1. Introduction

1.1 Purpose
This procedure sets out how Connected Places Catapult (CPC) receives, manages and resolves complaints relating to the handling of personal data.
It supports CPC’s Data Protection Policy and ensures that complaints are:

• handled consistently, fairly and transparently
• investigated in a proportionate and timely manner
• resolved in line with UK GDPR and Data Protection Act 2018 requirements
• used to inform continuous improvement in CPC’s data protection practices

1.2 Definitions

Data Protection  Complaint	A concern raised by an individual regarding how their personal data has been handled.
Data Subject	An identified or identifiable individual whose personal data is processed.

1.3 Scope

This procedure applies to all data protection complaints received by CPC, including those raised by:

• employees
• customers and partners
• suppliers
• members of the public
• any individual whose personal data CPC processes

A data protection complaint is any expression of dissatisfaction relating to CPC’s handling of personal data.

This includes concerns about:

• collection or use of personal data
• data subject rights handling (e.g. DSARs)
• data accuracy
• data sharing or disclosure
• data retention
• data security or incidents
• fairness or transparency of processing

2. Procedure

2.1 How to make a complaint

Individuals may raise a complaint via any of the following channels:

• Email: dataprotection@cp.catapult.org.uk
• Website: Connected Places Catapult – The UK’s innovation accelerator for cities, transport & place leadership.
• Post: Data Protection, Connected Places Catapult, Unity Place, 200 Grafton Gate, Milton Keynes,1UP

Complaints may also be received through any CPC staff member. All staff must escalate such complaints promptly in line with this procedure.

Individuals are not required to use formal language or cite legal provisions.

Reasonable adjustments will be made where required to support accessibility.

2.2 Acknowledgement

CPC will acknowledge receipt of the complaint within 10 working days.

The acknowledgement will:

• confirm that the matter is being treated as a data protection complaint
• provide a reference number
• outline next steps and indicative timelines
• request further information where required

2.3 Assessment and Investigation

Responsibility for handling complaints sits with the Risk & Compliance / Privacy function, supported by Legal where necessary.

Investigations will be proportionate and risk-based, and may include:

• review of correspondence and internal records
• review of relevant systems and access logs
• engagement with relevant business units
• consultation with IT and Information Security
• engagement with third-party processors where applicable

CPC will assess:

• compliance with data protection legislation
• whether policies and procedures have been followed
• root causes and contributing factors

2.4 Timeframes

CPC will provide a response without undue delay, and typically within:

• 1 calendar month of receipt

Where a complaint is complex or requires external input:

• timescales may be extended where necessary
• the individual will be informed of the reason and kept updated

2.5 Outcome and Response

CPC will provide a written response setting out:

• the scope of the complaint
• findings and decision
• any actions taken or planned
• rationale where the complaint is not upheld
• available escalation routes

2.6 Remedies and Corrective Actions

Where appropriate, CPC may take actions such as:

• correcting inaccurate data
• deleting or restricting processing of personal data
• providing further information or clarification
• enhancing technical or organisational controls
• providing additional staff guidance or training
• updating policies or procedures

Corrective actions will be proportionate to risk and impact.

2.7 Escalation – Internal Review

If the complainant remains dissatisfied, they may request an internal review within 20 working days of the response.

The review will:

• be conducted by an individual not previously involved (where practicable)
• reassess the handling and outcome of the complaint
• provide a final internal response without undue delay

2.8 Escalation – Information Commissioner’s Office

Individuals have the right to raise concerns with the Information Commissioner’s Office (ICO) if they are dissatisfied with CPC’s response.

Details are available via:
https://ico.org.uk/make-a-complaint/   

2.9 Non-Retaliation

CPC will not treat any individual unfairly or adversely for raising a data protection complaint.

2.10 Record Keeping and Assurance

CPC will maintain records of all data protection complaints to:

• demonstrate compliance with legal obligations
• support audit and assurance activity
• identify trends and systemic risks
• inform continuous improvement

Insights from complaints may be reported to CPC’s:

• Senior Leadership Team (SLT)
• Audit & Risk Committee (ARC), where appropriate