Search Menu Toggle
Close Menu

This Privacy Notice will help you understand how we use your personal data.

We recommend that our customers and stakeholders read this privacy notice in full as it explains who we are, how and why we collect personal data about you, how and why it will be processed by us and our commitment to protecting your personal data. However, you may find the following a helpful brief summary:

What you need to know

We are Affinity Water Ltd. You can find out how to contact our appointed Data Protection Officer.

We will process your personal data where we have a legal basis to do so, in accordance with applicable data protection legislation, primarily the UK GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations 2003 (together referred to as "Data Protection Legislation").

We predominately process your personal data to help us fulfil our legal obligations, most notably those imposed on us by the Water Industry Act 1991 to supply and charge for water. We may also process your personal data to fulfil our legitimate interests, in the performance of a task carried out in the public interest, where we have your consent to do so, in the performance of a contract between you and Affinity Water, and/or to protect your vital interests. Detailed information can be found in section 6 of our privacy notice.

We will obtain your personal data from a number of sources, including directly from you, but also from other sources such as our regulators, local authorities and fraud prevention agencies. We may also share your personal data with third parties in accordance with this privacy notice and as defined in section 9.

We deploy strict physical and technical security measures to help protect your personal data from unauthorised use and access. If your personal data is transferred outside of the UK we will ensure it is done so in line with the requirements of the Data Protection Legislation.

Your personal data will be retained by Affinity Water for as long as we need it to maintain our relationship with you or to fulfil the purposes stated within this privacy notice. Thereafter we may retain your personal data in line with any applicable limitation periods or where we are legally required to do so.

Your data rights and how you can exercise them are explained in section 13. You have the right to complain to a data protection authority (and in the UK this is the Information Commissioner’s Office ("ICO")) if you are unhappy with how we have handled your personal data. For more information see section 14.

To read our privacy notice in full click on the sections below. Alternatively, you can download our full Privacy Notice. You can also download our Priority Services Privacy Notice and Applicant Privacy Notice.

1. About Affinity Water

Arrow icon

Affinity Water Limited ("Affinity Water", "We", "Our" or "Us") is a company registered in England and Wales under company number 02546950 whose registered office is at Tamblin Way, Hatfield, Hertfordshire AL10 9EZ.

We are registered as a data controller with the ICO and our registration number is Z8926206.

We have a data protection officer ("DPO"). Contact details can be found in section 14 of this privacy notice.

2. About this privacy notice

Arrow icon

This privacy notice applies to the personal data we collect about you through www.affinitywater.co.uk (our “Website”), the My Account portal, by post, by telephone, in person (for example at your doorstep), through our social media platforms, through our app, from third parties and when you otherwise communicate with us.

This privacy notice may change from time to time and, if it does, the up-to-date version will always be available on our Website. We will also tell you about any significant changes to our privacy notice by email or in other communications from us. This privacy notice was last updated on 2 September 2024.

Our Website may, from time to time, contain links to and from the websites of third parties. If you follow a link to any of these websites, please note that these websites have their own privacy policies and we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.

3. Definition of personal data

Arrow icon

Personal data is any information that relates to an identified or identifiable living individual. This means that the individual is directly identifiable from that information or could be indirectly identified from that information in combination with other information.

4. Personal data we collect about you

Arrow icon

This section informs you of what information we collect about you.

We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:

Identity Data

  • includes first name, surname, username or similar identifier, marital status, title, national insurance number, date of birth, gender, photo or film.

Contact Data

  • includes billing address, delivery address, postcode, email address and telephone numbers.

Financial Data

  • includes bank account and payment card details.

Transaction Data 

  • includes details about payments to and from you.

Technical Data

  • includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this Website.

Profile Data

  • includes your username and password, any preferences communicated to us to enable the personalisation of services, your behavioural history (if relevant, e.g. threatening or abusive behaviour) and your feedback and survey responses.

Website Data

  • includes information about how you use our Website including the full Uniform Resource Locators (URLs) clickstream to, through and from our Website (including date and time), time on page, page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks and mouse-overs).

Usage Data

  • how you consume services such as your use of water.

Marketing and Communications Data

  • includes your preferences in receiving marketing from us and our third parties and your communication preferences.

Aggregated Data

  • such as statistical or demographic data for any purpose. Aggregated Data is not considered personal data in law as this data does not directly or indirectly reveal your identity. An example of Aggregated Data would be where we use your Usage Data to calculate the percentage of users accessing a specific Website feature. If the Aggregated Data is combined with other personal data to directly or indirectly identify you, we will treat this combined data as personal data and in accordance with this privacy notice.

Special Category Data

  • will typically include information about your health which you may provide to us as a customer on our Priority Services Register. We may also collect information about your race or ethnicity if you choose to disclose this to us as part of surveys you may partake in.

5. How is your personal data collected

Arrow icon

We use different methods to collect data from and about you including through:

Direct interactions:

We collect personal data about you if you fill in forms on our Website or correspond with us by telephone, email or otherwise. This includes information you provide when you:

  • Register to set up an account with us using the My Account portal on our Website;
  • Provide us with meter readings or report damage to infrastructure (such as a leak);
  • Engage with us through water efficiency promotions;
  • Enter a competition or survey; or
  • Take part in Affinity Water led events or activities; or
  • Report a problem with our Website or give us feedback.

We may also ask you to share your personal data with us if it is necessary for us to provide our services to you – for example, we may ask if you require priority services.

We may process personal data that you manifestly choose to make public, including via social media (e.g. we may collect information from your social media profile(s), to the extent that you choose to make your profile visible). If you send us a private or direct message via social media, the message will be stored outside of the application but in accordance with this privacy notice.

If you use our Website, we may use cookies and other technologies to collect certain information from you including Technical Data and Website Data.

Where we collect information about you we do so on the basis that it is in our legitimate interests to collect and process this data to ensure our Website is functioning properly. In most situations this will be anonymised data and you will not be identifiable. Visitors to our Website will be asked to consent to all non-essential cookies or other tracking technologies.

Please see our Cookies Notice for more information about the cookies we use, the purposes for which we use them and how to manage, block or delete them.

Information we receive from other sources:

We may use your information to ensure that you receive information that is relevant to you or to your circumstances. For example, to ensure you are on the correct tariffs, whether you would be entitled to benefit from a government payment scheme or whether you would benefit from having a water meter. The information we may use to create such a profile may include your water consumption, payment history, demographics or information provided by third parties such as credit reference agencies.

We may also receive information about you from third parties who provide it to us (e.g. the previous occupants or, if you are renting a home, your landlord may provide details to us).

In addition, we work closely with third parties and may receive information about you from them. Examples of these third parties include: our regulators, companies that provide sewerage services in our area of supply, water retailers who supply non-household premises within our area, other water companies, distribution network operators, energy providers, the Benefits Agency for our WaterSure Scheme, housing associations, local authorities and financial aid bodies, sub-contractors in technical and payment services, analytics providers, and credit reference agencies, fraud prevention agencies or the Electoral Roll (for example, where it has not been possible to identify the person responsible for payment of water services charges).

When we receive information from other sources, we rely on them having the appropriate provisions in place telling you how they collect personal data and who they may share it with. We carefully check our sources to ensure that we only receive your information when it is lawful for us to do so.

6. Purposes and legal basis for processing your personal data

Arrow icon

We must have a legal basis for processing your personal data. We predominately process your personal data under the following legal grounds:

  • To comply with our statutory obligations under legislation such as the Water Industry Act 1991 which requires us to supply and charge for the provision of water and maintain our infrastructure and drainage quality;
  • When you have given us consent to do so for the specific purposes which we have told you about;
  • If we enter into a contract with you (please note that we do not have contracts with our household customers for the supply of water);
  • It is necessary in order to fulfil our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests;
  • The law permits or requires it;
  • It is necessary for the performance of a task carried out in the public interest, for example to provide you with priority services (find out more about our Priority Services). When we process your special category data for this purpose we will satisfy the conditions stipulated in the Data Protection Legislation, predominately those concerning processing for a substantial public interest.

We have set out in the following table the ways we commonly use personal data and which of the legal grounds we rely on to do so. We have also identified what our legitimate interests are, where appropriate.

In some cases, we may use more than one legal basis for processing your personal data; this will depend on the specific purpose for which we are using your personal data.

Please contact us if you have any queries about the specific legal basis that we rely on for processing your personal data.

What we use your personal data for (purpose) Type of data Legal basis for processing (including basis of legitimate interest)
To register you as a new customer Identity

Contact
  • Performance of a task in the public interest
  • Necessary for our legitimate interests (to ensure we have accurate and up to date customer records for billing and communications purposes)
To carry out our obligations to provide  you with services:
  • carrying out meter checks and monitoring water usage
  • tracing, collecting and recovering money owed to us
  • running fraud checks if we have reasonable suspicions
  • verifying data you provide to us
  • providing you with information about your service such as water supply issues or bill notifications
  • Customer service improvement through use of call recordings, staff training and analysis of our interactions with you

Identity

Contact

Financial

Transaction

Marketing and Communications

Profile

  • Legal obligation
  • Performance of a task in the public interest
  • Necessary for our legitimate interests (to recover debts due to us, to verify your data, improve our service to you,  and to prevent us facilitating fraud)
To provide priority services to vulnerable persons Identity

Contact

Health
  • Performance of a task in the public interest
  • Substantial Public Interest to safeguard our vulnerable customers. 
Managing payments and charges, paying refunds or compensation for example under the Guaranteed Standards Scheme    

Identity

Contact

Financial

Transaction

  • Necessary to comply with a legal obligation
  • Necessary for our legitimate interests (to pay refunds or compensation owed to you, to manage customer debt and receive payment for services provided))
To respond to your enquiries or to process your requests in relation to your information.    

Identity

Contact    

  • Necessary for our legitimate interests (to ensure we respond to our customers in an effective and timely way)
To maintain a suppression list should you opt-out of receiving certain communications from us or our third parties    

Identity

Contact    

  • Necessary for our legitimate interests (to ensure that we are not at risk of breaching Data Protection Legislation by communicating with you where you have asked us not to)
  • Legal obligation
To provide you with information on water efficiencies and to promote responsible use of water

Identity

Contact

Marketing and Communications    

  • Performance of a task in the public interest
To manage our relationship with you which will include:
  • Notifying you about changes to our Website, services, terms or privacy notice
  • Asking you to leave a review or take a survey
  • Customer profiling of water usage and communications to improve our service to you and to help us efficiently manage our business

Identity

Contact

Profile

Marketing and Communications

Usage

  • Necessary to comply with a legal obligation
  • Necessary for our legitimate interests (to keep our customers informed and to listen to their views, to learn from feedback and communication analysis to improve our service and help protect our most vulnerable customers)
Managing Affinity Water led community and fundraising events

Identity

Contact

Transactional

Marketing Communications

Financial

  • Necessary for our legitimate interests (to ensure the promotion and the safe and efficient management of an Affinity Water event)
  • Necessary for the performance of a contract where one exists between Affinity Water and event participant(s)
To administer and protect our business from fraud, data breaches, cyber-attacks and other malicious activity through training our employees, troubleshooting, reviewing call recordings, data analysis, testing, system maintenance, security audits, support, reporting and hosting of data    

Identity

Contact

Profile

  • Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise)
  • Necessary to comply with a legal obligation
To conduct health and safety assessments and record keeping; and compliance with related legal obligations    

Identity

Contact

Profile

Health

  • Necessary for our legitimate interests (in providing a safe and secure environment for our employees and visitors)
  • Necessary for compliance with a legal obligation
  • Substantial Public Interest (specifically for health and insurance purposes)
To use data analytics to improve the Website, our services, customer relationships and experiences    

Identity

Contact

Profile

Usage

Technical

Website
 

  • Consent 

To make suggestions and recommendations to you about goods or services that we feel may interest you    

Identity

Contact

Technical

Usage

Profile

Marketing
Communications

  • Consent 
  • Necessary for our legitimate interests (to develop our services and grow our business)
To help ensure the safety of visitors and employees, and to protect our assets and facilities through use of CCTV     Identity    
  • Necessary for our legitimate interests (to protect our employees, visitors, facilities and assets by preventing, and where necessary, detecting, crime)
To establish, exercise and defend our legal rights    

Identity

Contact

Financial

Transactional

Technical

Profile

Usage

Health

Marketing
Communications

  • Necessary for compliance with a legal obligation
  • Necessary for our legitimate interests (for the purpose of establishing, exercising or defending our legal rights)
  • Necessary for the establishment, exercise or defence of legal claims

7. Communications

Arrow icon

This section explains how we will communicate with you as an Affinity Water customer.

Service communications

As detailed in the table in section 6 above, we may send you service communications such as those which relate to any service we provide to you including communicating with you for administrative purposes, to collect payment, to notify you of a service disruption, and to provide you with customer satisfaction surveys. We can lawfully send these service communications to you as it is within our legitimate interest to do so.

We may also send you information on how you can reduce water usage in your home. This is because we have an obligation under the Water Industry Act 1991 to promote water efficiencies to our customers (a task carried out in the public interest).

Marketing communications

We may occasionally send you marketing communications to inform you of services, promotions or events we think may be of interest to you as an Affinity Water customer. We may also send you marketing material from insurance providers such as HomeServe.

You can change your marketing preferences and unsubscribe at any time by contacting us at mybill@affinitywater.co.uk or 0345 357 2401. You'll still receive other important information, for example service communications, as described above.

8. Who will have access to your personal data

Arrow icon

Personal data will only be handled by our trained employees who have a legitimate business need to access your personal data for the purposes set out in this privacy notice.

9. Who else might we share your personal data with

Arrow icon

Except as explained in this privacy notice, we will not share your personal data without your consent unless required to do so by law.

We may share your personal data with you, and where we have obtained your consent to do so, your associates and your representatives.

We may disclose your personal data to the police, Department for Work and Pensions, HMRC, UK Visas and Immigration, fraud prevention and investigation agencies and any other law enforcement agency to the extent necessary for purposes including preventing, investigating, detecting, and prosecuting criminal offences, or validating a claim.

We may share your personal data with the following third-parties where we are legally required to do so or to assist us with administering the provision of our services to you:

  • Business partners, suppliers and sub-contractors for the performance of any contract we enter into with them to perform services on our behalf, such as:
    • Customer service
    • Processing payment transactions
    • The offering of home water efficiency checks
    • Claims management
    • Sending customer communications
    • Analytical providers for the improvement and optimisation of our Website
    • Collecting debts owed to Affinity Water
    • Responding to service disruptions and emergencies
    • Customer translation services
    • Researching and analysing customer experience and feedback.
  • Our regulators and industry bodies including OFWAT, the Consumer Council for Water, the Drinking Water Inspectorate, MOSL, the Environment Agency and local flood authorities to in order to comply with our regulatory obligations and to help resolve complaints or other issues.
  • Providers of wastewater services, which may include Southern Water, Anglian Water and Thames Water.
  • Other UK water companies, distribution network operators and energy retailers with whom we share information on customers receiving access to our priority services to ensure the ongoing safeguarding of those customers.
  • Housing associations and local authorities with whom we work collaboratively with in the provision of certain services to you such as water saving devices.
  • Charities and local service providers in order to help manage your debt and help you get the support you need.
  • Credit reference agencies, specifically TransUnion, to help us maintain up to date records, prevent fraud and identify customers who are at risk of falling into debt. The information we share with TransUnion on a monthly basis will include your outstanding balance. If you are over one month late in your payment, your credit score may be impacted. You can find out more here by reading our ‘Sharing Data with Credit Reference Agencies’ information notice.
  • Insurance provider Homeserve who have been selected by Affinity Water to provide access to insurance products to our customers in the event of water related issues where the customer is legally responsible for the cost of repair.

Our partners, suppliers and sub-contractors have access to the personal data needed to perform their functions, but may not use it for other purposes.

We may also pass Aggregated Data on the usage of our Website (e.g. we might disclose the numbers of visitors to our Website that come from different geographic areas) to third parties but this will not include information that can be used to identify you personally.

If a business transfer or change of business ownership takes place or is envisaged, we may transfer your personal data to the new owner (or a prospective new owner). If this happens, you will be informed of this transfer.

10. How do we protect your personal data

Arrow icon

We are committed to maintaining the privacy and security of the personal data you provide to us through the deployment of physical, technical and organisational security procedures designed to secure your personal data against accidental loss, destruction or damage and unauthorized access, use, alteration or disclosure.

Our customer data is held on secure systems and servers with access controls in place on a need to access basis. Payment transactions and data transfers are encrypted.

We ensure all our staff are trained in data protection so they understand how they can help keep your personal data safe from unauthorised use and access.

Our sites are highly secured with physical access controls strictly implemented.

Where we have given you (or where you have chosen) a password which enables you to access certain parts of our Website, you are responsible for keeping this password confidential. You should not share this information with anyone.

Unfortunately, the transmission of your personal data via the internet is not completely secure and although we do our best to protect your personal data, we cannot guarantee the security of your personal data transmitted to us over the internet and you acknowledge that any transmission is at your own risk.

11. Transfers of your personal data outside the UK

Arrow icon

Your personal data may be transferred to, and stored at, a destination outside the UK. When we transfer and store your personal data outside of the UK, we will ensure that it is adequately protected by using appropriate safeguards as further detailed below.

Staff operating outside the UK who work for us, or one of our suppliers, may process your personal data. Such staff may be engaged in, among other things, the processing of your payment details and the provision of support services.

Where your personal data is transferred from the UK to a recipient outside the UK to a country not recognised by the UK as providing an adequate level of protection for personal data we will ensure the transfer shall be covered by the following:

  • An International Data Transfer Agreement; and
  • An international data transfer risk assessment of the receiving country; or
  • In accordance with one of the derogations set out in the Data Protection Legislation.

12. How long do we keep your personal data

Arrow icon

We will keep your personal data for no longer than is necessary for the purposes for which it was obtained. The criteria for determining the duration for which we will retain your personal data are as follows:

We will retain your personal data in a form that permits identification only for as long as:

  • we maintain an ongoing relationship with you; or
  • your personal data is necessary in connection with the lawful purposes set out in this privacy notice for which we have a valid legal basis.

Plus, for the duration of:

  • any applicable limitation period under applicable law (i.e. any period during which any person could bring a legal claim against us in connection with your personal data, or to which your personal data may be relevant); or
  • an additional reasonable period following the end of such applicable limitation period.

In addition to the above:

  • if any relevant legal claims are brought, we may continue to process your personal data for such additional periods as are necessary in connection with that claim.

Where your personal data is retained for claim limitation purposes or for a reasonable period thereafter, we will restrict our processing of your personal data to the storage of, and maintaining the security of, those personal data, except to the extent that those personal data needs to be reviewed in connection with any legal claim or obligation under applicable law.

After this period your personal data will be anonymised so that you are no longer identified or identifiable from such information, or securely deleted/destroyed.

Any third parties that we engage will keep your personal data stored on their systems for as long as is necessary to provide the relevant services to you or us. If we end our relationship with any third-party providers, we will make sure that they securely delete or return your personal data to us.

We may retain personal data about you for statistical purposes. Where personal data is retained for statistical purposes, it will always be anonymised, meaning that you will not be identifiable from that data.

13. Your data rights

Arrow icon

The legal rights you have in relation to your personal data are summarised below:

  • Right to be informed - You have the right to be informed about the collection and use of your personal data, as covered by this privacy notice.
  • Right of access – You have the right to access and receive a copy of your personal data, and other supplementary information (subject to a limited number of exemptions). You can make a request here.
  • Right to rectification – You have the right to have inaccurate personal data rectified, and incomplete personal data completed.
  • Right to erasure – You have the right to request erasure of your personal data in certain circumstances.
  • Right to restrict processing – You have the right to request restriction or suppression of your personal data.
  • Right to data portability – Where we are processing your personal data based on your consent or for the performance of a contract you may request that we transfer your personal data to another organisation in a structured, commonly used machine-readable format. This only applies to personal data provided to us by you.
  • Right to object – You have the absolute right to object to processing for direct marketing purposes. The right to request we stop processing your personal data also applies when we process your personal data based on a task carried out in the public interest or for our legitimate interests (or those of a third party). However, in these circumstances we may refuse to comply with your request if we can justify compelling legitimate grounds, or where the processing is for establishment, exercise or defence of legal claims.
  • Rights related to automated decision-making including profiling – You have the right not to be subject to a decision based solely on automated processing (no human intervention), where the decision affects your legal status or rights or where the decision has a similarly significant effect. This type of processing is permitted where the decision is necessary for entry into or performance of a contract with you; is authorised by law; or based on your explicit consent. We can only use your Special Category Data for this type of processing where we have your explicit consent or if is necessary for reasons of substantial public interest.

If we are processing your personal data on the basis of consent you have the right to withdraw your consent at any time. If you decide to withdraw your consent, we will stop processing your personal data for that purpose unless there is another lawful basis we can rely on.

You can exercise your rights free of charge. We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up and improve our response to you.

We will comply with your request within one calendar month (from the time Affinity Water receives your request, or upon receipt of any additional information we have requested from you). Occasionally we may require more time to respond to your request if your request is complex. We will notify you within one month to inform you that we require additional time to comply with your request.

In exceptional circumstances where your request is manifestly unfounded or excessive, we may charge you for your request, or refuse to comply with your request. We will always inform you of the reasons for not being able to comply with your request.

For more information on your rights and how to use them, or if you would like to make any of the requests set out above, please contact us using the details provided in section 14.

14. Further information

Arrow icon

If you have any questions or concerns about how we handle your personal data, you can contact us by:

Post: FAO Data Protection Officer

Legal, Risk & Compliance

Affinity Way Ltd

Tamblin Way

Hatfield

Hertfordshire

AL10 9EZ

Email: data.protection@affinitywater.co.uk

If you are unsatisfied with our response to any data protection issues you raise with us or our DPO, you have the right to make a complaint to the ICO. The ICO is the authority in the UK which is tasked with the protection of personal data and privacy and contact details can be found at ico.org.uk/global/contact-us.

Enable Recite