Privacy Statement

CCW is committed to protecting the security and privacy of your personal data. CCW is a data controller under the terms of the General Data Protection Regulation (GDPR) which came into effect on 25 May 2018. We are registered with the Information Commissioner’s Office (ICO) with the registration number Z9387556.

This privacy notice explains what personal information we collect, how we use it and your rights in respect of your personal data.

Who is CCW?

We are the independent watchdog that represents the interests of water consumers in England and Wales. We have a committee in England, Wales and a team of Consumer Advocates that represent your area. Our contact details are:

23 Stephenson Street
B2 4BH

0300 034 2222 (for Birmingham)
0300 034 3333 (for Cardiff)

Information do we process?

We process personal information in a number of ways to enable us to carry out our following duties:

  • consideration and investigation of customer complaints;
  • provision of advice and information;
  • responding to information requests;
  • maintenance of our own accounts and records;
  • supporting and managing our Board Members, Consumer Advocates and employees;
  • sending communications to stakeholders about the work we do;
  • recruitment;
  • commissioning of research;
  • internal support functions (suppliers etc.).

Types of data we collect

We process information relevant to the above reasons/purposes which include:

  • Name;
  • Address;
  • Telephone number (including mobile number);
  • Email address;
  • IP address;
  • Details of enquiries, complaints, incidents and grievances;
  • Responses to customer satisfaction surveys (via our research provider ORS);
  • Freedom of Information and subject access requests;
  • Subscriptions to our e-newsletters, social media sites, or requests for our publications;
  • Personnel files of employees, Board members and Consumer Advocates including pay details data relating to current and former employees;
  • Images of individuals for our publications;
  • Information from our suppliers.

The legal basis for processing your information

CCW processes personal information under the following legal bases:

  • Article 6(1)(a), Consent – the data subject has given consent to the processing (consent has to be specific, informed, freely given and unambiguous). Where you have given your consent to the processing you should be informed that you have the right to withdraw consent at any time.
  • Article 6(1)(b), Contract – processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
  • Article 6(1)(c), Legal obligation – CCW processes personal data for compliance with a legal obligation to which we are subject.
  • Article 6(1)(e), Public task – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
  • The processing of special category data is only permitted when certain further conditions in Article 9 of the GDPR are met. In most circumstances CCW’s legal basis for processing special category personal data is covered by:-
    • Article 9(2)(a) – the data subject has given explicit consent to the processing of those personal data.
    • Article 9(2)(b) – processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject.
    • Article 9(2)(g) – processing is necessary for reasons of substantial public interest … which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subject.
    • Article 9(2)(h) – processing is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health and social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional.

Customer complaints against their water company

We share customer information with their water company in order to assist them in reaching resolution. We process this information as a public duty. We store personal information securely on our complaint management system which is accessible only to the relevant employees within our organisation. Telephone calls are recorded for training purposes and are stored for one week. We hold customer information on our complaint management system for six years after we close the complaint. Information on our IT security is included later in this document. For more information, on how long we keep personal data please access our retention schedule:-

Some complaints may fall under the jurisdiction of another organisation such as the Water Services Regulation Authority (Ofwat), the Drinking Water Inspectorate (DWI) or the Environment Agency (EA). In these circumstances we will not share your personal information without your consent.

Similarly, in the event that customers who we have assisted with their complaint remain dissatisfied with the outcome or the way we have dealt with it and approach WATRS or the Parliamentary and Health Service Ombudsman, we will not share any personal information without the consent of the data subject.

As a consumer body, it is important we deliver a good service to customers. In order to ensure we deliver an effective service, we use a market research company to survey customers we have assisted with their complaint to gauge feedback. We may share customer contact details with a market research company after we close a customer complaint. Our lawful basis for processing this information is necessary for the performance of a task carried out in the public interest.

We do not advise customers to send sensitive information to us in relation to their complaint unless absolutely necessary. Sensitive information includes racial or ethnic origin, political beliefs, religious beliefs, trade union membership, physical or mental health conditions, sexual life or commission / alleged commission of any offence or proceedings for any offence committed or alleged to have been committed. Our lawful basis for our processing sensitive information is set out in Article 9(2)(g) of the GDPR 2018 – processing is necessary for reasons of substantial public interest. For example a customer’s personal circumstances may be relevant to the complaint against their water/sewerage company and/or how CCW can best interact with the customer.


We keep a record of individuals who request advice or information from us about water or wastewater issues. The lawful basis for processing is that it is necessary for the performance of a task carried out in the public interest. The information is stored securely on our system and is held for one year after closure.

Mailing Lists

We keep stakeholders up-to-date about our customer research reports that we conduct, our annual reviews, Forward Work Programme, stakeholder events and our newsletters.

The success of our email campaigns is measured by looking at the analytics of open rates, click-through rates and the subscriber list growth for our newsletter. For our communications through our stakeholder database, CCW’s lawful basis for processing information is necessary for the performance of a task carried out in the public interest particularly helping stakeholders to engage with CCW’s work.

Individuals can sign up to our newsletters through our website. We process this information with consent of the data subject.

For communications we use a free version of MailChimp that allows up to 2,000 subscribers. We have multiple lists according to each campaign we send which varies in size.

For more information, please see MailChimp’s privacy notice. You can unsubscribe at any time by clicking the unsubscribe link at the bottom of any of our emails.


We use market research companies for all research we commission. Our lawful basis of process is for the performance of a task carried out in the public interest . From some areas of our research we have a hub of contacts which we research on a regular basis. We do this on the lawful basis of consent.


All information provided to us during the recruitment process will only be used to progress applications, or fulfil legal / regulatory requirements. We hold the information securely whether it is held electronically or physically. We use your contact details for the recruitment process and other information to assess suitability.

We use a third party organisation for background screening of successful applicants. We share the applicant, name, address and email address. This is held by the processor for six months.

Our lawful reason for processing is it is necessary to take steps prior to entering into a contract – Article 6(b) GDPR. This information is stored for 2 years after the recruitment campaign.

For existing employees, Board members and Consumer Advocates we process the following information:

  • Contact details;
  • Pay details;
  • Annual leave;
  • Sick leave;
  • Qualifications;
  • Training;
  • Performance;
  • Ethnicity;
  • Disability details;
  • Employment history.

We process this information under the lawful basis because it is necessary for the performance of a contract. Sensitive information is processed under Section 9(2)(b) – employment. We keep personnel files for six years post-employment.

Supplier information

Personal data of suppliers whether they are an individual or an individual on behalf of an organisation is lawfully processed by CCW under the performance of a contract. The information includes name, contact details and payment details. We hold this information for six years plus the current year.

Feedback on our website and water meter calculator

We ask customers to include their postcode when inputting information relating to their assessed water consumption the water meter calculator on our website. This information is held internally in order for us to assess customer usage of the application. The lawful basis for us to process this information is for the performance of a task carried out in the public interest.

To make improvements to our website and water meter calculator we ask visitors to give their feedback. The basis of lawful processing we use is Article 6(1)(g) of the GDPR legislation 2018. The processing is necessary for the performance of a task carried out in the public interest. We delete the data after two years.


We use Survey Monkey to process this information and you can read their privacy statement here.

Individual’s images for our publications

On some occasions we may use an individual’s image or video footage of an individual at our events for our literature. We process this information under the lawful basis of Article 6(1)(a), consent of the individual.

Website Cookies

Our website uses cookies to collect and store information. Cookies are small text files placed on an individual’s computer and other mobile devices upon browsing our website. They are used to collect standard internet log information and visitor behaviour data. We may use the information stored in cookies to track visitor use of our website and generate reports on website activity. They cannot be used to identify you personally.

Cookies are used to improve services for visitors to our website through, for example:

  • Enabling a service to recognise a device so the user does not have to give the same information several times during one task;
  • Recognising the individual may already have given a username and password so does not need to do if for every web page requested;
  • Measuring how many people are using services so they can be improved and there is sufficient system capacity;
  • Analysing anonymised data to help us understand how people interact with government services so we can make them better.

For further information about cookies, please visit

Google Analytics

When you visit or we utilise a third party service, Google Analytics, to:

  • collect details of visitor behaviour patterns;
  • collect standard internet log data; and
  • monitor the number of visitors to various parts of our website.

We use Google Analytics to collect information about how people use this site. We do this to make sure our website is meeting its users’ needs and to understand how we could do it better.

Google Analytics stores information about what pages are visited visit, how long users are on the site, how they got here and what they clicked on. We do not collect or store personal information (e.g. name or address) so this information cannot be used to identify an individual. We do not make, and do not allow Google to make, any attempt to find out the identities of those visiting our website.

Google Analytics cookies: _utma, _utmb, _utmc, _utmz

  • Purpose: To record how many people are using the CCW website and how they move around the site once they’ve arrived: o _utma tracks how many times (if any) you have visited our website before. o _utmb and _utmc are connected, and track how long you stay on the site. o _utmz tracks identifies where you’ve come from e.g. from a search engine or from another website.
  • Benefit: So service is available when required we measure numbers and volumes of visitors.
  • Data stored by cookies: No personal information about you, just information about your computer and your browser.

Duration of cookies:

  • utma: Expires 2 years after your last visit to this site.
  • _utmb: Expires 30 minutes after your visit, or after 30 minutes of inactivity.
  • _utmc: Expires when you close your browser.
  • _utmz: Expires 6 months after it was last set.

Cookies set by our consumer support site

Customer Portal: cp_session, cp_profile, cp_login_start, oauth_token

  • Purpose: store session specific user data including session ID, answers viewed, number of searches, previously viewed answers, previous searches, previously seen e-mail
  • Data stored: information about the session; the cookie itself contains no personal information.
  • Duration of cookie: expires when you close your browser.


We offer guest Wi-Fi to internal and external stakeholders visiting our Victoria Square House and Cardiff offices. When CCWATER GUEST Wi-Fi, is used, we may collect data about:

  • the device used
  • the volume of data which used;
  • the applications and websites accessed; and
  • your usage by frequency and location and access time.

How your information is stored

Customer information is stored electronically onto our complaint management system. This system, and our network, comply with ISO 27001 I/L2 data security hosting standards, the EU Safe Harbour Data Protection Directive and Telecoms Data Protection Directive. Employees are advised of our IT security policies and procedure and sign a declaration annually. An ICT security report is also submitted annually to our Audit and Risk Management committee.

How information is deleted

Any correspondence we receive about a consumer complaint against a water company is scanned or inputted onto our complaint management system and information we receive by post is filed securely and shredded after one week of receipt, as outlined in our data retention policy.

All other information we receive on paper/hard copy (e.g. paper questionnaires, written notes from focus groups, etc.) is destroyed at our premises by a professional shredding and recycling company which is ISO 27001 accredited and which is controlled by contract and supervised by a CCW employee whilst performing their task. They provide us with evidence of secure disposal as part of their service.

Hardware and devices which have had personal data stored on them are also destroyed using an appropriate and secure method.


As we are classified as a public authority, we have appointed a Data Protection Officer (DPO) to ensure we comply with data protection law. Our DPO operates with independence and is supported by suitability skilled individuals granted all necessary authority. The DPO’s duties include:

  • Informing and advising CCW and its employees who carry out data processing pursuant to data protection regulations, European Union or other Member states data protection provisions;
  • Monitoring compliance in relation to the protection of personal data, including providing relevant training to employees involved in controlling customer data;
  • Providing advice and guidance with regards to carrying out Data Protection Impact Assessments (DPIAs);
  • Operating as a point of contact for and cooperating with supervisory authorities, notably in the event of any data breaches;
  • Implementing and operating a register or system which records requests for information;
  • Reviewing personal data, ensuring that any data which is not necessary to be retained for longer than is necessary is effectively destroyed or obfuscated to reduce CCW’s compliance footprint;
  • Updating CCW’s data protection, privacy and cookie policies to reflect operational changes as a result of audits and corrective actions;
  • Ensuring employees are fully briefed on any changes made to CCW’s data protection, privacy and cookie policies.

Your rights

The right to be informed

You have the right to be informed about the collection and use of your personal data, including:

  • the type of data being processed;
  • recipients of your data;
  • the purposes of the processing;
  • the legitimate interests for the processing (if applicable);
  • the likely period that your data will be retained or the decision process for eventually deleting it; and the existence and details of any automated decision making;
  • the rights available to you in respect of the processing.

The right of access (commonly referred to as Subject Access Requests (SARs))

You have the right to request a copy of the information that we hold relating to you. In order to search for the correct information, we may need to confirm your identify via the use of security questions or ask for certain information to conduct accurate searches. Should you request a copy of some, or all of your personal information, please email or write to the following address:

FAO: Information Team
23 Stephenson Street
B2 4BH

We can accept requests for information either verbally or in writing.

An administration fee will not be imposed for considering and/or complying with such a request unless the request is deemed to be complex or excessive in nature. We have a statutory duty to respond to a SAR within one calendar month of receipt, although we can extend the period of compliance by a further two months if a request is deemed to be complex or numerous. If this is the case, we must inform you within one month of the receipt of the request and explain why the extension is needed.

The right to rectification

You have the right to rectify any inaccurate data held by us. You can make a request for rectification verbally or in writing. The request can be made to any part of our organisation, and is not confined to one particular point of contact or individual.

However, it should be noted that data which has been stored for statistical purposes represent a fixed period in time and therefore we are not obliged to amend any data which was correct at the time of collection.

Depending on the circumstances, you may have the following additional rights:

The right to withdraw consent

Where you have consented to us processing your personal data, you may withdraw your consent at a later time. For any such request, we will review your withdrawal of consent request within a month. We will usually agree to such a request. However where the data is used for reporting purposes, we normally have the right to continue processing your data and only redact or obfuscate the information that would make you identifiable. We will notify you in the event that this situation arises. No fee will be incurred for withdrawal of consent.

If you do not want to be contacted again, we keep ‘no further contact’ lists. Please contact us if you would like to be included on these lists.

The right to erasure (the right to be forgotten)

You may have a right to have all, or some of the information we hold about you erased. You can make a request to have your data erased verbally or in writing. We must act upon a request within 1 month of receipt and we will notify you if your data has been erased. In circumstances where we are unable to erase your data, we will notify you to explain the reasons for refusal.

The right to object

You are within your rights to object to the processing of your personal data depending on our reason for processing. In some circumstances we may have a compelling reason to continue processing your data. We will advise you accordingly. You can make an objection verbally or in writing and we will respond to you within one month.

The right to restrict processing

You sometimes have the right to restrict the processing of your personal data or object to its processing. Should you wish to withdraw the consent for processing of your personal data please contact us. The right to restrict processing applies where:

  • the accuracy of personal data is in question;
  • processing is deemed to be unlawful but you do not want your data erased;
  • we no longer need the data but you need it kept for legal claims; or
  • where you have challenged the balance of our own and/or our clients’ legitimate interests in processing as opposed to your own interests.

We will consider each request on a case by case basis.

The right to data portability

You have the right to receive personal data that we hold in a structured machine readable format and to reuse this for your own purposes to another data controller without hindrance from CCW.  For any requests made, we would be responsible for the transmission of the data and would need to take suitable measures to ensure that it is sent securely to you.

Automated decision making

CCW does not use personal information for any automated decision making activities.

Submitting a complaint with respect to our data handling

We will work with you on any request, complaint or enquiry you have about your personal information. However, should you be dissatisfied with the way a request has been handled, you can initially ask for a review by a senior employee. Should you still be dissatisfied after the internal review has been conducted, you can submit a formal complaint to the Information Commissioner. Contact details for the Information Commissioner are:

Information Commissioner’s Office
Wycliffe House
Water Lane

Tel: 0303 123 1113
Fax: 01625 524 510

Changes to our Privacy Notice

We may amend this privacy notice and will update it to reflect feedback or make it more accessible. We recommend you regularly read this to be informed how we are protecting your privacy.

Alison Townsend is our Data Protection Officer. Should you have any concerns about your personal data held by us please contact us at