
Evesham Specialist Packaging - Data Protection Policy

Policy Statement

Evesham Specialist Packaging Limited (or ESP in future references) needs to collect personal information to effectively carry out our everyday functions and activities and to provide our products and services. Such data is collected from employees, customers, suppliers and clients and includes (but is not limited to), name, address, email address, date of birth, IP address, identification numbers, private and confidential information, sensitive information and bank/credit card details.

In addition, we may be required to collect and use certain types of personal information to comply with the requirements of the law and/or regulations, however we are committed to processing all personal information in accordance with the General Data Protection Regulation (GDPR), UK data protection laws and any other relevant data protection laws and codes of conduct (collectively referred to as "the data protection laws").

ESP is committed to ensuring and maintaining the security and confidentiality of personal and/or special category data and all colleagues are responsible for handling data in accordance with this policy.

Scope

The purpose of this policy is to ensure compliance with the Data Protection Act (DPA) 2018 and General Data Protection Regulation (GDPR) (EU) 2016/679 which govern any processing of information about living individuals and the rights those individuals have relating to this information. This legislation covers all personal information held in both electronic form and manual form.

ESP is both a controller and processor of personal data. This policy applies to all parts of ESP and to all personal data held and processed by the organisation. This includes data held in any system or format, whether electronic or hard copy.

Adherence to this policy is mandatory for all employees of ESP whether permanent, fixed term or temporary, reviewers, any third-party representatives or sub-contractors, agency workers, volunteers, interns and agents engaged with ESP in the UK or overseas. Non-compliance could lead to disciplinary action.

Categories of data

For the purpose of information categorisation, ESP applies the GDPR definitions of "personal data" and "special category data", as follows:

"Personal data"

Any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as:
  • a name
  • an identification number
  • location data
  • an online identifier, or
  • one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

"Special Category data"

Personal data revealing or relating to an identifiable natural person's:
  • racial or ethnic origin
  • political opinions
  • religious or philosophical beliefs
  • trade union membership
  • genetic data, or biometric data processed for the purpose of uniquely identifying a natural person
  • data concerning health, or
  • data concerning a natural person's sex life or sexual orientation.

ESP ensures that personal data falling within the GDPR's "special categories" is handled with a particularly high level of care, due to the assumption that this type of information could be used in a negative or discriminatory way and is of a sensitive, personal nature to the persons it relates to. The processing of special category data by ESP is kept to the minimum necessary to enable us to perform our functions.

Data protection principles

Article 5 (2) of the GDPR requires that ESP, its employees and others who process or use any personal information shall be responsible for, and be able to demonstrate, compliance with the data protection principles.

The data protection principles state that personal data should be:

ESP's policy is that the processing of all personal data should be safe, secure, ethical and transparent, and we have procedures in place to enable data subjects to exercise their rights.

Records of processing where ESP is a Data Controller or Data Processor

Where we act either in the capacity as a data controller or in the capacity as a data processor (or a representative), our internal records of the categories of processing activities carried out will contain the following information:

External certification

ESP is certified by the British Assessment Bureau to ISO 27001:2017, the international standard on how to manage information security, demonstrating that we are committed to and actively managing our data security provisions in line with international best practice.

Third-party processors

ESP utilises external processors for certain processing activities. We use information audits to identify, categorise and record all personal data that is processed outside of ESP, so that the information, processing activity, processor and legal basis are all recorded, reviewed and easily accessible. Such external processing may include (but is not limited to):

We have due diligence procedures and measures in place and review, assess and background check all processors prior to forming a business relationship. In the course of these checks, we may obtain company documents, certifications and references to ensure that the processor is adequate, appropriate and effective for the task we are employing them for.

We ensure that Service Level Agreements (SLAs) and contracts containing appropriate compliance obligations are in place with all data processors via the contract approval process. Processors are notified that they must not engage another processor without our prior specific authorisation and any intended changes concerning the addition or replacement of existing processors must be done in writing, in advance of any such changes being implemented.

It is the responsibility of the contract manager to ensure that each of the processing activities specified in the contract are monitored, audited and reported on.

Data Subject Rights

The rights given to data subjects under Data Protection legislation are:

Under Data Protection Regulation legislation, data subjects have the right of access to their personal data held by QAA.

Any individual who wishes to exercise this right can do so verbally or in writing by contacting the General Manager.

Data Governance

Employee personal data

We do not use consent as a legal basis for obtaining or processing employee personal information. Our HR policies have been updated to ensure that employees are provided with the appropriate information about how we process their data and why.

Privacy Notice

ESP's Privacy Notice tells you what to expect when ESP collects personal information to meet our legal, regulatory, statutory and contractual obligations and to provide members, customers and stakeholders with information, either about our products and services or about matters of public interest.

There is a separate Privacy Notice - Our Colleagues which informs ESP employees, reviewers, contractors, board and committee members of their rights under the data protection laws and how to exercise these rights and details the personal information we collect and process about them.

Data storage

Information and records relating to data subjects will be stored securely and will only be accessible to authorised employees. Information will be stored for only as long as it is needed or in accordance with the required statute and will be disposed of appropriately.

Data accuracy

ESP takes reasonable steps to ensure that this information is kept up to date by asking data subjects whether there have been any changes.

Audits & monitoring

Regular internal audits are completed independently by our outsourced IT provider. We also have compliance monitoring processes with a view to ensuring that the measures and controls in place to protect data subjects and their information are adequate, effective and compliant at all times. ESP is accountable to the Audit and Risk Committee, and ultimately to the Board, in respect of compliance with this policy.

Training

ESP is committed to a staff awareness programme ensuring that new and existing employees are trained, assessed and supported in a variety of ways to discharge their data protection responsibilities, including online and virtual induction with a test at the end of each module.

Penalties for non-compliance

ESP understands its obligations and responsibilities under the data protection laws and recognises the severity of breaching any of these. We respect the Information Commissioner's authority to impose and enforce fines and penalties where there is a failure to comply with regulations, a failure to mitigate the risks where possible, or operation in a knowingly non-compliant manner.

Employees should note the severity of such penalties and their proportionate nature in accordance with the breach, including the following:

Type of Breach: Breaches of the basic principles for processing, conditions for consent, the data subjects' rights, the transfers of personal data to a recipient in a third country or an international organisation, specific processing situations, or non-compliance with an order by the Information Commissioner.

Maximum Fine: Administrative fines up to £17.5 million or 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.

Roles and responsibilities

As a Data Controller (or when acting as a joint Data Controller or a Data Processor), ESP has a company responsibility for the following:

Roles and responsibilities are defined as follows:

Managing Director

ESP is a Data Controller, and the Managing Director is responsible for ensuring that the requirements of "data protection laws" are met and the organisation provides sufficient resources to enable the company and all employees to comply with their data protection duties.

General Manager

The General Manager monitors compliance with "data protection laws" and with internal policies relating to data protection auditing. The General Manager also reviews data protection, retention and records management policies and makes recommendations to the Managing Director.

Data Protection Officer (DPO)

ESP's DPO is the General Manager, who is responsible for:

Facilities & Compliance Manager

Employees

It is the responsibility of all employees to:

Policy Review

This policy will be updated as a minimum on a two-yearly basis or as necessary to reflect best practice, relevant case law, and to ensure compliance with any changes or amendments to Data Protection legislation.
