Data Protection Complaints Procedure

V1.0 June 2026

INTRODUCTION

This procedure explains how individuals can make a complaint about the way Drystone Chambers has handled their personal data, what information we may need to investigate the complaint, and when they can expect a response.

Drystone Chambers is committed to handling personal data lawfully, fairly, securely and transparently. This procedure provides a clear route for individuals to raise data protection complaints with us.

Drystone Chambers is required to have a data protection complaints procedure as set out in the Data (Use and Access) Act 2025, which amended the UK GDPR and the Data Protection Act 2018. This requirement came into force on 19 June 2026.

WHEN TO USE THIS PROCEDURE

This procedure should be used where an individual has a Data Protection Complaint (DPC) and believes that Drystone Chambers may have infringed data protection legislation in the way we have collected, used, stored, shared, retained, protected, or otherwise handled their personal data, or the personal data of someone they are authorised to act for.

WHAT THIS PROCEDURE COVERS

How Drystone Chambers responded to a request made under the Data Protection Act 2018, including requests for access, rectification, erasure, restriction, objection, portability, or other applicable data protection rights.

Concerns about the security measures used to protect personal data, including concerns arising from an actual or suspected data breach.

How Drystone Chambers collected, used, shared, stored, retained, or deleted personal data.

Concerns about the accuracy of personal data Drystone Chambers holds.

Any other matter relating to Drystone Chambers compliance with data protection legislation.

MAKING A COMPLAINT

Time limits

Drystone Chambers will only consider a DPC received within six months of the matter complained about. Complaints received outside this period will only be considered in exceptional circumstances, for example, where the complainant became aware of the matter more than six months after it occurred.

HOW TO MAKE A DATA PROTECTION COMPLAINT

A DPC can be made by email to the Head of Operations using the email address Russell.Burton-Lawrence@drystone.com or in writing addressed to:

The Head of Operations, Drystone Chambers, 1 Bedford Row, London, WC1R 4BU.

Please provide as much detail as possible so that we can understand and investigate the complaint. This should include your name and contact details, a description of the issue, relevant dates, copies of correspondence, reference numbers, the personal data involved, and the outcome sought.

SUPPORTING INFORMATION REQUIRED TO INVESTIGATE A COMPLAINT

Drystone Chambers may need to ask someone who has made a complaint for proof of identity before we can proceed. If proof of identity is required, we will ask for it at the earliest opportunity.

A DPC may be made by someone acting on behalf of another person, such as a family member, solicitor, representative, advocate, or relevant not-for-profit organisation. In these cases, Drystone Chambers will check that the person making the complaint is authorised to act on the other person’s behalf. This may require evidence such as:

• an appropriate power of attorney; or
• a signed letter of authority from the person they are acting on behalf of.

In the absence of appropriate evidence, Drystone Chambers will not investigate the complaint.

ACKNOWLEDGEMENT AND INVESTIGATION

Drystone Chambers will aim to acknowledge receipt of a DPC received within 5 working days.

We will then aim to investigate the DPC and provide an outcome within one calendar month. However, complex complaints may take longer to resolve. If additional time is needed, we will tell the complainant.

When necessary, Drystone Chambers will request additional information or clarification to ensure our substantive response is complete.

We will keep the person who has made the complaint updated on the progress of the investigation where we can.

OUTCOME AND POSSIBLE REMEDIES

We will provide the complainant with the outcome of the DPC without undue delay once the investigation is complete. The response will explain, where appropriate, what we investigated, our findings, whether we uphold the complaint in whole or in part, any action we will take, and any further steps available to the complainant.

Where a DPC is upheld, possible actions may include correcting inaccurate data, completing or revisiting a data protection request, improving security measures, changing internal processes, providing further explanation, offering an apology, updating records, or taking other appropriate remedial action.

ESCALATION TO THE INFORMATION COMMISSIONER’S OFFICE

If the complainant remains dissatisfied after receiving our response, or believes Drystone Chambers has not handled the original DPC appropriately, they may raise the matter with the Information Commissioner’s Office, the UK regulator for data protection and information rights:

Information Commissioner’s Office

Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.

Website: https://ico.org.uk/make-a-complaint/  Telephone: 0303 123 1113.

RECORD KEEPING AND LEARNING

We will keep appropriate records of each DPC, including the issues raised, steps taken, decisions made, communications with the complainant, and any remedial actions. We will use complaints to identify lessons learned, improve our handling of personal data, and strengthen data protection governance.

REVIEW OF THIS PROCEDURE

This procedure will be reviewed periodically and updated where required to reflect changes in data protection law, regulatory guidance, organisational structure, or operational practice.

19 June 2026