Data Protection Complaints
Version: v1.0 — May 2026
Document use: Public complaints procedure for individuals (drivers, portal administrators, app users, marketing recipients and others) to raise data protection concerns with Driver Codes, in accordance with section 164A of the Data Protection Act 2018 (in force 19 June 2026).
Published location: driver.codes/legal/data-protection-complaints-procedure
Applies to: all individuals whose personal data Driver Codes processes, whether as controller or processor. Where Driver Codes processes your personal data on behalf of a business customer, see clause 8 below.
This procedure explains how to raise a data protection concern with Driver Codes, and what we will do about it. It complies with section 164A of the Data Protection Act 2018, inserted by section 103 of the Data (Use and Access) Act 2025, which comes into force on 19 June 2026.
1. Your right to complain
You can complain to us about how we handle your personal data. You can also complain to the Information Commission (formerly the Information Commissioner's Office), the UK data protection regulator, but the Information Commission will normally expect you to have raised your concern with us first.
This procedure covers complaints about:
- how we collect, store, use, share or secure your personal data;
- how we have responded to any request you have made about your data (access, rectification, erasure, restriction, objection or portability);
- how we have handled an earlier enquiry or correspondence about your data;
- a personal data breach that affected you;
- any other concern about our compliance with UK data protection law.
You do not need to use any particular form of words. You do not need to know which law applies. If you are dissatisfied with how we have handled your personal data, that is a complaint and we will handle it under this procedure.
2. How to make a complaint
Our designated channel for data protection complaints is email to privacy@driver.codes.
If you complain to us through another channel — for example, through our support team at hello@driver.codes, through in-app messaging within Driver Codes, by post to our registered address, or in any other way — we will recognise the complaint and route it to the privacy team. You do not need to re-submit it.
You do not need to label the complaint as a "data protection complaint" or refer to this procedure. We will identify it from the substance of what you say.
When you complain, it helps us respond promptly if you tell us:
- your name and a contact channel we can use to reply;
- enough about the concern that we can identify what processing it relates to;
- the outcome you are looking for, where you have one in mind.
If you are making a complaint on behalf of someone else, please tell us their name and the basis on which you are acting (for example, as parent, attorney or solicitor). We may ask for evidence of authority before we share their personal data with you.
3. Acknowledging your complaint
We will acknowledge your complaint within 30 days of receiving it. The acknowledgement will:
- confirm we have received your complaint;
- tell you who is handling it;
- explain what to expect next.
In most cases the acknowledgement will be much quicker than 30 days. The 30-day window is the statutory backstop.
4. Investigating your complaint
The Owner of RSMT Limited has personal responsibility for handling data protection complaints under this procedure, with support from our wider team where needed.
We will investigate without undue delay. The investigation will:
- establish the facts of the processing complained about;
- assess whether the processing complied with UK data protection law and our published policies;
- decide whether any action is needed — for example, correcting data, changing a practice, providing further information to you, notifying the Information Commission, or compensating you for loss.
Where the complaint concerns a personal data breach, we will run the breach investigation and the complaint investigation in parallel rather than waiting for one to finish before starting the other.
We will keep you informed of progress. Where the investigation takes longer than expected, we will tell you why and give you a revised timescale.
5. Outcome
We aim to communicate the outcome of routine complaints within 30 days of receipt. For complex complaints — for example, those needing technical forensic work, cooperation with a third party, or external legal advice — we will tell you that more time is needed and give you a realistic timescale.
The outcome will:
- explain what we have decided, in plain English;
- explain why;
- tell you what (if anything) we will do as a result;
- tell you your right to escalate to the Information Commission if you are not satisfied (see clause 6 below).
If we conclude that we got something wrong, we will say so. If we conclude that we did not, we will explain our reasoning so you can decide whether you want to escalate.
6. Escalation to the Information Commission
If you are not satisfied with our outcome — or if you do not hear from us within the timescales above — you have the right to complain to the Information Commission (formerly the Information Commissioner's Office). Their website is ico.org.uk. Their helpline is 0303 123 1113.
You do not lose any other legal right by using this procedure. In particular, you retain your right to bring a judicial remedy against us under the UK GDPR.
7. Records and learning
We keep a record of every complaint received under this procedure, the investigation, the outcome and any actions taken. We retain those records for six years from the date the complaint is closed, for our own audit purposes and the defence of legal claims.
We review our complaints record periodically to identify patterns and improve our service.
8. Where the complaint relates to a business customer's processing
Some of the personal data we hold about you is processed on behalf of a business customer (for example, your record within an inviting company's workspace in our Driver Checks portal). Where your complaint relates to that processing, the business customer is the controller and you may need to direct your complaint to them.
If you are not sure who to complain to, raise it with us under this procedure. We will assess whether the complaint relates to our processing, to the business customer's processing, or to both, and we will tell you. Where the business customer is the right point of contact, we will tell you who and how to reach them and — if you ask us — forward the complaint to them on your behalf. We will not respond to a complaint about the business customer's processing on their behalf without their authority.
For an overview of controller and processor roles across our services, see our Data Protection & Privacy page.
9. Changes to this procedure
We may update this procedure from time to time. The current version, with its version date, is always at driver.codes/legal/data-protection-complaints-procedure
10. Contact
| Privacy complaints | privacy@driver.codes |
| RSMT Limited | 19A Queens Road, Hale, WA15 9HF |
| Company number | 11744436 |
| Regulator registration | ZA788385 (held with the Information Commission, formerly the Information Commissioner's Office) |
Note on regulator naming: at the version date of this document, the Information Commissioner's Office (ICO) remains the operative legal name of the UK data protection regulator. References in this document to the "Information Commission" anticipate the regulator's reconstitution under Part 6 of the Data (Use and Access) Act 2025. Our registration (ZA788385) is held with the regulator and will transfer to the Information Commission by operation of law on commencement of sections 118 and 119 of that Act.