Privacy & Data Policy

How we collect, use and protect your personal information

Last reviewed: 2026  ·  Next review due: 2028

Contents

  1. Policy Statement
  2. Scope
  3. Categories of Data
  4. Data Protection Principles
  5. Records of Processing
  6. External Certification
  7. Third-Party Processors
  8. Data Subject Rights
  9. Data Governance
  10. Roles & Responsibilities
  11. Penalties for Non-Compliance
  12. Policy Review
  13. Contact Us

1. Policy Statement

Evesham Specialist Packaging Limited (referred to as ESP throughout this document) needs to collect personal information to effectively carry out our everyday functions and activities and to provide our products and services. Such data is collected from employees, customers, suppliers and clients and includes — but is not limited to — names, addresses, email addresses, dates of birth, IP addresses, identification numbers, and in certain circumstances, sensitive financial or confidential information.

We may also be required to collect and use certain types of personal information to comply with legal or regulatory requirements. In all cases, we are committed to processing personal information in accordance with the General Data Protection Regulation (GDPR), UK data protection laws, and any other relevant data protection legislation — collectively referred to throughout this document as "the data protection laws".

ESP is committed to maintaining the security and confidentiality of all personal and special category data. Every colleague shares responsibility for handling data in accordance with this policy.

2. Scope

This policy ensures compliance with the Data Protection Act (DPA) 2018 and the General Data Protection Regulation (GDPR) (EU) 2016/679, which govern the processing of information about living individuals and the rights those individuals hold in relation to that information. This legislation covers all personal information held in both electronic and manual form.

ESP acts as both a controller and processor of personal data. This policy applies to all parts of ESP and to all personal data held and processed by the organisation, in any system or format.

Adherence to this policy is mandatory for all employees of ESP — whether permanent, fixed term, or temporary — as well as reviewers, third-party representatives, sub-contractors, agency workers, volunteers, interns and agents engaged with ESP in the UK or overseas. Non-compliance may result in disciplinary action.

3. Categories of Data

For the purpose of information categorisation, ESP applies the GDPR definitions of "personal data" and "special category data" as follows:

Personal Data
  Any information relating to an identified or identifiable natural person — including reference to:
    • A name or identification number
    • Location data or an online identifier
    • Factors specific to physical, physiological, genetic, mental, economic, cultural or social identity

Special Category Data
  Personal data revealing or relating to an identifiable natural person's:
    • Racial or ethnic origin
    • Political opinions or religious beliefs
    • Trade union membership
    • Genetic or biometric data
    • Health, sex life or sexual orientation

ESP ensures that special category data is handled with a particularly high level of care. Processing of such data is kept to the absolute minimum necessary to perform our functions.

4. Data Protection Principles

Article 5(2) of the GDPR requires that ESP and all those who process personal information on our behalf are responsible for — and able to demonstrate — compliance with the following principles. Personal data must be:

In upholding these principles, ESP commits to the following:

5. Records of Processing

Where ESP acts as a data controller or data processor, our internal records of processing activities will contain the following information:

6. External Certification

ISO 27001: International Information Security Standard. Certified by the British Assessment Bureau.

ESP is certified to ISO 27001:2017, the international standard for information security management. This certification demonstrates our active, ongoing commitment to managing data security in line with international best practice.

7. Third-Party Processors

ESP uses information audits to identify, categorise and record all personal data processed outside of the organisation. External processing may include — but is not limited to:

We carry out due diligence on all processors prior to forming a business relationship, including reviewing company documents, certifications and references. Service Level Agreements and contracts containing appropriate compliance obligations are in place with all data processors. Processors are required to notify us in writing of any intended changes concerning the addition or replacement of sub-processors before those changes are implemented.

It is the responsibility of the relevant contract manager to ensure that processing activities specified in any contract are monitored, audited and reported on.

8. Data Subject Rights

Under data protection legislation, individuals have the following rights:

Any individual wishing to exercise any of these rights may do so verbally or in writing by contacting the General Manager directly.

9. Data Governance

Employee Personal Data

ESP does not use consent as the legal basis for obtaining or processing employee personal information. Our HR policies ensure that employees are provided with appropriate information about how and why their data is processed.

Privacy Notice

Our Privacy Notice explains what to expect when ESP collects personal information to meet legal, regulatory, statutory and contractual obligations and to provide customers and stakeholders with relevant information. A separate Privacy Notice for Colleagues covers the rights of employees, contractors, and board and committee members specifically.

Data Storage

Records relating to data subjects are stored securely and are only accessible to authorised employees. Information is retained only for as long as it is needed or as required by statute, and disposed of appropriately thereafter.

Data Accuracy

ESP takes reasonable steps to keep personal information up to date by periodically asking data subjects to confirm whether any changes have occurred.

Audits & Monitoring

Regular internal audits are completed independently by our outsourced IT provider. We also maintain compliance monitoring processes to ensure that the measures in place to protect data subjects are adequate, effective and compliant at all times. ESP reports on compliance to the Audit and Risk Committee and, ultimately, to the Board.

Training

ESP is committed to a staff awareness programme ensuring that all employees are trained and supported in their data protection responsibilities. This includes online and virtual induction with end-of-module assessments, policy and procedure training, annual refresher training covering data protection, information security and cyber security, and access to supporting documentation and 1:1 support sessions as required.

10. Roles & Responsibilities

As a Data Controller — and where acting as a joint Controller or Processor — ESP holds company-wide responsibility for complying with data protection legislation, cooperating with the ICO, and responding to any regulatory or court action.

Managing Director

Responsible for ensuring the requirements of data protection laws are met and that the organisation provides sufficient resources for all employees to comply with their data protection duties.

General Manager / Data Protection Officer

Monitors compliance with data protection laws and internal policies. Reviews data protection, retention and records management policies and makes recommendations to the Managing Director. As DPO, also cooperates with the supervisory authority and provides regular reporting on operational and strategic risk.

Facilities & Compliance Manager

Refers to external legal advisers as appropriate, investigates data incidents and reports findings to the Managing Director, advises on data protection impact assessments, and oversees records management and employee training.

All Employees

Every employee is responsible for collecting, storing and processing personal data in accordance with data protection laws and this policy; keeping data secure; using personal data only for contracted duties; and completing mandatory training.

11. Penalties for Non-Compliance

ESP recognises the severity of failing to comply with data protection laws and respects the Information Commissioner's authority to impose fines and penalties where there is a failure to comply or to mitigate known risks.

Type of Breach: Breaches of basic processing principles, conditions for consent, data subject rights, international transfers, or non-compliance with an ICO order
Maximum Fine: Up to £17.5 million or 4% of total worldwide annual turnover of the preceding financial year — whichever is higher

12. Policy Review

This policy will be reviewed and updated at a minimum every two years, or sooner where necessary to reflect best practice, relevant case law, or changes to data protection legislation.

13. Contact Us

If you have any questions about this policy or wish to exercise your data subject rights, please get in touch:

Address

Evesham Specialist Packaging
Unit 1, Orchard Industrial Estate
Toddington, Cheltenham
GL54 5EB