The purpose of this Privacy Notice is to make it easier for you to understand how we use and protect your personal data. Personal data is any data that can identify you either on its own or used with other data.
This Privacy Notice will help you understand your privacy rights, how and why we need to process your personal data, and how you can get in touch with us if you need to. Processing personal data involves any activity to do with that data, for example collection, storage, editing and deletion.
We’ve presented this information in different sections so you can access the information you need more easily. You’ll find our general privacy information under the headings below, with separate PDFs and links to cover the different types of individuals whose data we use.
We take your personal data privacy very seriously and we're committed to protecting your personal data by complying with the relevant privacy legislation. We encourage you to read each section thoroughly.
If we make any significant changes impacting your privacy, we'll make this clear on our website. Please remember to check from time to time.
Who are we and what is our role?
We’re Thames Water, the largest water and wastewater services provider in the UK. We are officially known as Thames Water Utilities Ltd (‘TWUL’) and we’re wholly owned by Kemble Water Holdings Limited.
We’re a "controller" of your personal data. This is a legal term – it means that we make decisions about how and why we process your personal data, and, because of this, we’re responsible for making sure it’s used in accordance with data protection laws.
We engage a number of external third-party companies that process your personal data on our behalf. These companies are referred to as ‘processors’. When we use processors, they’ll use your personal data on our behalf and only for the services and limited purpose that we instruct them to use it. When we use processors, we remain responsible, as a controller, for compliance with all data protection legislation.
Why do we process your personal data?
We’re required by law to always have a permitted reason or justification (called a “lawful basis” or “legal basis”) for processing your personal data.
Depending on the processing activity, we may use one or more of the following lawful bases for processing your data:
- Consent: where you’ve given your consent for the processing
- Contract: where processing is necessary for the performance of a contract.
- Legal obligation: where processing is needed to comply with our legal obligations.
- Vital interests: where processing is needed in order to protect your vital interests or those of another person.
- Public task: where processing is needed for us to perform a task in the public interest of for our official functions
- Legitimate interests: where processing is needed for our legitimate interests or those of a third party unless on balance, these are outweighed by the need to protect your individual rights
As a water undertaker, we have legal obligations to supply water, maintain water quality, promote water efficiency, maintain adequate drainage and raise charges in line with rules set by our regulators. These obligations include compliance with legislation such as the Water Industry Act 1991, tax laws, and consumer protection laws, as well as the need to provide information to law enforcement agencies or other authorities when we’re required to do so.
In order to comply with our legal obligations, we have a public task to keep reliable, accurate and up-to-date records of our customers’ and other stakeholders’ personal data, as well as any interactions with them related to these regulated services. We have a legitimate interest in processing information required to help us become more effective and efficient.
Where we’re delivering a contractual service to you outside our legal obligations or taking steps at your request prior to entering into a contract with you, we process your personal data on the legal basis of a contract.
We sometimes need to process sensitive (special category) data, such as medical details, when we’re carrying out public tasks that have a substantial public interest. We also process sensitive data for other tasks with the explicit consent of the customer or stakeholder.
What types of data do we process and what do we do with it?
We process the following types of data:
- Personal Data – Information that can be used to identify an individual, either directly on its own or in combination with other information such as a name, an identification number, location data, an online identifier.
- Special Categories of Personal Data – Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. Criminal conviction related data (about allegations, offences or sentencing) is also treated in a similar way.
- Pseudonymised – Personal data that has been processed in such a way that it can no longer be attributed to a specific person without the use of additional information. Such additional information must be kept carefully separate from personal data.
- Anonymised – Data in a form that does not identify individuals. Personal data, once it is anonymised, is no longer personal data.
- Aggregated – Statistical data about several individuals that has been combined to show general trends or values without identifying individuals within the data.
The personal data we collect and how we process it depends on our relationship with you – ie whether you’re:
- a household or non-household customer
- developing a site or property
- carrying out a property search
- a job applicant
- a visitor (to our website, offices, sites or events) or impacted by one of our vehicles
- one of our contractors or suppliers
Please read our appendices to find out more about the data we process for each of these categories.
Our Employee Privacy Notice can be accessed by our employees via our internal intranet.
Automated processing by means of robotics
We may use robotic process automation (RPA) to automate processes traditionally carried out by a human. These provide improvements in data accuracy, processing time and our process governance, as the robot will only follow a defined and agreed process. The type of work typically carried out by RPA is high-volume repeatable processes, which are logical, non-cognitive and usually part of a larger processing activity.
How do we collect your personal data?
In most cases, we’ll collect this information directly from you, for example:
- when you register with us and set up an account to receive our services
- when you contact us through our websites, by telephone (including interactive voice response), post, e-mail or any other means
- when you have a meter installed
- when you complete surveys we use for research purposes (although you are not obliged to respond to them)
- when you enter a competition or promotion
- when you make payments to us, through this website or otherwise
- when you use our services
We may collect this information from other sources, for example:
- when we receive your personal data from third parties, such as credit reference agencies or fraud prevention organisations and landlords, managing agents and previous occupiers
- when we collect publicly available information about you
How do we keep your personal data safe?
We take appropriate technical and organisational measures to prevent
- unauthorised or unlawful processing of personal data; and
- accidental or unlawful loss, alteration or destruction of, or unauthorised, disclosure of or access or damage to, personal data.
Your personal data is held in secure systems with controlled access and subject to cyber security measures, whether we’re processing it in our offices or sites or working from home. We also apply strict physical security at all our sites and offices.
We only choose third party service providers in line with company protocol, procedures and checks, and when we use them, we disclose only the personal information that is necessary to deliver the service provided.
All our employees must complete annual data protection training.
How long do we keep your information?
In line with our Retention Policy and Schedules, we take all reasonable steps to retain your information for only as long as is necessary for the provision of our services. For example, we keep telephone recordings of customer calls for up to 18 months, depending on the type of call. We adhere to the appropriate national standards and guidelines regarding data retention, eg for financial data. When we delete your personal data, we do so securely.
With whom do we share your data - and where does it go?
We only share information with third parties if we have a fair and lawful basis to do so, such as when:
- You’ve given us permission
- It’s in our legitimate business interests to do so
- We need to do so to discharge legal obligations and/or public functions
- We need to act to protect children and/or vulnerable adults
- A formal court order has been served upon us
- We are lawfully required to report certain information to the appropriate authorities, eg to prevent fraud or a serious crime
- It’s needed for emergency planning reasons, such as for protecting the health and safety of others
We use third party organisations to help us provide our services to you and with whom we share data. We have contracts in place with these third parties. This means that they can’t do anything with your personal information unless we’ve instructed them to do it. They won’t share your personal information with any other organisation unless they are instructed by us to do so. They will hold it securely and retain it for the period we instruct.
Some of the third parties with whom we share your data are based outside of the United Kingdom and, in some cases, outside the European Economic Area. In these cases, your data is protected by the special safeguarding measures set out by the data protection legislation i.e.
- our contracts with these third parties incorporate the standard contractual clauses adopted by the European Commission and UK authorities for this purpose; or,
- for [some] transfers to the U.S.A., the UK/EU-U.S. Privacy Shield; or
- the transfer is protected by the recipient’s binding corporate rule arrangements; or
- the recipient is in a country whose data protection laws are deemed by UK/EU authorities to provide adequate safeguard for transferred personal data without the need for additional safeguarding measures to be put in place.
We have published a list of the third parties with whom we share information.
What are your data privacy rights?
You have certain legal rights in relation to any personal data about you which we hold. These rights are summarised below.
|Individual rights||What this means|
|Informed||You can ask for details of how we process your personal data, as covered by this Privacy Notice.|
|Access||You can ask for a copy of the information that we hold about you.
If possible, you should specify the type of information you’d like to see to ensure that our disclosure is meeting your expectations.
We must be able to verify your identity. Your request may not impact the rights and freedoms of other people, e.g. privacy and confidentiality rights of other customers or staff. Other exemptions may apply dependent on the information and context.
|Rectification||You can ask that your personal data be corrected or updated if you believe it is inaccurate or incomplete.
Please always check first whether there are any available self-help tools to correct the personal data we process about you.
This right only applies to your own personal data. When exercising this right, please be as specific as possible.
|Erasure||You may, in certain circumstances be entitled to ask to have your personal data erased (also known as the “right to be forgotten”).
We may not be in a position to erase your personal data, if for example, we need it to (i) comply with a legal obligation, or (ii) exercise or defend legal claims.
|Restriction||You can ask us to stop using your data. However, in some circumstances this right may not apply, for example, where we have a legal obligation to use the data.|
|Portability||This only applies to personal data you have given us. You have the right to ask that we send the information you gave us to you or to another organisation. We must provide the information in a structured, commonly used and machine-readable format.
The right only applies if we are processing the personal data based on your consent or we are under, or in talks about entering into, a contract with you, and where the processing is automated ie not paper records.
|Objection||You can request that your personal data is not processed for specific purposes such as profiling. This right applies where our processing of your personal data is necessary for us to perform a task in the public interest or for our official functions or for our legitimate interests. You can also object to our processing of your personal data for direct marketing purposes.|
|Rights related to automated decision-making including profiling||You have the right not to be subject to a decision based solely on automated processing of your personal data (ie no human intervention), including profiling, where the decision affects your legal status or rights or where the decision has a similarly significant effect, eg affecting your financial circumstances or employment opportunities.|
Where our processing of your personal data is based on your consent, you have the right to withdraw your consent at any time. If you do decide to withdraw your consent, we’ll stop processing your personal data for that purpose, unless there is another lawful basis we can rely on – in which case, we’ll let you know. Your withdrawal of your consent won’t impact any of our processing up to that point.
The applicability of some of these rights depends on the legal basis of processing of the data concerned. Some of these rights only apply in specific circumstances and we may not need to fully comply with your request in all cases.
You may exercise any of these rights free of charge, by contacting us. We may need to check your identity and may need to ask for more information – it’ll help us to help you if you're as specific in your request as possible.
We’ll comply with your request within one calendar month (from the time we receive your request, or any additional information we asked for) unless:
- It's a complex request – in such cases, we’ll respond within the month to inform you of the appropriate response period that will apply to your request (which may be a period of up to three months); or
- in exceptional circumstances, we would not be able to carry out your request. In these cases, we'll inform you of the reason within the one month period.
Contact and escalation details
Contact by email
For any query related to our use of your personal data, please contact us at email@example.com.
For any request to exercise your data privacy rights related to accessing, rectifying, or erasing your data, please contact us at firstname.lastname@example.org.
If you’d like to opt out of receiving any marketing material from us, please call us on 0800 980 8800.
Contact by post
Data Protection Officer
Thames Water Utilities Limited
How to escalate a complaint
You have the right to lodge a complaint with the Information Commissioner’s Office regarding our use of your data or regarding our data protection practices.
Please email us first so we have a chance to address your concerns. Should you be unhappy with our response, please escalate your complaint to our appointed Data Protection Officer.
If we fail to resolve your issue, you can report any complaint to the Information Commissioner’s Office.