Who processes your personal data

Your personal data may be processed by any of the following parties:

  • A company within the Castle Water group of companies which as at the date of this notice includes
    • Castle Water Limited (company number C475583)
    • Castle Water (Southern) Limited (company number 09933767)
    • Castle Water (South East) Limited (company number 03037009)
    • Castle Water (Scotland) Limited (company number SC448118)
  • Market Operator Services Limited, (company number 09276929) whose registered office is at White Building, 1-4 Cumberland Place, Southampton, England, SO15 2NP ("MOSL”). MOSL is owned by all the water companies, both wholesalers and retailers, who trade in the competitive market;
  • Third Party data processors, these being other organisations that process data on behalf of the Castle Water group or any of the other parties, or with whom data is shared, as outlined in this privacy notice.

Scope of this Notice

This notice applies to the treatment of any information that could be used to identify an individual and which is collected by the Castle Water group, via direct interactions with you and through use of market information maintained MOSL.

The protection of personal data is very important to us, and we understand our responsibilities to handle personal data with care, to keep it secure and to comply with legal requirements.

This notice is not intended to override the terms of any contract that any customer may have with a Castle Water group company (or any rights they might have available under applicable data protection laws).

What personal information do we collect?

We collect information about you when you sign up for quotes, when you become our customer or when you make contact with us including any complaints.

The personal data we process for the provision of services, including, as applicable, for managing customer accounts including:

  • contact and communication details, including full names, email address, address, telephone number, job title, the organisation/business that a person works for, log-in details, records of any communications whether written or spoken; and
  • billing information, including billing address, and information relating to credit ratings or credit scores; and
  • account details and supply point details, including customer classifications including unique identifiers, meter information or Market consumption data.

We comply with the data minimisation principles of data protection laws and we will not collect any personal data that we do not need in order to provide services and related matters.

In respect of customers, we do not typically collect any special categories of personal data, such as details relating to health, in the general course of providing services to customers, unless essential and only when we have an appropriate legal basis to do so. Occasionally, we may hold information indicating that for example, due to health needs, a customer is a priority for reconnection if there is an interruption to the water supply.

How do we use your information?

We have to establish a lawful basis to use personal data, so we will make sure that we only use personal data for the purposes set out above, where we are satisfied that:

  • our use of personal data is necessary to perform a contract with that individual or take steps to enter into a contract with that individual;
  • our use of personal data is necessary to support 'Legitimate Interests' that we are responsible for the provision of water and sewerage services and the general operation of the non-household water market, are required under the market codes and our licence to undertake, including the billing and administration of these.
  • our use of your personal data is necessary to comply with a relevant legal or regulatory obligation that we are subject to (e.g. to comply with Ofwat, Defra or the Information Commissioner’s Office (“ICO”) requirements);

We control and process your data to fulfil contractual obligations, but also for wider reasons such as water and energy efficiency. We also use your data to ensure the prevention of fraud and dishonesty, and for the carrying out of analytics across our datasets.

Before collecting and/or using any special categories of personal data we will establish an additional lawful basis to those set out above which will allow us to use that information. This additional exemption will typically be:

  • for the establishment, exercise or defence by us or third parties of legal claims; or
  • where there is a specific exemption provided under Data Protection Legislation, such as substantial public interest;

Employees and other workers

We collect and maintain personal and sensitive information about employees, contractors and other workers we employ, as well as job applicants and former employees. This information includes name, contact details, gender, proof of identity, proof of qualifications, bank details, nationality, criminal records check, references, health questionnaire, next of kin.

As an employer, we use your data to fulfil our statutory obligations, such as paying salaries, tax, national insurance, health & safety in the workplace, which may also involve sharing information with third parties such as but not limited to: insurers, professional advisors, recruitment agencies, HMRC, DWP, pension and life assurance companies, and other relevant parties.

Information provided to us during the job application process will be retained by us as part of your employee file for the duration of your employment plus 6 years following the end of your employment. This includes your criminal records declaration, fitness to work, accidents at work, records of any security checks, references and eligibility to work in the UK.

If you are unsuccessful at any stage of the process, the information you have provided until that point will be destroyed and deleted from our records after 6 months. We do not collect more information than we need to fulfil our stated purposes and will not retain it for longer than is necessary. Some employee information may be processed by our payroll provider based in India.

Consent

We will not usually rely on consent as a lawful basis, however, where we do rely on consent as a lawful basis for processing personal data, you may withdraw their consent to such processing at any time. We will also make you aware that if you choose to do so, we may be unable to continue to provide certain services to you.

If you choose to withdraw your consent, we will tell you more about the possible consequences. The withdrawal of their consent in this circumstance shall not affect the lawfulness of the processing based on consent before the withdrawal.

Withdrawal of consent will not necessarily result in processing being stopped where consent was not the lawful basis for the processing.

Who Is Your Personal Data Shared With?

We will share personal data with third parties, to help manage our business and deliver services, as outlined below:

  • service providers who help manage our IT and back-office systems;
  • other water retailers, wholesalers and MOSL;
  • our regulators, including Ofwat, as well as law enforcement agencies in the United Kingdom and EU where applicable,
  • solicitors and other professional services firms (including our auditors);
  • service providers who enable us to communicate important information regarding the services across the non-household water retail market;
  • third parties, such as brokers, for the purposes of their provision of services to customers;
  • the Consumer Council for Water (CCWater);
  • Third-party data processors, such as consultancies, technology companies, and other data providers who can provide analytics and data enrichment across our datasets; and
  • other third parties, where authorised by law, such for the prevention of fraud, or with law enforcement or taxation authorities;
  • debt collection agencies;

We will supply your personal information to credit reference agencies (CRAs) and they will give us information about you, such as your financial history. We do this to assess creditworthiness and product suitability, check your identity, manage your account, trace and recover debts and prevent criminal activity. We will also continue to exchange information about you with CRAs on an ongoing basis, including your settled accounts and any debts not fully repaid on time. CRAs will share your information with other organisations. The identities of the CRAs, and the ways in which they use and share personal information, are explained in more detail at Experian.

Where is your personal data stored?

All the personal data we process is processed by our staff, and/or by selected third-party service providers, such as for the provision of IT services. As such it will be stored on our systems and in some cases at our premises, including those of our third-party service/data providers. Personal data may be stored using cloud-based services.

We take all reasonable steps to ensure that personal data is processed securely. Where data is shared with third parties a data processing or data-sharing agreement will be agreed upon between us and the third party.  We will not share personal data outside the EEA unless (a) it is a transfer to a country or organisation which is recognised by Data Protection Legislation as providing an adequate level of legal protection for your information, or (b) we have put in place appropriate contractual arrangements with the organisation with whom we are sharing your information on terms recognised under Data Protection Legislation as offering an adequate level of protection for your information. In those cases, you will have the right to ask us for more information about the safeguards we have put in place as mentioned above (e.g. to request a copy where the safeguard is documented, which may be redacted to ensure confidentiality).

How long do we keep it?

We will retain Personal Data in line with our data retention policy, and for no longer, than is necessary for the purposes listed in this notice  In some circumstances we may retain personal data for longer periods of time where we are required to do so to meet legal, regulatory, tax or accounting requirements, in particular:

  • where it forms part of an audit trail on system use; and
  • so that we have an accurate record of your dealings with us in the event of any complaints or challenges, or if we reasonably believe there is a possibility of legal action relating to your personal data or dealings.

However, in each case, this shall not exceed a period of six years from the date of the last correspondence with you. Where your personal data is no longer required, we will ensure it is securely deleted in a way that means it will no longer be used by the business.

Your rights explained

Individuals have a number of rights in relation to their Personal Data. These are defined in more detail as follows:

Access

You can ask us to:

  • confirm whether we are processing your personal data;
  • give you a copy of that data;
  • provide you with other information about your personal data such as what data we hold, the purposes for which we use it, who we disclose it to, whether we transfer it abroad and how we protect it, how long we keep it for, what rights you have, how you can make a complaint, where we got your data from and whether we have carried out automated decision making or profiling, to the extent that information has not already been provided to you in this notice

Rectification

You can ask us to rectify inaccurate personal data. We may seek to verify the accuracy of the data before rectifying it.

Erasure / Right to be Forgotten

You can ask us to erase your personal data, but only where:

  • it is no longer needed for the purposes for which it was collected; or
  • you have withdrawn your consent (where the data processing was based on consent); or
  • it follows a successful right to object; or
  • it has been processed unlawfully; or
  • it is not necessary to comply with a legal obligation to which we are subject to.

We are not required to comply with your request to erase your personal data if the processing of your personal data is necessary:

  • for compliance with a legal obligation; or
  • for the establishment, exercise, or defence of legal claims.

Restriction

You can ask us to restrict (i.e. keep but not use) your personal data, but only where:

  • its accuracy is contested, to allow us to verify its accuracy; or
  • the processing is unlawful, but you do not want it erased; or
  • it is no longer needed for the purposes for which it was collected, but we still need it to establish, exercise or defend legal claims; or
  • you have exercised the right to object, and verification of overriding grounds is pending.

We can continue to use your personal data following a request for restriction, where:

  • we have your consent; or
  • establish, exercise or defend legal claims; or
  • to protect the rights of another natural or legal person

Objection

You can object to any processing of your personal data which has our 'legitimate interests' as its legal basis if you believe your fundamental rights and freedoms outweigh our legitimate interests. Once you have objected, we have an opportunity to demonstrate that we have compelling grounds to process it which override your rights, however, this does not apply as far as the objections refers to the use of personal data for direct marketing purposes.

Identity.

We take the confidentiality of all records containing personal data seriously and reserve the right to ask you for proof of your identity if you make a request;

Fees

We will not ask for a fee to exercise any of your rights in relation to your personal data, unless your request for access to information is unfounded, repetitive, or excessive, in which case we will charge a reasonable amount in the circumstances;

Timescales.

We aim to respond to any valid requests as soon as possible after receipt and within one calendar month. If we need longer to respond to your request, we will notify you of this within a month of your request, explaining the reasons for the delay. We will not extend the timeframe for our response for any more than an additional two months. We might ask you if you can help by telling us what exactly you want to receive or are concerned about. This will help us to action your request more quickly;

Exemptions.

Local laws, including in the United Kingdom, provide for additional exemptions, in particular to the right of access, whereby personal data can be withheld from you in certain circumstances, for example, where it is subject to legal privilege.

You have a right at any time to stop us from contacting you for marketing purposes. If you no longer wish to be contacted by us for marketing purposes, please let us know by email dpo@castlewater.co.uk.

You also have the right to ask for a copy of the information we hold about you via a Subject Access Request (SAR). Please see our SAR policy.

You also have the right to ask us to delete or correct any information we hold about you that is incorrect; to restrict the processing of your personal data; to object to the processing of your data. We will consider and evaluate all such requests received. Such requests should be made to: dpo@castlewater.co.uk

For information relating to Cookies please see our Cookies policy.

Links to other websites

This privacy notice does not cover the links within this site linking to other websites. We encourage you to read the privacy statements on the other websites you visit.

Changes to this privacy notice

We keep our privacy notice under regular review and in accordance with current legislation and guidance. We will notify any changes to this notice by posting on our website. This privacy notice was last updated on 23 September 2021.

Contacting us

If there are any questions regarding this privacy policy, please contact our Data Protection Team at: dpo@castlewater.co.uk 

Read further about your information rights from the Information Commissioner’s Office.