DLP — Direct Law & Personnel
Protecting your privacy

DLP Privacy Notice for Clients and Client Employees

Last Updated: 30 June 2026

1. Introduction and Scope

DLP (“we”, “us”, “our”) provides expert Employment Law and HR consultancy services to businesses and organisations (our “Clients”). This Privacy Notice explains how we collect, use, store, and share personal information about individuals in the context of our professional B2B services.

This notice applies to:

  • Client Contacts: Individuals at our client organisations with whom we interact for service delivery, administration, and business management.
  • Client Employees: Individuals employed by our Clients, whose personal data we process on behalf of our Client to deliver our contracted services (e.g., HR advice, payroll, tribunal representation).

In this B2B context, our Clients are typically the primary Data Controllers, and we act as a Data Processor for much of the client employee data we handle. We also act as a Data Controller for our direct Client Contacts and for the management of our business relationship with the Client. This notice outlines our practices in both capacities.

2. Information We Collect

The types of personal data we process vary depending on our role and the specific service.

For Client Contacts (B2B Relationship Data), we may process:

  • Contact & Identity Data: Name, job title, business email address, business phone number, company address.
  • Professional & Interaction Data: Records of our communications, meeting notes, service preferences, feedback, and correspondence related to our consultancy.
  • Financial & Administrative Data: Billing address, payment details, and records of services purchased.

For Client Employees (HR & Employment Data), we may process on behalf of our Client:

  • Personal & Contact Details: Name, home address, personal email, phone number, date of birth, and national identifier (e.g., National Insurance number).
  • Employment & Work History: Job title, role, grade, start date, length of service, salary, working hours, performance reviews, disciplinary and grievance records, and training history.
  • Recruitment Data: CVs, application forms, interview notes, assessment results, and references.
  • Absence & Medical Information: Sickness absence records, reasons for absence, occupational health reports, and information about disabilities or health conditions (where relevant for reasonable adjustments or legal compliance).
  • Payroll & Financial Data: Bank account details, tax codes, student loan deductions, pension information, and other payroll-relevant data.
  • Special Category Data: In certain circumstances (e.g., for equal opportunities monitoring or reasonable adjustments), we may process data revealing racial or ethnic origin, religious beliefs, or health information.
  • CCTV: Images captured by CCTV at our premises, which are retained for a limited period (typically 24 hours) for security purposes.

3. How and Why We Use Personal Data

We process personal data for clear, legitimate business purposes:

  • To Deliver Our Services: To provide expert HR and employment law advice, develop policies, manage payroll, handle employee relations cases, and represent Clients in legal proceedings (e.g., employment tribunals).
  • For Business Administration: To manage our client relationship, send invoices, process payments, and handle general communications.
  • For Legal Compliance: To comply with our legal and regulatory obligations, including those related to employment law, health and safety, and anti-money laundering.
  • To Defend Legal Claims: To establish, exercise, or defend legal claims on behalf of our Clients or ourselves.
  • For Service Improvement: (Based on legitimate interest) To analyse service usage, gather feedback, and improve our consultancy offerings.

4. Our Lawful Bases for Processing

We process personal data under the following lawful bases, as defined in the UK GDPR:

  • Contractual Necessity: Processing is necessary for the performance of our contract with the Client, or to take steps at the Client’s request before entering into a contract.
  • Legal Obligation: Processing is necessary for compliance with a legal obligation to which we are subject (e.g., tax, employment, or health and safety law).
  • Legitimate Interests: Processing is necessary for our legitimate business interests (e.g., managing our business, preventing fraud, and improving our services), provided such interests are not overridden by your data protection rights.
  • Explicit Consent: In limited cases, where we require your specific consent for processing (e.g., for obtaining a medical report from your GP). You have the right to withdraw this consent at any time.
  • Vital Interests: In rare, exceptional circumstances where processing is necessary to protect someone’s life.

For Special Category Data, our additional lawful bases are typically:

  • Employment Law Obligations: Carrying out obligations and exercising specific rights in the field of employment law.
  • Legal Claims: Establishing, exercising, or defending legal claims.
  • Explicit Consent: Where we have obtained your specific, unambiguous consent.

5. Data Sharing and Disclosure

We share personal data with trusted third parties only as necessary to deliver our services and manage our business.

We may share data with:

  • Legal and Professional Advisers: Barristers, solicitors, and other legal bodies to support legal proceedings or obtain specialist advice.
  • Insurance Providers: Our professional indemnity insurers and brokers (often on an anonymised basis).
  • Medical Professionals: With your explicit consent, to obtain reports for occupational health purposes.
  • Third-Party Service Providers: IT support, cloud storage providers, payroll software providers, and other subcontractors who process data on our behalf (under strict contractual agreements).
  • Regulatory Authorities: If required by law or to comply with a regulatory investigation (e.g., HMRC, Information Commissioner’s Office).
  • Our Client (the Employer): We regularly share client employee data with our Client as part of our service delivery and advisory role. When we act as a Processor, we do so under our Client’s instructions.

We do not sell or rent personal data to third parties for marketing purposes.

6. International Data Transfers

We primarily store and process personal data within the United Kingdom. If we need to transfer data to a country outside the UK, we will ensure appropriate safeguards are in place, such as using contracts based on the UK’s International Data Transfer Agreement (IDTA) or ensuring the recipient country has an adequacy decision.

7. Data Security

We take the security of your data seriously. We have implemented appropriate technical and organisational measures to protect personal data against unauthorised access, accidental loss, alteration, or destruction. These measures include access controls, secure IT infrastructure, staff training, and a strict approval process for any external data sharing.

8. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements.

  • For Client Employee Data (when acting as Processor): We retain data in line with our Client’s instructions and our Data Retention Policy. Typically, this is for a period of six years following the end of the employment relationship for core HR files, or shorter periods for specific records (e.g., 3 years for medical/salary info; 6 months for unsuccessful job applications).
  • For Client Contact and Business Data: We retain this information for the duration of our active business relationship and for a reasonable period thereafter (usually up to 7 years) to manage any post-relationship queries, for audit purposes, or as required by law.

When we act in an advisory capacity only, we will return client employee data to our Client and securely delete our copies after the completion of the advice, unless we have a legal basis to retain it.

9. Your Data Protection Rights

Under UK data protection law, individuals have the following rights, subject to certain conditions and exemptions:

  • Right of Access: You can request a copy of the personal data we hold about you.
  • Right to Rectification: You can ask us to correct inaccurate or incomplete data.
  • Right to Erasure: You can ask us to delete your personal data in certain circumstances.
  • Right to Restriction: You can ask us to restrict the processing of your data in specific situations.
  • Right to Object: You have the right to object to processing based on our legitimate interests or for direct marketing.
  • Right to Data Portability: You can request a copy of your data in a structured, machine-readable format in certain cases.
  • Right to Withdraw Consent: Where we rely on your consent, you have the right to withdraw it at any time.

To exercise any of these rights, please contact us using the details provided below. We will respond to your request within one month.

10. Contact Us

For any questions, concerns, or to exercise your data protection rights, please contact our Data Protection Officer:

Levi Liebling
Email: levi@dlp.org.uk
Phone: 0330 400 4454

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO):

Website: https://ico.org.uk/concerns/
Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.

Schedule 1: Types of Data Processed (Illustrative)

Please note this list is not exhaustive.

  • Identity Data: Name, title, date of birth, gender, marital status, national insurance number, passport/visa details.
  • Contact Data: Home address, work address, email addresses, telephone numbers.
  • Employment Data: Job title, role, grade, employment history, start/end dates, salary, benefits, working hours, location.
  • Recruitment Data: CV, application, interview notes, assessments, references.
  • Performance & Conduct Data: Performance reviews, appraisals, disciplinary/grievance records, warnings.
  • Absence Data: Sickness records, reasons for absence, maternity/paternity leave.
  • Health Data: Medical conditions, disabilities, adjustments, occupational health reports.
  • Payroll Data: Bank details, tax codes, HMRC notices, pension information.
  • CCTV & Security Data: Images from building CCTV and security access logs.
  • Audio/Video Data: Recordings from interviews (with consent).

Also see DLP Cookie Notice.