How we collect, use and protect your personal information
Last reviewed: 2026 · Next review due: 2028
Evesham Specialist Packaging Limited (referred to as ESP throughout this document) needs to collect personal information to effectively carry out our everyday functions and activities and to provide our products and services. Such data is collected from employees, customers, suppliers and clients and includes — but is not limited to — names, addresses, email addresses, dates of birth, IP addresses, identification numbers, and in certain circumstances, sensitive financial or confidential information.
We may also be required to collect and use certain types of personal information to comply with legal or regulatory requirements. In all cases, we are committed to processing personal information in accordance with the General Data Protection Regulation (GDPR), UK data protection laws, and any other relevant data protection legislation — collectively referred to throughout this document as "the data protection laws".
ESP is committed to maintaining the security and confidentiality of all personal and special category data. Every colleague shares responsibility for handling data in accordance with this policy.
This policy ensures compliance with the Data Protection Act (DPA) 2018 and the General Data Protection Regulation (GDPR) (EU) 2016/679, which govern the processing of information about living individuals and the rights those individuals hold in relation to that information. This legislation covers all personal information held in both electronic and manual form.
ESP acts as both a controller and processor of personal data. This policy applies to all parts of ESP and to all personal data held and processed by the organisation, in any system or format.
Adherence to this policy is mandatory for all employees of ESP — whether permanent, fixed term, or temporary — as well as reviewers, third-party representatives, sub-contractors, agency workers, volunteers, interns and agents engaged with ESP in the UK or overseas. Non-compliance may result in disciplinary action.
For the purpose of information categorisation, ESP applies the GDPR definitions of "personal data" and "special category data" as follows:
ESP ensures that special category data is handled with a particularly high level of care. Processing of such data is kept to the absolute minimum necessary to perform our functions.
Article 5(2) of the GDPR requires that ESP and all those who process personal information on our behalf are responsible for — and able to demonstrate — compliance with the following principles. Personal data must be:
In upholding these principles, ESP commits to the following:
Where ESP acts as a data controller or data processor, our internal records of processing activities will contain the following information:
ESP is certified to ISO 27001:2017, the international standard for information security management. This certification demonstrates our active, ongoing commitment to managing data security in line with international best practice.
ESP uses information audits to identify, categorise and record all personal data processed outside of the organisation. External processing may include — but is not limited to:
We carry out due diligence on all processors prior to forming a business relationship, including reviewing company documents, certifications and references. Service Level Agreements and contracts containing appropriate compliance obligations are in place with all data processors. Processors are required to notify us in writing of any intended changes concerning the addition or replacement of sub-processors before those changes are implemented.
It is the responsibility of the relevant contract manager to ensure that processing activities specified in any contract are monitored, audited and reported on.
Under data protection legislation, individuals have the following rights:
Any individual wishing to exercise any of these rights may do so verbally or in writing by contacting the General Manager directly.
ESP does not use consent as the legal basis for obtaining or processing employee personal information. Our HR policies ensure that employees are provided with appropriate information about how and why their data is processed.
Our Privacy Notice explains what to expect when ESP collects personal information to meet legal, regulatory, statutory and contractual obligations and to provide customers and stakeholders with relevant information. A separate Privacy Notice for Colleagues covers the rights of employees, contractors, and board and committee members specifically.
Records relating to data subjects are stored securely and are only accessible to authorised employees. Information is retained only for as long as it is needed or as required by statute, and disposed of appropriately thereafter.
ESP takes reasonable steps to keep personal information up to date by periodically asking data subjects to confirm whether any changes have occurred.
Regular internal audits are completed independently by our outsourced IT provider. We also maintain compliance monitoring processes to ensure that the measures in place to protect data subjects are adequate, effective and compliant at all times. ESP reports on compliance to the Audit and Risk Committee and, ultimately, to the Board.
ESP is committed to a staff awareness programme ensuring that all employees are trained and supported in their data protection responsibilities. This includes online and virtual induction with end-of-module assessments, policy and procedure training, annual refresher training covering data protection, information security and cyber security, and access to supporting documentation and 1:1 support sessions as required.
As a Data Controller — and where acting as a joint Controller or Processor — ESP holds company-wide responsibility for complying with data protection legislation, cooperating with the ICO, and responding to any regulatory or court action.
Responsible for ensuring the requirements of data protection laws are met and that the organisation provides sufficient resources for all employees to comply with their data protection duties.
Monitors compliance with data protection laws and internal policies. Reviews data protection, retention and records management policies and makes recommendations to the Managing Director. As DPO, also cooperates with the supervisory authority and provides regular reporting on operational and strategic risk.
Refers to external legal advisers as appropriate, investigates data incidents and reports findings to the Managing Director, advises on data protection impact assessments, and oversees records management and employee training.
Every employee is responsible for collecting, storing and processing personal data in accordance with data protection laws and this policy; keeping data secure; using personal data only for contracted duties; and completing mandatory training.
ESP recognises the severity of failing to comply with data protection laws and respects the Information Commissioner's authority to impose fines and penalties where there is a failure to comply or to mitigate known risks.
| Type of Breach | Maximum Fine |
|---|---|
| Breaches of basic processing principles, conditions for consent, data subject rights, international transfers, or non-compliance with an ICO order | Up to £17.5 million or 4% of total worldwide annual turnover of the preceding financial year — whichever is higher |
This policy will be reviewed and updated at a minimum every two years, or sooner where necessary to reflect best practice, relevant case law, or changes to data protection legislation.
If you have any questions about this policy or wish to exercise your data subject rights, please get in touch:
Evesham Specialist Packaging
Unit 1, Orchard Industrial Estate
Toddington, Cheltenham
GL54 5EB