Making a Complaint to the CISPE Data Protection Committee
This process is the Complaints Process under section 7.2(b) of the CISPE Data Protection Code of Conduct for Cloud Infrastructure Service Providers (« Code »). This version of the Complaints Process is current as at [V1.1].
Unless they are otherwise defined, capitalised terms used in this Complaints Process will have the meaning given to them in the Code.
1.2 Complaints Committee
The Complaints Process is managed by the Complaints Committee. The Complaints Committee is appointed by the Executive Board. Its key responsibilities are considering complaints about non-compliance of services with the Code Requirements; and taking enforcement action against a non-compliant Code Declarant (defined below) including, where necessary, recommending enforcement action to the Executive Board.
1.3 Eligible complaints
A complaint may be brought under the Complaints Process where it relates to breach of the Code Requirements by a CISP which has declared adherence to the Code Requirements (« Code Declarant »).
A complaint may be made by a Code Declarant, a customer of a Code Declarant, or a competent supervisory authority.
The Complaints Committee recommends trying to resolve complaints directly with the Code Declarant in question prior to resorting to making a complaint under this Complaints Process.
1.4 Making a complaint
A. Submission of complaint
B. Acknowledgement of receipt & notification to CISP
The Complaints Committee will notify the CISP of the complaint received and aims to do so within [5 working days].
C. Information gathering
If the Complainant fails to comply with a request for supporting information within [10 working days], the complaint will be closed. Having gathered further information, the Complaints Committee may decide not to pursue the complaint any further if it determines the complaint is vexatious, unsubstantiated, the same as a complaint already dealt with under the Complaints Process or otherwise does not warrant investigation.
The Complaints Committee will provide full reasoning for its decision which will be made available to the Complainant and CISP via the Portal.
D. Stage 1: Informal Resolution
If informal resolution is successful, the Complaints Committee may close the matter with, if appropriate, a formal reminder of the CISP’s obligations under the Code and/or an agreed order for the CISP to take remediating measures.
E. Stage 2: Formal Review
The Complaints Committee may decide to hold a hearing if it determines this is necessary and proportionate in the circumstances. The Complainant and CISP will be entitled to attend any such hearing. The Complaints Committee will provide notice of the hearing date and the parties are expected to make themselves reasonably available.
The Complaints Committee will then make a decision on the outcome of the complaint within [30 working days] of instigating Formal Review. Decision-making by the Complaints Committee is done by majority vote.
The Complaints Committee will determine the appropriate sanction in the circumstances and, where necessary due to the severity of the sanction, recommend appropriate enforcement action to the Executive Board.
G. Communication of decision
To bring an appeal, the appealing party must submit an appeal notice within [10 working days] of the Complaints Committee’s communication of its decision on the original complaint.
The other party will be notified of the submission of an appeal notice by the Complaints Committee within [2 working days].
The Executive Board will decide whether to hear the appeal based on whether there are reasonable grounds for the appeal. If it decides to hear the appeal it will make directions for submissions from the parties.
Appeals will be reviewed by the Executive Board within [30 working days]; the Executive Board’s decision will be final.
1.5 Overarching principles
All aspects of the Complaints Process will be conducted in the English language.
The Complaints Committee may change this determination at any time if through the course of the process the Complaints Committee judges that a complaint under Informal Resolution actually warrants Formal Review, or similarly that a complaint under Formal Review should revert to being managed under the Informal Resolution process.
If it is not possible to adhere to the timeframes in the Complaints Process due to the specific circumstances of the complaint, the Complainant and CISP will be kept appropriately informed by the Complaints Committee of the new timeframes and the reason for the delay.
(c) Transparency of outcomes
The Complaints Process will be fully transparent to the Complainant and CISP involved. All decisions regarding complaints will be logged in the Portal and accessible by the Complainant and CISP who are parties to the complaint in question.
If a complaint is resolved by Informal Resolution, this may mean that the CISP responds directly to the Complainant. Where this is the case, such response will also be provided to the Complaints Committee and attached to the complaint in the Portal.
Though this Complaints Process will be publicly available, the details of individual complaints as captured in the Portal will not be publicly available. This will be a closed loop and both the Complainant and CISP as parties to the complaint must keep the existence and details of the complaint confidential. Nevertheless, the Complaints Committee may publish aggregated and anonymised complaints trend data. However, once the Complaints Process is concluded for a complaint (i.e. there has been no appeal, or an appeal has been determined), the Complaints Committee may report any finding of non-compliance with the Code, and the sanctions imposed as a result of such non-compliance, to the competent supervisory authorities. Any decision to revoke or suspend a Declaration of Adherence will, by its nature, be publicly available.