Skip to content
Your personal data may be processed by any of the following parties:
This notice applies to the treatment of any information that could be used to identify an individual and which is collected by the Castle Water group, via direct interactions with you and through use of market information maintained MOSL.
The protection of personal data is very important to us, and we understand our responsibilities to handle personal data with care, to keep it secure and to comply with legal requirements.
This notice is not intended to override the terms of any contract that any customer may have with a Castle Water group company (or any rights they might have available under applicable data protection laws).
We collect information about you when you sign up for quotes, when you become our customer or when you make contact with us including any complaints.
The personal data we process for the provision of services, including, as applicable, for managing customer accounts including:
We comply with the data minimisation principles of data protection laws and we will not collect any personal data that we do not need in order to provide services and related matters.
In respect of customers, we do not typically collect any special categories of personal data, such as details relating to health, in the general course of providing services to customers, unless essential and only when we have an appropriate legal basis to do so. Occasionally, we may hold information indicating that for example, due to health needs, a customer is a priority for reconnection if there is an interruption to the water supply.
We have to establish a lawful basis to use personal data, so we will make sure that we only use personal data for the purposes set out above, where we are satisfied that:
We control and process your data to fulfil contractual obligations, but also for wider reasons such as water and energy efficiency. We also use your data to ensure the prevention of fraud and dishonesty, and for the carrying out of analytics across our datasets.
Before collecting and/or using any special categories of personal data we will establish an additional lawful basis to those set out above which will allow us to use that information. This additional exemption will typically be:
We collect and maintain personal and sensitive information about employees, contractors and other workers we employ, as well as job applicants and former employees. This information includes name, contact details, gender, proof of identity, proof of qualifications, bank details, nationality, criminal records check, references, health questionnaire, next of kin.
As an employer, we use your data to fulfil our statutory obligations, such as paying salaries, tax, national insurance, health & safety in the workplace, which may also involve sharing information with third parties such as but not limited to: insurers, professional advisors, recruitment agencies, HMRC, DWP, pension and life assurance companies, and other relevant parties.
Information provided to us during the job application process will be retained by us as part of your employee file for the duration of your employment plus 6 years following the end of your employment. This includes your criminal records declaration, fitness to work, accidents at work, records of any security checks, references and eligibility to work in the UK.
If you are unsuccessful at any stage of the process, the information you have provided until that point will be destroyed and deleted from our records after 6 months. We do not collect more information than we need to fulfil our stated purposes and will not retain it for longer than is necessary. Some employee information may be processed by our payroll provider based in India.
We will not usually rely on consent as a lawful basis, however, where we do rely on consent as a lawful basis for processing personal data, you may withdraw their consent to such processing at any time. We will also make you aware that if you choose to do so, we may be unable to continue to provide certain services to you.
If you choose to withdraw your consent, we will tell you more about the possible consequences. The withdrawal of their consent in this circumstance shall not affect the lawfulness of the processing based on consent before the withdrawal.
Withdrawal of consent will not necessarily result in processing being stopped where consent was not the lawful basis for the processing.
We will share personal data with third parties, to help manage our business and deliver services, as outlined below:
We will supply your personal information to credit reference agencies (CRAs) and they will give us information about you, such as your financial history. We do this to assess creditworthiness and product suitability, check your identity, manage your account, trace and recover debts and prevent criminal activity. We will also continue to exchange information about you with CRAs on an ongoing basis, including your settled accounts and any debts not fully repaid on time. CRAs will share your information with other organisations. The identities of the CRAs, and the ways in which they use and share personal information, are explained in more detail at Experian.
Where is your personal data stored?
All the personal data we process is processed by our staff, and/or by selected third-party service providers, such as for the provision of IT services. As such it will be stored on our systems and in some cases at our premises, including those of our third-party service/data providers. Personal data may be stored using cloud-based services.
We take all reasonable steps to ensure that personal data is processed securely. Where data is shared with third parties a data processing or data-sharing agreement will be agreed upon between us and the third party. We will not share personal data outside the EEA unless (a) it is a transfer to a country or organisation which is recognised by Data Protection Legislation as providing an adequate level of legal protection for your information, or (b) we have put in place appropriate contractual arrangements with the organisation with whom we are sharing your information on terms recognised under Data Protection Legislation as offering an adequate level of protection for your information. In those cases, you will have the right to ask us for more information about the safeguards we have put in place as mentioned above (e.g. to request a copy where the safeguard is documented, which may be redacted to ensure confidentiality).
We will retain Personal Data in line with our data retention policy, and for no longer, than is necessary for the purposes listed in this notice In some circumstances we may retain personal data for longer periods of time where we are required to do so to meet legal, regulatory, tax or accounting requirements, in particular:
However, in each case, this shall not exceed a period of six years from the date of the last correspondence with you. Where your personal data is no longer required, we will ensure it is securely deleted in a way that means it will no longer be used by the business.
Individuals have a number of rights in relation to their Personal Data. These are defined in more detail as follows:
You can ask us to:
You can ask us to rectify inaccurate personal data. We may seek to verify the accuracy of the data before rectifying it.
You can ask us to erase your personal data, but only where:
We are not required to comply with your request to erase your personal data if the processing of your personal data is necessary:
You can ask us to restrict (i.e. keep but not use) your personal data, but only where:
We can continue to use your personal data following a request for restriction, where:
You can object to any processing of your personal data which has our ‘legitimate interests’ as its legal basis if you believe your fundamental rights and freedoms outweigh our legitimate interests. Once you have objected, we have an opportunity to demonstrate that we have compelling grounds to process it which override your rights, however, this does not apply as far as the objections refers to the use of personal data for direct marketing purposes.
We take the confidentiality of all records containing personal data seriously and reserve the right to ask you for proof of your identity if you make a request;
We will not ask for a fee to exercise any of your rights in relation to your personal data, unless your request for access to information is unfounded, repetitive, or excessive, in which case we will charge a reasonable amount in the circumstances;
We aim to respond to any valid requests as soon as possible after receipt and within one calendar month. If we need longer to respond to your request, we will notify you of this within a month of your request, explaining the reasons for the delay. We will not extend the timeframe for our response for any more than an additional two months. We might ask you if you can help by telling us what exactly you want to receive or are concerned about. This will help us to action your request more quickly;
Local laws, including in the United Kingdom, provide for additional exemptions, in particular to the right of access, whereby personal data can be withheld from you in certain circumstances, for example, where it is subject to legal privilege.
You have a right at any time to stop us from contacting you for marketing purposes. If you no longer wish to be contacted by us for marketing purposes, please let us know by email dpo@castlewater.co.uk.
You also have the right to ask for a copy of the information we hold about you via a Subject Access Request (SAR). Please see our SAR policy.
You also have the right to ask us to delete or correct any information we hold about you that is incorrect; to restrict the processing of your personal data; to object to the processing of your data. We will consider and evaluate all such requests received. Such requests should be made to: dpo@castlewater.co.uk
For information relating to Cookies please see our Cookies policy.
This privacy notice does not cover the links within this site linking to other websites. We encourage you to read the privacy statements on the other websites you visit.
We keep our privacy notice under regular review and in accordance with current legislation and guidance. We will notify any changes to this notice by posting on our website. This privacy notice was last updated on 23 September 2021.
If there are any questions regarding this privacy policy, please contact our Data Protection Team at: dpo@castlewater.co.uk
Read further about your information rights from the Information Commissioner’s Office.