Book a free discovery call

← Back to Legal

Data Protection Complaints Notice

Last updated: June 2026

If you’ve ever had a concern about how a business is handling your personal information, you’ll know it can feel like shouting into the void. We’d rather you didn’t have to do that with us. This notice explains your rights, exactly how to raise a complaint with Carolyn Nicholson Virtual Support Services (CNVSS), and what happens once you do. We take it seriously, we won’t go quiet on you, and we’d always rather have the chance to put things right ourselves before anyone needs to involve the Information Commissioner’s Office (ICO).

About this notice

We take the privacy and security of your personal data seriously. If you have a concern about how we have collected, used, shared, stored or deleted your personal information, we want to hear from you. We will do our best to put things right.

Your right to complain directly to us is a statutory right under the Data (Use and Access) Act 2025. You do not need to go to the ICO first. We are your first point of contact, though you are always free to contact the ICO directly if you prefer.

Your rights under UK data protection law

Under UK GDPR, the Data Protection Act 2018 and the Data (Use and Access) Act 2025, you have the right to:

  • Access the personal data we hold about you (a subject access request, or SAR)
  • Ask us to correct information that is wrong or incomplete
  • Ask us to delete your data in certain circumstances
  • Ask us to restrict how we use your data while a complaint is being looked into
  • Receive a copy of your data in a commonly used, portable format
  • Object to us using your data in certain ways
  • Not be subject to a decision made solely by automated means where that decision has a significant effect on you

Who we are and who to contact

Data protection at Carolyn Nicholson Virtual Support Services is the responsibility of:
Responsible person: Carolyn Nicholson
Email: privacy@carolynnicholson.co.uk

We accept complaints however they reach us, whether that’s by email, social media or in person. However your complaint arrives, we will log it and handle it in the same way. You do not need to use a particular form or format to make a complaint.

What counts as a data protection complaint

A data protection complaint is any concern you raise about how we have collected, used, stored, shared or deleted your personal data. This is broad – it covers a wide range of situations, not just formal data breaches.

Examples of the types of concern we can investigate

  • We did not respond to a subject access request within the required time, or the response was incomplete
  • We collected or used your personal data without a valid lawful basis, or for a purpose you were not told about
  • We shared your personal data with someone we should not have
  • We did not action a request to delete, correct or restrict your data when required to
  • We kept your personal data for longer than necessary
  • A data breach or security incident affected your personal data and we did not handle it correctly
  • You continued to receive marketing from us after you had opted out
  • Our privacy notice was unclear, incomplete or did not accurately describe how we use your data

What this process does not cover

  • General dissatisfaction with the quality of our service, contact: info@carolynnicholson.co.uk
  • Billing or payment queries, contact: info@carolynnicholson.co.uk
  • Complaints about a subject access request that was handled correctly and on time
  • Complaints about a third party’s conduct. Please direct these to the relevant professional body or regulator

If you are not sure whether your concern is a data protection matter, please contact us anyway and we will help you direct it to the right place.

How to raise a complaint with us

To help us investigate your concern as quickly as possible, it helps if you can tell us:

  • Your name and contact details
  • A clear description of your concern, i.e., what happened, when, and who was involved
  • Any relevant reference numbers, screenshots or correspondence
  • What outcome you would like

You do not need to provide all of this to make a valid complaint. If you are not sure what to include, just get in touch and we will help you from there.

What happens when we receive your complaint

1. Acknowledgement (within 30 calendar days)

We will send you a written acknowledgement within 30 calendar days of receiving your complaint, including weekends and bank holidays. Day one of that period is the day after we receive it. Our acknowledgement will confirm that we have received your complaint, the name of the person handling it, and what happens next.

2. Investigation

We will investigate your complaint fairly and thoroughly, without undue delay. This may include reviewing records and speaking to relevant team members or suppliers.

3. Keeping you informed

We will not go silent while we are investigating. If we need more information from you, or if anything changes, we will get in touch as soon as possible.

4. Our response

We aim to give you a full response within one calendar month of receiving your complaint. In complex cases, we may extend this by up to a further two months, telling you why within the first month. Our response will explain what we investigated, what we found, what action we have taken (if any), and your right to take your complaint to the ICO.

We will not charge a fee for handling your complaint, unless it is clearly unfounded or excessive – in which case we will explain this to you before proceeding.

Third-party tools and suppliers

Where our processes involve third-party tools, platforms or suppliers, we remain your single point of contact for any data protection complaint. You do not need to contact our suppliers directly, we will liaise with them on your behalf and keep you informed of the outcome.

How we keep records

We keep records of all data protection complaints we receive, the steps we take to investigate them, and the outcomes. Complaint records are held securely and only accessed by those who need to handle the matter. The Information Commissioner’s Office (ICO) may request access to our complaint records as part of its regulatory role, and we are required to provide them.

If you are not satisfied with our response

If you remain unhappy after we have responded, or at any point during our process, you have the right to refer the matter to the Information Commissioner’s Office (ICO), the UK’s independent data protection regulator. You do not have to wait for us to finish before contacting the ICO, and you do not have to raise your concern with us first.

Our ICO registration

Carolyn Nicholson Virtual Support Services is registered with the Information Commissioner’s Office under registration number ZB727111. You can verify this at ico.org.uk/about-the-ico/what-we-do/register-of-fee-payers/.

ICO website: ico.org.uk
Helpline: 0303 123 1113 (Monday to Friday, 9am to 4:30pm)
Live chat: Available at ico.org.uk
Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF