Data Protection Complaint Handling Policy


1. Purpose and scope

Taylor Wimpey has legal complaint handling obligations under both the UK GDPR and Part 3 of the Data Protection Act 2018. If an individual considers that we have breached data protection laws, they have the right to make a complaint directly to us, to the Information Commissioner's Office (ICO) or to pursue legal action.

These complaints must relate to data protection, but the legislation does not specifically define a data protection complaint. The scope of complaints is therefore wide and could relate to the way we collect or use someone's personal information, their data protection rights (such as the right of access, correction or erasure), our privacy notices and policies, how long we keep their information or the security of the personal data being processed.

This Policy outlines our approach to handling data protection complaints. It should be read together with the Taylor Wimpey Privacy Notice. It applies to all employees, workers, contractors and third parties acting on our behalf, where such third parties act as our data processor. Third parties which act as our processor are generally contractually required to forward such complaints to Taylor Wimpey, who will manage the complaint in accordance with this policy.

2. Guiding principles

We are committed to handling data protection complaints in line with our legal obligations and in an accessible, fair, transparent and timely manner. We will handle complaints confidentially and only share information where appropriate to investigate and resolve the complaint, as required or authorised by law or otherwise in accordance with our privacy notice. We will aim to avoid conflicts of interest. 

3. Roles and responsibilities

Our Data Protection Team is responsible for co-ordinating how we handle data protection complaints. They will involve relevant business departments as required, which may include customer services, HR, IT, security, legal or other teams as needed.

All staff are responsible for recognising complaints and referring them to the Data Protection Team promptly as well as for providing supporting information and responding to requests from the Data Protection Team when asked.

The Data Protection Team is responsible for ensuring staff are aware of and trained sufficiently to identify and escalate data protection complaints. 

4. Transparency

Within this policy, we will provide information about how to submit a data protection complaint. We will make this obvious and easily accessible to individuals, including in our privacy notices or via our website. Using plain and clear language, this policy will also address:

  • Our data protection complaints process.
  • How individuals can make a data protection complaint.
  • The available complaint channels.
  • The information we require to investigate a complaint, such as any supporting documentation, your contact details, details relating to your interactions with Taylor Wimpey, and property or reservation related details.
  • What we do with that information and why, for example investigations, establishing the facts and complaint resolution.
  • How we handle complaints which might be sensitive in nature.
  • What individuals can expect from the process.
  • When individuals can expect to hear from us, including status update communications such as acknowledgements, progress updates and outcomes.
  • Any reasonable support we provide to help individuals make complaints, such as alternative formats or language options.

5. Non-data protection complaints

Some complaints will include both data protection and non-data protection issues; we will handle the data protection aspects under this Policy. Non-data protection issues will be shared with and addressed by the relevant Taylor Wimpey business department, which may include customer services, HR, sales and marketing, or any other department deemed relevant.

6. Complaint channels

People may submit a data protection complaint to us using any of the following options: 
To expedite the complaint, we will encourage people to use our established complaint channels. They may still choose to submit a complaint through any of our "contact us" channels. We will accept and route these complaints appropriately. 

Where a complaint is made through social media or another insecure public channel, we will ask the complainant to continue the complaint through a more secure method to protect their data where possible. 

7. Requesting additional information

Some complaints may be easy to resolve; others may require further investigation. Where reasonably necessary to investigate a complaint, we may ask the complainant for additional information, including information to verify their identity or to clarify the scope of the complaint. We will only request information that is reasonable and proportionate in the circumstances and will not request more information than we require to identify the complainant or their representative. 

Where a complaint is made on behalf of another individual, we may require evidence such as a power of attorney or signed letter of authority indicating that their representative is authorised to act on their behalf. We cannot progress complaints unless adequate proof of authority is provided. Where this is the case, we will explain it to the person who submitted the complaint.

8. Complaints to or about processors or partners

Where a complaint received by us relates to the processing of personal information by our service providers, we will ask these providers to provide us with details and information relevant to the complaint without undue delay and in accordance with any agreed and specified terms within our contract with the service provider.

Where a service provider receives a complaint about the processing of our personal data, whether by them or us, they should forward this to us without undue delay. Service providers are under no obligation to handle complaints on our behalf unless this has been agreed between us and the relevant service provider(s) under a binding contract. Where applicable, we will ask service providers to handle such complaints in line with our policies and procedures.

9. Record keeping

We will keep appropriate records about each data protection complaint in our complaints register. Records include:
  • The date of receipt.
  • The acknowledgement.
  • Any relevant correspondence, conversations and documents.
  • The outcome of the complaint, including escalation, and any actions taken in response.
  • Whether the complaint was or was not upheld.

These records will be used to demonstrate compliance, for audit and monitoring purposes, training, to support consistent handling and to identify recurring issues, trends or areas for organisational improvements or remediation.

We will not retain personal data relating to complaints for longer than is necessary and will handle such records in accordance with our record retention schedule and data protection policies.

10. Acknowledgement and timeframes

We will aim to provide an acknowledgement of your complaint within thirty days of receipt.

To the extent possible within the acknowledgement, or within follow-up correspondence, we will aim to:
  • Request any further information, including for clarification or identification purposes.
  • Provide an indication as to the timeframe required to resolve your complaint.
  • For ongoing investigations, communicate this to individuals with an indication of our initial, anticipated timescales for resolving the complaint. We will endeavour to keep the complainant informed of our progress, including, where appropriate, the next steps, any further information required, and any expected timeframe for the next update or outcome.

In any event we will endeavour to provide a response letter indicating the outcome of your complaint without undue delay.

11. Investigations

We will take reasonable and proportionate steps necessary to investigate complaints fairly and in a timely manner. It may take us longer to investigate and resolve complaints which are complex, serious or which relate to multiple data protection issues. 

12. Outcomes and escalation

We will communicate the outcome of the complaint to the complainant without undue delay, explaining our findings, whether the complaint is upheld (in whole or in part), any action taken or proposed, and, where no action is taken, the reasons for that decision. 

We have processes in place for reviewing and escalating complaints where the complainant is dissatisfied with our handling of the complaint as it progresses or with the outcome.

If the complainant objects to our handling of their complaint or disputes the outcome or any aspect of our response and notifies us, we will escalate the matter to the Taylor Wimpey Group Legal department. They will review the matter and respond to the individual with their decision on our complaint handling: whether to accept the original finding, to substitute a new finding, or alternatively to escalate the complaint for review by external legal counsel.

Where reasonably practicable, any internal review will be carried out by a person who was not primarily responsible for the original response. 

The Data Protection Team will respond to the individual within 2 working days of the referral to the Group Legal department, to notify the complainant that their complaint is being internally peer reviewed. If the complaint is upheld, the Data Protection Team will ensure that necessary steps are taken as a result, such as correction, deletion, apology, security remediation, or process changes. 

Once the matter has been escalated to the Group Legal department and a decision issued, this decision is final. No further action will be taken, and the complainant will be informed of this. 

If the complainant is dissatisfied with the outcome of the complaint, we will inform them that they have the right to lodge a complaint with the ICO and, where appropriate, provide them with details of how to do this. They also have the right to complain to the ICO at any time and to lodge a claim before a competent court, irrespective of whether they have lodged a complaint with us using our complaints process. 

13. Monitoring

In addition to the annual review of this Policy, we will routinely monitor our data protection complaint handling process to ensure we can maintain performance levels in line with our legal obligations and our own performance targets, and to demonstrate our compliance.