The purpose of this Privacy Notice is to make it easier for you to understand how we use and protect your personal data. Personal data is any data that can identify you either on its own or used with other data.
This Privacy Notice will help you understand your privacy rights, how and why we need to process your personal data, and how you can get in touch with us if you need to. Processing personal data involves any activity to do with that data, for example collection, storage, editing and deletion.
We’ve presented this information in different sections so you can access the information you need more easily. You’ll find our general privacy information under the headings below, with separate PDFs and links to cover the different types of individuals whose data we use.
We take your personal data privacy very seriously and we're committed to protecting your personal data by complying with the relevant privacy legislation. We encourage you to read each section thoroughly.
If we make any significant changes impacting your privacy, we'll make this clear on our website. Please remember to check from time to time.
We’re Thames Water, the largest water and wastewater services provider in the UK. We are officially known as Thames Water Utilities Ltd (‘TWUL’) and we’re wholly owned by Kemble Water Holdings Limited.
We’re a "controller" of your personal data. This is a legal term – it means that we make decisions about how and why we process your personal data, and, because of this, we’re responsible for making sure it’s used in accordance with data protection laws.
We engage a number of external third-party companies that process your personal data on our behalf. These companies are referred to as ‘processors’. When we use processors, they’ll use your personal data on our behalf and only for the services and limited purpose that we instruct them to use it. When we use processors, we remain responsible, as a controller, for compliance with all data protection legislation.
We’re required by law to always have a permitted reason or justification (called a “lawful basis” or “legal basis”) for processing your personal data.
Depending on the processing activity, we may use one or more of the following lawful bases for processing your data:
As a water undertaker, we have legal obligations to supply water, maintain water quality, promote water efficiency, maintain adequate drainage and raise charges in line with rules set by our regulators. These obligations include compliance with legislation such as the Water Industry Act 1991, tax laws, and consumer protection laws, as well as the need to provide information to law enforcement agencies or other authorities when we’re required to do so.
In order to comply with our legal obligations, we have a public task to keep reliable, accurate and up-to-date records of our customers’ and other stakeholders’ personal data, as well as any interactions with them related to these regulated services. We have a legitimate interest in processing information required to help us become more effective and efficient.
Where we’re delivering a contractual service to you outside our legal obligations or taking steps at your request prior to entering into a contract with you, we process your personal data on the legal basis of a contract.
We sometimes need to process sensitive (special category) data, such as medical details, when we’re carrying out public tasks that have a substantial public interest. We also process sensitive data for other tasks with the explicit consent of the customer or stakeholder.
We process the following types of data:
The personal data we collect and how we process it depends on our relationship with you – ie whether you’re:
Please read our appendices to find out more about the data we process for each of these categories.
Our Employee Privacy Notice can be accessed by our employees via our internal intranet.
We may use robotic process automation (RPA) to automate processes traditionally carried out by a human. RPA provides improvements in data accuracy, processing time and our process governance, as the robot will only follow a defined and agreed process. The type of work typically carried out by RPA is high-volume repeatable processes, which are logical, non-cognitive and usually part of a larger processing activity.
In most cases, we’ll collect this information directly from you, for example:
We may collect this information from other sources, for example:
We take appropriate technical and organisational measures to prevent
Your personal data is held in secure systems with controlled access and subject to cyber security measures, whether we’re processing it in our offices or sites or working from home. We also apply strict physical security at all our sites and offices.
We only choose third party service providers in line with company protocol, procedures and checks, and when we use them, we disclose only the personal information that is necessary to deliver the service provided.
All our employees must complete annual data protection training.
In line with our Retention Policy and Schedules, we take all reasonable steps to retain your information for only as long as is necessary for the provision of our services. For example, we keep telephone recordings of customer calls for up to 18 months, depending on the type of call. We adhere to the appropriate national standards and guidelines regarding data retention, eg for financial data. When we delete your personal data, we do so securely.
We only share information with third parties if we have a fair and lawful basis to do so, such as when:
We use third party organisations to help us provide our services to you and with whom we share data. We have contracts in place with these third parties. This means that they can’t do anything with your personal information unless we’ve instructed them to do it. They won’t share your personal information with any other organisation unless they are instructed by us to do so. They will hold it securely and retain it for the period we instruct.
Some of the third parties with whom we share your data are based outside of the United Kingdom and, in some cases, outside the European Economic Area. In these cases, your data is protected by the special safeguarding measures set out by the data protection legislation i.e.
We have published a list of the third parties with whom we share information.
You have certain legal rights in relation to any personal data about you which we hold. These rights are summarised below.
|Individual rights||What this means|
|Informed||You can ask for details of how we process your personal data, as covered by this Privacy Notice.|
|Access||You can ask for a copy of the information that we hold about you. If possible, you should specify the type of information you’d like to see to ensure that our disclosure is meeting your expectations. We must be able to verify your identity. Your request may not impact the rights and freedoms of other people, e.g. privacy and confidentiality rights of other customers or staff. Other exemptions may apply dependent on the information and context.|
|Rectification||You can ask that your personal data be corrected or updated if you believe it is inaccurate or incomplete. Please always check first whether there are any available self-help tools to correct the personal data we process about you. This right only applies to your own personal data. When exercising this right, please be as specific as possible.|
|Erasure||You may, in certain circumstances, be entitled to ask to have your personal data erased (also known as the “right to be forgotten”). We may not be in a position to erase your personal data if, for example, we need it to (i) comply with a legal obligation, or (ii) exercise or defend legal claims.|
|Restriction||You can ask us to stop using your data. However, in some circumstances this right may not apply, for example, where we have a legal obligation to use the data.|
|Portability||This only applies to personal data you have given us. You have the right to ask that we send the information you gave us to you or to another organisation. We must provide the information in a structured, commonly used and machine-readable format. The right only applies if we are processing the personal data based on your consent or we are under, or in talks about entering into, a contract with you, and where the processing is automated ie not paper records.|
|Objection||You can request that your personal data is not processed for specific purposes such as profiling. This right applies where our processing of your personal data is necessary for us to perform a task in the public interest or for our official functions or for our legitimate interests. You can also object to our processing of your personal data for direct marketing purposes.|
|Rights related to automated decision-making including profiling||You have the right not to be subject to a decision based solely on automated processing of your personal data (ie no human intervention), including profiling, where the decision affects your legal status or rights or where the decision has a similarly significant effect, eg affecting your financial circumstances or employment opportunities.|
Where our processing of your personal data is based on your consent, you have the right to withdraw your consent at any time. If you do decide to withdraw your consent, we’ll stop processing your personal data for that purpose, unless there is another lawful basis we can rely on – in which case, we’ll let you know. Your withdrawal of your consent won’t impact any of our processing up to that point.
The applicability of some of these rights depends on the legal basis of processing of the data concerned. Some of these rights only apply in specific circumstances and we may not need to fully comply with your request in all cases.
You may exercise any of these rights free of charge, by contacting us. We may need to check your identity and may need to ask for more information – it’ll help us to help you if you're as specific in your request as possible.
We’ll comply with your request within one calendar month (from the time we receive your request, or any additional information we asked for) unless:
For any query related to our use of your personal data, please contact us at email@example.com.
For any request to exercise your data privacy rights, such as access, rectification, or erasure, please contact us at firstname.lastname@example.org.
Data Protection Officer
Thames Water Utilities Limited
You have the right to lodge a complaint with the Information Commissioner’s Office regarding our use of your data or regarding our data protection practices.
Please email us first so we have a chance to address your concerns. Should you be unhappy with our response, please escalate your complaint to our appointed Data Protection Officer.
If we fail to resolve your issue, you can report any complaint to the Information Commissioner’s Office.