Privacy Policy

Updated July 2021

Your privacy is important to us. This privacy notice explains what personal data we collect from you and why, as well as how we use it and keep it secure. If you have any questions about this privacy notice, or if you wish to exercise your rights you can contact our Data Protection Officer (DPO) by email at dpo@wave-utilities.co.uk, by writing to Data Protection Officer, Wave, Priory House, Abbey Road, Pity Me, Durham, DH1 5RR or by calling 03450 704 158.

Who are we?

We are Anglian Water Business (National) Limited trading as Wave incorporated in England and Wales with company number 03017257. We provide our customers with water, wastewater, water efficiency and energy services. Our registered office is Northumbria House, Abbey Road, Pity Me, Durham, DH1 5FJ.

We are registered with the Information Commissioner's Office (ICO) as a Data Controller and our registration number is ZA221133. 

What this Privacy Notice covers

At Wave, we take your privacy very seriously and are committed to putting our customers first by being transparent on how we collect, use and protect personal information.

We will process personal data about our non-household customers who are registered to eligible water and wastewater supply points in the non-household retail water market (as defined in the Water Act 2014, Water Services etc (Scotland) Act 2005 and market codes), and who receive energy services within the energy market. We will also process personal data about prospective water and energy customers, including those accessing and using our website. 

We want you to be confident that your personal information is safe and secure. Except as provided for in this Privacy Notice, we will not share your personal information with third parties for any other purpose, unless we are permitted to do so by law.

This privacy policy explains:

  • what personal information we collect about you;
  • the source of your personal information;
  • what we use your personal data for;
  • the legal grounds for processing your personal information;
  • how and when you can withdraw your consent;
  • when personal information may be transferred outside the UK;
  • your marketing and communication preferences;
  • how we share information with other sources;
  • what you should do if your personal information changes;
  • whether you need to provide your personal information to us;
  • if any monitoring is involved in processing your personal information;
  • about other automated decision making;
  • how long your personal information is retained by us;
  • your rights under data protection laws;
  • your right to object;
  • how to contact us.

We may make changes to this notice from time to time, for example to keep it up to date or to comply with legal requirements or changes in the way we operate our business. We will notify our customers of changes by prominently posting a notice on our website (www.wave-utilities.co.uk). We encourage you to regularly check back and review this notice, so that you will always know what information we collect, how we use it and who we share it with.

What are the legal grounds for processing personal information (including when we share it with others)?

We rely on the following legal bases to use your personal data.

  • Where it is necessary to perform a contract, provide you with a quotation or take steps to enter into a contract needed to provide you with our products or services, such as:
    • assessing an application for a product or service you hold with us, including considering whether to offer you the product, the price or the payment methods available;
    • managing products and services you hold with us, or an application for one;
    • updating your records, tracing your whereabouts to contact you about your account and do this for recovering debt (where appropriate); and
    • all stages and activities relevant to managing the product or service including enquiry, application, administration and management of accounts.
  • To comply with a relevant or legal regulatory obligation (Ofwat, Defra or ICO).
  • Where it is in our legitimate interests to do so such as; customer satisfaction surveys to provide feedback on the customer experience or sharing details with other trading parties in the water market (such as retailers, wholesalers and market operators) using the bilateral hub (where appropriate) in order to maintain services and fulfil market requirements.
  • To comply with our legal obligations; or to establish, exercise or defend legal claims.
  • With your explicit consent we only process special category data relating do data concerning 'health' if you are a vulnerable customer, in which case, data will be shared with the Market Operators (CMA and MOSL).

Marketing

From time-to-time, we may provide you with information where we think these may be of interest to you, for example; services that help improve water efficiency in your business or could lower your utility costs. We may engage with a  third party to provide this service on our behalf. 

Depending on the method of communication for example; (email, SMS, letter or telephone) this processing may be carried out with your consent for specific direct marketing activities or in accordance with our legitimate interests (for our products or services). 

However, if you wish to exercise your right to object to such marketing, please let us know by using the "Contact Us" information at the end of this document. An unsubscribe option will be included in appropriate communications, although you may still receive service emails or SMS related to your account and the services provided to you. 

Please note though, you may still receive non-personalised information about us or our services through your letterbox.

What are marketing preferences and what do they mean?

We may use your supply or business address, phone numbers and email addresses to contact you according to your marketing preferences. You can stop our marketing communications at any time by using the Contact Us information at the end of this document.

How do we share your information with third parties?

We will not share your information with anyone outside of Wave, except:

  • where we have your permission;
  • where required for the provision of products or services;
  • where we are required by law and by law enforcement agencies, judicial bodies, government entities or tax authorities;
  • with regulatory bodies including; Consumer Council for Water (CCWater), Market Operators for Scotland and England (CMA and MOSL), using the secure market bilateral hub (where appropriate) and using dedicated users with password-controlled access via private/public key certificates to ensure its security;
  • with Wholesalers providing the supply of water and/or sewerage services in accordance with the Wholesale Retail Codes and including the secure bilateral hub (where appropriate). We may pass on your contact details so that your wholesaler can contact you, for example, in the event of an emergency or to replace your meter; 
  • with Retailers providing the supply of water and/or sewerage services in accordance with the Wholesale Retail Codes and including the secure bilateral hub (where appropriate);
  • with third parties providing services to us, such as meter reading contractors, IT software and maintenance providers, bill print houses and subcontractors acting on our behalf;
  • Third Party Intermediaries (TPI) where you have provided a letter of authority authorising us to deal with the TPI. We won't share any personal information unless they have your consent to ask us for it.
  • with debt collection agencies;
  • with review sites for the purpose of procuring reviews of our services;
  • with credit reference agencies via secure file transfer protocols; and
  • where permitted by law, it is necessary for our legitimate interest or those of a third party and it is not inconsistent with the purposes listed above.

What if your personal information changes?

You should advise us of any changes to personal information so that we can update our records. This means we can continue to administer services to you. You can do this using your chosen contact method in the Contact Us page of our website. We will then update your records.

Do you have to provide your personal information to us?

We are unable to provide you with our products or services if you do not provide certain information to us, for example your name, business name, addresses information etc.

Do we do any monitoring involving processing of your personal information?

In this section, monitoring means any listening to, recording of, viewing of, intercepting of, or taking and keeping records of calls, email, text messages, social media messages, face-to-face i.e. CCTV and other communications.

We may monitor where permitted by law and we will do this where the law requires it, or to comply with regulatory rules, to prevent or detect crime, in the interests of protecting the security of our communications systems and procedures and for quality control and staff training purposes. This information may be shared for the purposes described above.

What are your rights under data protection laws?

The following is a list of the rights that all individuals have under the data protection laws. They don’t apply in all circumstances. If you wish to use any of them, we will explain at that time if they are engaged or not.

  • The right to be informed about the processing of your personal information.
  • The right to rectification if your personal information is inaccurate and to have incomplete personal information rectified.
  • The right to object to processing of your personal information.
  • The right to restrict processing of your personal information.
  • The right to erasure and have your personal information erased (“the right to be forgotten”).
  • The right to data portability which allows you to move, copy or transfer your personal information.
  • The right of access to your personal information.
  • Rights related to automated decision-making and profiling which has a legal effect or otherwise significantly affects you.

You have the right to request access to your personal information that we hold about you. Please use the Contact Us information at the end of this document.

If you have a complaint or concern about how we use your personal data, please contact us in the first instance and we will attempt to resolve the issue as soon as possible.

You also have the right to complain to the Information Commissioner’s Office (ICO) which enforces data protection laws – visit https://ico.org.uk/ for more information.

Your right to object

You have the right to object to certain purposes for processing data for direct marketing purposes and to data processed for certain reasons based on your legitimate interests.

You can do this by using the Contact Us information at the end of this document to exercise your rights.

Contact us

If you have any questions about this privacy notice, or if you wish to exercise your rights or contact the Data Protection Officer (DPO) you can get in touch by telephone, by email or in writing using the following contact details:

Data Protection Officer
Wave
Priory House
Abbey Road
Pity Me
Durham
DH1 5RR

Telephone: 03450 704 158

Email: dpo@wave-utilities.co.uk

What information do we collect?

Personal information we will process about you may vary based on what service we provide to you. Typically, we need details such as:

  • Personal information including title, full name, job title, address, postcode and how you want to pay your bill, so that we know who you are, where your premises are and what services you need from us.
  • Contact information such as a phone number or email address, so that we can keep in touch with you about our services and your account with us.
  • Bank details so that we can manage your payments for our services.
  • Personal information from other Sources such as' English and Scottish Market Operators (CMA and MOSL), Electoral Roll, Companies House and other publicly available sources. 
  • Special Category of Personal Data – we only hold special category data concerning 'health', if you are a vulnerable customer. We will process this data in accordance with data protection laws; and; we must have an additional lawful basis for this processing. 
  • Records of your contact with us – for example by telephone and via our website.
    • If you contact us by telephone, your call may be digitally recorded to deliver appropriate services. This includes maintaining high quality standards, crime detection and/or prevention and to ensure that our employees comply with legal obligations and our policies and practices. When a call is recorded we will collect; a recording of the conversation; and; your phone number. Telephone call recording will be turned off when a customer’s credit or debit card details are given, in line with Payment Card Industry Data Security Standards (PCI DSS) and data protection legislation.
    • We also monitor email communications and may restrict delivery under certain circumstances. 
    • We comply with the data minimisation principles of data protection laws, and we will not collect any personal data that we do not need to be able to provide services to you. 
    • When visiting our website, you may also be providing us with certain information via our use of website cookies, such as your IP address. For detailed information on cookies, please see our cookie policy. Our website also contains links to other websites. Please note that when you follow one of these links, these websites have their own privacy policies and we do not accept any responsibility or liability for their content, or any personal data provided to them. 
    • Google Tag Manager;
      This website uses Google Tag manager. Google Tag Manager is a solution operated by Google LLC. 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”) that allows marketed website tags to be managed using an interface. The Tag Manager tool itself (which implements the tags) is a cookie- less domain and does not register personal data. The tool causes other tags to be activated which may, for their part, register data under certain circumstances. Google Tag Manager does not access this information. If recording has been deactivated on domain or cookie level, this setting will remain in place for all tracking tags implemented with Google Tag Manager. Google Tag Manager’s policy is available to view; Google Tag Manager Use Policy.
    • Google Analytics;
      We use a tool called “Google Analytics” to collect information about use of this site. Google Analytics collects information such as how often users visit this site, what pages they visit, when they do so, and what other sites they used prior to coming to this site. We use the information we get from Google Analytics only to improve this site. Google Analytics collects only the IP address assigned to you on the date you visit this site, rather than your name or other identifying information. Google’s ability to use and share information collected by Google Analytics about your visits to this site is restricted by the Google Analytics Terms of Use and the Google Privacy Policy.
    • Hotjar;
      We use Hotjar in order to better understand our users’ needs and to optimize this service and experience. Hotjar is a technology service that helps us better understand our users experience (e.g. how much time they spend on which pages, which links they choose to click, what users do and don’t like, etc.) and this enables us to build and maintain our service with user feedback. Hotjar uses cookies and other technologies to collect data on our users’ behaviour and their devices (in particular device's IP address (captured and stored only in anonymized form), device screen size, device type (unique device identifiers), browser information, geographic location (country only), preferred language used to display our website). Hotjar stores this information in a pseudonymized user profile. Neither Hotjar nor we will ever use this information to identify individual users or to match it with further data on an individual user. For further details, please see Hotjar’s privacy policy by clicking on this link; Hotjar Privacy Policy. You can opt-out to the creation of a user profile, Hotjar’s storing of data about your usage of our site and Hotjar’s use of tracking cookies on other websites by following this opt-out link; Hotjar Opt-Out

We only collect information about you that we need to ensure you get the best service from us and we respect your privacy and we minimise the information we collect. 

What do we use your personal data for?

We will only use and share your information where it is necessary for us to lawfully carry out business activities. We use your personal data to:

  • provide you with the services you want from us;
  • administer your account including dealing with any enquiries and complaints; in relation to debt collection agencies; and changes to our systems such as changes to our bank details or notifications related to our retail licences;
  • prevent fraud;
  • keep our records accurate and updated;
  • undertake customer profiling;
  • create statistical information and carry out market analysis (on a non-personal basis);
  • comply with any legal obligation we may have;
  • contact you about services we believe that you may be interested in;
  • contact you about service-related issues including interruptions to supply, water quality issues, planned maintenance that could/will affect supplies and major roadworks that would require closure of key roads or commuter routes;
  • follow guidance and best practice under the change rules of bodies such as CMA and MOSL and to comply with relevant legal and regulatory obligations that we are subject; including The Water Services Regulation Authority (Ofwat), Department for Environment, Food and Rural Affairs (Defra) or The Information Commissioner's Office (ICO) requirements;
  • maintain services and fulfil market requirements by using the market bilateral hub (where appropriate) to raise and receive requests from other trading parties in the water market including retailers, wholesalers and market operators.
  • monitor and keep records of our communications with you and our staff;
  • administer our good governance requirements, such as internal reporting and compliance obligations;
  • customer satisfaction surveys to provide feedback on the customer experience
  • reviews on our services from customers to provide feedback and improve the customer experience; 

  • pass any or all of your personal information to the police or any other law enforcement agency or regulatory body to comply with our legal and regulatory obligations and for the purposes of crime protection or prevention. 
  • carry out checks at Credit Reference and Fraud Prevention Agencies pre-application, at application and periodically after that;
    • Fraud Prevention information - The information which we and others provide to the fraud prevention agencies about you, those who are jointly liable for our services with you and your business, may be supplied by fraud prevention agencies to other organisations and used by them and us to:
      • prevent crime, fraud and money laundering by, for example, checking details provided on applications for credit and credit-related or other facilities;
      • manage credit and credit-related accounts or facilities;
      • check details on applications for jobs or when checked as part of employment;
      • trace whereabouts of individuals and recover debts that are owed; and
      • conduct other checks to prevent or detect fraud.
    • Credit risk analysis – We will provide your personal data to Credit Reference Agencies and they will give us information about you, such as about your financial history. We do this to assess creditworthiness and product suitability, verify your identity, manage your account, trace and recovery debts and prevent criminal activity. We will also continue to exchange information about you with Credit Reference Agencies on an ongoing basis, including about your settled accounts and any debts not fully repaid on time. Credit Reference Agencies will share your information with other organisations. The identities of the Credit Reference Agencies, and the ways in which they use and share personal information, are explained in the CRA Information Notice; CRAIN

How and when you can withdraw your consent

Where we are relying upon your consent to process personal information, you can withdraw this at any time by using the Contact Us information at the end of this document.

You may withdraw your consent to processing of special categories of personal at any time too. However, in this instance, you need to be aware that if you choose to do so then the Market Operators (CMA and MOSL) may be unable to continue to provide certain services to you and us. If you choose to withdraw your consent, we will tell you more about the possible consequences. The withdrawal of your consent in this circumstance shall not affect the lawfulness of the processing based on consent before the withdrawal.

Is personal information transferred outside the UK?

We are based in the UK, but we will process your personal data outside the UK in circumstances where your data is transferred to our contracted suppliers who provide services to us. We ensure that appropriate and suitable safeguards are in place to ensure that any such personal information will be protected as required by applicable data protection laws. Where it is necessary to transfer your personal information outside of the UK, we will only do so where:

  • UK Government has decided that the country, territory or organisation we are sharing your information with will protect your information adequately;
  • the transfer has been authorised by the relevant data protection authority; or
  • we have ensured that appropriate safeguards are in place, for example, we have entered into a contract with the organisation with which we are sharing your information containing approved Standard Contractual Clauses.

What about other automated decision making?

We sometimes make decisions about you using only technology (without human intervention). For instance, we may do this to:

  • decide whether to offer you a product or service, or the price we will offer, or what terms and conditions to offer you or to assess what payment methods we can offer you; and
  • enter in to or perform a relevant contract which is authorised by laws that apply to us or is based on your explicit consent. 

If you wish to get in touch about automated decisions made by us, including to challenge the outcome of a decision, please contact us using the details set out at the end of this notice. We will periodically monitor our automated decision-making systems to ensure that they are working correctly.

How do we protect your personal information?

Wave takes the protection of our customer’s information very seriously. We take appropriate organisational and technical security measures and have rules and procedures in place to ensure that there is no unauthorised access to your personal data. All customer personal data is held in our customer relationship manager (CRM) system which has controlled access and is subject to strong cyber security measures. All access to our system is strictly controlled. We also operate strict physical security at all our sites and all employees receive cyber security and data protection awareness training. 

We carry out due diligence on our suppliers and other third-party organisations with whom we work to ensure they have appropriate organisational and technical measures in place in accordance with the requirements of relevant data protection law. 

How long is your personal information retained by us?

Unless we explain otherwise to you, we will hold your personal information based on the following criteria:

  • for as long as we have reasonable business needs as detailed in this policy, such as managing our relationship with you and managing our operations and always in accordance with our Record Control Procedure; and
  • for retention periods in line with legal, audit, tax, accounting and regulatory requirements or guidance.

What is the source of your personal information?

We collect personal information from the following sources:

  • Information you give to us or that is generated about you when you use our products or services, for example information that allows us to contact you or bill you for our services.
  • Other sources such as Fraud Prevention Agencies, HM Revenue and Customs (HMRC), Credit Risk agencies and other organisations to assist in prevention and detection of crime, police and law enforcement agencies or as part of our debt collection process.
  • From other trading parties in the water market; this may be from other Retailers, Wholesalers or Market Operators i.e. Market Operator Services Limited (MOSL) in England or The Central Market Agency (CMA) in Scotland.

Your rights

The Data Protection Act 2018 and General Data Protection Regulation gives you certain rights towards your personal information. We take all reasonable efforts to ensure we allow you to exercise those rights. Further information on your rights can be found at https://www.ico.org.uk

Access to your personal information

If you want to see more of the information that we have about you, you can make a data subject access request by filling in this form.

Please include as much information as you can to help us handle your request. 

Once you’ve submitted your request, we’ll aim to get back to you as soon as we can, however this may be up to 30 calendar days from the date we receive your request.