The following Market Privacy Notice has been established in accordance with Schedule 25 of the Market Code and provides generic statements which constitute a template for use by the CMA and Trading Parties in their specific Privacy Notices (which should be consistent with the Market Privacy Notice):
Categories of personal data being processed.
Some non-household customers will be sole traders and market related systems will hold personal data about those sole traders. Information about other types of customer (e.g. companies and partnerships) is not personal data. Occasionally, market systems may also hold information indicating that, due to health needs, a non-household customer is a priority for re-connection if there is an interruption to the water supply.
Some tenants or landlords will be sole traders and the Scottish Landlord Portal (SLP) will hold personal data about those sole traders. Information about other types of tenants (e.g. companies and partnerships) is not personal data.
Market participants may collect data from users to help administer accounts and deal with helpdesk queries.
This data may include the name of an individual, a job title, the organisation that the individual works for, contact details and records of any communication with the individual. Data may also include details relating to the address of the sole trader or individual.
Purpose and legal basis of processing.
The information that is held in market related systems will be used to manage all of the electronic transactions involved in switching non-household customers from their current Licensed Provider(s) to their chosen provider. It will also provide usage and settlement data to Scottish Water and Licensed Providers that will then be used in the billing process.
The information held on the Scottish Landlord Portal (SLP) may be updated by a landlord and relates to tenants and the properties that the landlord owns or is responsible for and Licensed Providers then access and search for such data, enabling them to update market data, where required.
Account administration and help-desk facilities may use data about an individual in order to identify and respond such individuals, following a request or direct enquiry, to undertake business planning activities, or to make contact about other market related matters. Such information also enables the provision of advice regarding use of and access to relevant systems, web pages and portals, for internal operations such as audits, surveys and reviews of data security and to assist with service improvements.
The legal basis for the above use of data is that it is necessary (i) in administering the market in water and waste-water retail services in Scotland and (ii) to pursue statutory obligations pursuant to the Water Services (Scotland) Act 1995 and associated legislation.
Recipients of data collected.
Personal information held on market related systems and tenant related data held on the SLP will be shared amongst market participants, but such information will not be shared with third parties other than;
- Where the individual has agreed to their information being shared with a third party,
- Where there is a legal, regulatory or professional obligation to disclose this information, or in order to protect contractual or other rights, property, or safety or those of others,
- Where a market participant, or substantially all of the participant’s assets, are merged or acquired by a third party, in which case this information may form part of the transferred or merged assets, or
- Where a market participant is using a third party service provider to provide services that involve data processing.
Security applied to data
Security arrangements are equivalent to or consistent with relevant international standards and include, where applicable;
- Pseudonymisation
- Encryption
- System controls to deliver ongoing confidentiality, integrity, availability, resilience of data management systems and system restoration following an event
- Processes for regular testing, assessment and the evaluation of the effectiveness of system processes and controls.
Transfers of personal data outside of the EEA
All Market Personal Data is held and processed within the EEA.
[If the above is not the case for a particular market participant, the statement should be amended accordingly.]
Retention of data
All Market Personal Data is retained in order to meet obligations associated with back-up and recovery and also to accommodate any disputes that may arise.
[If the above is not the case for a particular market participant, the statement should be amended accordingly.]
Details of individual rights
Individuals may request the following;
- Access to their data held on a market related system, or on the SLP, or on systems associated with account administration or help-desk queries
- Corrections to any of the above data
- Restrictions to processing of any of the above data
- Cessation of processing to any of the above data
- Erasure of any of the above data
Individuals may also lodge a complaint with the Information Commissioner’s Office and seek to pursue any such complaint via their Licensed Provider.
Automated decision making
The processing of data is undertaken based on pre-determined criteria, with no arbitrary decisions being made automatically.
The following forms should be used and submitted to enquiries@cmascotland.co.uk
Data Subject Processing Change Form
Data Subject Request Confirmation Form