LONDON & VALLEY WATER

PRIVACY POLICY

  1. Introduction

London & Valley Water Limited (“London & Valley Water”, “we”, “us” and “our”) has set up this website www.londonandvalleywater.com (the “Site”) in connection with a proposed performance improvement and turnaround plan concerning Thames Water that we are finalising. 

We recognise the importance of protecting the privacy of online visitors of the Site and other individuals whose personal data we may hold (“you”). This privacy policy (“Privacy Policy”) explains how we collect, use, disclose, share and protect personal data (as defined below) from and about you that we process through your interactions with us, including your interactions with this Site. London & Valley Water is a data controller under the Data Protection Act 2018 and the UK GDPR, as amended and supplemented from time to time. 

Please read this Privacy Policy carefully to understand what we do with your personal data. The rights discussed in certain sections of this Privacy Policy may be subject to exemptions or other limitations under applicable law. 

  1. Collection of Personal Data

We may collect information about you which may directly or indirectly identify you, and “personal data” in this Privacy Policy has the same meaning as provided to it under the UK GDPR. 

We may process certain categories of personal data from or about you, including: 

  • identifiers and similar information, such as name, address, date of birth, email address, passport number, online identifiers or other similar identifiers;
  • internet or other electronic network activity information, including interactions with the Site, date and time of visit of the Site, or use of certain online tools;
  • professional or employment-related information, including experience, occupation, compensation, employer and title; 
  • commercial and financial information, including records of products or services purchased, obtained or considered, or other purchasing or investment histories or tendencies, credit card details, assets or sources of wealth; 
  • any special category personal data in the event you share these with us, for example racial or ethnic origin, political opinions, religious or philosophical beliefs, or data concerning health, sex life or sexual orientation; and 
  • audio, electronic, visual or similar information.
  1. Sources of Personal Data

We may collect personal data directly from you and/or your intermediaries through sources such as interactions with the Site or written, electronic or verbal correspondence with us or our service providers.  

We may also collect personal data from different categories of sources, such as: (i) our service providers, including professional service providers; (ii) public websites or other publicly accessible directories and sources, including bankruptcy registers, tax authorities, governmental agencies and departments, and regulatory authorities; and/or (iii) from credit reporting agencies, sanctions screening databases, or from sources designed to detect and prevent fraud.

  1. Purposes and Legal Bases for Collection and Use of Personal Data 

We may collect, use or process personal data for the purposes of our work in connection with our proposed performance improvement and turnaround plan for Thames Water, such as:

  • communicating with you;
  • complying with legal or regulatory requirements;
  • performing our contractual and other legal obligations;
  • establishing, exercising or defending legal claims and in order to protect and enforce our (or another person’s) rights, property, or safety, or to assist others to do the same;
  • detecting security incidents and protecting against malicious, deceptive, fraudulent, or illegal activity;
  • administering and improving our Site; 
  • providing you with the information, products or services you requested; 
  • evaluating or conducting a merger, divestiture, restructuring, reorganisation, dissolution or other sale or transfer of some or all of our assets; and
  • internal operations, such as troubleshooting, data analysis, testing, research and statistical purposes.

Our lawful bases for processing such personal data include: 

  • where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests; 
  • to comply with certain legal and regulatory requirements; 
  • depending on the circumstances, we may need to process your personal data for the performance of a contract to which you are a party, or related pre-contractual steps; and
  • with your consent, as required by the UK GDPR. 
  1. Disclosure of Personal Data

We may share personal data with certain third parties for the purposes set out above, including as follows: 

  • We may share your personal data with our service providers to perform the functions for which we engage them. For example, we may share your personal data with professional service providers such as law firms, consultants, marketing agencies and other third parties. We may also use third parties to host the Site or assist us in providing functionality on the Site and provide data analysis and research as regards the Site.
  • We may share your personal data with regulatory, legal and tax authorities, including for example to respond to a subpoena, regulation, binding order of a data protection agency, legal process, governmental request or other legal or regulatory process. We may also share personal data as required to pursue available remedies or limit damages we may sustain. We also may share your personal data with third parties (including, but not limited to, governmental organisations and self-regulatory organisations) to enforce our rights, protect our property or protect the rights, property or safety of others, to prevent fraud, unauthorised transactions or liability; or as needed to support external auditing and compliance functions. 
  • We may share your personal data with third parties, including current, former and potential investors, shareholders and creditors, in the context of our operations, including in relation to our proposed performance improvement and turnaround plan for Thames Water.
  • We may disclose information, including your personal data, to third parties (including potential acquirers) in connection with a change of ownership or control by or of us or any affiliated entity (in each case whether in whole or in part) and where we sell or transfer all or a portion of our business or assets (including in the event of a reorganisation, dissolution or liquidation).
  1. Security and Retention of Personal Data

We endeavour to take reasonable steps to use technical, administrative, organisational and physical security measures appropriate to the nature of the personal data we are processing and designed to prevent unauthorised intrusion to the Site and to protect your personal data from unauthorised access, exfiltration, alteration, acquisition, theft, disclosure, or misuse. We generally restrict access to personal data to those employees and agents who have been advised as to the proper handling of such data and who need to know such data to perform their duties. Given the nature of information security, there is no guarantee that such safeguards will always be successful. To the extent permitted under applicable law, we will not be responsible for loss, corruption or unauthorised acquisition or misuse of personal data that you provide through the Site that is stored by us, or for any damages resulting from such loss, corruption or unauthorised acquisition or misuse.

How long we keep your personal data will vary depending on the type of personal data and our reasons for collecting it. The retention period will be determined by various criteria, including the amount, nature and sensitivity of the personal data, the purposes for which we are using it (as it will need to be kept for as long as is necessary for any of those purposes) and our legal obligations (as laws or regulations may set a minimum period for which we have to keep your personal data). In general, we will retain your personal data only for as long as necessary to fulfil the purposes for which we collected it, including for the purposes of satisfying our legal and regulatory obligations.

  1. Your Rights

Under the GDPR, you have the right in certain circumstances to: (i) request access to and rectification of your personal data; (ii) correct personal data that we hold where it is incomplete or inaccurate; (iii) restrict the processing of your personal data in certain circumstances; (iv) object to the processing of your personal data in certain circumstances, including where we process personal data for direct marketing purposes or where we have processed such data on the basis of our legitimate interests; (v) request that we erase your personal data under certain circumstances; (vi) ask for a copy of your personal data to be provided to you, or to a third party, in a digital form; (vii) withdraw your consent to the processing of your personal data (where applicable); and (viii) lodge a complaint about the processing of your personal data with us or with a relevant data protection authority. 

If you have any concerns about the use of your personal data, please contact us as set out in Section 13 of this Privacy Policy. We will endeavour to acknowledge and respond without undue delay.

If you wish to lodge a complaint with the Information Commissioner’s Office (ICO), the UK data protection authority, you can contact the ICO at Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF; telephone number: 0303 123 1113; email: casework@ico.org.uk.

If you wish to exercise any of your rights to the extent applicable, please contact us as set out in Section 13 below.

  1. Transfers of Personal Data Outside the UK

Our activities are such that it may be necessary for personal data that we obtain from you to be transferred and/or processed outside of the UK, chiefly but not limited to the United States. Personal data may be accessible by employees and other persons working on our behalf, located outside of the UK, including to certain service providers (including but not limited to technical service providers and electronic data storage providers) who may process the information you give us. In circumstances where we transfer personal data outside the UK, we will seek to ensure a similar degree of protection is afforded to it by ensuring that, where possible, personal data is generally transferred only to persons in countries outside the UK in one of the following circumstances:

  • to persons and undertakings in countries that have been deemed to provide an adequate level of protection for personal data by the relevant Secretary of State in the UK (an “adequacy decision”);
  • to persons and undertakings based in the United States if they are part of the EU-U.S. Data Privacy Framework which requires them to provide similar protection to personal data shared between the EEA and the United States, as well as personal data shared between the UK and the United States pursuant to the Data Protection (Adequacy) (United States of America) Regulations 2023 for the UK Extension to the EU-U.S. Data Privacy Framework (the UK-US Data Bridge);  
  • to persons and undertakings to whom the transfer of such personal data is made pursuant to a contract that is compliant with the model contracts for the transfer of personal data to third countries from time to time approved by the European Commission or in the form of the international data transfer agreement adopted by the ICO and the UK Parliament or an equivalent or replacement agreement (the IDTA), as applicable, and as supplemented where and if required; 
  • to persons and undertakings outside of The UK pursuant to other appropriate safeguards for the transfer of personal data; and
  • only on one of the conditions allowed under the UK GDPR in the absence of an adequacy decision or appropriate safeguards.
  1. Cookies and Similar Technologies

Cookies are small text files that are stored in your computer’s memory and hard drive, in your mobile device or tablet when you visit certain web pages. They are used to enable websites to function or to provide information to the owners of a website, or other third parties which receive data obtained from that website.

Our Site may use cookies for various purposes, including to distinguish you from other users of our website and collect certain information about your interactions with our website. This may help us, among other things, to improve our Site and comply with legal and regulatory obligations. For further information please refer to our cookie policy page here.

Some web browsers may transmit “do not track” (“DNT”) signals.  We currently do not respond to DNT settings in your web browser.

  1. Links to External Websites

Our Site may contain links to third party websites.  Any access to and use of such third-party websites is not governed by this Privacy Policy, but instead is governed by the privacy policies of those third-party websites, and we are not responsible for the information practices of such third-party websites.

  1. Children 

Our services are not directed at individuals under the age of 18. We do not knowingly solicit or collect personal data from children under the age of 18. If we become aware that a child under 18 has provided us personal data, we will delete such data from our files.

  1. Changes to this Privacy Policy 

We may update this Privacy Policy from time-to-time and any changes to our Privacy Policy will be posted to this page. Accordingly, please refer back to this Privacy Policy frequently as it may change.

13. How to Contact Us

If you have any questions, comments, requests or complaints regarding this Privacy Policy or the use of your personal data, please contact us at info@londonandvalleywater.com.