Data privacy complaints policy
Purpose and overview
Chartered Accountants Ireland (“the Institute”) is committed to protecting the privacy and personal data of all individuals whose information the Institute processes. The Institute take all concerns about data privacy seriously and encourages anyone who believes their personal data has been mishandled to raise a complaint. This policy (published on our website) outlines:
- How a data subject can submit a data privacy complaint
- How the Institute will investigate the data subject’s concerns
- The steps the Institute will take to resolve any issues in line with Institute obligations under data protection laws and regulations.
If you have any queries or wish to submit a complaint, please contact:
our Data Privacy Manager at privacy@charteredaccountants.ie
The Institute acts as the Data Controller. The Institute’s registered address is Chartered Accountants House, 47-49 Pearse Street, Dublin 2, D02 YN40.
Definitions
| Reference |
Definition |
| Complaint |
Complaint is any expression of dissatisfaction regarding the processing of personal data. |
| Complainant |
Complainant is the individual (data subject) making the complaint. |
| Data |
Data is information, which is stored electronically on a computer or in certain paper-based filing systems. |
| Data Controllers |
Data Controllers are the people or organisations who determine the purposes for which, and the manner in which any personal data is processed. They are responsible for establishing practices and policies in line with relevant laws and regulations. The Institute is the data controller of all personal data used in our business for our own commercial purposes. |
| Data Processors |
Data Processors include any person or organisation that processes personal data on our behalf and on our instructions. Employees of data controllers are excluded from this definition, but it could include suppliers which handle personal data on the Institute’s behalf. |
| Data Protection Commission (DPC) |
DPC is the independent supervisory authority in Ireland responsible for upholding the fundamental right of individuals to have their personal data protected. The DPC enforces compliance with the General Data Protection Regulation (GDPR) and the Irish Data Protection Act 2018, investigates complaints, and can impose fines or corrective measures for breaches. |
| Data subjects |
Data subjects include all living individuals about whom we hold personal data. All data subjects have legal rights in relation to their personal information. |
| Information Commissioner’s Office (ICO) |
ICO is the UK’s independent authority set up to uphold information rights and enforce data protection laws, including the UK GDPR and the Data Protection Act 2018. The ICO handles complaints, provides guidance, and can impose fines for non-compliance with data protection regulations. |
| Personal Data |
Personal data is data relating to a living individual who can be identified from the data in conjunction with other information that is in or is likely to come into the Institute’s possession. Examples of Personal Data include name, address, date of birth, telephone number, email address, membership number, and so on. |
Scope
This policy applies to:
- All staff, contractors, and third parties who process personal data on behalf of the Institute.
- Complaints relating to the handling of personal data under:
- General Data Protection Regulation (GDPR)
- Irish Data Protection Act 2018
- UK Data Protection Act 2018 (including the UK GDPR and the Data Use and Access Act (“DUAA”) 2025).
For Northern Ireland (NI) and the UK, the DUAA introduced a requirement that data subjects must first raise their complaint with the data controller (i.e. the Institute) before escalating it to the Information Commissioner’s Office.
Policy statement
The Institute is committed to protecting the privacy rights of individuals and ensuring that all personal data is processed lawfully, fairly, and transparently. The Institute takes all complaints about data privacy seriously and aims to resolve them promptly, fairly, and in accordance with applicable laws.
Complaints handling procedure
Step 1: Complaint is received
The complainant can complete the complaint form to lodge their complaint, or submit a complaint by letter or email to privacy@charteredaccountants.ie.
Once the complaint is received, the Institute will acknowledge the complaint in writing within five working days, confirming receipt and outlining the next steps and expected timelines.
Step 2: Acknowledge receipt
Once the complaint is received, the Institute will acknowledge the complaint in writing within five working days, confirming receipt and outlining the next steps and expected timelines.
Please see more information in relation to categories of personal data in scope, purposes and legal bases of processing in Step 3 below.
Step 3: Record the complaint in the internal Data Privacy Complaint register
The complaint will be logged in the Institute’s internal data privacy complaint register including:
- Complaint reference number
- Date of the complaint
- Complainant’s details
- Description of the complaint
- Outcome of the complaint.
The register will be updated throughout the complaint process.
Step 4: Investigate the complaint
- The Institute will gather all relevant information and facts.
- If necessary, the Institute will request further details from the complainant.
- Assess the complaint thoroughly, fairly, and impartially.
Step 5: Provide updates
If the investigation takes time, the Institute will provide regular updates to the complainant on progress.
Step 6: Respond to the complaint
- Communicate the outcome clearly, explaining any actions taken or decisions made.
- Aim to conclude the investigation and provide a final response within 30 days of receiving the complaint. If more time is needed, inform the complainant of the reasons for the delay and provide an updated timeline.
- Advise the complainant of their right to escalate the complaint to the relevant supervisory authority (DPC in Ireland and the ICO in the UK and NI) if unsatisfied and provide contact details as per section 7.
Step 7: Review and learn
After resolving the complaint, review the process to identify any improvements or changes needed to prevent recurrence.
Confidentiality and data protection
All complaints will be handled confidentially. Personal data processed during the complaints process will be managed in accordance with the relevant data protection laws and regulations outlined under 'Scope'.
Escalation
If the complainant is dissatisfied with the outcome, the complainant may escalate the complaint to the relevant supervisory authority, details are below:
Republic of Ireland:
Data Protection Commission,
6 Pembroke Row,
Dublin 2,
D02 X963
Website: dataprotection.ie
UK and Northern Ireland:
Information Commissioner’s Office,
10th Floor Causeway Tower,
9 James Street South,
Belfast,
BT2 8DN
Website: ico.org.uk
Policy review
This policy will be reviewed annually or following significant changes in legislation or organisational practice.
LOADING...