Privacy Policy for Complaints
Introduction
At the PMCPA we take your data privacy seriously and are committed to protecting the privacy and security of your personal data.
This privacy policy describes how we process your personal data during and after a complaint has been submitted in accordance with the Data Protection Act 2018 and any other applicable law and regulation (hereinafter collectively referred to as “Data Protection Laws”).
This privacy policy covers all PMCPA employees plus interns, secondees, contractors, consultants, casual and agency workers, and subcontractors that need to have access to any personal data following receipt of a complaint by the PMCPA. This applies to complaints submitted via the form on our website, by email to complaints@pmcpa.org.uk or by post to the Chief Executive of the PMCPA, 2nd Floor Goldings House, Hay’s Galleria, 2 Hay’s Lane, London, SE1 2HB.
It is important that you read and retain this policy, together with any other privacy notice that we may provide on specific occasions when we are processing personal data, so that you are aware of how and why we are using such information and what your rights are.
Please note that data protection refers to the protection of personal data only. This Policy does not apply to protection of confidential business related information and is in addition to the main PMCPA Privacy Policy available here.
‘Personal Data’ means any information identifying an individual or information relating to an individual that can identify (directly or indirectly) from that data alone or in combination with other identifiers we possess or can reasonably access.
What personal data do we collect about you?
When you first contact us, we will record the information submitted to use as part of your complaint and any subsequent correspondence. This could include your name, address, location in which any shared folder link was accessed, telephone number, email address and other personal details in a file that we hold on paper or on out IT systems and applications.
Why we collect this information
We will only process your personal information when we have a lawful reason or a legitimate interest for doing so. We are allowed to use your information for the purpose of handling your complaint according to the ABPI Code of Practice. The ABPI Code also protects information obtained for the purposes of processing your complaint. We will treat your data considerately and confidentially. We might need to share some data about your complaint with approved subcontractors in order to handle your complaint according to the ABPI Code in particular in connection with participation on the Code of Practice Panel. Please note our approved subcontractors have executed a confidentiality agreement containing terms that are at least as protective as the terms of this Policy. By making your complaint, you agree we can share information about you and your complaint with our subcontractors.
The PMCPA does not share your personal data to other parties including the respondent company unless it is considered necessary to enable the company to respond to the complaint and then it will only be shared with your prior permission.
If a case reaches the appeal stage, parties can attend the appeal and present their case. All attending parties are in the same room with the Appeal Board. If you choose to attend an appeal your name or an agreed pseudonym will be disclosed to the company and the Appeal Board. Your name would then also be disclosed to the building security/software for attendance at the PMCPA Offices for an appeal for the purposes of in case of emergency such as fire. The Appeal Board hearing will be recorded and kept for internal PMCPA purpose only, for up to 90 days. After this period, the recording will be destroyed.
How long will we keep your information?
We will keep all information about you and your complaint. This data includes:
- Correspondence, Panel minutes and submissions in relation to complaints
- Where applicable PMCPA Audit Reports and associated audit documents
Undertakings and assurances provided by companies will be retained indefinitely.
All documents created during day-to-day working are permanently deleted after nine (9) calendar years of being saved electronically within our document management system. For complaints submitted prior to March 2020 personal data may also be stored in a secure off-site hard copy archive for the same duration as our retention period (nine years).
Emails have a two year retention or if in hard copy (see above) or within our information management system are retained for nine years.
Details of your complaint, your name and contact details will be retained in our Case management system for nine years.
All digital documents prior the end 2018 are retained until the end of 2027, these will then be purged in line with our 9 year retention policy.
Your rights under Data Protection Laws
- Access to Personal Information – You have the right to obtain access to your personal information.
- Change Inaccurate Information – You have the right to ask us to correct inaccurate personal information and to update incomplete personal information.
- Request to Delete Your Information – You have a right to request that we delete your personal information. Please note that if you request us to delete your information insofar as our retention policy allows, this will affect our ability to engage with you.
- Request to Restrict the Processing of Your Information – You have a right to request that we restrict the processing of your personal information. Please note that if you request this it will affect our ability to engage with you.
- Request Your Personal Data in a Portable Format – You may have the right to ask us to provide your personal information in a portable format.
- Object to the Processing of your Personal Information – You have a right to object to the processing of your personal information, in which case we would need to demonstrate compelling and legitimate grounds for the processing. Please note that if you request that we delete your information insofar as our retention policy allows, this will affect our ability to engage with you.
- Withdraw Consent – Where we rely on your permission to process your personal information, you have a right to withdraw your consent at any time. Please note that if you request that we delete data to investigate and resolve your complaint, we may not be obliged to erase this information. This is because the right to erasure does not apply to data which we hold to fulfil the investigation.
- To Complain - You have the right to make a complaint at any time to the Information Commissioner’s Office, the UK regulatory authority responsible for data protection issues
- We will not sell your information or use it for commercial purposes.
If you wish to exercise any of the rights set out above or have any questions in relation to this Privacy policy, please contact: dpo@pmcpa.org.uk
Please note that we may need specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). We may also need to contact you to ask for further information in relation to your request.
We will aim to respond to your request within one (1) month.
Changes to our privacy policy
- We keep our privacy notice under regular review. This notice was last updated in May 2025
Complaints, comments and compliments
- If you wish to make a compliment, comment or complaint about how the PMCPA processes your data, then please contact the Data Protection Officer at dpo@pmcpa.org.uk
- If you are still unhappy with how we have handled your complaint, you may contact the Information Commissioner's Office. The Information Commissioner Wycliffe House Water Lane Wilmslow Cheshire SK9 5AF Phone: 08456 30 60 60
Website: www.ico.org.uk
- If this privacy policy changes in any way, we will place an updated version on our website.
How to contact us
Please get in touch if you have any questions about our privacy policy or information we hold about you. Please email: dpo@pmcpa.org.uk