Data Protection Complaint Policy
1. Purpose
The UK General Data Protection Regulation (“UK GDPR”), the Data Protection Act 2018 (“DPA 2018”), Data (Use and Access) Act 2025 (“DUAA”), and the Privacy and Electronic Communications Regulations (“PECR”) (together, the “Data Protection law”), give data subjects and applicable third parties rights in relation to personal data. This procedure details how entrust IT Group Ltd & its subsidiaries (collectively “entrustIT”) will respond to complaints from data subjects and third parties relating to the use of personal data.
2. Scope
This policy applies to all data subjects whose personal or sensitive data is held or processed by entrustIT, including customers, employees, contractors, and service users.
This policy addresses complaints made by data subjects regarding the use of their personal data, including marketing. Complaints may be made in relation to any aspect of entrustIT’s processing of personal data including individual rights requests.
3. Responsibility
The Group Chief Executive has overall responsibility for this policy.
All Employees are responsible for ensuring that any complaints that are made in relation to this procedure are reported to privacy@entrustIT.co.uk, and for cooperating in reviewing these complaints.
The Chief Executive and relevant members of the team will review this procedure from time to time (and at least every two years) to ensure that its provisions continue to meet our legal obligations and reflect best practice.
4. Complaints
A complaint is an expression of dissatisfaction about entrustIT’s handling of a data subject’s personal data or the data of the individual they represent. This can also include dissatisfaction with how entrustIT has responded to a previous data request.
5. Making a Complaint
Data subjects and third parties may make a complaint relating to entrustIT’s use of personal data. Complaints should be sent directly to privacy@entrustIT.co.uk.
Please include the following information:
- Your full name and contact details
- A clear description of the issue
- The date or period of the incident
- Supporting evidence (if applicable)
A member of the team will normally acknowledge the complaint within 5 working days. However, we reserve the right to extend the period we need for response during holiday and business closures.
Although a complaint may be brought at any time, there may be limits as to what we can do in historic cases.
entrustIT will only accept a complaint from a data subject’s representative, if the representative provides the data subject’s written consent authorising the representative to act on the data subject’s behalf in relation to the complaint.
We will first seek to verify the data subject’s identity or third party’s entitlement to act on behalf of the individual and the timings outlined in this procedure will not start until identity has been confirmed.
6. Complaint Resolution Procedure
| Step | Timeline | Description |
| Acknowledgment | Within 5 working days | Complaint receipt will be acknowledged in writing. |
| Investigation | Within 15–30 working days | entrustIT will investigate, gather evidence, and assess the claim. |
| Resolution | By day 30 (or extended with notice) | A written response will be issued detailing findings and any corrective actions. |
7. Internal Review
If the complainant does not agree with the outcome, they can request a review of the decision. This request must be made within 1 month of the original decision being communicated and should be sent to privacy@entrustIT.co.uk. The decision will be internally reviewed normally within 20 working days from the receipt of the request for Review. Once the internal review has been completed, we will communicate the outcome in writing.
8. External Review
If the complainant remains dissatisfied, they can escalate their complaint to the Information Commissioner’s Office (the “ICO”). Information about how to make a complaint to the ICO can be found here: Make a complaint | ICO.
9. Complaint refusal
These Terms shall be governed by, and construed in accordance with, English law.
The parties irrevocably agree that the courts of England shall (subject to the paragraph below) have exclusive jurisdiction to settle any dispute which may arise out of, under, or in connection with these Terms or the legal relationship established by them, and for those purposes irrevocably submit all disputes to the jurisdiction of the English courts.
- the reasons for refusing to consider the complaint; and
- their right to make a complaint to the ICO;
10. Confidentiality and Protection
All complaints will be handled confidentially and retaliation against complainants is strictly prohibited.
11. Record Keeping and Audit
Complaint records will be maintained in accordance with entrustIT’s normal data retention policy. Records may be used for compliance audits and regulatory reporting.
