Philipp Rosenauer
Partner Legal, PwC Switzerland
Even if a company has adequate data protection policies in place, employees, customers, contractors or other persons whose data is processed may be dissatisfied with how their personal data is handled. It is therefore possible that complaints will be filed concerning data protection. Statistics from the EU show that such complaints usually form the starting point for supervisory proceedings. This means it is important to respond quickly. We have summarised exactly how to respond to such complaints in our blog post.
The data subject should be informed as soon as possible that the data protection complaint has been received and is being investigated. The response should include information about what is being done at each stage. The data subject should be told when they can expect to receive further information and who the contact point is for any questions they may have in the meantime. If the complaint procedure follows a standardised process, a link to this procedure can be sent.
It is also important to establish the identity of the data subject.
All data protection complaints should be addressed as soon as possible. As much information as possible should be collected. If necessary, the data subject should be asked for further information that will help to clarify the facts. The better you understand the problem, the better able you are to solve it.
If it takes longer to clarify the facts than originally planned, the data subject should be informed of the current situation in the meantime.
A clear information policy creates trust, and things run more smoothly when everyone knows what to expect.
The date on which the data protection complaint was received as well as when a response is due should be clearly recorded.
Details of all discussions held and copies of all relevant documents should be retained from start to finish, including the reasons for any decisions made and any actions taken or not taken. This also provides a record of the measures, which may be required by a supervisory authority.
After all investigations have been completed, the result should be communicated to the data subject. The response should make clear what has been done to resolve the data protection complaint and what actions have been taken. You should include enough information so that the person understands how you arrived at your conclusion. It may be useful to summarise the complaint areas using bullet points and address each point individually – providing supporting evidence if possible.
It is important to use simple and understandable language.
Once the response has been sent to the complainant, the opportunity should be taken to review what happened. It is important to consider what can be learnt or improved upon to prevent such complaints from being made in future. This will enable significant improvements to be made if you regularly receive a large number of complaints in similar areas.