Privacy Notice

We take data protection very seriously at the Drinking Water Quality Regulator for Scotland. Here's how we handle your information.

Last updated: May 2019

Who we are

This policy applies to the Drinking Water Quality Regulator for Scotland (DWQR), who in this case is acting as a Data Controller for your personal data. For the purposes of this policy DWQR will be referred to as we, us and our.

Legal Basis and purpose for processing your personal data

This Privacy Policy, which came into effect on the 8th May 2019 aims to give you information on how we collect and use your personal data. To process your data we must have a lawful basis to do so. The law lays out a number of ways in which we can process your personal data. We will process your personal data where:

  • You have given consent to the processing of your personal data for one or more specific purposes;
  • It is necessary for compliance with a legal obligation to which we are subject;
  • It is necessary in order to protect your vital interests;
  • It is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us;
  • It is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data.

We are committed to protecting your personal information and respecting your privacy. We process your personal data when you access our Services. These include:

  • Viewing or subscribing to our websites and social media platforms.
  • Corresponding with us using services such as web contact forms, telephone, email or written letter.

We use your personal data in the following ways:

  • Respond to your enquiries and complaints;
  • Working with our stakeholders in order to investigate your complaints;
  • Customer satisfaction surveys.

Our legitimate interests

There are times when we will rely on legitimate interests to process personal data, particularly when it is not practical to obtain consent. We will always consider if it is fair and balanced to do so and if it is within your reasonable expectations. We will balance your rights and our legitimate interests to ensure that we use your personal information in ways that are not unduly intrusive or unfair. Examples are:

  • Reporting criminal acts and compliance with law enforcement agencies;
  • Internal and external audit for financial or regulatory compliance purposes;
  • Statutory reporting;
  • Maintenance of “do not contact” lists (suppression lists);
  • Customer satisfaction surveys and market research;
  • Physical and network security;
  • Financial management and control;
  • General administration.

Categories of personal data you give to us

The personal data you give us includes:

  • Name;
  • Address;
  • Telephone number;
  • Email address;
  • Location information.

Information we pass to third parties and other data sharing

In order to facilitate your use of our Services, we may have to share your personal data with third parties who help us provide elements of our Services to you. We will provide your personal data to third parties when they need the data to perform particular functions in delivering our Services to you or as part of our regulatory compliance. These include:

  • Regulators and other authorities acting as processors or joint controllers based in the United Kingdom who require reporting of processing activities in certain circumstances.
  • If we are under a duty to disclose or share your personal data in order to comply with any legal or regulatory obligation or request.

Data security

Once it is within our control, we will do our utmost to ensure your personal data is processed in a way that ensures appropriate security from unauthorised or unlawful processing, accidental loss, destruction or damage.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

Retaining your personal information

We will retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. We may also retain your personal data for a reasonable period afterwards to allow us to respond to any follow up enquiries or complaints, or for as long as you remain a registered user of our products and services.

To determine appropriate retention periods for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

In some circumstances we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, we may use or store this information indefinitely without further notice to you.

In some circumstances you can ask us to delete your data: see Right of Erasure below for further information.

Your data protection rights

Withdraw Consent – Where we are using your personal information on the basis of your consent, you have the right to withdraw that consent at any time.

Right to be Informed – You have the right to be told how your personal information will be used. This policy document, and shorter summary statements used on our communications, are intended to be a clear and transparent description of how your data may be used.

Right of Access – You can write to us asking what information we hold on you and to request a copy of that information. This is called a Subject Access Request. From 25 May 2018, we will have 30 days, from the date we receive your request, to respond to you. The request will proceed once we are satisfied you have the right to see the requested records and we have successfully confirmed your identity.

Right of Erasure – From 25 May 2018, you have the right to be forgotten (i.e. to have your personally identifiable data deleted).

Right of Rectification – If you believe our records are inaccurate you have the right to ask for those records concerning you to be updated. This enables you to have any incomplete or inaccurate data we hold about you corrected.  We may need to verify the accuracy of the new data provided to us.

Right to Restrict Processing – In certain situations you have the right to ask for processing of your personal data to be restricted because there is some disagreement about its accuracy or legitimate usage.

Right to Data Portability – Where we are processing your personal data under your consent, the law allows you to request data portability from us to another service provider. This right is largely seen as a way for people to transfer their personal data from one service provider to another. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.

Changes to this policy

Any changes we may make to our Privacy Policy in the future will be posted on this page and, where appropriate, notified to you.

Contacting us

If you have any queries about this Privacy Policy, please contact us:
Call: 0131 244 0190
Post: Drinking Water Quality Regulator for Scotland, Victoria Quay, Edinburgh, EH6 6QQ

or contact the Data Protection Officer at:
Call: 0131 244 0190
Post: Drinking Water Quality Regulator for Scotland, Victoria Quay, Edinburgh, EH6 6QQ


If, for any reason, you have a complaint, please contact us to discuss your concerns.

Following this, if you are still dissatisfied, you are able to contact the Information Commissioner’s Office directly.

Information Commissioner: Contact telephone number: 0303 123 1113. Website: ICO website