Complaints Procedure (Data Protection)

1. Purpose of this procedure

This procedure sets out how individuals may raise complaints relating to TBC’s handling, use, sharing, or retention of data or access to data. 

An individual may complain if they consider that, in connection with personal data relating to them, there is an infringement of the UK GDPR (General Data Protection Regulation) or Part 3 of the Data Protection Act 2018.  

This procedure is intended to result in complaints being dealt with fairly, transparently, and within statutory timeframes.

2. Scope

This procedure applies to:

• clients of TBC
• project partners and subcontractors of TBC
• members of the public
• employees and self-employed consultants working for TBC.

 

It covers complaints relating to:

• improper access to data
• incorrect or non‑transparent data use
• delays or failures in responding to data access requests
• concerns about data accuracy, security, retention, or onward sharing
• any other alleged non‑compliance with the Data Protection Act.

3. How to make a complaint

Individuals may submit complaints via any of the following channels:

• Online:By using the online Complaint Form which can be found here: Complaint Form (Data Protection) Form
• By email: To enquiries@thebiodiversityconsultancy.com
• By post: To The Biodiversity Consultancy Limited, Newnham Mill, Newnham Road, Cambridge, CB3 9EY, United Kingdom.
• By telephone: Ring 01223 366238

 

Complaints should include:

• name and contact details of the person complaining
• details of the complaint and relevant dates
• any supporting documents
• if you wish, the desired outcome.

4. Acknowledgement of Complaint

TBC will:

• acknowledge receipt of the complaint usually within a week, but in any event within 30 days of receipt,
• appoint a responsible person.

5. Investigation Process

In order to respond to the complaint, the responsible person will make enquiries into the subject matter of the complaint, including:

1. reviewing all relevant information, including system logs, access records, communications, and policies,
2. consulting TBC’s staff, where necessary, including IT (information technology) staff, project managers, and senior management,
3. assessing compliance with the UK GDPR and the Data Protection Act 2018, and with internal data handling policies and any contractual obligations,
4. identifying whether there has been any breach of the law relating to data protection.

Where the matter involves sensitive or restricted data, access will be strictly limited to essential staff members only.

6. Response to complaint

TBC will inform the complainant about progress on the complaint.  A full written response will usually be provided within one month of receipt of the complaint, setting out the outcome of the complaint, including:

• a summary of the complaint
• the findings of the investigation
• any corrective action taken or to be taken
• details of steps to prevent recurrence if appropriate
• information on the complainant’s right to take the matter further.

If more time is needed, TBC will notify the complainant with reasons and an expected timeframe.

7. Remedies and corrective action

Where a complaint is upheld, TBC may take one or more of the following actions:

• correct inaccurate data
• restrict or halt certain data uses
• provide additional access or transparency
• issue an apology with explanation
• implement staff retraining
• update internal processes or data handling controls
• report material breaches to the appropriate regulator if required by law.

8. Taking the matter further

If the complainant is dissatisfied with the outcome, they may request:

1. internal review by a senior manager not previously involved,
2. external referral to the Information Commissioner’s Office in the UK. 

9. Record‑Keeping

TBC will securely retain:

• the complaint
• all investigation documents
• internal communications
• the rationale for the decision made
• evidence of remedial actions.

Records will be preserved for at least three years or longer if legally required.