Data Protection Complaints Procedure
1. Purpose of this procedure
We are committed to protecting personal data and handling it lawfully, fairly and transparently.
This procedure explains how you can raise a complaint with us if you are concerned about the way we have collected, used, stored, shared, disclosed, retained or otherwise handled your personal data.
This procedure applies to data protection complaints made by clients, former clients, prospective clients, employees, former employees, job applicants, suppliers, witnesses, beneficiaries, counterparties, website users and any other individual whose personal data we process.
2. What is a data protection complaint?
A data protection complaint is a complaint that relates to our handling of your personal data.
For example, you may complain if you believe that:
- we have used your personal data unlawfully, unfairly or without proper transparency;
- we have collected more personal data than necessary;
- we have kept your personal data for longer than necessary;
- we have shared your personal data inappropriately;
- we have failed to keep your personal data accurate or secure;
- we have not responded properly to a data subject access request or other data protection rights request;
- we have sent you unwanted marketing communications;
- we have failed to respect an objection, restriction request or withdrawal of consent; or
- we have not properly explained how we use your personal data.
This procedure is for data protection complaints only. Other complaints about our legal services, fees, professional conduct or client care may be handled under our separate client complaints procedure.
3. How to make a data protection complaint
You can make a data protection complaint by contacting us using any of the following methods:
Email: mail@samuels-solicitors.co.uk
Post: Samuels Solicitors LLP, 18 Alexandra Road, Barnstaple, Devon EX32 8BA
Telephone: 01271 343457
If you need this procedure in another format, or if you need help making a complaint, please contact us and we will do our best to assist.
4. Information to include in your complaint
To help us deal with your complaint promptly, please provide:
- your full name;
- your contact details;
- your relationship with us, for example client, former client, employee, job applicant, supplier, witness or website user;
- a clear description of your concern;
- details of the personal data involved, if known;
- relevant dates, correspondence or reference numbers; and
- what outcome you are seeking.
You do not have to use a specific form, but providing this information will help us investigate your complaint effectively.
5. Acknowledgement of your complaint
We will acknowledge receipt of your data protection complaint within 30 days of receiving it.
Our acknowledgement will usually confirm:
- the date we received your complaint;
- who is handling it;
- whether we need any further information from you; and
- the next steps in our investigation.
6. How we will investigate your complaint
We will take appropriate steps to respond to your complaint without undue delay.
Depending on the nature of the complaint, this may include:
- reviewing relevant correspondence and records;
- checking our case management, document management, email, HR, finance, marketing or IT systems;
- speaking to relevant staff members;
- reviewing any data subject access request or rights request history;
- considering whether any legal professional privilege, client confidentiality, third-party rights or other legal restrictions apply;
- reviewing relevant contracts, policies, retention rules or security controls; and
- assessing whether any remedial action is required.
We will handle your complaint fairly, objectively and as promptly as possible.
7. Legal professional privilege and confidentiality
As a law firm, we owe duties of confidentiality to our clients and hold information that is protected by legal professional privilege, litigation privilege or other legal obligations.
This means that, when investigating and responding to a data protection complaint, we may be unable to disclose certain information to you if doing so would breach a duty of confidentiality, reveal privileged material, prejudice legal proceedings, disclose another person’s personal data unfairly, or breach another legal obligation.
Where we rely on a legal restriction or exemption, we will explain this where we are able to do so.
8. Keeping you informed
We will keep you informed about the progress of your complaint where appropriate.
If your complaint is complex, involves a large volume of information, requires input from third parties, or overlaps with legal proceedings or professional obligations, it may take longer to resolve. If that happens, we will tell you and explain the reason for the delay where we can.
9. Outcome of your complaint
Once we have investigated your complaint, we will inform you of the outcome.
Our response may include:
- whether we uphold, partially uphold or reject your complaint;
- the reasons for our decision;
- any steps we have taken or propose to take;
- any correction, deletion, restriction or other action we consider appropriate;
- whether there are legal reasons why we cannot provide further information;
- your right to escalate the matter to the UK data protection regulator.
Possible outcomes may include:
- correcting inaccurate personal data;
- updating or clarifying our privacy information;
- changing how we handle your personal data;
- deleting or restricting personal data where appropriate;
- improving internal procedures or training; or
- confirming that no further action is required.
10. Complaints involving a data subject access request or rights request
If your complaint relates to a data subject access request or another data protection rights request, we may review:
- whether the request was properly identified;
- whether any clarification was reasonably required;
- whether a reasonable and proportionate search was carried out;
- whether any exemptions or restrictions were correctly applied;
- whether our response was sent within the applicable timeframe; and
- whether privileged, confidential or third-party information was handled appropriately.
11. Complaints involving marketing
If your complaint relates to marketing communications, we will review:
- how we obtained your contact details;
- the lawful basis relied on for the communication;
- whether you had opted out or unsubscribed;
- whether our records were accurate; and
- whether our marketing systems require correction or suppression.
Where appropriate, we will update our records to ensure you no longer receive marketing communications from us.
12. Complaints involving cookies or website tracking
If your complaint relates to cookies, analytics or website tracking, we will review:
- what cookies or similar technologies were used;
- whether consent was required;
- whether consent or preference settings were properly recorded;
- whether appropriate information and opt-out controls were provided; and
- whether any changes are needed to our cookie banner, cookie settings or cookie notice.
13. Complaints involving security incidents
If your complaint relates to a suspected personal data breach or security incident, we will assess whether:
- personal data has been accidentally or unlawfully destroyed, lost, altered, disclosed or accessed;
- any containment or remediation steps are required;
- the incident needs to be notified to the Information Commissioner’s Office;
- affected individuals need to be informed; and
- any further security improvements are required.
14. Record keeping
We will keep a record of data protection complaints we receive, including:
- the nature of the complaint;
- when it was received;
- what steps were taken;
- the outcome;
- any remedial action; and
- any correspondence with the complainant or regulator.
We will retain complaint records for as long as necessary for legal, regulatory, professional indemnity, risk management and compliance purposes.
15. Escalating your complaint to the regulator
If you are dissatisfied with our response, or if you consider that we have not handled your complaint properly, you may complain to the UK data protection regulator.
The UK data protection regulator is currently the Information Commissioner’s Office.
You can contact the ICO at:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Website: www.ico.org.uk
Telephone: 0303 123 1113
We would encourage you to contact us first so that we have the opportunity to consider and respond to your concerns.
16. No charge for making a complaint
We do not charge a fee for responding to a data protection complaint.
However, if your complaint includes or leads to a data protection rights request, such as a subject access request, the normal rules under data protection law will apply. In limited circumstances, we may be entitled to refuse to act on a request or charge a reasonable fee where the law permits this, for example where a request is manifestly unfounded or excessive.
17. Contact details
If you have any questions about this procedure or wish to make a data protection complaint, please contact:
Judith Thompson
Samuels Solicitors LLP
18 Alexandra Road, Barnstaple, Devon EX32 8BA
01271 343457
18. Review of this procedure
We may update this procedure from time to time to reflect changes in law, regulatory guidance, our services or our internal processes.
Last updated: 3 July 2026
