Privacy Notice
This Privacy Notice will help you understand how we use your personal data as an employee, worker or contractor of Affinity Water Limited.
We recommend that you read this privacy notice in full as it explains how and why we collect personal data about you, how and why it will be processed by us and our commitment to protecting your personal data.
1. ABOUT AFFINITY WATER
Affinity Water Limited ("Affinity Water", "We", "Our" or "Us") is a company registered in England and Wales under company number 02546950 whose registered office is at Tamblin Way, Hatfield, Hertfordshire AL10 9EZ.
We are registered as a data controller with the UK Information Commissioner's Office and our registration number is Z8926206.
We have a data protection officer ("DPO"). Contact details can be found in section 14 of this privacy notice.
2. ABOUT THIS PRIVACY NOTICE
This privacy notice applies to the personal data we process during and after your employment with Affinity Water. We are committed to protecting your personal data in accordance with applicable data protection legislation including the UK GDPR, Data Protection Act 2018 and the Privacy and Electronic Communications Regulations 2003 (together referred to as "Data Protection Legislation").
This privacy notice may change from time to time and, if it does, the up-to-date version will always be available on the Wave and Athena. We will also tell you about any important changes to our privacy notice. This privacy notice was last updated on 18th April 2024.
3. DEFINITION OF PERSONAL DATA
Personal data is any information that relates to an identified or identifiable living individual. This means that the individual is directly identifiable from that information or could be indirectly identified from that information in combination with other information.
4. PERSONAL DATA WE COLLECT ABOUT YOU
We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:
Identity
- Name and Title
- Date of birth
- Gender
- Marital Status
- Passport number
- Driving license number
- Birth certificate
- Photograph
- Film
- CCTV capture
- Call recordings
Contact
- Home address
- Telephone numbers
- Email address
- Next of kin and emergency contact details
Pay
- Wages
- Pay history
- Salary deductions
- Bank account details
- Benefits
- Pension
- Statutory payments
- Annual leave
- Sickness absence
- Leave records
- P60, P45, P11D etc.
Recruitment
- CV and application forms
- Interview notes and scoring
- Right to work check information
- Background checks such as DBS checks
- Employer references
Contract
- Contract of employment
- Start and end dates of employment
- Location of workplace
- Work history
- Work hours
Employment records
- Probationary performance
- Work performance
- Training records
- Disciplinary, Grievance and other workplace procedures
- Personal measures i.e. for PPE
- Professional membership
- Records of entry and exit of offices and buildings
- Vehicle tracking
- Exit interviews
Special Category Data
Health:
- Accident and incident records
- Reasonable adjustments
- Disability information and/or long-term health conditions
- Absence details
- Results of alcohol and drug testing
- Fitness to work assessments
Race or Ethnic origin
Religious or philosophical beliefs
Sexual orientation
Sex life
Trade union membership
Criminal Conviction Data
- Details of criminal convictions and offences
IT
- Usage of equipment and systems
- Email monitoring
- IP address
5. HOW YOUR PERSONAL DATA IS COLLECTED
We use different methods to collect personal data from and about you including through:
Direct interactions
We collect personal data from you when you first apply for a job with Affinity Water or as part of a service provision contract, and during the appointment stage. Thereafter we will continue to collect personal data about you which you provide to us. If you fail to provide certain information when requested, we may not be able to perform the contract we have entered into with you (such as paying you or providing a benefit), or we may be prevented from complying with our legal obligations (such as to ensure the health and safety of our workers).
Information we receive from other sources
We may receive personal data about you from third parties who provide it to us. For example:
- Recruitment agencies and platforms such as LinkedIn;
- Background checks performed during the recruitment process;
- CCTV which we may use for the purposes of ensuring safety and for the prevention and detection of crime. Where we collect information through our use of CCTV we will only do so in compliance with our CCTV Policy and Monitoring Policy (which you can access on Athena);
- Monitoring of your use of our IT systems, which includes our telephone systems. We will only ever monitor your use of our IT in compliance with our policies including our Acceptable Use Policy and Monitoring Policy (which you can access on Athena);
- Telematics software and platforms to manage and utilize our fleet in accordance with our Vehicle Monitoring Devices Policy (AW0152);
- Call recordings to allow us to improve our customer service and investigate complaints or concerns;
- Where our employees are required by law, or otherwise, to undergo any medical assessments to consider and monitor their ability to fulfil the role in which they are employed.
6. PURPOSE AND LEGAL BASIS FOR PROCESSING YOUR PERSONAL DATA
We must have a legal basis for processing your personal data. We predominately process your personal data under the following legal grounds:
- It is necessary in order to comply with legal obligations which apply to us;
- It is necessary for the performance of your employment contract (including for the provision of any employee benefits that you elect or are awarded as part of your employment with us);
- It is necessary in order to fulfil our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests; or
- The law otherwise permits or requires it.
We may also use your personal data in the following situations, which are likely to be rare:
- Where we need to protect your vital interests (or someone else’s interests).
- Where it is needed in the public interest.
Special Category Data
Special category personal data includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, genetic and biometric data. We do not seek to collect or otherwise process your Special Category Data, except where:
- we have obtained your explicit consent prior to processing your Special Category Data;
- processing is necessary for the purposes of carrying out obligations and exercising specific rights in the field of employment;
- the processing is necessary for the detection or prevention of crime (including the prevention of fraud) to the extent permitted by applicable law;
- you have manifestly made your Special Category Data public;
- the processing is necessary for the establishment, exercise or defense of legal rights;
- processing is necessary for reasons of substantial public interest; or
- processing is necessary to protect the vital interests of you or a third party.
We have set out in the following table some of the most common ways we may use your personal data and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are, where appropriate.
In some cases, we may use more than one legal basis for processing your personal data; this will depend on the specific purpose for which we are using your personal data.
Please contact us using the details at section 14 of this privacy notice if you have any queries about the specific legal basis that we rely on for processing your personal data.
_______________________________________________
What we use your personal data for (purpose) : Recruitment process including sourcing candidates, right to work checks, performing and assessing criminal records and background checks, interview process and provision of reasonable adjustments (where required) and taking receipt of employee declarations.
Type of data : Identity, Contact, Recruitment, Health, Criminal Conviction
Legal basis for processing (including basis of legitimate interest) :
- Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
- Processing is necessary for compliance with a legal obligation.
- Processing is necessary for the purposes of our legitimate interests (to source suitable candidates, to ensure a thorough and fair recruitment process based on competency and organisational need).
- Processing is necessary for the purposes of carrying out obligations and rights in the field of employment.
_______________________________________________
What we use your personal data for (purpose) : To administer your contract with Affinity Water - to pay your wages, to administer your benefits, monitor time and attendance etc.
Type of data : Identity, Contact, Pay, Contract, Employment records, Trade union membership
Legal basis for processing (including basis of legitimate interest) :
- Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
- Processing is necessary for compliance with a legal obligation.
- Processing is necessary for the purposes of carrying out obligations and rights in the field of employment.
_______________________________________________
What we use your personal data for (purpose) : To administer your contract with Affinity Water - to monitor your performance at work or when you are involved in a disciplinary or grievance process. To exercise or defend a legal claim against Affinity Water.
Type of data : Identity, Contact, Contract, Employment records, Special category data
Legal basis for processing (including basis of legitimate interest) :
- Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
- Processing is necessary for the purposes of our legitimate interests (to ensure employees are working in a productive and effective manner in line with organisational policies, expectations and requirements or to ensure workplace misconduct and grievances are investigated and actioned accordingly or to defend against a claim).
- Processing is necessary for the purposes of carrying out obligations and rights in the field of employment.
- Processing is necessary for compliance with a legal obligation.
- Processing is necessary for establishment, exercise or defense of legal claims.
_______________________________________________
What we use your personal data for (purpose) : To administer your contract with Affinity Water – assessment of working capacity of the employee.
Type of data : Identity, Contact, Contract, Employment records, Health, Pay
Legal basis for processing (including basis of legitimate interest) :
- Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
- Processing is necessary for compliance with a legal obligation.
- Processing is necessary for the purposes of carrying out obligations and rights in the field of employment.
_______________________________________________
What we use your personal data for (purpose) : Equality, Diversity and Inclusion (EDI) monitoring and reporting.
Type of data : Identity, Health, Employment records, Special category data
Legal basis for processing (including basis of legitimate interest) :
- Processing is necessary for compliance with a legal obligation.
- Processing is necessary for the purposes of our legitimate interests (to ensure Affinity Water is actively promoting EDI and preventing discrimination).
- Processing is necessary for the purposes of carrying out obligations and rights in the field of employment.
- Processing is necessary for reasons of substantial public interest (racial and ethnic diversity at senior levels).
_______________________________________________
What we use your personal data for (purpose) : Training and development
Type of data : Identity, Contract, Employment records
Legal basis for processing (including basis of legitimate interest) :
- Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
- Processing is necessary for compliance with a legal obligation.
- Processing is necessary for the purposes of our legitimate interests (to ensure a trained and competent workforce for organisational effectiveness, safety and employee retention).
- Processing is necessary for establishment, exercise or defense of legal claims.
_______________________________________________
What we use your personal data for (purpose) : Health & Safety – record accidents and monitor workplace safety. To ensure reasonable adjustments are in place where needed. To comply with our health & safety requirements to keep employees safe at work.
Type of data : Identity, Contact, Employment records, Health
Legal basis for processing (including basis of legitimate interest) :
- Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
- Processing is necessary for compliance with a legal obligation.
- Processing is necessary for the purposes of carrying out obligations and rights in the field of employment.
- Processing is necessary for establishment, exercise or defense of legal claims.
_______________________________________________
What we use your personal data for (purpose) : Use of IT and telephone systems
Type of data : Identity, Employment records, IT
Legal basis for processing (including basis of legitimate interest) :
- Processing is necessary for the purposes of our legitimate interests (to ensure network and information security, and if necessary, detect and prevent fraud or inappropriate usage).
_______________________________________________
What we use your personal data for (purpose) : Call recordings of customer service and billing calls
Type of data : Identity
Legal basis for processing (including basis of legitimate interest) :
- Processing is necessary for the purposes of our legitimate interests (for training purposes, fraud prevention, data breach investigation, and to handle customer complaints).
_______________________________________________
What we use your personal data for (purpose) : Vehicle tracking (telematics)
Type of data : Identity, Employment Records
Legal basis for processing (including basis of legitimate interest) :
- Processing is necessary for the purposes of our legitimate interests (to improve fleet utilization, reduce response times in an emergency, reduce accidents, provide evidence in the event of a complaint or accident, reduce fleet operating costs, improve driver standards and behaviour).
_______________________________________________
What we use your personal data for (purpose) : Leavers
Type of data : Identity, Contact, Contract, Employment records, Pay, Special category data
Legal basis for processing (including basis of legitimate interest) :
- Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
- Processing is necessary for the purposes of our legitimate interests (to understand the reasons why employees leave, to improve retention and to defend legal claims should they arise).
- Processing is necessary for establishment, exercise or defense of legal claims.
- Processing is necessary for the purposes of carrying out obligations and rights in the field of employment.
_______________________________________
7. AUTOMATED DECISION-MAKING (INCLUDING PROFILING)
Automated decision-making takes place when an electronic system uses personal data to make a decision without human intervention. We are allowed to use automated decision-making in the following circumstances:
- Where it is necessary for entering into or to perform the contract with you and appropriate measures are in place to safeguard your rights;
- Where it is authorised by law; and
- In limited circumstances, with your explicit written consent and where appropriate measures are in place to safeguard your rights.
If we make an automated decision on the basis of Special Category Data, we must have either your explicit written consent or it must be justified as a substantial public interest, and we must also put in place appropriate measures to safeguard your rights.
We may use automated profiling to monitor your sickness absence from the workplace to ensure performance against your contract of employment. Your line manager or Human Resources may begin to investigate with you the reasons for your absences from the workplace in line with policy. No decision on your absences will be made based on automated decision-making alone.
We may also use automated profiling during recruitment or for employment development in the form of psychometric testing. If this applies to you, you will always be provided with a copy of the final report and given the opportunity to comment on the results.
Except where required by law, you will not be subject to decisions that will have a significant impact on you based solely on automated decision-making unless we have given you the opportunity to obtain human intervention, to express your point of view and to contest the decision.
8. WHO WILL HAVE ACCESS TO YOUR PERSONAL DATA
Personal data will only be handled by our trained employees who have a legitimate business need to access your personal data for the purposes set out in this privacy notice.
9. WHO ELSE WE MIGHT SHARE YOUR PERSONAL DATA WITH
Except as explained in this privacy notice, we will not share your personal data without your consent unless required to do so by law, where we have a legitimate interest in doing so, or to administer the working relationship with you.
We may share your personal data with you, and where we have obtained your consent to do so, your associates and your representatives.
We may disclose your personal data to the Police, Department for Work and Pensions, HMRC, UK Visas and Immigration, fraud prevention and investigation agencies and any other law enforcement agency to the extent necessary for purposes including preventing, investigating, detecting, and prosecuting criminal offences or where required to do so by law.
We may share your personal data with third-party service providers who assist us with administering our employment relationship with you. This may include payroll processors, benefits administration providers, pension trustees, company car and fleet management providers, the Disclosure and Barring Service, insurance providers, IT support providers, occupational health assessors, training providers, and legal service advisers.
We may share your personal data with third parties to whom you are seconded as part of your employment. This will include limited and basic personal data such as personal contact details (name, address, etc.), emergency contact information, and government identification numbers.
If you drive a company electric fleet vehicle we may share your personal data with our home charging point installation partners and EV charging card providers.
With your consent, we may share your personal data upon request to third parties such as mortgage lenders, rental agencies and prospective employers.
Any such third parties will only be permitted to use your personal data for specific purposes in accordance with our instructions and not for their own purposes.
If a business transfer or change of business ownership takes place or is envisaged, we may transfer your personal data to your new employer or a prospective new employer. If this happens, we will inform you of this transfer.
10. HOW WE PROTECT YOUR PERSONAL DATA
We are committed to maintaining the privacy and security of the personal data you provide to us through the deployment of physical, technical and organisational security procedures designed to secure your personal data against accidental loss, destruction or damage and unauthorised access, use, alteration or disclosure.
Our employee data is held on secure systems and servers with access controls in place on a need to access basis.
We ensure all our staff are trained in data protection so they understand how they can help keep your personal data safe from unauthorised use and access.
Our sites are highly secured with physical access controls strictly implemented.
Where we have given you (or where you have chosen) a password which enables you to access our systems, you are responsible for keeping this password confidential. You should not share this information with anyone.
Unfortunately, the transmission of your personal data via the internet is not completely secure and although we do our best to protect your personal data, we cannot guarantee the security of your personal data transmitted to us over the internet and you acknowledge that any transmission is at your own risk.
11. TRANSFERS OF YOUR PERSONAL DATA OUTSIDE THE UK
Your personal data may be transferred to, and stored at, a destination outside the UK. When we transfer and store your personal data outside of the UK we will ensure that it is adequately protected by using appropriate safeguards as further detailed below.
Staff operating outside the UK who work for us, or one of our suppliers, may process your personal data. Such staff may be engaged in, among other things, the processing of your payment details and the provision of support services.
Where your personal data is transferred from the UK to a recipient in a country not recognised by the UK as providing an adequate level of protection for personal data, we will ensure the transfer is covered by the following:
- An International Data Transfer Agreement; and
- An international data transfer risk assessment of the receiving country; or
- In accordance with one of the derogations set out in the Data Protection Legislation.
12. HOW LONG WE KEEP YOUR PERSONAL DATA
We will keep your personal data for no longer than is necessary for the purposes for which it was obtained. The criteria for determining the duration for which we will retain your personal data are as follows:
We will retain your personal data in a form that permits identification only for as long as:
- we maintain an ongoing relationship with you; or
- your personal data is necessary in connection with the lawful purposes set out in this privacy notice for which we have a valid legal basis.
Plus for the duration of:
- any applicable limitation period under applicable law (i.e. any period during which any person could bring a legal claim against us in connection with your personal data, or to which your personal data may be relevant); or
- an additional reasonable period following the end of such applicable limitation period.
In addition to the above:
- if any relevant legal claims are brought, we may continue to process your personal data for such additional periods as are necessary in connection with that claim.
Where your personal data is retained for claim limitation purposes or for a reasonable period thereafter, we will restrict our processing of your personal data to the storage of, and maintaining the security of, those personal data, except to the extent that those personal data need to be reviewed in connection with any legal claim or obligation under applicable law.
After this period your personal data will be anonymised so that you are no longer identified or identifiable from such information, or securely deleted/destroyed.
Any third parties that we engage will keep your personal data stored on their systems for as long as is necessary to provide the relevant services to you or us. If we end our relationship with any third-party providers, we will make sure that they securely delete or return your personal data to us.
We may retain personal data about you for statistical purposes. Where personal data is retained for statistical purposes, it will always be anonymised, meaning that you will not be identifiable from that data.
13. YOUR DATA RIGHTS
The legal rights you have in relation to your personal data are summarised below:
- Right to be informed – You have the right to be informed about the collection and use of your personal data, as covered by this privacy notice.
- Right of access – You have the right to access and receive a copy of your personal data, and other supplementary information (subject to a limited number of exemptions).
- Right to rectification – You have the right to have inaccurate personal data rectified, and incomplete personal data completed. Please keep HR informed if your personal data changes during your working relationship with us or update your details on Oracle. In addition, from time to time we conduct data audits to check the information we hold is accurate.
- Right to erasure – You have the right to request erasure of your personal data in certain circumstances.
- Right to restrict processing – You have the right to request restriction or suppression of your personal data.
- Right to data portability – Where we are processing your personal data based on your consent or for the performance of a contract you may request that we transfer your personal data to another organization in a structured, commonly used machine-readable format. This only applies to personal data provided to us by you.
- Right to object – You have the absolute right to object to our processing of your personal data. The right to request we stop processing your personal data applies when we process your personal data based on a task carried out in the public interest or for our legitimate interests (or those of a third party). However, in these circumstances we may refuse to comply with your request if we can justify compelling legitimate grounds, or where the processing is for establishment, exercise or defense of legal claims.
- Rights related to automated decision-making including profiling – You have the right not to be subject to a decision based solely on automated processing (no human intervention), where the decision affects your legal status or rights or where the decision has a similarly significant effect. This type of processing is permitted where the decision is necessary for entry into or performance of a contract; is authorised by law; or is based on your explicit consent. We can only use your Special Category Data for this type of processing where we have your explicit consent or if it is necessary for reasons of substantial public interest.
If we are processing your personal data on the basis of consent you have the right to withdraw your consent at any time. If you decide to withdraw your consent, we will stop processing your personal data for that purpose unless there is another lawful basis we can rely on.
You can exercise your rights free of charge. We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up and improve our response to you.
We will comply with your request within one calendar month (from the time Affinity Water receives your request, or upon receipt of any additional information we have requested from you). Occasionally we may require more time to respond to your request if your request is complex. We will notify you within one month to inform you that we require additional time to comply with your request.
In exceptional circumstances where your request is manifestly unfounded or excessive, we may charge you for your request, or refuse to comply with your request. We will always inform you of the reasons for not being able to comply with your request.
For more information on your rights and how to use them, or if you would like to make any of the requests set out above, please contact us using the contact details provided below.
14. FURTHER INFORMATION
If you have any questions or concerns about how we handle your personal data, you can contact us by:
Post:
FAO Data Protection Officer
Compliance & Ethics
Affinity Water Ltd
Tamblin Way
Hatfield
Hertfordshire
AL10 9EZ
Email: data.protection@affinitywater.co.uk
If you are unsatisfied with our response to any data protection issues you raise with us or our DPO, you have the right to make a complaint to the ICO. The ICO is the authority in the UK which is tasked with the protection of personal data and privacy and contact details can be found at https://ico.org.uk/global/contact-us/.