Data Protection Complaints Policy

1. Introduction

Keystone Law (“We”/”us”/“Keystone”/“the firm”) is committed to handling personal data appropriately and to complying with all applicable data protection laws, including the UK GDPR, the Data Protection Act 2018 and the Data (Use and Access) Act 2025 together, “Data Protection Laws”. We are also committed to maintaining the highest standards of confidentiality and professional conduct.

This policy sets out how the firm deals with data protection complaints.

We recognise that individuals, including clients, former clients and third parties, may have the right to raise concerns about the way in which we handle their personal data and data protection enquiries, including data subject access requests. We will consider any such complaint promptly, fairly and in accordance with our legal and professional obligations.

We are committed to learning from complaints where appropriate and to reviewing and improving our data protection practices.

2. Before making a complaint/Seeking a specific document

If a Data Subject is seeking a specific document, information or other identifiable material, rather than wishing to raise a complaint about the way in which we have handled a data protection enquiry, we encourage them to identify that material clearly and explain why they believe it should be provided.

Where such a request has not already been made, asking for the specific document or information sought will often be quicker and more proportionate than making a complaint or submitting a broad data subject access request. We will consider whether we are able to provide the material lawfully, taking into account our legal and professional obligations and any applicable restrictions.

3. Note for data subjects who are not clients or former clients of the firm

Where we process personal data in connection with client work, including legal advice, disputes, investigations, regulatory matters, potential claims or legal proceedings, and where the data subject seeking to make a complaint or exercise rights in relation to that data is not our client or former client, the data will often be protected by one or more of legal professional privilege, litigation privilege, our professional duty of confidentiality to our client or restrictions relating to legal proceedings.

In those circumstances, Data Protection Laws will usually restrict or disapply rights that might otherwise arise, including rights of access, information, rectification, erasure, restriction or objection. We will therefore usually be unable to confirm, disclose, amend, erase, restrict or provide further details about personal data to the extent that doing so would conflict with those obligations or restrictions.

This means that a third party may have a right to complain about the way in which we have handled a data protection enquiry, but that right will not usually give them a right to receive personal data, documents or information held by the firm in connection with client work. We will review any such complaint in accordance with this Policy, but in most cases involving client matter files, confidential client work, legal advice, disputes, investigations, regulatory matters, potential claims or legal proceedings, we are unlikely to be able to accede to the request where the relevant data is protected by legal professional privilege, confidentiality, the rights of others, regulatory obligations, legal proceedings or other applicable restrictions.

4. Purpose

The purpose of this Policy is to provide Data Subjects with an avenue of redress. We recognise that we may not always get things right, so if something has gone wrong, we provide this system for Data Subjects to tell us about their data protection concerns. This Policy sets out our complaints process and helps Colleagues to identify when they need to refer issues about how the firm has handled Personal Data to the Data Protection Manager.

5. Definitions

In this Policy the following terms have the following meanings:

• “Complaint” means any written or oral expression of dissatisfaction conveyed directly to the firm (though we ask that it be made as set out in paragraph 6) concerning the way in which the firm has processed Personal Data, responded to a data subject rights request, or otherwise complied with our obligations under applicable Data Protection Laws.
• “Complainant” means the individual who raises a data protection complaint. This may be the Data Subject to whom the personal data relates, or a person authorised to act on behalf of the Data Subject (for example, a parent, guardian, legal representative or other individual with written authority). We may require reasonable evidence to verify the identity and authority of the Complainant before progressing the Complaint.
• “Colleagues” means employees, directors, agency staff, volunteers, interns, lawyers, partners, consultant solicitors and consultant paralegals working with Keystone.
• “Data Subject” means an identified or identifiable natural person to whom Personal Data relates. When making the Complaint themselves, the Data Subject is also the Complainant as defined.
• “Data Protection Manager” means the individual appointed by the firm with responsibility for overseeing data protection compliance, handling data protection complaints and acting as the primary contact for data protection matters.
• “Data Protection Laws” means the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the Data Use and Access Act 2025 and any other applicable legislation relating to the processing of personal data in the UK from time to time in force.
• “Personal Data” has the meaning in Article 4 UK GDPR.

6. Making a complaint

We ask that Complainants make their complaint using our Data Protection Complaints Form, which can be accessed HERE. 

If emailing us, please mark it for the attention of the Data Protection Manager and send it to enquiries@keystonelaw.co.uk.

If writing to us by post, please mark it for the attention of the Data Protection Manager and send it to Keystone Law Limited, 48 Chancery lane, London, WC2A 1JF.

You can complain to us by contacting us in other ways if you wish.

If a complaint is inadequately particularised, then we may request more information and may suggest that it is provided by way of the Data Protection Complaints Form. We may act reasonably in awaiting further information before processing a complaint, may determine that a complaint cannot be processed for lack of information and may process the Complaint as submitted and without requesting further information, at our discretion.

7. Verifying the complainant’s identity

We will take reasonable steps to verify the identity of the person making the Complaint. This may involve requesting further information or documentation from them. If the Complaint is made on behalf of someone else, we may also need to check that the person making the Complaint is properly authorised to do so.

If, having requested additional information, we are not in a position to identify the person making the Complaint and are not satisfied they have proper authority to make the Complaint, the firm may refuse to deal with it.

Once we are satisfied that we can deal with the Complaint, we will issue an acknowledgement and we will aim to do so within fourteen (14) working days.

8. Outcome

We will contact the Complainant at the end of our process and inform them of the outcome. Where possible, we will try to offer a solution to resolve their Complaint.

We usually aim to do this within 30 days of the date of receiving their Complaint. However, we may need to extend this sometimes.

We will tell the Complainant if we need more time to properly process their Complaint and will explain why.

9. Refusing to deal with a complaint or engaging in further correspondence

We may refuse to process a Complaint where:

• After requesting additional information, we still cannot identify the Complainant and/or verify that they are authorised to make the Complaint.
• We need more information in relation to the Complaint itself, and despite our requests it has not been provided within a reasonable time; or
• We are unable to validate a Complaint.
• Where we have investigated and responded to a Complaint, and a Complainant continues to correspond with us in about the same or substantially the same matter, we may decide that it is no longer reasonable or proportionate to continue reviewing or responding to further correspondence about that matter. We may then apply restricted communications measures, which may include blocking or filtering emails, requiring correspondence to be sent only by a specified method, limiting the format or length of permitted correspondence, returning or deleting non-compliant correspondence, or logging correspondence without reading it in full, investigating it or responding further.
• Before applying such a restriction, we will usually have provided a substantive response or final outcome and, where appropriate, a warning that further repetitive correspondence may not be considered. Once a restriction is in place, we will not be required to review further correspondence. We may review or lift the restriction if we consider there is a good reason to do so.
• The absence of any acknowledgement, review or substantive response to further correspondence should not be understood as acceptance of, or agreement with, any allegation or assertion made by the Complainant, nor as a waiver of any rights, remedies, privileges, duties of confidentiality, exemptions or restrictions on which we may rely.

10. Right of complainant to refer to the ICO/seek a judicial remedy

In responding to the Complaint, we will inform the Complainant that should they be unhappy with the outcome of their Complaint, they may complain to the Information Commissioner’s Office or that they may seek to take action in the courts.