Privacy Complaint Handling Process

Formal procedures for receiving, investigating, and resolving privacy complaints at Maelstrom AI

Public

Purpose

This document establishes formal procedures for receiving, investigating, and resolving privacy-related complaints from data subjects, designed to support compliance with GDPR Article 57, ISO 27701, and other privacy regulations.

Scope

This process applies to all privacy complaints related to:

  • Personal data processing activities
  • Exercise of privacy rights (access, rectification, erasure, etc.)
  • Data Subject Access Requests (DSAR) delays or refusals
  • Privacy policy concerns and transparency issues
  • Consent management and opt-out mechanisms
  • Third-party data sharing concerns
  • Data security and breach notifications
  • Children’s privacy protections

Privacy Rights Reference

Before filing a complaint, data subjects should understand their privacy rights:

Right to Access (GDPR Art. 15)

You have the right to obtain confirmation of whether we process your personal data and receive a copy of that data. Submit requests via our DSAR process.

Right to Rectification (GDPR Art. 16)

You have the right to correct inaccurate or incomplete personal data we hold about you.

Right to Erasure (GDPR Art. 17)

You have the right to request deletion of your personal data under certain circumstances (e.g., data no longer necessary, consent withdrawn).

Right to Restrict Processing (GDPR Art. 18)

You have the right to request restriction of processing in specific situations (e.g., while accuracy is verified).

Right to Data Portability (GDPR Art. 20)

You have the right to receive your personal data in a structured, commonly used format and transmit it to another controller.

Right to Object (GDPR Art. 21)

You have the right to object to processing based on legitimate interests or for direct marketing purposes.

Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority if you believe your privacy rights have been violated.


Complaint Channels

Primary Channels

Email

privacy@maelstrom.au

Dedicated privacy complaint email monitored by Privacy Officer. Include “PRIVACY COMPLAINT” in subject line for priority routing.

DSAR Requests

privacy@maelstrom.au

Email-based DSAR process. Include “DSAR” in subject line for priority routing and 30-day (GDPR) or 45-day (CCPA) response.

General Support

support@provii.app

General support channel will route privacy complaints to privacy@maelstrom.au within 24 hours.

Postal Mail

Maelstrom AI Pty Ltd ATF Maelstrom AI Holding Trust
Attn: Privacy Complaints
PO Box 169, St Arnaud VIC 3478, Australia

For formal written complaints (GDPR/UK GDPR compliance).

Escalation to Supervisory Authorities

If your complaint is not resolved satisfactorily, you have the right to lodge a complaint with a supervisory authority:

Information Commissioner’s Office (ICO)

  1. Website. https://ico.org.uk/make-a-complaint/
  2. Phone. 0303 123 1113
  3. Address. Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

When to contact: If you are located in the UK or your complaint relates to UK data processing.

European Data Protection Authorities

Find your local DPA: https://edpb.europa.eu/about-edpb/about-edpb/members_en

Key DPAs:

  • Ireland (DPC). https://dataprotection.ie/
  • Germany (BfDI). https://www.bfdi.bund.de/
  • France (CNIL). https://www.cnil.fr/

When to contact: If you are located in the EU/EEA or your complaint relates to EU data processing.

California Attorney General - Privacy Enforcement

  1. Website. https://oag.ca.gov/privacy/ccpa
  2. Privacy Complaint Form. https://oag.ca.gov/contact/consumer-complaint-against-business-or-company
  3. Phone. (916) 210-6276

When to contact: If you are a California resident and your complaint relates to CCPA/CPRA rights.

Other Supervisory Authorities

  1. Australia (OAIC). https://www.oaic.gov.au/privacy/privacy-complaints
  2. Canada (OPC). https://www.priv.gc.ca/en/report-a-concern/
  3. New Zealand (Privacy Commissioner). https://www.privacy.org.nz/your-rights/making-a-complaint/

Contact the data protection authority in your jurisdiction if not listed above.


Complaint Types & Classification

We categorise complaints to ensure appropriate handling and tracking:

Type 1: Privacy Rights Violations

Examples:

  • DSAR request ignored or delayed beyond 30 days
  • Request for erasure denied without valid reason
  • Right to object not honored
  • Data portability request rejected improperly

Typical Resolution: Review legal basis, re-evaluate decision, provide detailed explanation or honor request.

Type 2: Data Processing Concerns

Examples:

  • Unauthorised data sharing with third parties
  • Processing beyond stated purposes
  • Lack of valid legal basis
  • Retention beyond necessary period

Typical Resolution: Investigate processing activity, review ROPA, cease unauthorised processing, update privacy notices.

Type 3: Transparency Issues

Examples:

  • Privacy policy unclear or incomplete
  • Lack of information about data processing
  • Cookie consent issues
  • Missing information about data recipients

Typical Resolution: Update privacy policy, provide clear explanations, implement transparency measures.

Type 4: Security Concerns

Examples:

  • Suspected data breach
  • Inadequate security measures
  • Unauthorised access to personal data
  • Lost or stolen data

Typical Resolution: Escalate to incident response procedure, investigate security measures, notify if breach confirmed. See Incident Response.

Type 5: DSAR Process Issues

Examples:

  • Excessive delays in response
  • Incomplete information provided
  • Unreasonable fees charged
  • Identity verification too burdensome

Typical Resolution: Expedite DSAR processing, provide missing information, waive unreasonable fees, simplify verification.

Type 6: Children’s Privacy

Examples:

  • Age verification concerns
  • Parental consent issues
  • Inappropriate data collection from minors
  • Lack of child-friendly privacy information

Typical Resolution: Review age verification processes, enhance parental controls, update child-friendly notices. See UK Children’s Code compliance.


Handling Procedures

Phase 1: Receipt & Acknowledgment (Day 0-2)

Receive Complaint

Complaint received via any channel (email, web form, postal, support).

Who: Privacy Officer (privacy@maelstrom.au monitor)

Actions:

  • Log complaint in tracking system (see Tracking below)
  • Assign unique complaint ID (format: PC-YYYY-NNN, e.g., PC-2025-001)
  • Determine complaint type and severity
  • Identify complainant and contact information

Acknowledge Receipt

Send acknowledgment to complainant within 48 hours.

Who: Privacy Officer

Actions:

  • Use acknowledgment email template (see Templates below)
  • Confirm receipt and provide complaint ID
  • Set expectations for investigation timeline
  • Provide contact information for follow-up
  • Include information about supervisory authority rights

Target: 48 hours maximum (best effort)

Initial Classification

Classify complaint by type and determine if escalation is immediately required.

Who: Privacy Officer

Immediate Escalation Triggers:

  • Suspected data breach (→ Incident Response)
  • Legal threat or litigation mentioned
  • Multiple similar complaints (pattern)
  • Supervisory authority inquiry
  • Minor’s data involved (< 13 years old)

Phase 2: Investigation (Day 2-14)

Gather Information

Collect all relevant information about the complaint.

Who: Privacy Officer + relevant team members

Information to Gather:

  • ROPA entry for relevant processing activity
  • Privacy policy and notices provided to complainant
  • System logs related to the complaint
  • Previous communications with complainant
  • Legal basis for processing (if disputed)
  • Consent records (if applicable)
  • DSAR history (if relevant)

Assess Validity

Determine if the complaint is valid and what action is required.

Who: Privacy Officer (consult ISMS Owner if needed)

Assessment Questions:

  • Is the complaint factually accurate?
  • Is there a privacy rights violation?
  • What is the legal basis for current processing?
  • Can we reasonably accommodate the request?
  • Are there competing legal obligations (e.g., retention requirements)?
  • Is external legal advice needed?

Determine Resolution

Decide on the appropriate resolution and document the reasoning.

Who: Privacy Officer (escalate to ISMS Owner for complex cases)

Resolution Options:

  • Uphold & Remedy. Complaint is valid → take corrective action
  • Uphold & Explain. Complaint is valid → explain why processing continues (e.g., legal obligation)
  • Partially Uphold. Some concerns valid → address those specific issues
  • Not Upheld. Complaint not valid → provide detailed explanation
  • Requires Legal Review. Complex → engage external legal counsel

Prepare Response

Draft response to complainant.

Who: Privacy Officer

Response Must Include:

  • Clear explanation of findings
  • Reasoning for decision (with legal references if applicable)
  • Actions taken or to be taken
  • Timeline for implementation (if applicable)
  • Right to escalate to supervisory authority
  • Contact information for further questions

Phase 3: Resolution & Communication (Day 14-30)

Implement Corrective Actions

If complaint is upheld, implement required changes.

Who: Responsible team member (assigned by Privacy Officer)

Possible Actions:

  • Process DSAR request
  • Erase or rectify personal data
  • Cease specific processing activity
  • Update privacy policy or notices
  • Implement technical measures (e.g., opt-out mechanism)
  • Update ROPA
  • Provide missing information

Send Resolution Notification

Communicate resolution to complainant within 30 days of receipt.

Who: Privacy Officer

Actions:

  • Use resolution notification template (see Templates)
  • Explain decision and actions taken
  • Provide evidence of compliance (if applicable)
  • Inform about right to lodge supervisory authority complaint
  • Request confirmation of satisfaction

Target: 30 days maximum (aligned with DSAR timeline, best effort)

Request Feedback

Ask complainant if they are satisfied with the resolution.

Who: Privacy Officer

Actions:

  • Send follow-up email 7 days after resolution
  • Ask for confirmation of satisfaction
  • Provide additional assistance if needed
  • Document feedback in complaint record

Phase 4: Closure & Review (Day 30+)

Close Complaint

Close the complaint in tracking system once resolved.

Who: Privacy Officer

Closure Criteria:

  • Resolution implemented and communicated
  • Complainant confirms satisfaction (or 14 days have passed with no response)
  • All documentation complete
  • Lessons learned documented

Post-Incident Review

For significant complaints, conduct a review to prevent recurrence.

Who: Privacy Officer + ISMS Owner

Review Questions:

  • What was the root cause?
  • Could this have been prevented?
  • Do policies or procedures need updating?
  • Are there systemic issues to address?
  • What improvements should we make?

Update Documentation

Update relevant policies, procedures, or systems based on lessons learned.

Who: Privacy Officer

Possible Updates:

  • Privacy policy clarifications
  • DSAR process improvements
  • Training materials for team
  • Technical controls
  • ROPA updates

Response Targets

| Milestone | Target | Notes |
|---|---|---|
| Acknowledgment | 48 hours | Confirm receipt and provide complaint ID |
| Initial Assessment | 5 business days | Classify and determine investigation approach |
| Resolution Notification | 30 calendar days | Aligned with GDPR DSAR timeline (Art. 12.3) |
| Extension Notice | 30 days (before expiry) | If complex, notify of 60-day extension with reasons |
| Final Response | 60 days (maximum) | Only for highly complex cases with extension |

Extensions

We may extend the resolution timeline by an additional 30 days (total 60 days) if:

  • Complaint is highly complex (e.g., involves multiple processing activities)
  • Requires external legal review
  • Involves coordination with third-party processors
  • Large volume of data to review

Extension Procedure:

  1. Notify complainant within initial 30-day period
  2. Explain reasons for extension
  3. Provide new expected resolution date
  4. Offer interim updates every 14 days

Escalation Procedures

Internal Escalation

Level 1: Privacy Officer

Default Handler: All privacy complaints

Handles:

  • Standard privacy rights requests
  • Simple transparency issues
  • Routine DSAR complaints
  • Privacy policy questions

Level 2: ISMS Owner

Escalation Triggers:

  • Cannot resolve within 14 days
  • Legal complexity requires senior review
  • Systemic processing issues identified
  • Multiple related complaints
  • Potential regulatory implications

Authority: Final decision on complex privacy matters

Level 3: External Legal Counsel

Escalation Triggers:

  • Litigation threatened or initiated
  • Supervisory authority investigation
  • Novel legal questions
  • Cross-border data transfer disputes
  • High-risk processing decisions

Authority: Provides legal advice (decisions remain internal)

External Escalation (Supervisory Authority)

If a complaint cannot be resolved within 30 days (or 60 days with extension), we proactively inform the complainant of their right to escalate:

Complainant Rights:

  1. Right to lodge complaint with supervisory authority (GDPR Art. 77)
  2. Right to judicial remedy (GDPR Art. 79)
  3. Right to representation by non-profit organisations (GDPR Art. 80)

Our Obligations:

  • Provide supervisory authority contact information (see Escalation to Supervisory Authorities above)
  • Cooperate fully with supervisory authority investigations
  • Implement any remedial measures ordered by authority
  • Do not retaliate against complainants who escalate

Tracking & Monitoring

Complaint Register

We maintain a privacy complaint register to track all complaints and resolutions.

Required Information:

  • Complaint ID (PC-YYYY-NNN)
  • Date received
  • Complaint type (see Complaint Types)
  • Complainant contact information (stored securely)
  • Description of complaint
  • Investigation findings
  • Resolution and actions taken
  • Date resolved
  • Time to resolution (calendar days)
  • Escalation history
  • Supervisory authority involvement (if any)

Storage: Secure GitHub Issues repository (private) or Jira Service Management

Access: Privacy Officer, ISMS Owner (read/write); external auditors (read-only with redaction)

Retention: 3 years from resolution date (regulatory compliance requirement)

Tracking System Implementation

Option A: GitHub Issues

Repository: Private repo provii-privacy-complaints (restricted access)

Workflow:

  1. Create issue for each complaint with template
  2. Use labels for type and status:
     • type:rights-violation, type:data-processing, etc.
     • status:acknowledged, status:investigating, status:resolved
  3. Use milestones for quarterly reviews
  4. Close issue when resolved

Template:

**Complaint ID**: PC-YYYY-NNN
**Date Received**: YYYY-MM-DD
**Type**: [Select from complaint types]
**Channel**: [Email / Web / Postal / Support]

### Complainant Information
- Name: [Redacted in public view]
- Contact: [Encrypted or reference to secure storage]

### Complaint Details
[Description of complaint]

### Investigation
[Findings and evidence gathered]

### Resolution
[Actions taken and rationale]

### Timeline
- Received: YYYY-MM-DD
- Acknowledged: YYYY-MM-DD
- Resolved: YYYY-MM-DD
- Days to resolution: X

### Lessons Learned
[Process improvements identified]

Option B: Jira Service Management

Project: Privacy Complaints (PRIVCOMP)

Issue Type: Privacy Complaint

Custom Fields:

  • Complaint Type (dropdown)
  • Complaint Channel (dropdown)
  • SLA Timer (auto-calculated)
  • Escalation Level (Privacy Officer / ISMS Owner / Legal)
  • Supervisory Authority Involved (yes/no)
  • Resolution Type (dropdown)

Workflow:

  1. Received → Acknowledged → Investigating → Resolved → Closed
  2. Automatic SLA reminders at 24h, 7d, 28d
  3. Escalation triggers at 14 days if not resolved

Benefits:

  • Better SLA tracking and reporting
  • Integration with support ticketing
  • Advanced analytics and dashboards

Metrics & Reporting

We track and report the following metrics quarterly:

Key Metrics:

  • Volume. Total complaints received
  • Type Distribution. Breakdown by complaint type
  • Resolution Time. Average and median days to resolution
  • SLA Compliance. % resolved within 30 days
  • Escalation Rate. % escalated internally or externally
  • Upheld Rate. % of complaints found valid
  • Repeat Complaints. Complaints about same issue/process

Reporting:

  • Quarterly Report. Submitted to ISMS Owner and Management Review
  • Annual Summary. Included in privacy audit and ISO 27701 review
  • Trend Analysis. Identify systemic issues requiring policy changes

Sample Report Structure:

Q1 2026 Privacy Complaint Report

Total Complaints: 5
├─ Type 1 (Rights Violations): 2 (40%)
├─ Type 2 (Data Processing): 1 (20%)
├─ Type 3 (Transparency): 1 (20%)
└─ Type 5 (DSAR Process): 1 (20%)

Resolution Metrics:
├─ Avg. Resolution Time: 18 days
├─ SLA Compliance: 100% (5/5 within 30 days)
├─ Upheld: 60% (3/5)
└─ Escalated to ISMS Owner: 20% (1/5)

Actions Taken:
├─ Privacy policy updated (PC-2025-003)
├─ DSAR process streamlined (PC-2025-005)
└─ Training conducted on transparency requirements

Recommendations:
- Improve privacy policy clarity on data sharing
- Implement automated DSAR acknowledgment
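The SLA clock from the Response Targets, Extensions and Jira workflow sections (48-hour acknowledgment, 30-day resolution, one 30-day extension to 60 days, reminders at 24h/7d/28d, escalation to the ISMS Owner at 14 days) and the quarterly metrics listed under Metrics & Reporting, worked through as an added Python example. This is illustrative code written for this page, not Maelstrom AI's tracking tooling: the `Complaint` dataclass, its field names, the function names and the five-complaint register (constructed to reproduce the figures in the sample report above) are all assumptions.

```python
"""SLA checks and quarterly metrics for a privacy complaint register.

Added example, not Maelstrom AI's tooling. Timelines are the targets the
process states; data model and function names are assumptions.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, median
from typing import Optional

COMPLAINT_ID_RE = re.compile(r"PC-\d{4}-\d{3}")   # PC-YYYY-NNN
ACK_TARGET = timedelta(hours=48)
RESOLUTION_TARGET = timedelta(days=30)
EXTENSION = timedelta(days=30)                      # 60 days total with extension
ESCALATION_AGE = timedelta(days=14)                 # escalate to ISMS Owner
REMINDERS = (timedelta(hours=24), timedelta(days=7), timedelta(days=28))


@dataclass
class Complaint:
    complaint_id: str
    complaint_type: int                 # 1..6 as in "Complaint Types & Classification"
    received: datetime
    acknowledged: Optional[datetime] = None
    resolved: Optional[datetime] = None
    upheld: Optional[bool] = None       # unknown until a resolution is reached
    extended: bool = False              # extension notice sent within initial 30 days
    escalation_level: str = "Privacy Officer"

    def __post_init__(self):
        if not COMPLAINT_ID_RE.fullmatch(self.complaint_id):
            raise ValueError(f"complaint ID must be PC-YYYY-NNN: {self.complaint_id}")

    def resolution_deadline(self) -> datetime:
        return self.received + RESOLUTION_TARGET + (EXTENSION if self.extended else timedelta())

    def days_to_resolution(self) -> Optional[int]:
        return None if self.resolved is None else (self.resolved - self.received).days


def sla_status(c: Complaint, now: datetime) -> dict:
    """Checks a daily job would run on an open complaint: overdue acknowledgment,
    reminders that have come due, escalation, and whether an extension can still be sent."""
    age = now - c.received
    is_open = c.resolved is None
    return {
        "ack_overdue": c.acknowledged is None and age > ACK_TARGET,
        "reminders_due": [r for r in REMINDERS if is_open and age >= r],
        "escalate_to_isms_owner": is_open and age >= ESCALATION_AGE
                                  and c.escalation_level == "Privacy Officer",
        "resolution_overdue": is_open and now > c.resolution_deadline(),
        "extension_still_possible": is_open and not c.extended
                                    and now <= c.received + RESOLUTION_TARGET,
    }


def quarterly_metrics(register: list) -> dict:
    """The key metrics under 'Metrics & Reporting'; percentages rounded to whole numbers."""
    n = len(register)
    resolved = [c for c in register if c.resolved is not None]
    days = [c.days_to_resolution() for c in resolved]
    by_type: dict = {}
    for c in register:
        by_type[c.complaint_type] = by_type.get(c.complaint_type, 0) + 1
    pct = lambda part, whole: round(100 * part / whole) if whole else None
    return {
        "volume": n,
        "type_distribution": {t: (k, pct(k, n)) for t, k in sorted(by_type.items())},
        "avg_resolution_days": mean(days) if days else None,
        "median_resolution_days": median(days) if days else None,
        "sla_compliance_pct": pct(sum(d <= 30 for d in days), len(days)),
        "upheld_pct": pct(sum(bool(c.upheld) for c in resolved), len(resolved)),
        "escalation_rate_pct": pct(sum(c.escalation_level != "Privacy Officer" for c in register), n),
    }


def sample_register() -> list:
    """Constructed Q1 data mirroring the sample report: 5 complaints (types 1,1,2,3,5),
    3 upheld, 1 escalated, resolution times averaging 18 days, all within 30 days."""
    def make(cid, ctype, day, days_to_resolve, upheld, level="Privacy Officer"):
        received = datetime(2026, 1, day, 9, 0)
        return Complaint(cid, ctype, received, acknowledged=received + timedelta(hours=20),
                         resolved=received + timedelta(days=days_to_resolve),
                         upheld=upheld, escalation_level=level)
    return [make("PC-2026-001", 1, 5, 10, True),
            make("PC-2026-002", 1, 8, 14, False),
            make("PC-2026-003", 2, 12, 18, True, "ISMS Owner"),
            make("PC-2026-004", 3, 15, 22, True),
            make("PC-2026-005", 5, 20, 26, False)]


def open_complaint_check() -> dict:
    """Constructed open complaint, unacknowledged and 15 days old: the daily job should
    flag the missed acknowledgment, two due reminders and the 14-day escalation."""
    stale = Complaint("PC-2026-006", 4, datetime(2026, 3, 1, 9, 0))
    return sla_status(stale, datetime(2026, 3, 16, 9, 0))


if __name__ == "__main__":
    print(quarterly_metrics(sample_register()))
    print(open_complaint_check())
```

The register is deliberately kept as plain data so the same functions can be fed from exported GitHub issue fields or Jira custom fields; the only validation performed is the PC-YYYY-NNN identifier format, so a complaint with the wrong ID shape fails at construction rather than silently skewing the quarterly percentages.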

Templates

Template 1: Acknowledgment Email

<CodeGroup>

Subject: Privacy Complaint Acknowledgment - Ref: [COMPLAINT-ID]

Dear [Complainant Name],

Thank you for contacting Maelstrom AI regarding your privacy concern. We take all privacy matters seriously and are committed to addressing your complaint promptly and thoroughly.

**Your Complaint Reference**: [COMPLAINT-ID]
**Date Received**: [DATE]
**Complaint Summary**: [BRIEF SUMMARY]

We are currently reviewing your complaint and will investigate the matter in accordance with our privacy complaint handling procedures. You can expect:

1. **Initial Assessment**: Within 5 business days, we will assess your complaint and confirm our investigation approach.

2. **Resolution Notification**: Within 30 calendar days of receiving your complaint, we will provide you with a detailed response outlining our findings and any actions taken.

3. **Updates**: If your complaint is complex and requires additional time, we will notify you within the initial 30-day period and provide an updated timeline (maximum 60 days total).

**Your Rights**:
- You have the right to lodge a complaint with a supervisory authority if you are not satisfied with our handling of your complaint. See below for contact information.
- You may also seek a judicial remedy if you believe your privacy rights have been violated.

**Contact Information**:
If you have any questions or wish to provide additional information, please reply to this email quoting your complaint reference [COMPLAINT-ID], or contact:

- **Email**: privacy@maelstrom.au
- **Reference**: [COMPLAINT-ID]

**Supervisory Authorities**:
You may contact the relevant supervisory authority at any time:
- **UK (ICO)**: https://ico.org.uk/make-a-complaint/ | 0303 123 1113
- **EU/EEA (Local DPA)**: https://edpb.europa.eu/about-edpb/about-edpb/members_en
- **California (AG)**: https://oag.ca.gov/privacy/ccpa

We appreciate your patience as we work to resolve this matter.

Best regards,

[Privacy Officer Name]
Privacy Officer
Maelstrom AI Pty Ltd ATF Maelstrom AI Holding Trust

Email: privacy@maelstrom.au
Reference: [COMPLAINT-ID]

</CodeGroup>

Template 2: Resolution Notification (Complaint Upheld)

<CodeGroup>

Subject: Privacy Complaint Resolution - Ref: [COMPLAINT-ID] - Action Taken

Dear [Complainant Name],

Thank you for bringing your privacy concern to our attention. We have completed our investigation into your complaint (Reference: [COMPLAINT-ID]) and are writing to inform you of our findings and the actions we have taken.

**Complaint Summary**: [BRIEF SUMMARY OF COMPLAINT]

**Our Findings**:
After thorough investigation, we have determined that your complaint is valid. [DETAILED EXPLANATION OF FINDINGS - e.g., "We found that your Data Subject Access Request submitted on [DATE] was not processed within the required 30-day timeframe as mandated by GDPR Article 15."]

**Actions Taken**:
We have taken the following actions to remedy this matter:

1. [ACTION 1 - e.g., "Processed your DSAR request and provided the requested information (attached/sent separately)"]
2. [ACTION 2 - e.g., "Reviewed our DSAR procedures to prevent similar delays in the future"]
3. [ACTION 3 - e.g., "Implemented automated acknowledgment system to improve response times"]

**Timeline**: [If applicable - e.g., "All actions have been completed as of [DATE]" or "The system improvements will be implemented by [DATE]"]

**Additional Information**: [Any relevant context or explanation]

**Your Rights**:
We hope this resolution addresses your concerns. However, if you remain unsatisfied with our response, you have the right to:

1. **Lodge a complaint with a supervisory authority**:
   - **UK (ICO)**: https://ico.org.uk/make-a-complaint/ | 0303 123 1113
   - **EU/EEA (Local DPA)**: https://edpb.europa.eu/about-edpb/about-edpb/members_en
   - **California (AG)**: https://oag.ca.gov/privacy/ccpa

2. **Seek a judicial remedy**: You may also pursue legal action if you believe your privacy rights have been violated.

**Feedback Request**:
We value your feedback. Please let us know if this resolution addresses your concerns by replying to this email. If you have any further questions, we are here to help.

Thank you for helping us improve our privacy practices.

Best regards,

[Privacy Officer Name]
Privacy Officer
Maelstrom AI Pty Ltd ATF Maelstrom AI Holding Trust

Email: privacy@maelstrom.au
Reference: [COMPLAINT-ID]

</CodeGroup>

Template 3: Resolution Notification (Complaint Not Upheld)

<CodeGroup>

Subject: Privacy Complaint Resolution - Ref: [COMPLAINT-ID] - Explanation Provided

Dear [Complainant Name],

Thank you for contacting us with your privacy concern. We have completed our investigation into your complaint (Reference: [COMPLAINT-ID]) and are writing to inform you of our findings.

**Complaint Summary**: [BRIEF SUMMARY OF COMPLAINT]

**Our Findings**:
After careful investigation, we have determined that [EXPLANATION - e.g., "our processing of your personal data complies with applicable privacy laws and our stated privacy policy."]

**Detailed Explanation**:
[PROVIDE DETAILED REASONING WITH LEGAL REFERENCES]

For example:
- **Legal Basis**: [e.g., "We process your email address based on our legitimate interest in providing customer support (GDPR Article 6(1)(f)). This interest is not overridden by your rights, as the processing is minimal and you can opt out at any time."]

- **Privacy Policy Transparency**: [e.g., "Our privacy policy (available at provii.app/privacy) clearly states in Section 3.2 that we share limited data with our cloud infrastructure provider (Cloudflare) for service delivery. This was disclosed at the time of data collection."]

- **Retention Period**: [e.g., "We retain transaction logs for 90 days in line with our ISMS structure (aligned to ISO 27001); critical security event logs are retained for up to 365 days. This retention period is stated in our privacy policy Section 5 and is necessary for our legitimate security interests."]

**Why We Cannot Grant Your Request**:
[If applicable - e.g., "We cannot erase your account data at this time because we are legally required to retain it for [REASON - e.g., 'tax compliance purposes for 7 years' or 'to defend against potential legal claims for the statute of limitations period']."]

**Alternative Options**:
[If applicable - e.g., "While we cannot delete your data, we can restrict processing to storage-only mode, meaning it will not be used for any other purpose until the retention period expires."]

**Your Rights**:
We understand you may not agree with this decision. You have the following rights:

1. **Request Further Clarification**: If any part of this explanation is unclear, please contact us for additional information.

2. **Lodge a Complaint with a Supervisory Authority**: You have the right to lodge a complaint with the relevant data protection authority if you believe our processing violates privacy laws:
   - **UK (ICO)**: https://ico.org.uk/make-a-complaint/ | 0303 123 1113
   - **EU/EEA (Local DPA)**: https://edpb.europa.eu/about-edpb/about-edpb/members_en
   - **California (AG)**: https://oag.ca.gov/privacy/ccpa

3. **Seek a Judicial Remedy**: You may also pursue legal action if you believe your privacy rights have been violated.

**Contact Us**:
If you have additional information that may affect this decision or wish to discuss further, please contact us at privacy@maelstrom.au quoting reference [COMPLAINT-ID].

We appreciate your understanding and remain committed to protecting your privacy.

Best regards,

[Privacy Officer Name]
Privacy Officer
Maelstrom AI Pty Ltd ATF Maelstrom AI Holding Trust

Email: privacy@maelstrom.au
Reference: [COMPLAINT-ID]

</CodeGroup>

Template 4: Extension Notification

<CodeGroup>

Subject: Privacy Complaint Update - Ref: [COMPLAINT-ID] - Additional Time Required

Dear [Complainant Name],

We are writing to update you on the status of your privacy complaint (Reference: [COMPLAINT-ID]).

**Current Status**: Your complaint is currently under investigation. Due to the complexity of the matter, we require additional time to conduct a thorough review and provide you with a complete response.

**Reason for Extension**: [DETAILED EXPLANATION - e.g., "Your complaint involves multiple data processing activities across different systems, and we need to coordinate with our third-party data processor to gather all relevant information."]

**New Timeline**:
- **Original Response Deadline**: [ORIGINAL DATE - 30 days from receipt]
- **Extended Response Deadline**: [NEW DATE - up to 60 days from receipt]
- **Next Update**: We will provide you with an interim update by [DATE - typically 14 days]

This extension is permitted under GDPR Article 12(3) for complex requests.

**Progress to Date**:
[BRIEF SUMMARY OF INVESTIGATION STEPS TAKEN - e.g., "We have reviewed your DSAR history, examined our data processing records, and identified the systems that require detailed analysis."]

**Your Rights**:
Please be assured that we are working diligently to resolve your complaint. However, if you are dissatisfied with this timeline, you have the right to:

1. **Lodge a complaint with a supervisory authority**:
   - **UK (ICO)**: https://ico.org.uk/make-a-complaint/ | 0303 123 1113
   - **EU/EEA (Local DPA)**: https://edpb.europa.eu/about-edpb/about-edpb/members_en
   - **California (AG)**: https://oag.ca.gov/privacy/ccpa

2. **Contact us for clarification**: If you have questions about this extension, please reach out.

We apologise for the delay and appreciate your patience.

Best regards,

[Privacy Officer Name]
Privacy Officer
Maelstrom AI Pty Ltd ATF Maelstrom AI Holding Trust

Email: privacy@maelstrom.au
Reference: [COMPLAINT-ID]

</CodeGroup>

Template 5: Supervisory Authority Escalation Guide (for Complainant)

This information is included in resolution emails but can also be provided as a standalone guide.

<CodeGroup>

# How to Lodge a Complaint with a Supervisory Authority

If you are not satisfied with Maelstrom AI's handling of your privacy complaint, you have the right to lodge a complaint with a supervisory data protection authority.

## Step 1: Determine the Appropriate Authority

The supervisory authority you should contact depends on your location:

### United Kingdom
- **Authority**: Information Commissioner's Office (ICO)
- **Online Complaint**: https://ico.org.uk/make-a-complaint/
- **Phone**: 0303 123 1113
- **Post**: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

### European Union / EEA
- **Find Your Local DPA**: https://edpb.europa.eu/about-edpb/about-edpb/members_en
- **Common DPAs**:
  - Ireland (DPC): https://dataprotection.ie/
  - Germany (BfDI): https://www.bfdi.bund.de/
  - France (CNIL): https://www.cnil.fr/

### United States (California)
- **Authority**: California Attorney General - Privacy Enforcement
- **Online Complaint**: https://oag.ca.gov/contact/consumer-complaint-against-business-or-company
- **Phone**: (916) 210-6276

### Other Jurisdictions
- **Australia**: Office of the Australian Information Commissioner (OAIC) - https://www.oaic.gov.au/privacy/privacy-complaints
- **Canada**: Office of the Privacy Commissioner of Canada (OPC) - https://www.priv.gc.ca/en/report-a-concern/

## Step 2: Prepare Your Complaint

Most supervisory authorities will ask for:

1. **Your personal information** (name, contact details, address)
2. **The organisation you're complaining about** (Maelstrom AI Pty Ltd ATF Maelstrom AI Holding Trust)
3. **Description of the issue** (what happened, when, what privacy right was violated)
4. **Evidence** (emails, correspondence, screenshots, privacy policy excerpts)
5. **Previous attempts to resolve** (your complaint to Maelstrom AI and our response)
6. **Maelstrom AI's complaint reference number** ([COMPLAINT-ID])

## Step 3: Submit Your Complaint

- **Online**: Most authorities have online complaint forms (fastest method)
- **Phone**: Call the authority's helpline for guidance
- **Post**: Send a written complaint via mail (include all documentation)

## Step 4: Follow Up

- The supervisory authority will acknowledge your complaint and may request additional information
- Investigation timelines vary by authority (typically 3-6 months)
- The authority may mediate between you and Maelstrom AI or conduct a formal investigation
- You will be informed of the outcome and any enforcement actions taken

## Information About Maelstrom AI Pty Ltd ATF Maelstrom AI Holding Trust

**Organisation Details** (provide to supervisory authority):
- **Name**: Maelstrom AI Pty Ltd ATF Maelstrom AI Holding Trust
- **Privacy Contact**: privacy@maelstrom.au
- **Website**: https://provii.app
- **Privacy Policy**: https://provii.app/privacy (when published)
- **Your Complaint Reference**: [COMPLAINT-ID]

## Need Help?

If you have questions about this process, you can:
- Contact the supervisory authority directly (they provide free guidance)
- Seek advice from a consumer rights organisation
- Consult with a privacy lawyer (in some jurisdictions, legal aid may be available)

## Important Notes

- Lodging a complaint with a supervisory authority is **free of charge**
- You do not need a lawyer to file a complaint
- Maelstrom AI will cooperate fully with any supervisory authority investigation
- We will not retaliate against you for exercising your right to complain

</CodeGroup>


Integration with Existing Processes

Relationship to DSAR Process

Privacy complaints are distinct from but related to DSAR processing:

  • DSAR Process. Handles requests for access, erasure, portability, etc. (see Data Retention Policy)
  • Complaint Process. Handles dissatisfaction with DSAR outcomes, delays, or other privacy concerns

Workflow Integration:

  1. DSAR delays beyond 30 days → Automatic complaint notification to Privacy Officer
  2. DSAR refusal → Complainant may lodge complaint if dissatisfied with reasoning
  3. Complaint about DSAR → Follow complaint process, but reference original DSAR ticket

Relationship to Incident Response

Privacy complaints involving security concerns must be escalated to Incident Response:

Escalation Triggers:

  • Suspected data breach
  • Unauthorised access to personal data
  • Security vulnerability affecting personal data
  • Lost or stolen data containing personal information

Process:

  1. Log both as privacy complaint (this process) AND security incident (see Incident Response)
  2. Incident response takes precedence for containment
  3. Privacy complaint process handles communication with complainant
  4. Coordinate breach notification if required (GDPR Art. 33-34)

Relationship to Risk Management

Recurring privacy complaints indicate privacy risks requiring formal risk assessment:

Risk Escalation:

  • 3+ similar complaints in one quarter → Add to Risk Register
  • Systemic processing issue identified → Conduct privacy impact assessment (PIA/DPIA)
  • New privacy risk identified → Update risk treatment plan

Training & Awareness

Team Training

All team members handling personal data receive training on:

  • Privacy Rights. Understanding GDPR/CCPA rights and obligations
  • Complaint Recognition. Identifying privacy complaints vs. general support issues
  • Escalation. When and how to escalate to privacy@maelstrom.au
  • Confidentiality. Protecting complainant information

Training Schedule: Annual privacy training + complaint handling module (see Security Awareness)

Privacy Officer Responsibilities

The Privacy Officer is responsible for:

  • Monitoring privacy@maelstrom.au daily
  • Triaging and investigating all privacy complaints
  • Maintaining the complaint register
  • Preparing quarterly complaint reports
  • Identifying systemic privacy issues
  • Recommending policy and procedure improvements
  • Coordinating with ISMS Owner for complex cases
  • Liaising with supervisory authorities if needed

Compliance Mapping

This process is designed to meet the requirements of:

GDPR (EU) / UK GDPR

  • Article 12. Transparent information, communication, and modalities for exercising rights
  • Article 15-22. Data subject rights (access, rectification, erasure, etc.)
  • Article 57. Supervisory authority tasks (receiving and investigating complaints)
  • Article 77. Right to lodge complaint with supervisory authority
  • Article 79. Right to effective judicial remedy

ISO 27701:2019

  • Annex A 7.3.9. Complaints handling (PII controller requirements)
  • Annex B 6.3.3. Complaints handling (PII processor requirements)

CCPA / CPRA (California)

  • Section 1798.150. Private right of action for data breaches
  • Section 1798.185. Right to request information about data practices

UK Children’s Code (Age Appropriate Design Code)

  • Standard 15. Complaint handling procedures accessible to children and parents

Other References

  • ISO 27001:2022 Annex A.5.37. Documented operating procedures
  • NIST Privacy Framework. Awareness and Training (CT) functions

Review & Updates

Regular Review Schedule

  1. Quarterly. Review complaint metrics and trends (Privacy Officer)
  2. Annually. Full policy review and update (Privacy Officer + ISMS Owner)
  3. Ad-Hoc. After significant complaints or regulatory changes

Update Triggers

Update this policy when:

  • New privacy regulations enacted
  • Supervisory authority guidance issued
  • Recurring complaint patterns identified
  • DSAR process improvements identified
  • Management review identifies improvements
  • Internal audit findings require changes

Version History

| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | 2025-01-08 | Privacy Officer | Initial privacy complaint process (GAP-M008) |


Contact Information

Privacy Complaints: privacy@maelstrom.au

Security Incidents: security@maelstrom.au

General Support: support@provii.app

ISMS Owner: [Contact via internal channels]

External Legal Counsel: [Engaged as needed for complex cases]