“(At which point you can apply for a Subject Access Request under the Data Protection Act to see how the decision was made.)” Really not sure that’ll get you very far. An internal policy won’t (I hope!) have any personal details it it so a subject access request wouldn’t reveal the policy. It would only reveal how the decision was made if that information was recorded against one of your records which would seem unlikely to go much further than “advised was against policy”. Good news with GDPR is that the subject access request will be free though so worth giving it a go!