Iubenda logo
Start generating


Table of Contents

How to Handle Data Privacy Complaints | Your 5-Step guide

Your business can receive a privacy complaint if a user believes its rights have been infringed. Your business must respond as soon as feasible to complaints that involve users’ personal information. 

This 5-step guide will help you in responding to and resolving privacy complaints in a method that may mean the difference between settling the complaint effectively and having it escalated to your national Data Protection Authority. 

💡Privacy complaints can be useful to your business since they frequently identify areas where processes can be improved, and future risk decreased.

How to handle data privacy complaints

📌 Step 1 – Receive 

Acknowledge the complaint as soon as possible. A prompt acknowledgment offers an early impression that your business is responsive and efficient, and it saves time by preventing the users from sending a following-up.

Even if the complaint requires further investigation or will be handled informally, addressing it soon helps lay the groundwork for good contact with the user. 

This is also a chance to inform the users about how the complaint will be handled by:

  1. providing a link to your complaints procedure if you have one;
  2. outlining the stages in the complaint procedure and the expected timelines for resolution;
  3. providing information on how your business collects, uses, and discloses personal information when handling a complaint; and
  4. providing the users with a contact from within your business that will be handling the complaint.

📌 Step 2 – Recognise 

Any data protection issues should be handled as soon as feasible. Initially, attempt to study everything you can. You must collect all necessary data thoroughly, fairly, and precisely.

After you have understood the situation of the complaint, you should respond to a privacy complaint promptly. If your company waits, it is doubtful that the privacy issue will be resolved without being escalated.

If the inquiry is expected to take some time, follow up on your initial response. Inform them so that they are aware of your efforts to resolve the issue. 

💡 When possible, use simple language rather than technical or legal jargon. People will trust you more if you keep them informed, and if everyone knows what to expect, things will go more smoothly. A complainant who believes they have been heard, their concerns addressed, and they have been treated with respect is more likely to resolve their complaint

📌 Step 3 – Record 

Keep a record of all significant conversations as well as copies of any relevant papers, including the logic behind your decisions and any actions you take—or do not take—from start to finish. It will also provide proof of your actions, which your Data Protection Authority may require in the future.

📌 Step 4 – Respond

When your investigation is finished, notify the recipient of the findings. Describe what you did to address the data protection issue, as well as any following steps you took. Give them enough information to comprehend how you got at your conclusion. It may be useful to list the areas of concern in bullet points and, when possible, answer each one with relevant proof.

A statement such as “We have no been able to uphold your complaint,” “We were unable to confirm your version of events,” or “Your complaint did not show anything improper” is not an explanation; it is a conclusion.

You want your user to feel understood and taken seriously. If you can demonstrate to them that you have spent the time on their personal request, you will not only build trust with them but also reduce the chances of the complaint going any further.

Explain why you were unable to uphold the complaint. Your complaint outcome letter should demonstrate that you have, At the very least, have:

  1. assessed the complaint against the relevant privacy principles;
  2. considered all other relevant criteria, such as legislation applicable to the agency and any relevant policies, standards, or directives; and 
  3. determined the extent to which the complaint is or is not substantiated and all the reasons for this.

💡 Write in simple, accurate, and straightforward language. This will help you deliver your message to the user and avoid any misunderstandings. Provide your contact information so that your user can contact you if they have any more queries regarding the complaint.

📌 Step 5 – Review

After you’ve handled the complaint, take some time to think about what happened. Consider whether there is anything you can learn or do better to prevent future complaints. If you consistently find a high frequency of complaints, a small change can make a big difference. 

Taking these 5 steps will help ensure your compliance with privacy laws and reduce liability risks.

Important Reminder

You may be in violation of several laws if you do not have an up-to-date privacy policy. You can further your efforts to comply with laws such as the GDPR by providing user-friendly privacy notices when you collect personal information. See how to easily edit and update your privacy policy here.