Complaint Procedure - Making a Complaint to the CISPE Data Protection Committee

Disclaimer

This complaint procedure applies only to cloud infrastructure services declared under the CISPE Data Protection Code (2016 Version) prior to May 2021. This procedure will replaced by a new procedure that also requires the oversight of the Monitoring Bodies to comply with the latest version of the CISPE Data Protection Code once it is formally approved by the CNIL.

Visit the new CISPE Data Protection Code website

1.1 Introduction

This process is the Complaints Process under section 7.2(b) of the CISPE Data Protection Code of Conduct for Cloud Infrastructure Service Providers (“Code”). This version of the Complaints Process is current as at [V1.1].

Unless they are otherwise defined, capitalised terms used in this Complaints Process will have the meaning given to them in the Code.

1.2 Complaints Committee

The Complaints Process is managed by the Complaints Committee. The Complaints Committee is appointed by the Executive Board. Its key responsibilities are considering complaints about non- compliance of services with the Code Requirements; and taking enforcement action against a non- compliant Code Declarant (defined below) including, where necessary, recommending enforcement action to the Executive Board.

1.3 Eligible complaints

A complaint may be brought under the Complaints Process where it relates to breach of the Code Requirements by a CISP which has declared adherence to the Code Requirements (“Code Declarant”).

A complaint may be made by a Code Declarant, a customer of a Code Declarant, or a competent supervisory authority.

The Complaints Committee recommends trying to resolve complaints directly with the Code Declarant in question prior to resorting to making a complaint under this Complaints Process.

1.4 Making a complaint

A. Submission of complaint

A complaint should be submitted online via [INSERT WEB ADDRESS] (“Portal”). Full details of the behaviour complained about need to be provided, including details of the person making the complaint (“Complainant”); the Code Declarant about whom the complaint is being made (“CISP”); details of the service alleged to be non-compliant; which Code Requirement has been breached; and full supporting materials.

B. Acknowledgement of receipt & notification to CISP

The Complaints Commitee aims to acknowledge receipt of complaints within [2 working days]. Such acknowledgement will be provided via the Portal.

The Complaints Commitee will notify the CISP of the complaint received and aims to do so within [5 working days].

C. Information gathering

The Complaints Commitee will gather information from and ask clarificatory questions to the Complainant and CISP as required. Reasonable cooperation is required from all parties with requests from the Complaints Commitee. The Complaints Commitee will aim to complete this within [30 working days].

If the Complainant fails to comply with a request for supporting information within [10 working days], the complaint will be closed. Having gathered further information, the Complaints Committee may decide not to pursue the complaint any further if it determines the complaint is vexatious, unsubstantiated, the same as a complaint already dealt with under the Complaints Process or otherwise does not warrant investigation.

The Complaints Committee will provide full reasoning for its decision which will be made available to the Complainant and CISP via the Portal.

D. Stage 1: Informal Resolution

As a first step, the Complaints Commitee will attempt to achieve informal resolution of the complaint, for example through facilitating dialogue between the Complainant and CISP. They will aim to complete this within [20 working days].

If informal resolution is successful, the Complaints Commitee may close the matter with, if appropriate, a formal reminder of the CISP’s obligations under the Code and/or an agreed order for the CISP to take remediating measures.

E. Stage 2: Formal Review

If the complaint cannot be concluded at Stage 1, the Complaints Committee will undertake a Formal Review. Both parties may make representations in advance of the Formal Review in accordance withreasonable timelines to be set by the Complaints Committee.

The Complaints Commitee may decide to hold a hearing if it determines this is necessary and proportionate in the circumstances. The Complainant and CISP will be entitled to attend any such hearing. The Complaints Commitee will provide notice of the heading date and the parties are expected to make themselves reasonably available.

The Complaints Commitee will then make a decision on the outcome of the complaint within [30 working days] of instigating Formal Review. Decision-making by the Complaints Commitee is done by majority vote.

F. Sanctions

If in its final decision the Complaints Committee finds that a CISP is non-compliant with the Code Requirements, then the Complaints Committee may: request the CISP to take specific remediating measures within a reasonable timeframe to comply the Code; and in serious/severe or repeated cases of non-compliance, or in case of failure by the CISP to implement the requested remediating measures, recommend to the Executive Board that the CISP’s Declaration of Adherence be suspended or revoked in respect of the non-compliant service and the register of compliant services on the CISPE website will be updated accordingly.

The Complaints Commitee will determine the appropriate sanction in the circumstances and, where necessary due to the severity of the sanction, recommend appropriate enforcement action to the Executive Board.

G. Communication of decision

The Complaints Commitee will record the outcome of the complaint including detailed reasons for the decision and the sanctions imposed, and provide this to the Complainant and CISP via the Portal.

H. Appeals

The Complainant or CISP may bring an appeal if they can substantiate that there is significant new evidence not considered at Formal Review; the Complaints Process was not properly adhered to; or the decision is unreasonable in the circumstances.

To bring an appeal the appealing party must submit an appeal notice within[10workingdays] of the Complaints Committee’s communication of its decision on the original complaint.

The other party will be notified of the submission of an appeal notice by the Complaints Committed within [2 working days].

The Executive Board will decide whether to hear the appeal based on whether there are reasonable grounds for the appeal. Ifitdecidestoheartheappealitwillmakedirectionsforsubmissionsfromtheparties.

Appeals will be reviewed by the Executive Board within [30 working days]; the Executive Board’s decision will be final.

I. Enforcement

If applicable, the Complaints Commitee and, where necessary due to the severity of the sanction, the Executive Board will take enforcement action against the non-compliant CISPbased on the decisions made.

1.5 Overarching principles

All aspects of the Complaints Process will be conducted in the English language.

(a) Impartiality

If the Complaints Committee – or the Executive Board on appeal – includes a representative of the Complainant and/or the CISP, such representatives shall not participate in the Complaints Process for the purposes of the complaint in question and shall not have any involvement in the investigation of such complaint (other than in the capacity of Complainant or CISP as applicable). The Complaints Committee – or the Executive Board on appeal – may also decide acting reasonably if any other member of the Complaints Committee or Executive Board respectively should not be involved in the Complaints Process with respect to a specific complaint due to the circumstances of that complaint.

(b) Proportionality

The Complaints Committee is responsible for ensuring that the Complaints Process is fair and complaints are dealt with proportionately and appropriately. It will only investigate a complaint where there is enough information to indicate a reasonable argument that there has been a breach of the Code Requirements by a CISP. The Complaints Committee retains the discretion to determine to what extent complaints require progressing to Informal Resolution and potentially Formal Review, taking into account whether there is any evidence of wider or more serious risk or harm, or of repeated breaches of the Code Requirements particularly further to previous complaints made via this Complaints Process. It may decide to proceed directly to Formal Review if there have been prior equivalent complaints which were substantiated.

The Complaints Committee may change this determination at any time if through the course of the process the Complaints Committee judges that a complaint under Informal Resolution actually warrants Formal Review, or similarly that a complaint under Formal Review should revert to being managed under the Informal Resolution process.

If it is not possible to adhere to the timeframes in the Complaints Process due to the specific circumstances of the complaint, the Complainant and CISP will be kept appropriately informed by the Complaints Committee of the new timeframes and the reason for the delay.

(c) Transparency of outcomes

The Complaints Committee may close a complaint at any time if it determines that there is insufficient evidence or it is otherwise disproportionate to continue investigation, and will again provide its reasoning for this via the Portal. Any such determination may be appealed on the same grounds as those for a Formal Review decision.

The Complaints Process will be fully transparent to the Complainant and CISP involved. All decisions regarding complaints will be logged in the Portal and accessible by the Complainant and CISP who are parties to the complaint in question.

If a complaint is resolved by Informal Resolution, this may mean that the CISP responds directly to the Complainant. Where this is the case, such response will also be provided to the Complaints Committee and attached to the complaint in the Portal.

Though this Complaints Process will be publicly available, the details of individual complaints as captured in the Portal will not be publicly available. This will be a closed loop and both the Complainant and CISP as parties to the complaint must keep the existence and details of the complaint confidential. Nevertheless, the Complaints Committee may publish aggregated and anonymised complaints trend data. However, once the Complaints Process is concluded for a complaint (i.e. there has been no appeal, or an appeal has been determined), the Complaints Committee may report any finding of non- compliance with the Code, and the sanctions imposed as a result of such non-compliance, to the competent supervisory authorities. Any decision to revoke or suspend a Declaration of Adherence will, by its nature, be publicly available.