Fitii Ltd - GDPR Complaints Policy
Policy Statement
A thorough and transparent complaints procedure is considered necessary to
enable the Firm to consider what happened and how to rectify errors in
relation to breaches of GDPR, the Data Protection Act and the Privacy and
Electronic Communications Regulations. This Policy follows the Fitii Data
Protection Policy.
This GDPR Complaints Policy ensures that all complaints are treated with
due consideration, fairness and equitability.
General Data Protection Regulations (GDPR) Complaints
If anyone wishes to complain to Fitii about how their personal information
has been processed, their GDPR complaint has been handled, or appeal
against any decision made following a complaint, they can submit their
complaint in writing. This should be addressed directly to the Fitii Data
Protection Officer (“DPO”) at www.support.mypthub.net.
Fitii’s Subscription Agreement, with its direct customers and registration
onto Fitii’s website services, will contain details of this GDPR Complaints
Policy and directions to find it.
Complaints receipt
- Complaints regarding how personal data has been processed should be
submitted to Fitii’s DPO. Receipt will be acknowledged within 7 working
days.
- The DPO will review and respond in writing to a complaint within 14
working days of receipt of the complaint. If a longer time is required
Fitii Limited will notify the Complainant of the delay and will provide an
estimate of when Fitii Limited will provide a substantive response.
- If a Complainant is dissatisfied with the way in which their complaint
has been handled then they can forward their complaint to:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilsmslow
Cheshire
SK9 5AF
UK.
Procedure
Fitii Ltd’s Complaints Procedure has three stages of handling and
escalation:
- Stage 1 - Informal Complaints – delegation by the DPO
to a suitable person knowledgeable about the circumstances for their
investigation, discussion and resolution with the Complainant.
- Stage 2 - Formal Complaints – investigation, discussion
and resolution with the Complainant by the DPO himself who is assigned to
the role of dealing with Data Protection complaints.
- Stage 3 - Final Escalation to the Directors – consideration of the complaint and the
prior investigation and efforts to resolve by the directors of Fitii
Limited.
All complaints should go fully through Stages 1 or 2 before/if they proceed
any further to Stage 3. The DPO can elect to decide, on behalf of Fitii
Limited, that a complaint is vexatious or of no merit to justify Stage 3
and can refuse any Complainant’s request for a Stage 3 review. Such a
decision is to be undertaken in the knowledge that the Complainant’s next
step would be to the ICO or legal action which are factors that shall be
taken into account in such decision.
Any Stage 2 Formal Complaint that is reasonably established to have been a
reportable breach of GDPR shall be reported to the ICO as soon as
reasonably possible after it has been established, and within 72 hours.
1. Stage 1 - Informal Complaint
- The Complainant makes a verbal complaint to a Fitii employee or
Representative who then logs and reports it immediately to the DPO who
decides whether it is a Stage 1 or Stage 2 process that is best required in
all the circumstances.
- The appointed Fitii employee hears the complaint, undertakes any required
investigation into the circumstances of the allegation, agrees resolution
with the Complainant and implements solution.
- The Complainant confirms in writing that they are satisfied with the
resolution.
Timeframe: Immediate to within 5 working days.
Method: Verbal initially; reference to DPO and his response to be in writing.
2. Stage 2 - Formal Complaint
- The complaint is received either verbally, in writing by email, phone,
website or by personal submission.
- The complaint is logged and reported to the DPO to deal with and action.
- Receipt of the complaint is acknowledged within one working day.
- Investigation of the complaint by the DPO will then proceed.
- As above, if it is reasonably established that a Data Protection breach
of the use or application of personal data has occurred which is reportable
to the ICO, then Fitii Limited shall as soon as reasonably possible
formally notify the ICO.
- The Complainant will receive a response from Fitii Limited authorised by
the DPO within 10 working days.
- If applicable, the results of the investigation into the matter shall be
shared with the ICO and Fitii Limited shall liaise with the ICO if and as
required.
- The Complainant has 10 working days after the response has been issued in
which to respond further; in the absence of which it will afterwards be
assumed the complaint is resolved.
Timeframe:Between one working day and, at the latest, 21 working days after
submission of complaint.
Method: Email, verbal or written complaint submission; written response.
3. Stage 3 - Escalation to the Directors
- This applies where the Complainant confirms:
- a) that they are not content with the proposed course of action,
explanation or resolution, and
- b) the DPO does not consider the case to be vexatious or of no merit such
as a Stage 3 is justified for purposes of transparency; or
- c) the ICO considers that there has been a breach.
- Receipt of the escalated complaint is acknowledged within one working
day.
- The DPO fully briefs the Director hearing the complaint concerning its
history and the details and conclusions of any prior Stage 1 or Stage 2
investigations.
- Within 5 working days, the Complainant is advised of when the relevant
Director of Fitii Limited will be considering the complaint which will be
no more than 2 working weeks from the date of the acknowledgement of the
escalated complaint. The Complainant will be invited to make a final
written submission to the said Director.
- If the Complainant is asked to attend a meeting in person, the
Complainant may be accompanied by an independent person for the purposes of
support.
- The Director concerned will proceed with review of the substance of the
case and its handling.
- The Complainant will receive a response from the Director or, as he may
delegate such task, the DPO within 10 working days after the Director’s
consideration of the complaint.
- The Director’s decision is final, subject to any ruling or information
relating thereto from the ICO.
Timeframe: Between one working day and, at the latest, 28 working days after submission of complaint.
Method: Written response from a Director or on his behalf by the DPO.
Anonymous Complaints
Complaints submitted anonymously will be considered if there is enough
information in the complaint to enable Fitii Limited to make further
enquiries. If, however, an anonymous complaint does not provide enough
information to enable Fitii Limited to take further action it may decide
not to pursue it further. However, Fitii Limited may give consideration to
the issues raised, and will record the complaint so that corrective action
can be taken as appropriate.
Any decision not to pursue an anonymous complaint must be authorised by the
DPO who is responsible for dealing with Data Protection breaches. If an
anonymous complaint contains serious allegations, it should be referred to
the Board of Directors.
Data Protection Complaint Inventory
Fitii shall keep a written log of complaints received and actions taken and
decisions reached in a Data Protection Complaint Inventory. This shall
consist of an adequate record to be retained of a case, any reporting to
the ICO, action taken by Fitii Limited and action/conclusion required by
the ICO (if any).
Abusive, Persistent or Vexatious Correspondence and Complaints
It is important to note that for this GDPR Complaints Policy purpose, it is
the complaint which must be vexatious and not the individual making the
complaint.
It is important to distinguish between people who make a number of
complaints because they really think things have gone wrong, and people who
are simply being difficult. It must be recognised that Complainants may
sometimes act out of character at times of anxiety or distress and
reasonable allowances should be made for this.
Features of the types of complaint and behaviour that this GDPR Complaints
Policy covers can include the following (the list is not exhaustive, nor
does one single feature on its own necessarily imply that the person will
be considered as being in this category):
- Persisting in a complaint after being advised that there are insufficient
or no grounds for their complaint or that Fitii Limited is not the
appropriate authority.
- Refusing to co-operate with the complaints process, without good reason,
whilst still wanting their complaint to be resolved, including a failure or
refusal to specify the grounds of a complaint despite offers of assistance,
changing the basis of the complaint as inquiries of a complaint despite
offers of assistance, changing the basis of the complaint as inquiries are
made and introducing trivial or irrelevant new information and expecting
this to be taken into account and commented on.
- Submitting repeat complaints, after the complaints procedure has been
completed essentially about the same issues, with additions/variations
which the Complainant then insists on being treated as new complaints and
put through the full GDPR Complaints Policy procedure again.
- Refusing to accept the outcome of the GDP{R Complaints Policy procedure
after its conclusion, repeatedly arguing the point, complaining about the
outcome, and/or denying that an adequate response has been given.
Imposing Restrictions
Fitii Ltd will ensure that correspondence and/or complaints are being,
or have been, investigated properly according to the appropriate procedure
and are notified to the ICO if applicable and required.
If a decision has been taken to record the complaint formally, Fitii
Limited then has to decide on the next steps. This is the point at which it
may consider whether a complaint is vexatious, persistent, repetitive or
otherwise an abuse of process.
When the decision has been taken to apply this GDPR Complaints Policy, the
individual will be written to with reasons for the decision and what action
is being taken, subject to any requirements of the ICO. That decision may
be amended if the individual Complainant continues to behave in a way which
is unacceptable.
Where a Complainant’s behaviour is so extreme or it threatens the immediate
safety and welfare of staff, Fitii Limited may consider other options, for
example reporting the matter to the police or taking legal action.
Document Owner and Approval
The DPO is the owner of this document and is responsible for ensuring that
this GDPR Complaints Policy is reviewed from time to time.
A current version of this GDPR Complaints Policy is available to all
members of staff.
This GDPR Complaints Policy was approved by the Board of Directors of Fitii
Limited on 23 May 2018.