How We Deal with Complaints

What happens when someone makes a complaint?

3. Under Art.19 of the DPAJL 2018, any person can make a complaint to the Authority if that person considers that an organisation (known as a Controller/Processor) has contravened (breached) or is likely to contravene (breach) the DPJL 2018 and that contravention (breach) involves or affects (or is likely to involve/affect) the personal data of that person.

4. Complaints generally need to be made in writing, and we encourage individuals to make complaints via our online form. For individuals who cannot use our online form (either because of disability or for some other significant reason) we can offer alternatives to our online form so they can raise any concerns with us. Individuals can be represented by someone else, but we need the individual’s written consent to allow someone else to file a complaint on their behalf. In this note, we will refer to people raising concerns with us as “Complainants”.

5. Our online form asks Complainants several questions about their concerns such as the identity of the Controller/Processor and their relationship with them. We also ask for information about what has happened. Before coming to us to raise a formal complaint we will usually expect a Complainant to have tried to raise/resolve issues with the Controller/Processor directly and we will ask the Complainant to provide evidence of this. This could be copies of any correspondence they have had with the Controller/Processor such as letters or emails, or screenshots of text messages for example.

6. Once we have received a complaint, a caseworker in our Compliance & Enforcement team will be allocated to review the information that has been submitted. They will be your primary point of contact throughout any complaint review/investigation. Art.20 of the DPAJL 2018 sets out that we have eight (8) weeks to decide whether or not we’re going to carry out a formal investigation.

What happens during the first 8 weeks?

7. We will let the Complainant know that we have received their complaint and they will be sent a letter confirming this. We do this so we can make sure that we have correctly understood what the complaint is about and sometimes we will ask the Complainant for further information. We will do this within seven (7) days.

8. We will also write to the Controller/Processor to let them know that a complaint has been made about them and we will do this within 14 days.

9. When we write to the Controller/Processor we will tell them what the complaint is about and ask for their initial views on what we have been told and anything else that we expect them to do. We do this because we need to hear their side of the story about what has happened and to make sure that our process is fair to both parties and we have all the information we need to make the right decision.

10. When we have all the information we need, we review matters and decide whether a formal investigation needs to be carried out. Art.20(2) of the DPAJL 2018 says that we must carry out formal investigations for every complaint received unless we consider that the complaint is:

• Clearly unfounded; or
• Frivolous, vexatious, unnecessarily repetitive or otherwise excessive.

11. These are the words that are set out in the DPJL 2018 and we understand that people don’t always understand what they mean. In short:

1. 'Clearly unfounded' means that based on the information we’ve reviewed, there’s no credible evidence or reasonable basis to believe the alleged issue actually occurred - the facts simply don’t support the claim.

Examples

Someone complained that a bank leaked their personal details online. We reviewed the logs, security reports, and relevant timeframes, and found no access or disclosure event matching the claim. The data was never exposed.

A Complainant accused “BlueTech Ltd” of sending them spam emails without consent. Our checks showed the sender was actually “BlueTech Services,” a completely different company outside our jurisdiction.

Someone claimed their employer shared their medical information without permission. The employer provided system audit trails and HR records showing no such disclosure took place.

A complaint concerns regulatory matters that fall under the Jersey Financial Services Commission (JFSC) rather than data protection law.

The issue raised involves potential criminal activity, such as harassment.

An employee was dismissed from their job, but they think that the whole disciplinary process was flawed and want to challenge it. The matter relates to workplace rights under employment law.

2. 'Frivolous' means that the issues raised are very minor and would not warrant the time and resources necessary for a full investigation.

Examples

Two neighbours are in a dispute and complaining that the other is moving their bins. Both of them have put up CCTV cameras on the outside of the house covering their bins but both think that the cameras are looking beyond their boundary into the other’s property (i.e. they’re not processing for a purely domestic activity anymore). Neither has any evidence of this and there’s been no harm to either party.

3. 'Vexatious' means that the complaint is brought with the intention of causing disruption, inconvenience, or harm rather than genuinely seeking resolution. This may include allegations made maliciously, repeatedly raising issues already addressed, or using inflammatory and abusive language to pressure the regulator into investigating. The underlying motive is often to harass or burden the organisation or individual rather than to resolve a legitimate concern.

Examples

An individual repeatedly files complaints against their former employer, each time making slightly different allegations, despite multiple investigations finding no breach. Their communications include threats to “destroy the company’s reputation” and “take matters to the press” unless management “pays up”. They have told the former employer that if they do “pay up” that they will withdraw their complaint to us. This shows that the primary motive is to harass rather than resolve a genuine data protection issue.

4. 'Unnecessarily repetitive' means that a Complainant has re-raised the same issue that has already been properly considered and concluded, without presenting any new evidence or information.

Examples

A Complainant submits the same complaint three times in six months that their name was misspelled in a marketing email, even though we have already investigated, confirmed the organisation corrected the error, and closed the matter. No new evidence or information is provided with each resubmission.

12. We can also decline to carry out a formal investigation if we’ve already taken other action such as issued a public statement or there are other international matters at play (e.g. we’re not the correct/best jurisdiction to investigate).

13. If the Complainant does not provide us with the information, we need to consider their complaint by the deadline we have asked for it, we will consider the complaint has been abandoned and it will be formally rejected.

What happens if we reject the complaint?

14. If we decide to reject a complaint we need to write to the Complainant and tell them why (Art.20(5) of the DPAJL 2018). We do this by sending the Complainant something we call a “Rejection of Complaint” letter. In that letter we will explain why we have decided not to carry out a full investigation and explain which of the criteria set out Art.20(5) of the DPAJL 2018 we are relying on and why.

15. The Rejection of Complaint letter will be addressed to the Complainant, and it will usually be copied to the Controller/Processor in full. This is so that they also know about and understand our decision. They will have been told about the fact a complaint has been made and it is right that they are told when we decide to reject a complaint, and the reasons for it.

16. If a Complainant is unhappy with our decision not to investigate, they can issue a formal legal appeal to the Royal Court of Jersey. Although we must tell the Complainant of their right of appeal (which we do in our Rejection of Complaint letter), we do not help people bring an appeal or provide any advice about the appeal process – they will need to seek their own legal advice. (Legal Aid may be available in certain circumstances and more information can be found here. Citizens Advice Jersey may also be able to assist.)

17. If the Complainant appeals, they will need to explain to the Royal Court why they think that our decision was “unreasonable in all the circumstances of the case” (i.e. it’s not enough that someone doesn’t like our decision; it needs to be unreasonable). They have 28 days from the day they receive our Rejection of Complaint letter to bring an appeal. If no appeal is brought, our file will be closed and archived.

What happens when we decide to carry out a formal investigation?

18. If we decide that we are going to carry out a formal investigation, we will write to both parties letting them know of our decision and the reason for it. We call this our “Notice of Investigation” letter. It will also set out what our next steps are and what the parties need to do (if anything) to assist us with our investigation.

19. During our investigation, we may ask the Controller/Processor for more information about what has happened. We deal with lots of different types of issues including things like failure to respond to subject access requests (including being asked to check why information has been withheld), failure to erase data; failure to correct inaccurate information and understanding why information might have been disclosed and deciding whether that should have been done. Many cases will have similarities, but we will usually ask for information about a Controller/Processor’s decision-making process regarding the issue that has been complained about. If we’re dealing with a subject access complaint, we will usually ask the Controller/Processor to provide information about how you responded to the request and for copies of any information that has been withheld, together with an explanation about any exemptions that have been applied.

20. In all cases we expect Controllers/Processors to be able to explain to us and justify the decisions they have made, and it is often useful to include things like:

• Information about the context of the complaint and the matters being complained about including any relevant background and context.
• Copies of documents that back up anything said in any written submission.
• Any advice that helped a Controller/Processor make the relevant decision (although legal advice does not need to be provided).

21. Formal investigations can take many months to investigate properly but the law says that at least once every 12 weeks we must provide both parties with a formal update if the investigation has not completed. We will usually be in touch with both parties far more frequently than this, but when we write formally we will give as much as we can about where we are in the process.

22. We expect everyone involved in an investigation to give us the information we have asked for, by the deadline we impose. If our initial deadline is missed, we will usually send one (1) reminder and a give a new deadline to provide that information to us. For Controllers/Processors, if we still don’t receive the information that we need by the end of that deadline we will consider more formal ways of obtaining the information such as issuing a formal Information Notice. For Complainants we may consider that the Complainant is abandoned.

What happens once we’ve made a decision about the complaint?

23. Once we have received and reviewed all the information and our investigation part of the process is complete, we must decide whether or not the Controller/Processor has contravened the law. We have a process we need to follow which is set out at Art.28 of the DPAJL 2018 and we have to send our initial views and findings to the Controller/Processor first. We set out our initial findings in a document called a “Proposed Determination”. We do not have to give a copy of the Proposed Determination to the Complainant and will not do so.

24. In our Proposed Determination we set out what the complaint is about, the evidence we have seen and our findings including whether we consider there has been any breach of the DPJL 2018 by the Controller/Processor. If we think that the law has been breached, we will also set out what sanctions (penalties) we want to issue. We have a range of sanctions available to us including:

• Issuing words of advice
• Issuing a formal Reprimand
• Making Orders (i.e. telling a Controller/Processor what they need to do to put things right)
• Issuing an Administrative Fine.

We can’t order a Controller/Processor to pay any compensation to a Complainant or make an apology, even if we find that there has been a breach in the law.

For more information, please see our note on what we can/cannot do here and in our Regulatory Action and Enforcement Policy.

25. Once the Controller/Processor has received the Proposed Determination, they have 28 days to provide us with either written/oral comments on our initial findings if they want to. If they do, these are known as “Representations”. Representations are the Controller/Processor’s chance to tell us if they think we got things wrong, why they disagree with the Orders we want to make, and/or let us know if they will need more time to comply with those Orders. We also ask the Controller/Processor to tell us if there is any information contained within the Proposed Determination they think should not be seen by the Complainant (this is because our Final Determination goes to both parties).

26. We must consider any Representations we receive before making a final decision (Art.28(3) of the DPAJL 2018) which we set out in a document called a “Final Determination”.

27. The Final Determination will be addressed to the Controller/Processor involved but it will be copied to the Complainant. This is because the law says that we must provide a copy of this document to both parties (Art.23(2) of the DPAJL 2018). There may be information that the Complainant should not see and if this is the case we will redact the relevant information before we send it out.

28. Both parties then have a right to appeal our Final Determination to the Royal Court of Jersey. For Controller/Processors, this right arises under Art.32 of the DPAJL 2018 and for Complainants it arises under Art.31 of the DPAJL 2018. The test for appeal is the same for both parties though, which is that our decision was “unreasonable in all the circumstances of the case”. Any appeal must be brought within 28 days of the Final Determination being issued to both parties (i.e. 28 days from the day we send it out).

29. If no appeal is lodged by either party, we will close our case file and it will be archived.

30. Please note that we cannot enter into correspondence with either party after our Final Determination has been issued and will not do so. This is because once we have made our decision, that is the formal end of our process and the only way to challenge them is to the Royal Court – we cannot look at things again internally (that includes the Authority members, including our Chairman).

What happens if there are Orders that need to be complied with or an Administrative Fine to be paid?

31. If we have issued a Controller/Processor with Orders, they will usually be given time to comply with them (unless urgent) and we will usually include a requirement that we are provided with evidence to show that the orders have been complied with to our satisfaction.

32. If we have issued an Administrative Fine, the Controller/Processor will usually be given a date by which payment must be made. If payment is not made, then we can recover this as a civil debt through the Petty Debts or Royal Court. We will bring proceedings if monies are not paid to us and this may include asking the Court for an arrest on wages or distraint of goods and we will provide the order to the Viscount’s Department for enforcement.

33. Information about what needs to be done, and by when, will be included in the Final Determination.

See Section 3 for FAQs on 'How we deal with Complaints'

FAQs on 'How we deal with Complaints'

Q: Are formal complaints a person’s only option to raise concerns about the behaviour of a Controller/Processor?

A: No; we have a number of ways people can raise concerns with us. Some people may not want to pursue a full, formal, complaint and we operate an Amicable Resolution (AmRes) process. More about that process can be found here. We do also allow people to raise issues with us confidentially and without giving us their contact details. We call this our “Tell us in Confidence” process and more information about that can be found here. We always encourage people to raise their concerns with the Controller/Processor before coming to us and before taking any formal regulatory action we will usually require that they do this first and provide us with proof that they have done so. We strongly encourage parties to try and resolve any dispute between themselves as this will often provide a better outcome for all parties.

Q. Can we deal with complaints about Controllers/Processors outside Jersey?

A: There are some circumstances where we can deal with Controllers/Processors that do not have a physical presence in Jersey, but this depends on whether they are considered to be “established”. Art.4(2) of the DPJL 2018 says that the law applies to Controllers/Processors not established in Jersey if:

• They process personal data of individuals in Jersey; and
• The processing activity relates to:
• Offering goods or services to individuals in Jersey,
• Or monitoring their behaviour. However, sometimes it may be better for a regulator in another country to deal with the complaint (because the Controller/Processor is physically present in their country for example) so we can (and do) refer complaints to our colleagues. If we think that another regulator is better placed to assist, we will tell you and may liaise with the other regulator on your behalf. We use co-operation methods to ensure that any complaints are dealt with in the most appropriate and effective way.

Q. Do you have to tell a Controller/Processer that I have made a complaint?

A: Yes. This is because we will need to involve the Controller/Processor in any investigation, and this will usually include them being asked to explain what has happened and give us their side of the story. They will not be able to do this (and we will not be able to investigate properly) if they do not know who has submitted the Complaint or what has been said about them. Our process needs to be fair to both parties.

Q. What do you expect from me once I’ve made a complaint?

1. We need you to give us full details of your complaint and we need you to provide us with all evidence you have (e.g. documents, emails, photographs etc). This is so that we can have a complete understanding of what your complaint is about and what has happened and so that we can make a decision based on all the evidence available. When we ask for information, you must provide it to us and in accordance with any deadlines we set. If you do not do so (and have no reason for missing the deadlines) then we will consider that you have abandoned your complaint and it will be formally rejected. We also expect that our Caseworkers will be treated with respect and we will not tolerate the use of abusive language. Our Casework team are impartial and here to do a job; please treat them with respect.

Q. What does the Authority expect from Controllers/Processors during this process?

1. We understand that being involved in a formal investigation can be stressful and time-consuming, but we expect all those engaging with our office to:

1. Be courteous to our staff
2. Provide information in the form we request it
3. Provide information in a timely manner and in accordance with any deadlines we set. We aim to be a proportionate, reasonable and approachable regulator but we will take appropriate legal action if our requests and/or orders are not complied with and any poor conduct may be referred to in our decisions and could be made public.

Q: What happens if a Controller/Processor refuses to provide the Authority with information they have requested?

A: We expect that everyone engaging with our enforcement processes will do so properly and when we ask for information to be provided to us which we need for our investigation, we expect Controllers/Processors to comply with those requirements. We will ask for information informally at first and a deadline will be provided to give us the information we have asked for. If that deadline is missed, we will send one (1) reminder and may issue a revised deadline. If we still do not receive the information we have asked for, we will then issue a formal Information Notice. An Information Notice is a legal document where we formally set out the information we are asking for and why we need it. Recipients usually have 28 days to respond to that notice, but we can impose a shorter deadline in certain circumstances. If we do not receive the information we have asked for, we can issue legal proceedings before the Royal Court.

Q: Does the Authority help Complainants or Controllers/Processors with formal appeals under Art.21 or Art.22 of the DPAJL 2018?

A: Once we have issued any formal decisions we do not generally engage in any follow up correspondence about our decision/findings. This is because once we have made our decision it would not be appropriate for us to have any further discussions on the matter. We cannot change our decision. Anyone wishing to formally appeal one of our decisions to the Royal Court of Jersey will need to seek appropriate independent legal advice. We do not give legal advice, and we do not issue appeals for anyone or help with the appeal process. For an appeal to succeed it needs to be shown that our appeal was “unreasonable” and this means that it needs to be illogical (make no sense on the evidence) or irrational. There needs to be a serious flaw in our decision-making process not just that someone doesn’t like the outcome.

Q: What happens with the information that I send to you? Will it be made public? Do you publish all your decisions?

A: We have general duties of confidentiality, but all parties must bear in mind that anything they write to us/tell us about has the potential to be published in our formal decisions which are received by both parties. We do not publish our Final Determinations but, sometimes, we may consider that the case is of particular seriousness that we need to issue a formal public statement. We do not issue public statements for every matter we deal with - only those where “because of the gravity of the matter or other exceptional circumstances, it would be in the public interest to do so”.
When we decide to do that, the statements will be published on our website and sent to the local media. A public statement will usually name the Controller/Processor (but not the Complainant) and give brief information about what the complaint was about, our findings, and details of any sanctions. We also use the opportunity to educate our Island community and include a “Lessons Learned” section.

Q. What happens if a Controller/Processor changes their views during the course of the investigation?

1. Even after we are involved and have accepted the case for investigation, Controllers/Processors can discuss the case with the Complainant – particularly if this is likely to lead to the parties resolving the case informally. If the case is resolved without our involvement, please let us know as soon as possible.

The parties may also achieve an informal resolution as a result of our involvement, either because a Controller/Processor subsequently discloses some or all of the requested information for example, or the Complainant accepts that their complaint will not likely be upheld.

If a Controller/Processor thinks that it could resolve the case (for example by full or partial disclosure of the information, or by otherwise amending an earlier response to the information request) then we expect that to be done. Please inform the Caseworker at the earliest opportunity and send them a copy of any relevant correspondence.

If the Complainant then chooses to withdraw their complaint, we will close the case without it being necessary for us to issue a formal determination. The Complainant may, however, still ask for us to make a formal finding, even if the issues resolve part-way through an investigation. In these cases we must usually continue with our process and make a formal finding about what has happened (although we may consider whether it remains appropriate to do so or whether such may be halted).

Q. What happens if a Complainant doesn’t want to continue with their complaint?

1. A Complainant can withdraw their complaint at any time. We just need to know as soon as possible and we need this in writing. Whilst that may bring any formal investigation into the complaint to an end, we do have the ability to carry out other enforcement activity if significant matters come to light during out investigation that suggest there are significant issues on the part of the Controller/Processor that we need to deal with.