Personal data and handling complaints about us

This page explains how and why we use personal data when investigating a complaint someone has made about us.

Part 6 of the Financial Services Act 2012 requires us to maintain a complaints scheme for the investigation of complaints arising in connection with the exercise of, or failure to exercise, any of our relevant functions. In considering and investigating any complaints we receive, it is often necessary for us to process information about individuals related to the complaint.

The personal data we use

Although we work hard to minimise the personal data that we collect for this purpose, in order to properly undertake our complaints handling work we are often required to collect a wide range of varied information in order to consider and investigate a complaint. The types of personal data that we mainly use as part of our complaint handling work include names, contact details, personal opinions and allegations. Although we do not explicitly ask for any special categories of personal data in our complaints form, it is possible that such information may be included in the details of the complaint by the complainant.

How this personal data is collected

There are several ways in which a person can contact us if they wish to make a complaint:

  • by completing an online complaints form
  • by sending a complaints form or letter to us by post
  • by emailing us at [email protected]
  • by calling our Complaints Helpline

When investigating a complaint we may use personal data already held by the FCA to ensure that we have fully understood and addressed the complaint.

Why we use this personal data

We use this personal data to ensure that any complaints we receive about the way we have carried out, or failed to carry out, our role under the Financial Services Act 2012 are properly and fully investigated and considered. We also use this personal data to help improve the services we offer, fixing any problems and improving the ways in which we carry out our statutory functions.

The lawful basis for us using this personal data

We use this personal data under Article 6(1)(e) of the GDPR (it is necessary for the performance of a task carried out in the public interest) and Section 8(c) of the DPA 2018. We do not usually explicitly ask for any special categories of data from people making complaints to us but, depending on the nature of the complaint and the information the complainant chooses to give us, it is very possible that some special categories of personal data may be included. To the extent that we use any special categories of data as part of our complaints handling work, we do so under Article 9(2)(g) (it is necessary for reasons of substantial public interest) and Section 10(3) of the DPA 2018, in that it meets a condition in Part 2 of Schedule 1 of the DPA 2018 and we have an appropriate policy document covering this processing activity.

When we share personal data as part of our complaints handling work

Where it is appropriate to do so, we routinely share personal data relating to specific complaints with the Office of the Complaints Commissioner (Complaints Commissioner) under express powers contained within the Complaints Scheme in the Financial Services Act 2012. We use a third-party application to allow us to securely transfer any such information to the Complaints Commissioner in this way.

Given our role as a regulator, where necessary we also share personal data with other regulators, public authorities and law enforcement agencies both inside and outside the UK. In some circumstances, where appropriate, we choose to share this information and, in others, we are obliged for legal reasons to share the information.

When this personal data is transferred outside the EU

As mentioned above, given our role as a regulator we do occasionally share personal data with other regulators, public authorities and law enforcement agencies outside the EU. Before we transfer personal data outside the EU, we have robust processes to ensure that appropriate safeguards are put in place to protect any personal data included in such a transfer. If you would like to obtain more details about the safeguards that we have in place with regard to any personal data about you that we may transfer to a particular non-EU country, please contact us.

Learn about your rights

Under the GDPR, individuals have a number of rights relating to their personal data. Read more about your rights and how to exercise them.