summary of arrangements


This page explains the arrangements that exist for the management of personal customer data protection in the English water market.


In order for the competitive retail market for non-household water customers in England to function, some customer data needs to be shared with others in the market.


The market is operated centrally by the Market Operator Services Ltd (MOSL). MOSL’s role as market operator is to provide infrastructure, information and governance services to enable customers to switch retailer and for financial settlement to take place between water wholesalers (the companies which treat and distribute water and wastewater supplies) and water retailers (companies like Everflow Water, that manage customer services).


MOSL operates the Central Market Operating System (CMOS), which is the core IT system inthe market, which wholesalers and retailers can all access. CMOS manages the electronic transactions involved in switching customers, and some of the data contained in CMOS is personal data. For example, some non-household customers will be sole traders and personal data about them will be held in CMOS.

The personal data held in CMOS is supplied by water companies. It is the responsibility of the organisation that provides the information to make sure it is accurate and kept up to date. MOSL collates that information in CMOS and makes it available to other retailers and wholesalers for the purposes of switching and settlement, as explained above. It is the responsibility of water companies, including Everflow Water, to ensure that only authorised employees are able to access the market system, and that they comply with data protection regulation in their use of this system.


The market is governed by Market Codes which set out obligations and processes for sharing data between water companies and MOSL that are needed for the water retail market to function. Water companies (wholesalers and retailers) and MOSL are required to comply with their obligations in the Market Codes.


Code Subsidiary Document CSD 0301 ‘Data Catalogue’ sets out the data that is held in CMOS and shared between users of CMOS (wholesalers, retailers and MOSL). The processes describing how and when this data is shared are further described in the Market Codes and its Codes Subsidiary Documents. Where data is exchanged bilaterally between wholesalers and retailers, the template forms set out in the Market Codes highlight that these forms may contain personal data. The Market Codes provide that, as Data Controllers, water companies (wholesalers and retailers) and MOSL must:


  • Comply with their obligations under Data Protection Laws;

  • Comply with their obligations relating to Personal Data contained in the Market Codes; and

  • Comply with any mandatory guidance notes published by the Information Commissioner's Office and mandatory Codes of Conduct issued under Article 40 of the General Data Protection Regulation (GDPR).


This includes obligations to:

  • Have a nominated contact points for any data protection issues that may arise;

  • Undertake privacy impact assessments, and protect privacy by design;

  • Maintain records of processing;

  • Publish privacy notices;

  • Handle customer requests for their personal data (‘data subject rights requests’);

  • Maintain data security standards; and

  • Report data breaches.


These data protection provisions are set out in Section 15 and Schedule 13 of the Market Arrangements Code (MAC). For more information on these arrangements, please contact