Privacy Policy

Water Stewardship Assurance Services (WSAS) takes your data privacy seriously.  In the course of Registering for Certification or becoming a contracted supplier with us,  we collect and use personal data which means that we are a ‘Data Controller’ and we are responsible for and committed to  complying with Data Protection Laws including the UK General Data Protection Regulations (UK GDPR), the EU General Data Protection Regulations, the Data Protection Act 2018 and any subsequent laws.

In this Privacy Notice, we want to inform you about what information we collect, how we use it and what rights individuals have in relation to the collection and processing of their personal data.


Our Contact Details:

Water Stewardship Assurance Services Address: 2 Quality Street, North Berwick, Scotland, EH39 4HW


If you have any questions in respect of this Privacy Notice or how we manage your personal data, please contact us using the above details.


Who’s personal data do we collect and process?

We process information about Clients, Auditors, Suppliers and individuals making an enquiry about our services.


What personal data do we collect and process?

In the course of working with you, we can collect the following types of data:

       General contact details such as, Name, Address, Email address, and Telephone number

       Details of your role and business activities if applicable

       General correspondence between you and us in relation to our services

       Details of the services provided to you

       Contact details of nominated contact points and key stakeholders

       Financial details, such as payment information

       Registration details, including log in and account details

       For Auditors and Suppliers o Qualification and Education History o Previous Employment and Background checks

       Information obtained through our use of cookies (please see our Cookie Policy   Your marketing preferences


Special Categories of Personal Data that we collect:

We do not collect any special category personal data 

How we collect your information

In most cases we collect your data directly from you.  We collect data and process it when you:

       Complete an online ‘contact us’ form

       Complete an application for Certification

       Provide information during a meeting or a call

       Correspond with us or send us details in respect of a Certification.

       Email or write to us to enquire about or use our services or provide feedback. In relation to potential onboarding of Auditors, we collect data and process it when you:

o   Send us a CV  o Complete an application form o Take part in an Interview

o   Provide information relating to a potential contract  o Provide references

We also receive your data indirectly from the following sources:

       Public sources – demographic data, market research

       Credit agencies and publicly available company data

       Social media and professional network sites

       Other firms in our group of companies Including Alliance for Water Stewardship and their subsidiaries

       From the person applying on behalf of your organisation where you are nominated as a contact point or named as a key stakeholder

Please remember: Where you provide any of this information relating to or on behalf of another individual such as a nominated contact point, you must remember to ensure that you have the consent of the individual and provide them with a copy of or access to this Privacy Notice.


Why do we collect your information?

Where we collect and process personal data, we are required to identify both the purpose and our legal basis for doing so.  There are 6 possible legal bases which are:

Consent – where we have your consent for processing your personal data for one or more specific purpose

Contract – where the processing is necessary for the performance of a contract or potential contract with you.

Legal Obligation – The processing is necessary for our compliance with a legal obligation  Vital Interests – Where our processing is necessary in order to protect the vital interests of the data subject or another natural person

Public Interest – Where the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority

Legitimate Interests – Where the processing is necessary for the purposes of our legitimate interests except where such interests are overridden by your interests or fundamental rights and freedoms.

Our various purposes and legal basis for the information we collect, are detailed below:

Our Purpose                                                           Our Lawful Basis

To understand your requirements prior to entering into a contract of Certification or Services with you

The processing is necessary for the performance of an anticipated Contract

To understand all requirements to ensure that any contract of Certification or Service meets our customer’s needs

The processing is necessary for the performance of a Contract with you

To fulfil our Certification or service contract with you and provide you with the agreed services therein

The processing is necessary for the performance of our Contract with you

To manage our business operations and comply with any internal policies and procedures by understanding what needs to be changed

It is in our legitimate interests to use your personal information to ensure that we can provide and adapt our services at all times

To notify you about changes to our Certification Process or services

It is in our Legitimate Interests to use your personal information to keep you informed about any changes that may affect you

To record discussions and communications to respond to future queries or complaints in relation to previously agreed services

It is in our Legitimate Interests to record discussions and communications in relation to services agreed to enhance and improve our services

For electronic Marketing of services to potential new clients  via personal business email addresses

It is in our Legitimate Interests to use personal business email addresses for marketing purposes where we can

support individual’s rights

To comply with our legal obligations, law enforcement, court and regulatory bodies requirements

To comply with our Legal Obligations

To identify and prevent fraud

It is in our Legitimate Interests to act as a responsible business

To decide whether to enter into a contract of Services with a Supplier

The processing is necessary when considering a supplier Contract

To carry out background and reference checks in relation to supplier onboarding

The processing is necessary when considering a supplier Contract

To communicate with you about a potential contract for service or Certification

The processing is necessary for the performance and compliance with any Contract

Where we rely on your consent you have the right to withdraw this consent at any time by contacting us.

Legitimate Interests – Where the processing of personal data is based on our Legitimate Interests, it is to deliver and improve on our service and security and maintain accurate records.  It is also in an aim to prevent fraud or illegal activity in favour of the wellbeing of our customers, trustees, shareholders and employees.


Direct Marketing

We may send you details of similar services to those you have enquired about or contracted with us previously.   You can opt out of receiving this information from us at any time by contacting us at the above address or clicking ‘unsubscribe’ on any messages you may receive.

We will never share or sell your information to any other party for marketing purposes.


Who do we share your information with? 

From time to time and in the general course of our business, we may share your personal information with some of the following:

       Other firms in our Group of Companies including Alliance for Water Stewardship and its subsidiaries

       Board Members and Certification advisory committee

       Our Accountant or Payment Service Providers

       Regulators and Governing bodies, Lawyers

       Auditors, Suppliers, Contractors, Professional Consultants and Service Providers including Certification Partners

       Software and Cloud storage providers

       Fraud detection Agencies and Credit Reference Agencies

       Police and Law Enforcement agencies where reasonably necessary for the prevention or detection of crime

       Selected Third Parties in connection with any future sale, transfer or disposal of our business


International data transfers

With today’s modern technology including Cloud Storage and software, some recipients of your personal data can be located outside your country or have offices in countries where data protection laws may provide a different level of protection than the laws in your country.

Where this is the case, we make sure that additional safeguards are in place such as ensuring that those countries have a decision of adequacy under the UK GDPR or have entered into Standard Contract Clauses with us in their terms to support and safeguard the protection of your data.


Automated decision-making or Profiling

We do not process personal data for automated decision making or profiling.


How Long do we keep personal data for?

We will retain personal data in accordance with legal and regulatory requirements and for no longer than is necessary to fulfil the purposes set out in this privacy policy.  We maintain and review a detailed retention policy which documents how long we will hold different types of data.  The time period will depend on the purpose for which we collected the information and is never on an indefinite basis.  Subsequently, we will delete your personal data in accordance with our data retention and deletion policy or take steps to properly render the data anonymous, unless we are legally obliged to keep your personal data longer (e.g. for tax, accounting or auditing purposes).

The following details the criteria used to establish the retention period set out within our policy.


Where it is still necessary for the provision of our Services

This includes the duration of any contract for services we have with you and for a period of 3 Years after the end of any contractual agreement with a view to maintaining and improving the performance of our products, keeping our systems secure, and maintaining appropriate business and financial records. Most of our retention periods are determined on the basis of this general rule.


Where required by Statutory, contractual or other similar obligations

Corresponding storage obligations may arise, for example, from laws or regulation. It may also be necessary to store personal data regarding pending or future legal disputes. Personal data contained in contracts, notifications and business letters may be subject to statutory storage obligations depending on national law.


Your Rights as a data subject

As a data subject, you have rights in relation to your personal data.  These are:

Access – You have the right to request details of personal information held or processed and to copies of this data.  We do not usually charge for this service.

Rectification – You have the right to request that any information be corrected that you believe is inaccurate or to complete any information that you believe is incomplete.

Erasure – You have the right to request that we erase your personal information with some exceptions.

Restrict Processing – You have the right to request that we restrict the processing of your personal data under certain circumstances

Object to Processing – You have the right to object to our processing of your data, under certain conditions.

Data Portability – In some circumstances, you have the right to request that we transfer the data that we have collected to another organisation or directly to you.

You also always have the Right to Withdraw Consent where you have previously provided this.

To exercise any of these rights, or if you have a complaint please contact us using the details at the beginning of this notice.

If after contacting us, you remain unhappy with the outcome, you also have the right to complain to the Supervisory Authority.  Where you wish to report a complaint or feel that we have not addressed your concern in a satisfactory manner, you may contact the Information Commissioner’s Office at:

Information Commissioners Office

Wycliffe House

Water Lane


Cheshire SK9 5AF

Helpline: 0303 123 1113

Online Enquiries:


Contractual Obligations and Consequences

In some circumstances, the provision of personal data is partly required by law (for example, tax regulations, employment and legal obligations) or can also result from contractual provisions.  This means that sometimes we cannot complete our agreed service without that information and so if you aren’t able to provide it or ask that we delete it,  there is a possible consequence that our contract would need to be cancelled.


Cookies & similar technologies

When you visit our Website, we use cookies and similar technologies to provide you with a better, faster and safer user experience or to show you personalised advertising. Cookies are small text files that are automatically created by your browser and stored on your device when you visit or use the Website.   For full information on our use of cookies and how to manage them, please see our Cookie Policy

To learn more about how to manage your browser cookie settings in general please see


External Links

When clicking on external links via our website, where you find us via social media platforms, or where you register or sign up to training or webinar video platforms please remember, we have no control over the privacy settings on these domains, so please review the privacy information on those sites and set your preferences in line with their own policies and cookie controls separately.


Data security

We aim to protect your personal data through technical and organisational security measures to minimise risks associated with data loss, misuse, unauthorised access and unauthorised disclosure and alteration.

We store customer records in cloud-based services and data centres which have controlled and restricted access.  We operate records management and Information security policies which detail physical security, cloud storage security monitoring, access control and password security measures.  We also maintain and use anti-virus and malware software and firewalls.


Changes to our Privacy Notice

Water Stewardship Assurance Services keep our Privacy Notice under regular review.  This Privacy Notice was last updated on 16 September 2021.