
Data Complaints Procedure

Under section 164A(1) of the Data Protection Act 2018 (DPA 2018), individuals have the right to make complaints about any infringement of the legislation, not just an infringement of their rights. They can complain about the organisation's handling of their own data, or about its general processing and handling of personal data.

This document sets out how Building Engineering Services Association (BESA) receives, assesses, investigates, and resolves complaints relating to the handling of personal data. It ensures that concerns raised by data subjects are addressed promptly, fairly, and in accordance with applicable data protection laws in the United Kingdom.

This process applies to all complaints concerning the collection, use, disclosure, storage, security, accuracy, retention, or other processing of personal data by BESA, including processing undertaken by third parties on our behalf. It covers complaints submitted by data subjects, their authorised representatives, customers, employees, candidates, users, suppliers’ personnel, or any other individual whose personal data we process.

All employees/staff are responsible for passing on data complaints to their line manager or GDPR owner. Complaints should be emailed to dpo@thebesa.com.

Procedure:

1. Intake:

Complaints are received through at least one of the following channels:

  • Email: dpo@thebesa.com
  •  Telephone: 01768 860 400 (with follow-up written confirmation where possible)  

2. Required Information:

  • Full name and contact details of the complainant and, if applicable, their authorised representative, and a form of identification (where required*).
    *Acceptable ID includes any one of the following: passport, driving licence (full or provisional), HM Armed Forces photographic ID, or birth certificate. If you are unable to produce any of these forms of ID, please let us know as soon as possible so that we can discuss an alternative.
  •  Description of the concern, including dates, services involved, and any supporting evidence.
  •  Relationship to BESA (e.g., customer, employee, supplier staff).
  •  Preferred method of contact and any accessibility needs.

3. Accessibility:

 We will provide reasonable adjustments, alternative formats, translation or interpretation support upon request. Representatives must provide evidence of authority.

4. Record:

The complaint will be recorded in our complaints register and a reference number will be assigned.

5. Written acknowledgement:

Acknowledgement of the complaint will be sent out within 30 days, confirming receipt, the reference number, expected next steps, and any request for further information, including but not limited to a request for identification of the complainant and/or any representative where applicable.

6. Investigate:

Each function of the business will have an assigned appropriate lead, and in the instance of a data complaint, that lead will be considered the GDPR owner. The GDPR owner will gather facts, review systems and correspondence, and consult IT/Security and Legal as required*.

*Urgent handling: if, upon receipt of the facts, we determine that there is a need for urgent handling, a suspected personal data breach, security risk or repeated unwanted marketing is prioritised. Marketing suppression requests are actioned as soon as reasonably practicable and no later than 30 days. Suspected breaches are escalated immediately to IT/Security and the Data management team/GDPR owner for assessment against notification duties. A separate Data Breach Procedure exists and will be applied and followed concurrently with the complaint, in order to contain the risk and manage next steps and remedial action, including notification to the Information Commissioner’s Office (ICO) where applicable.

7. Respond:

We provide a written outcome within 30 days of valid receipt, with reasons and actions taken. Where permitted, we may extend by a reasonable period and will explain why before the original deadline.

8. Close:

We record the resolution, any remedies provided and lessons learned. The case is then closed. 

9.  Escalation and internal review:

If you are dissatisfied with the outcome, you may request an internal review within 10 days of our response by contacting dpo@thebesa.com and quoting your reference. A reviewer independent of the original handler, overseen by the Privacy Lead/DPO, will reassess the decision and respond within 30 working days. You also have the right to complain to the Information Commissioner’s Office.

10. Outcomes and remedies:

Possible outcomes include an explanation, apology, correction or deletion of data where appropriate, restriction of processing, update to preferences or suppression from marketing, access to data, security or process improvements, staff training, and, where applicable, notification to affected individuals or the regulator.  

11. Recordkeeping:

We keep a record of all complaints, decisions, correspondence, evidence, actions taken and timelines. Records are retained for 7 years from closure, unless law requires a longer or shorter period. Access is limited to those who need it for their role. 

 12. Confidentiality and non-retaliation:

We handle complaints confidentially and use information only for managing the complaint and meeting our legal obligations. We do not retaliate against anyone who raises a complaint in good faith. If a complaint is made by an employee, this policy operates alongside the Whistleblowing Policy and Grievance Procedure.

13. Contact:

For questions about this process, contact the Privacy Lead/DPO at dpo@thebesa.com or write to us at: 

FAO the DPO,  

The Building Engineering Services Association,  

Old Mansion House 

Eamont Bridge 

Penrith 

Cumbria

CA10 2BX