Privacy Policy

1.0 Purpose and Benefits

Watlington Waterworks Limited ("WWL" or the "Company") and its subsidiary, Bermuda Waterworks Limited, are committed to protecting the personal information of its employees and customers. This Privacy Policy ensures compliance with Bermuda's Personal Information Protection Act (PIPA) and outlines the Company's practices for collecting, processing, storing, and safeguarding personal data.

The purpose of this policy is to provide transparency regarding how the Company manages personal information and to inform individuals about their rights concerning the personal information provided.

2.0 Authority

The CEO is the owner of this policy and may draft, define, and publish appropriate standards and processes, and implement appropriate controls in support of the requirements of this policy.

3.0 Scope

This policy applies to all personal information collected, stored, or processed by the Company, including information related to customers and service users, employees and contractors. It covers all forms of personal information, whether stored digitally or in physical formats.

This policy defines common security requirements for employees and Company systems that create, maintain, store, access, process or transmit information. This includes equipment connected to any Company domain or virtual local area network (VLAN) either by hard-wire or wireless and includes standalone equipment that is deployed by the Company at either its offices or at remote locations.

4.0 Collection and Use of Personal Data

The Company collects personal information directly from individuals including:

  • In-person.
  • By phone, email or website.
  • Self-disclosure forms including service application forms, credit application forms, employment application forms, and enrolment forms for benefits.

4.1 How We Use Personal Information

Personal information provided to WWL may be used to:

  1. Recruitment and employment purposes
  2. Process payment transactions.
  3. Deliver products or services.
  4. Communicate overdue payments and recover outstanding balances.
  5. Respond to requests and inquiries or to provide service support.
  6. Communicate administrative information such as changes to our terms, conditions, and policies.
  7. Analyze and monitor service consumption and to make improvements.

4.2 Types of Information We Collect and Purposes

PurposeTypes of Information CollectedLegal uses of that InformationThird-Party Disclosures
Opening and Maintaining a Customer Account First name, surname, email address, phone numbers, credit data, banking details, marital status and spousal contact information, employment status, proof of property ownership or tenancy agreement, landlord or tenant information. To provide the requested service to the customer and to ensure the applicant is within our acceptable credit risk profile. Credit reference agencies
Authorize.net (payment platform)
Collection Agencies
Law Firms
Seeking and/or Obtaining Employment with WWL First name, surname, email address, nationality / citizenship, phone numbers, banking details, physical addresses, date of birth, education / professional qualifications, beneficiary Information, names of dependents, past and current employment, police checks or criminal record. To perform the services required relating to payroll and benefits management. Bank Signatory Authorisation
Benefit Providers
Meet Legal Requirements
Delivering Products and Services First name, surname, email address, phone numbers, physical addresses, payment information. To provide the requested products and services. None
Communicating administrative information and/or responding to requests and inquiries. First name, surname, email address, phone numbers. To provide operational updates or provide the requested information relating to our services. None
Shareholder Administration First name, surname, physical address, email address, phone numbers. To communicate operational updates and to report to regulatory authorities. Regulatory Authorities including the Corporate Secretary

4.3 Information Sharing and Use

The Company does not rent or sell personal information. The Company does not share personal information with third parties except where required by law or otherwise stated within this Policy. Personal information may be shared internally within the Company to carry-out requested services.

Personal information will only be used as set out in this Privacy Policy and only for the purposes for which it was collected or to perform operational activities directly related to the original purpose (i.e. using personal information provided to assist with the recovery of an outstanding balance). If at any time the Company wishes to use personal information for another purpose, individuals will be informed prior to this change in use and will have the right to withhold or withdraw consent.

5.0 Retention of Personal Information

WWL retains personal information only as long as necessary for the purpose for which it was collected (e.g. performing a requested service) or to meet legal requirements regarding data retention.

Once personal information is no longer required, it is securely deleted or destroyed.

5.1 Security Measures

To protect personal information, the Company employs:

  1. Encrypted and secure systems for processing payment information.
  2. Security procedures and restricted access to our server.
  3. Restricted employee access to sensitive data.
  4. Physical safeguards for hard copy records.

6.0 Additional Protocols and Procedures

In addition to this Privacy Policy, the Company has several internal protocols and procedures in place to ensure the responsible management and protection of personal information. While these protocols are designed for internal use, the Company is committed to providing transparency around their existence and purpose.

6.1 Information Handling and Secure Disposal

This protocol outlines the Company's guidelines for the handling, storage, and secure disposal of all personal information. It also provides guidance on how long the different types of information we collect is retained.

6.2 Information Security and Acceptable Use

This protocol outlines the different safeguards all employees are expected to take when accessing and using personal information on the Company's behalf. It also outlines restricted behavior to prevent misuse and minimize risk.

6.3 Incident Response

This protocol informs the Company's response and actions to any information security incidents that may occur. This includes any potential or realised security breaches to personal information, both physical and digital. This protocol also covers the containment, reporting, assessment, investigation and communication of any information security incident.

6.4 PIPA Request Response

This protocol outlines the steps the Privacy Officer will take when a PIPA Request has been received. This is to ensure that all requests are systematically processed with a high level of care and in a timely manner.

7.0 Compliance

Compliance with this policy is monitored through regular internal audits and reviews. Employees and contractors are required to adhere to all data protection procedures, and non-compliance may result in disciplinary action.

8.0 Individual Rights Under PIPA

Under Bermuda's PIPA, individuals have the right to:

  1. Access their personal information.
  2. Request corrections to inaccuracies.
  3. Withdraw consent for certain use of personal information, subject to applicable laws and service agreements.
  4. Request the deletion of personal information no longer required.

The Company is committed to respecting these rights.

8.1 Exercising Individual Rights

For any requests regarding our Privacy Policy including information requests or complaints, please contact our privacy officer at privacyofficer@bwl.bm.

Withdrawing consent for the use of personal information may result in termination of services provided, or at least the aspects of the services relevant to the information being deleted.

Our Privacy Officer will acknowledge receipt of a request within two business days and respond to all lawful requests as soon as reasonably practicable and within 45 days of receipt of the request as outlined in the Act.

9.0 Definition of Key Terms

  1. Third Parties – external parties encompass any external entities that interact with the Company. This can include but is not limited to customers, vendors, shareholders, and unaffiliated businesses, organisations and individuals.
  2. Personal information – under PIPA, "personal information" means any information that relates to an identified or identifiable individual.
  3. VLAN – Virtual Local Area Network – a network created within a network device, usually used to segment network traffic for administrative, performance and / or security reasons.
  4. Security Breach – a confirmed incident that results in the unauthorised access to information systems or information assets.
  5. Security Incident - an incident that may compromise the safety and security or information systems or information assets.

10.0 Revision and Review

This policy will be reviewed annually to ensure continued compliance with legal and operational requirements.

 

Published January 2025