. We will keep the complainant informed of progress where the matter cannot be resolved quickly, including expected timeframes and reasons for any delay.

Your complaint will be reviewed by our Data Protection team.

We will aim to resolve your complaint within three months of receipt, as required by the DUAA.

If we need more time due to complexity, we will inform you in writing, explaining the reason and expected timeframe.

7. Outcome and remedies

We will inform you of the outcome of the complaint without undue delay once our investigation is complete. The outcome will explain our decision in clear language and, where relevant, set out any action we have taken or will take. This may include correcting or deleting personal data, restricting processing, improving internal processes, providing further explanation, offering an apology, retraining staff, or taking other appropriate remedial action. If we do not uphold the complaint, we will explain why.

8. Right to complain to the ICO

If you are not satisfied with our response, you can contact the ICO:

Website: https://ico.org.uk/make-a-complaint/

Telephone: 0303 123 1113

9. Record keeping

We will keep an internal record of data protection complaints, including the date received, the issues raised, key actions taken, the date of acknowledgement, correspondence with the complainant, the outcome, and any follow-up actions. Records will be retained in line with our retention schedule and used to identify trends, improve compliance, and demonstrate accountability. Records will be retained for at least three years in accordance with DUAA requirements.

10. Accessibility and fairness

We will handle complaints fairly, objectively and in a way that is proportionate to the circumstances. No one will be disadvantaged for raising a genuine data protection concern.

11. Training, monitoring and review

Relevant staff will receive training so they can recognise and escalate data protection complaints appropriately. We will monitor the operation of this procedure, review complaint trends and outcomes, and update this procedure when there are changes to the law, regulatory guidance or our organisational arrangements. This procedure will be reviewed at least annually.

Data Protection Complaint Form