Complaints Procedure – Personal Data

Have a Query?

Have a Query?

This procedure explains how individuals can make a complaint about the way 39 Essex Chambers has handled their personal data, what information we may need to investigate the complaint, and when they can expect a response.

We are committed to handling personal data lawfully, fairly, securely and transparently. This procedure provides a clear route for individuals to raise data protection complaints with us.

We are required to have a data protection complaints procedure as set out in the Data (Use and Access) Act 2025, which amended the UK GDPR and the Data Protection Act 2018. This requirement came into force on 19 June 2026.

This procedure should be used where an individual has a Data Protection Complaint (DPC) and believes that we may have infringed UK data protection legislation in the way we have collected, used, stored, shared, retained, protected, or otherwise handled their personal data, or the personal data of someone they are authorised to act for.

  • How we responded to a request made under the Data Protection Act 2018, including requests for access, rectification, erasure, restriction, objection, portability, or other applicable data protection rights.
  • Concerns about the security measures used to protect personal data, including concerns arising from an actual or suspected data breach.
  • How we collected, used, shared, stored, retained, or deleted personal data.
  • Concerns about the accuracy of personal data that we hold.
  • Any other matter relating to our compliance with UK data protection

Time limits

We will only consider a DPC received within six months of the matter complained about. Complaints received outside this period will only be considered in exceptional circumstances, for example where the complainant became aware of the matter more than six months after it occurred.

How to Make a Data Protection Complaint (DPC)

A DPC can be made by email to our Chief Executive at lindsay.scott@39essex.com or by letter to the Chief Executive, 39 Essex Chambers, 81 Chancery Lane, London WC2A 1DD.

Please provide as much detail as possible so that we can understand and investigate the complaint. This should include your name and contact details, a description of the issue, relevant dates, copies of correspondence, reference numbers, the personal data involved, and the outcome sought.

Supporting information required to investigate a complaint

We may need to ask someone who has made a complaint for proof of identity before we can proceed. If proof of identity is required, we will ask for it at the earliest opportunity.

A DPC may be made by someone acting on behalf of another person, such as a family member, solicitor, representative, advocate, or relevant not-for-profit organisation. In these cases, we will check that the person making the complaint is authorised to act on the other person’s behalf. This may require evidence such as:

  • an appropriate power of attorney; or
  • a signed letter of authority from the person they are acting on behalf

In the absence of appropriate evidence, we will not investigate the complaint.

We will aim to acknowledge receipt of a DPC received within 5 working days.

We will then aim to investigate the DPC and provide an outcome within one calendar month. However, complex complaints may take longer to resolve. If additional time is needed, we will tell the complainant.

When necessary, we will request additional information or clarification to ensure our substantive response is complete.

We will keep the person who has made the complaint updated on the progress of the investigation where we can.

We will provide the complainant with the outcome of the DPC without undue delay once the investigation is complete. The response will explain, where appropriate, what we investigated, our findings, whether we uphold the complaint in whole or in part, any action we will take, and any further steps available to the complainant.

Where a DPC is upheld, possible actions may include correcting inaccurate data, completing or revisiting a data protection request, improving security measures, changing internal processes, providing further explanation, offering an apology, updating records, or taking other appropriate remedial action.

If the complainant remains dissatisfied after receiving our response, or believes we have not handled the original DPC appropriately, they may raise the matter with the Information Commissioner’s Office, the UK regulator for data protection and information rights:

Information Commissioner’s Office
Wycliffe House Water Lane Wilmslow, Cheshire SK9 5AF

Website: https://ico.org.uk/make-a-complaint/
Telephone: +44 (0) 303 123 1113.

I store your data in electronic form in a secure IT system protected by up-to-date security including firewall, secure access and anti-virus protection. The data is stored by 39 Essex Chambers on its own servers or on servers operated by highly reputable IT system providers with database centres in the UK.

The computer hardware I use, including desktop and laptops, is whole disc encrypted and, in the event of loss, data on iPads and iPhones is deleted remotely by the IT department. When replaced, the hard disc of computer equipment I use is securely destroyed.

When email data is to be permanently deleted this is done by instruction to an email archive facility.

When informed that a matter is closed or instructions are terminated for any other reason, hard copy papers are returned to my Instructing Solicitors or confidentially destroyed.

39 Essex Chambers regularly reviews its information policy, including data security.

This procedure will be reviewed periodically and updated where required to reflect changes in data protection law, regulatory guidance, organisational structure, or operational practice.

Sign up to Our Thinking

Sign up now to receive our latest newsletters, legal insights and information on upcoming events.