Data Protection Complaints Policy

Purpose

This procedure sets out how STAR (the Society of Ticket Agents and Retailers) will handle complaints relating to the processing of personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 and the Data (Use and Access) Act 2025.

STAR is committed to handling personal data lawfully, fairly and transparently and to responding appropriately when concerns are raised about how personal data has been processed.

Scope

This procedure applies to complaints from any individual who believes that STAR has handled personal data in a way that infringes data protection legislation.

Examples include:

  • Failure to respond appropriately to a Subject Access Request.
  • Inaccurate personal data being held or used.
  • Personal data being disclosed inappropriately.
  • Concerns regarding data retention.
  • Concerns following a personal data breach.
  • Objections to the use of personal data.
  • Complaints relating to automated decision-making.
  • Concerns regarding the security of personal data.

This procedure does not replace STAR's general complaints procedure but applies specifically to complaints relating to personal data and privacy rights.

How to Make a Complaint

Individuals may make a data protection complaint by:

  • Emailing STAR at info@star.org.uk.
  • Writing to STAR at Blake House, 18 Blake Street, York, YO1 8QG.
  • Using any contact form provided on STAR's website.
  • Contacting STAR by any other reasonable means.

A complaint does not need to refer specifically to data protection legislation or use any particular wording in order to be treated as a data protection complaint.

Receipt and Logging

Upon receipt of a data protection complaint:

  1. The complaint will be recorded in the Data Protection Complaints Register.
  2. A unique reference number will be assigned.
  3. The complaint will be referred to the Chief Executive, who is responsible for overseeing compliance with this procedure.
  4. Any member of staff receiving a data protection complaint must ensure that it is referred to the Chief Executive as soon as reasonably practicable.

The register will record:

  • Date received.
  • Name and contact details of the complainant.
  • Nature of the complaint.
  • Actions taken.
  • Outcome.
  • Date closed.

Acknowledgement

STAR will acknowledge receipt of the complaint within 30 calendar days of receiving it.

The acknowledgement will:

  • Confirm receipt of the complaint.
  • Provide a reference number.
  • Explain the process STAR will follow.
  • Identify a contact point for any further enquiries.

Investigation

The Chief Executive will investigate the complaint or appoint another suitable individual to do so where appropriate.

The investigation may include:

  • Reviewing relevant records and documentation.
  • Examining STAR's policies, procedures and systems.
  • Speaking with members of staff or other relevant individuals.
  • Seeking further information from the complainant where necessary.
  • Assessing STAR's compliance with applicable data protection legislation.

Investigations will commence promptly and be conducted fairly and objectively.

Progress Updates

Where a complaint cannot be concluded within 30 days of acknowledgement, STAR will provide updates to the complainant at reasonable intervals.

Updates will include:

  • The current status of the investigation.
  • Any further information required.
  • An indication of the anticipated timescale for completion.

Outcome

STAR will provide a written response without undue delay once the investigation has been completed.

The response will:

  • Summarise the complaint.
  • Explain the investigation undertaken.
  • Set out STAR's findings.
  • Explain any corrective action taken or proposed.
  • Provide reasons where the complaint is not upheld.

Where appropriate, STAR may apologise, correct personal data, amend procedures, provide further information or take other remedial action.

Escalation and Independent Oversight

Where a complaint:

  • Concerns the actions of the Chief Executive;
  • Relates to a significant personal data breach;
  • Raises concerns about STAR's overall compliance with data protection legislation; or
  • Could reasonably be expected to expose STAR to significant regulatory or reputational risk,

the Chair of the STAR Council will be informed and will oversee the handling of the complaint or appoint an alternative independent person to do so.

This is intended to ensure that complaints are handled impartially where a conflict of interest may arise.

Information Commissioner's Office

STAR aims to resolve complaints directly wherever possible.

If an individual remains dissatisfied after STAR has responded, they may raise their concerns with the Information Commissioner's Office (ICO).

Information about making a complaint to the ICO can be found on the ICO's website.

Corrective Action

Where an investigation identifies shortcomings, STAR will consider whether corrective action is required, including:

  • Correcting inaccurate personal data.
  • Restricting or ceasing processing activities.
  • Improving procedures or controls.
  • Providing additional staff training.
  • Taking disciplinary action where appropriate.
  • Reporting a personal data breach where required by law.

Record Keeping

STAR will maintain a Data Protection Complaints Register and retain records of complaints, investigations and outcomes for a period of six years from closure unless a longer retention period is required by law.

Records will be used to:

  • Demonstrate compliance with legal obligations.
  • Identify recurring issues.
  • Improve policies, procedures and staff training.

Training and Awareness

STAR will ensure that relevant staff receive appropriate training on data protection, including how to recognise and escalate data protection complaints.

Training will form part of staff induction and periodic refresher training and will be reviewed as necessary to reflect changes in legislation, guidance and organisational procedures.

Reporting

The Chief Executive will report any material data protection complaints under the standing Data Protection item at meetings of the Council.

Review

This procedure will be reviewed annually or sooner if required by changes in legislation, regulatory guidance or STAR's activities.

Last updated: June 2026, Version 1.1