At ESP Solicitors Ltd, we are committed to keeping your personal and business information safe. This is our privacy notice, in which we tell you honestly how we use and look after your personal data. This privacy notice tells you what to expect us to do with your personal information if you choose to share it with us: this could be if you use our services or products or use our website. We will tell you what information we collect about you; how we use this data; with whom we share it; and how we store it and keep it safe. 

Please use the Glossary to understand the meaning of the terms used in this privacy notice. 

We may update our privacy notice from time to time. We will communicate significant updates to you via email if we have your email address. You can also check this page for recent updates. If you would like a pdf version of this privacy notice, email [email protected]  

We last updated this privacy notice in October 2025. 

Who we are 

We are ESP Solicitors Limited (ESP Solicitors). We are a specialist employment law firm offering a full range of employment-related legal services. 

ESP Solicitors is proud to be part of the WorkNest family, a family of specialist companies in Axiom GRC, dedicated to helping businesses thrive by providing expert support across key operational areas. As part of Axiom GRC, we bring together the most gifted practitioners in people management, health, safety and wellbeing, employment law, professional training, and business technology. We are proud to offer a broader range of services to help protect and nurture organisations of every size. 

ESP Solicitors Ltd is a company registered in England and Wales with company number 0514550 and whose registered office is at 20 Grosvenor Place, London, England, SW1X 7HN. 

ESP Solicitors is the data controller of personal information we collect. ESP Solicitors is registered with the Information Commissioner’s Office as a data controller under reference Z8729580. 

ESP Solicitors is also the data controller of information processed by ESP Safeguard Ltd. ESP Safeguard Ltd is a company registered in England and Wales with company number 07832239 and whose registered office is at 20 Grosvenor Place, London, England, SW1X 7HN. This privacy notice also applies to data processed by ESP Safeguard Ltd. 

We have appointed a Data Protection Officer. For any queries, concerns, or complaints you may have about how ESP Solicitors collects, uses or stores your personal information a data controller, you can contact our Data Protection Officer, Bryony Hayter at [email protected]  

Or you can write to: 

Bryony Hayter 
Data Protection Officer 
ESP Solicitors 
68 Milton Park 
Abingdon 
Oxfordshire 
OX14 4RX 

Your legal rights 

As a data subject, under UK data protection law you have the right to: 

• Access: ask for copies of all information we have about you 

• Rectification: ask us to correct personal information you think is wrong. You also have the right to ask us to complete information you think is incomplete 

• Erasure: ask us to delete your personal information 

• Restriction of processing: ask us to limit the processing of your personal information 

• Objection to processing: say no to the processing of your personal information 

• Data portability: ask that we transfer the personal information you gave us to another organisation, or to you 

• Withdraw consent: if ESP Solicitors has asked your consent to use your data for a particular reason, you have the right to take back that consent so that ESP Solicitors cannot use your data like that in the future. However if you choose to withdraw your consent this will not change anything that ESP Solicitors has used your data for in the past with your consent. 

You can choose to use any of these rights for free by contacting us at [email protected], or writing to us at our address (see ‘Who we are’) with your request. 

ESP Solicitors has one calendar month to respond to you from the time we receive your request. ESP Solicitors does not have to agree to carry out your request, but if we do not agree we have to tell you why. 

Keeping your information safe 

It is your choice to share your personal information with us and you do so at your own risk. We take information security seriously at ESP Solicitors. We work hard to make sure that your personal information is looked after securely, and that we only process data in the ways that we say we do in this privacy notice. We put in place ways to protect personal data against unauthorised access, alteration, or disclosure. 

We make sure that your personal information is only seen by people who need to access it to do their job. We check who has access to all personal information regularly. 

Our staff complete data protection and cyber security training so that they know how best to look after your personal information. 

However, even though we are very careful we can never 100% guarantee the security of any information you give to us. If you are not happy or have concerns about how we look after your personal information, please contact our Data Protection Officer at [email protected]. 

Legal basis for using your information 

Under UK data protection law we must have what is known as a legal basis for collecting and using your information. There are six legal bases, sometimes known as lawful bases: 

• Consent: your permission. 

• Performance of a contract: when we deliver the services you have requested. 

• Legitimate interests: see the next section of our privacy notice. 

• Vital interest: to save a life. 

• Legal requirement: when we comply with UK law. 

• Public interest: when data processing is beneficial for public good.

   

For business clients 

What information do we collect? 

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data). 

We may collect, use, store and transfer different kinds of personal data about you, which we have grouped together as follows: 

• Identity data includes first name, last name, username or similar identifier, title, date of birth and gender. 

• Contact data includes billing address, email address and telephone numbers.  

• Company information: company name, postcode, number of employees. 

• Financial data includes bank account and/or payment details. 

• Transaction data includes details of services we have provided to you. 

• Engagement data: webinars you have attended, interactions with emails. 

• Technical data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website. 

• Profile data includes your username and password, downloads made by you, your interests, preferences, feedback and survey responses. 

• Usage data includes information about how you use our website and services. 

• Marketing and communications data includes your preferences in receiving marketing from us and your communication preferences. 

We also collect, use and share aggregated data such as statistical or demographic data for any purpose. Aggregated data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your usage data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect aggregated data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy notice. 

Sometimes, we will ask you to provide special category data to us if necessary so that we can provide the best service to you. We will take particular care to process special category data securely and will process it in keeping with the contract in place between us. 

How do we collect information, and why do we have it? 

We use different methods to collect data from and about you including through: 

• Direct interactions. You may give us your identity, contact and financial data by filling in forms or by corresponding with us by post, phone, email or otherwise. This includes personal data you provide when you: 

• Communicate with us about, or enter into a contract for, our services; 

• Create an account on our website; 

• Subscribe to our service or publications; 

• Download any resource available on our website; 

• Request marketing to be sent to you;  

• Seek advice as part of contracted services; or 

• Give us some feedback. 

• Automated technologies or interactions. As you interact with our website, we collect technical data about your equipment, browsing actions and patterns. We collect this personal data by using cookies, server logs and other similar technologies. Please see our cookie notice for further details. 

• Third parties or publicly available sources. We receive personal data about you from various third parties and public sources as set out below: 

• Technical data from analytics providers, such as Google, based inside and outside the EU; 

• Contact, financial and transaction data from providers of technical, payment and delivery services based inside the EU; 

• Identity and contact data from publicly available sources such as Companies House and the Electoral Register based inside the EU. 

• Identity and contact data from publishers of business information.

   

How do we use personal information? 

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances: 

• Where we need to perform the contract we are about to enter into or have entered into with you. 

• Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests. 

• Where we need to comply with a legal or regulatory obligation. 

• Where you provide your consent to us. 

We have set out below, in a table format, a description of all the ways we plan to use your personal data, and which of the legal bases we rely on to do so.  

Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please email [email protected] if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below. 

Opting out 

You can ask us or third parties to stop sending you marketing messages at any time by contacting [email protected] Where you opt out of receiving these marketing messages, this will not apply to personal data provided to us as a result of any use you make of ESP Solicitors’ services, which we will continue to process pursuant to the contractual obligations between us. 

Do we process children’s information? 

ESP Solicitors may collect children’s information where a child is concerned in a legal case on which we are advising in the course of carrying out services for our client. ESP Solicitors is committed to protecting children’s personal data. All information relating to a child’s welfare is handled in strict accordance with data protection legislation, including the UK GDPR and the Data Protection Act 2018. 

Key measures include: 

• Lawful and limited collection: information is only collected where necessary to fulfil safeguarding obligations or respond to incidents, and always with a clear lawful basis. 

• Secure storage and access controls: records are stored securely, with access restricted to authorised personnel involved in safeguarding or incident management. 

• Confidentiality and sharing protocols: information is shared only when essential for safeguarding purposes, and in line with statutory guidance and multi-agency protocols. 

• Retention and disposal: data is retained only for as long as necessary and disposed of securely in accordance with the company’s data retention policy. 

• Training and awareness: Staff handling children’s information receive regular training on safeguarding, confidentiality, and data protection responsibilities. 

These safeguards ensure that children’s rights and welfare are prioritised while ESP Solicitors to meet its legal and ethical duties. 

What if you fail to provide personal data? 

Where we need to collect personal data by law, or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with goods or services). In this case, we may have to cancel a product or service you have with us but we will notify you if this is the case at the time. 

How long do we keep your information? 

We will only keep your personal information for as long as we need it to deliver services to you, and for as long as UK legislation tells us we must keep it. 

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. 

In some circumstances we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you. 

Do we share your information? 

ESP Solicitors will never sell, rent or lease your personal information, or insights generated from your information. 

We will sometimes share your information within the Axiom GRC group. These companies are also all backed by Inflexion and provide different, and complementary, aspects of the services that ESP Solicitors as a whole provides to its clients. 

We will sometimes share your information with trusted external third parties, including: 

• Service providers, acting as processors, who provide IT and system administration services such as email management platforms, online surveys and client relationship management systems. 

• Professional advisers, acting as processors, including lawyers, bankers, auditors and insurers based within the United Kingdom who provide consultancy, banking, legal, insurance and accounting services. 

• HM Revenue & Customs, regulators and other authorities in the United Kingdom who require reporting of processing activities in certain circumstances. 

These organisations will not use or process your information for any purpose other than what we have asked them to do. 

In some exceptional circumstances, we may need to share your personal information to protect you or someone else. We will share as little information as is needed, and we will share it in a way that keeps it safe. 

Here are the reasons we may need to share your personal information:  

• We are told to by law. We may need to give personal information to the police, legal advisors, professional regulators, or safeguarding agencies. 

• You are at risk of serious harm, neglect, death or threat to personal safety. 

• You tell us that someone else is at risk of serious harm, neglect, death or threat to personal safety. 

• We believe a crime is happening or may happen if nothing is done to stop it. This includes financial fraud.

   

Do we send your information outside of the UK? 

Where possible, we keep your personal information inside the UK. However, we share your information with companies that work for us as processors that process and store information outside of the UK and Europe. 

When this is the case, we make sure that we have a lawful method of transferring your data, and that your personal information is safe and that the organisation that works for us is obeying UK data protection law, even if it is based outside the UK. 

For more information, contact our Data Protection Officer at [email protected]. 

For individuals whose personal data is processed in the course of client services 

How do we use your data? 

If you are an employee or former employee of our client, we may process your personal data in the course of providing contracted services to our client. We will use your personal data to provide legal services and advice to our clients, as an authorised and regulated provider of legal services. We may use your personal data to: 

• Gather, review, draft and disclose correspondence, evidence and other documents 

• Form an opinion, position or defence. 

The legal basis we use for processing your data is often performance of a contract. If you are a witness or providing evidence, then we or our client may also seek your consent. 

We may also have a legal obligation to process or share your personal data with legal authorities or our regulator the Solicitors Regulation Authority (SRA). 

What data do we process? 

• Name and contact details (e.g. address, phone number, email address) 

• Employment history (e.g. job titles, dates of employment, roles and responsibilities) 

• Workplace performance data (e.g. appraisals, disciplinary records) 

• Contractual information (e.g. terms of employment, changes of contract, pay, benefits) 

• Correspondence and HR records (e.g. emails, grievance, or disciplinary letters) 

The following are special categories of data: 

• Health, including disability 

• Sexual orientation 

• Sex life 

• Racial or ethnic origin 

• Trade union membership 

• Political affiliation 

• Religious or philosophical beliefs 

Do we share your data? 

We may share your data with the following individuals or organisations: 

• ESP solicitors or paralegals acting on instructions from clients. 

• Data Protection Officer for ESP Solicitors for the purpose of acting on subject requests or investigating complaints. 

• Compliance Officer for Legal Practice for the purpose of investigating complaints. 

• Our client. 

• Witnesses for the purpose of employment tribunal hearings. 

• Counsel instructed by ESP Solicitors to represent our client. 

• Employment Tribunals. 

• The Employment Appeal Tribunal. 

• The Solicitors Regulation Authority. 

• Providers of technical applications and software. 

In some exceptional circumstances, we may need to share your personal information to protect you or someone else. 

Here are the reasons we may need to share your personal information under these circumstances:  

• We are told to by law. We may need to give personal information to the police, legal advisors, professional regulators, or safeguarding agencies.  

• You are at risk of serious harm, neglect, death or threat to personal safety.  

• You tell us that someone else is at risk of serious harm, neglect, death or threat to personal safety.  

• We believe a crime is happening or may happen if nothing is done to stop it. This includes money laundering and financial fraud.

   

How long do we keep your data? 

The later of:  

• The duration of the contract with the client; or 

• For seven years after the last act about which there has been a complaint and/or from any threat or the conclusion of legal proceedings.

   

Do we send your data outside of the UK?

Where possible, we keep your personal information inside the UK. However, we share your information with companies that work for us as processors that process and store information outside of the UK and Europe.  

When this is the case, we make sure that we have a lawful method of transferring your data, and that your personal information is safe and that the organisation that works for us is obeying UK data protection law, even if it is based outside the UK. 

Complaints 

For any queries, concerns, or complaints you may have about how ESP Solicitors collect, use or store your personal information, you can contact our Data Protection Officer at [email protected]. 

Or you can write to: 

Data Protection Officer 

ESP Solicitors 

68 Milton Park 

Abingdon 

Oxfordshire 

OX14 4RX 

If we cannot resolve the issue, you can also make a complaint to the Information Commissioner’s Office (ICO: the UK supervisory authority for data protection): 

Information Commissioner’s Office 
Wycliffe House 
Water Lane 
Wilmslow 
Cheshire 
SK9 5AF 

ICO helpline number: 0303 123 1113 

ICO website: ico.org.uk 

Glossary 

Anonymise: to change data so that it cannot be linked to an individual person. 

Cookie: a small file of information – like a username or password – that are stored on your device and identify the user. Cookies are used to work out what to show you, improving your web experience. 

Consent: permission, usually only valid when you have been told exactly what you are consenting to. One of the ways that processing data can be justified under data protection law. 

Contractual performance: the data processing needed to carry out an agreement with an individual. One of the ways that processing data can be justified under data protection law. 

Data Controller: an organisation (or person) that makes decisions about how and why data is processed. 

Data minimisation: collecting the smallest amount of personal data that you need. 

Data Processor(s): an organisation (or a person) that carries out the instructions of the Data Controller and processes data on behalf of the Data Controller. 

Data Protection Officer: a person who is an expert in data protection and looks after the interests of the data subject. 

Data subject: the individual whose personal data is being processed. 

Encrypted: encryption allows information to be hidden so that it cannot be read without special knowledge (such as a password). This is done with a secret code or cypher. The hidden information is said to be encrypted. 

Generative artificial intelligence (also generative AI or GenAI): is artificial intelligence capable of generating text, images, or other media, using generative models. Generative AI models learn the patterns and structure of their input training data and then generate new data that has similar characteristics. 

Information Commissioner’s Office (ICO): the UK’s independent body set up to uphold information rights. The ICO has the power to investigate organisations which do not obey Data Protection laws. 

Joint Controllers: two or more Data Controllers who together decide how and why data is processed. 

Legal/lawful basis/bases: six reasons recognised by UK GDPR for processing personal information. 

Legitimate interests: a strong reason (or reasons) for a Data Controller to process data for no other reason than that it is beneficial to the Data Controller if it does not have an adverse effect on the data subject. This is one of the ways that processing data can be justified under GDPR law, although whenever a Data Controller relies on it, they should have a written decision called a Legitimate Interest Assessment. 

Personal information: any information about a real, living individual. For example, name, telephone number, address, health conditions, or qualifications. Information about organisations, such as annual turnover, is not personal information. Information about individuals working at organisations – for example, a business email address, or a job title – is personal information. 

Privacy notice: a publicly displayed explanation of how organisations process data. 

Purpose limitation: one of the principles of GDPR – personal data should only be used for the reasons it was collected. 

Public interest: beneficial for the public. One of the ways that processing data can be justified under GDPR law. 

Retention schedule: a table of how long organisations should store data. 

UK GDPR: UK General Data Protection Regulation. This is a law designed to protect personal data stored on computers, or in an organised paper filing system. This law is the UK version of a law that is applied across many European countries.