GDPR complaints Policy

Policy Statement

A thorough and transparent complaints procedure is considered necessary to enable the Firm to consider what happened and how to rectify errors in relation to breaches of GDPR, the Data Protection Act and the Privacy and Electronic Communications Regulations. This Policy follows the Flocus B.V. Data Protection Policy.

This GDPR Complaints Policy ensures that all complaints are treated with due consideration, fairness and equitability.

General Data Protection Regulations (GDPR) Complaints

If anyone wishes to complain to Flocus B.V. about how their personal information has been processed, their GDPR complaint has been handled, or appeal against any decision made following a complaint, they can submit their complaint in writing. This should be addressed directly to Flocus B.V. at flocus@flocus.pro

Complaints receipt

Complaints regarding how personal data has been processed should be submitted to Flocus B.V.’s DPO. Receipt will be acknowledged within 7 working days. The DPO will review and respond in writing to a complaint within 14 working days of receipt of the complaint. If a longer time is required Flocus B.V. will notify the Complainant of the delay and will provide an estimate of when Flocus B.V. will provide a substantive response. If a Complainant is dissatisfied with the way in which their complaint has been handled then they can forward their complaint to:

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilsmslow

Cheshire

SK9 5AF

UK.

Procedure

Flocus B.V.’s Complaints Procedure has three stages of handling and escalation:

Stage 1 - Informal Complaints – delegation by the DPO to a suitable person knowledgeable about the circumstances for their investigation, discussion and resolution with the Complainant.

Stage 2 - Formal Complaints – investigation, discussion and resolution with the Complainant by the DPO himself who is assigned to the role of dealing with Data Protection complaints.

Stage 3 - Final Escalation to the Directors – consideration of the complaint and the prior investigation and efforts to resolve by the directors of Flocus B.V..

All complaints should go fully through Stages 1 or 2 before/if they proceed any further to Stage 3. The DPO can elect to decide, on behalf of Flocus B.V., that a complaint is vexatious or of no merit to justify Stage 3 and can refuse any Complainant’s request for a Stage 3 review. Such a decision is to be undertaken in the knowledge that the Complainant’s next step would be to the ICO or legal action which are factors that shall be taken into account in such decision.

Any Stage 2 Formal Complaint that is reasonably established to have been a reportable breach of GDPR shall be reported to the ICO as soon as reasonably possible after it has been established, and within 72 hours.

1. Stage 1 - Informal Complaint

The Complainant makes a verbal complaint to a Flocus B.V. employee or Representative who then logs and reports it immediately to the DPO who decides whether it is a Stage 1 or Stage 2 process that is best required in all the circumstances.

The appointed Flocus B.V. employee hears the complaint, undertakes any required investigation into the circumstances of the allegation, agrees resolution with the Complainant and implements solution.

The Complainant confirms in writing that they are satisfied with the resolution.

Timeframe: Immediate to within 5 working days.

Method: Verbal initially; reference to DPO and his response to be in writing.

2. Stage 2 - Formal Complaint

The complaint is received either verbally, in writing by email, phone, website or by personal submission.

The complaint is logged and reported to the DPO to deal with and action.Receipt of the complaint is acknowledged within one working day. Investigation of the complaint by the DPO will then proceed.

As above, if it is reasonably established that a Data Protection breach of the use or application of personal data has occurred which is reportable to the ICO, then Flocus B.V. shall as soon as reasonably possible formally notify the ICO.

The Complainant will receive a response from Flocus B.V. authorised by the DPO within 10 working days.

If applicable, the results of the investigation into the matter shall be shared with the ICO and Flocus B.V. shall liaise with the ICO if and as required.

The Complainant has 10 working days after the response has been issued in which to respond further; in the absence of which it will afterwards be assumed the complaint is resolved.

Timeframe:Between one working day and, at the latest, 21 working days after submission of complaint.

Method: Email, verbal or written complaint submission; written response.

3. Stage 3 - Escalation to the Directors

This applies where the Complainant confirms:

a) that they are not content with the proposed course of action, explanation or resolution, and

b) the DPO does not consider the case to be vexatious or of no merit such as a Stage 3 is justified for purposes of transparency; or

c) the ICO considers that there has been a breach.

Receipt of the escalated complaint is acknowledged within one working day.

The DPO fully briefs the Director hearing the complaint concerning its history and the details and conclusions of any prior Stage 1 or Stage 2 investigations. Within 5 working days, the Complainant is advised of when the relevant Director of Flocus B.V. will be considering the complaint which will be no more than 2 working weeks from the date of the acknowledgement of the escalated complaint. The Complainant will be invited to make a final written submission to the said Director.If the Complainant is asked to attend a meeting in person, the Complainant may be accompanied by an independent person for the purposes of support. The Director concerned will proceed with review of the substance of the case and its handling. The Complainant will receive a response from the Director or, as he may delegate such task, the DPO within 10 working days after the Director’s consideration of the complaint. The Director’s decision is final, subject to any ruling or information relating thereto from the ICO. Timeframe: Between one working day and, at the latest, 28 working days after submission of complaint.

Method: Written response from a Director or on his behalf by the DPO.

Anonymous Complaints

Complaints submitted anonymously will be considered if there is enough information in the complaint to enable Flocus B.V. to make further enquiries. If, however, an anonymous complaint does not provide enough information to enable Flocus B.V. to take further action it may decide not to pursue it further. However, Flocus B.V. may give consideration to the issues raised, and will record the complaint so that corrective action can be taken as appropriate.

Any decision not to pursue an anonymous complaint must be authorised by the DPO who is responsible for dealing with Data Protection breaches. If an anonymous complaint contains serious allegations, it should be referred to the Board of Directors.

Data Protection Complaint Inventory

Flocus B.V. shall keep a written log of complaints received and actions taken and decisions reached in a Data Protection Complaint Inventory. This shall consist of an adequate record to be retained of a case, any reporting to the ICO, action taken by Flocus B.V. and action/conclusion required by the ICO (if any).

Abusive, Persistent or Vexatious Correspondence and Complaints

It is important to note that for this GDPR Complaints Policy purpose, it is the complaint which must be vexatious and not the individual making the complaint.

It is important to distinguish between people who make a number of complaints because they really think things have gone wrong, and people who are simply being difficult. It must be recognised that Complainants may sometimes act out of character at times of anxiety or distress and reasonable allowances should be made for this.

Features of the types of complaint and behaviour that this GDPR Complaints Policy covers can include the following (the list is not exhaustive, nor does one single feature on its own necessarily imply that the person will be considered as being in this category):

Persisting in a complaint after being advised that there are insufficient or no grounds for their complaint or that Flocus B.V. is not the appropriate authority.

Refusing to cooperate with the complaints process, without good reason, whilst still wanting their complaint to be resolved, including a failure or refusal to specify the grounds of a complaint despite offers of assistance, changing the basis of the complaint as inquiries of a complaint despite offers of assistance, changing the basis of the complaint as inquiries are made and introducing trivial or irrelevant new information and expecting this to be taken into account and commented on.

Submitting repeat complaints, after the complaints procedure has been completed essentially about the same issues, with additions/variations which the Complainant then insists on being treated as new complaints and put through the full GDPR Complaints Policy procedure again.

Refusing to accept the outcome of the GDP{R Complaints Policy procedure after its conclusion, repeatedly arguing the point, complaining about the outcome, and/or denying that an adequate response has been given.

Imposing Restrictions

Flocus B.V. will ensure that correspondence and/or complaints are being, or have been, investigated properly according to the appropriate procedure and are notified to the ICO if applicable and required.

If a decision has been taken to record the complaint formally, Flocus B.V. then has to decide on the next steps. This is the point at which it may consider whether a complaint is vexatious, persistent, repetitive or otherwise an abuse of process.

When the decision has been taken to apply this GDPR Complaints Policy, the individual will be written to with reasons for the decision and what action is being taken, subject to any requirements of the ICO. That decision may be amended if the individual Complainant continues to behave in a way which is unacceptable.

Where a Complainant’s behaviour is so extreme or it threatens the immediate safety and welfare of staff, Flocus B.V. may consider other options, for example reporting the matter to the police or taking legal action.

Document Owner and Approval

The DPO is the owner of this document and is responsible for ensuring that this GDPR Complaints Policy is reviewed from time to time.

A current version of this GDPR Complaints Policy is available to all members of staff.

This GDPR Complaints Policy was approved by the Board of Directors of Flocus B.V. on 14 May 2019