WSET complies with its obligations under the General Data Protection Regulation (GDPR) by keeping personal data up to date; by storing and destroying it securely; by not collecting or retaining excessive amounts of data; by protecting personal data from loss, misuse, unauthorised access and disclosure; by ensuring that appropriate technical measures are in place to protect personal data and by guaranteeing total transparency on how we manage your data.
This document is intended to clearly set out our personal data policy, but if you have any concerns please get in touch with our data protection officer by emailing firstname.lastname@example.org.
Why we collect your personal data
1. To process your registrations for any courses, assessments or events and to deliver those services to you
2. To send you information regarding the course or event on which you are registered (or have registered interest in)
3. To process sales of products you have purchased from us
4. To manage any account(s) for providing our online services including but not restricted to our online classroom and Global Campus where you have registered with us so that:
- We can provide you with the relevant products and services
- You can access relevant course materials
- We can fulfil our services and communicate with you about them
- To verify your identity
- To carry out research to better understand your requirements on the relevant products and services
5. To personalise, report on and improve the services and products we provide to you, and to provide you with a best in class customer service experience
6. To send you marketing communications including information about our qualifications, upcoming events and links to our blogs.
Other legitimate interests
When we send you news regarding our products we will do so on the basis that we have your consent. However, to allow us to provide continual best in class service we believe we have legitimate interest to process your personal data so that we can:
- Improve our existing product range and services
- Provide you with a best in class customer service experience
- Protect you as our customer, our employees and our business
- Understand your likes and dislikes, what services you wish to hear about and how best to contact you to inform you about them
What personal data we collect
We may collect the following information about you:
- Your name, date of birth and contact details
this could include your postal address, telephone numbers and email address
- Purchases and orders made by you or on your behalf by your chosen course provider
- Your payment card details (which are encrypted) when you purchase any products or services
should you pay for one of our products over the telephone, your card details will not be recorded and kept by WSET
- When you set up any account with us, your login credentials
- Your marketing preferences
- Your correspondence with us
How we collect your personal data
- When you directly provide it to us directly
For example, when you subscribe to a WSET newsletter, or register on one of our courses or events.
- From your chosen course provider
When you are registered for an examination with WSET, your chosen course provider is required to provide our Awards Body with some of your personal data for the purpose of identification and managing your qualifications and results. This includes your name; your mailing address; your date of birth; your email address. If you have any queries about how this information is provided and used, please email the Data Protection Officer, email@example.com
- When our systems collect information or personal data indirectly
For example, whenever you use a website or mobile application. The most common type of information collected is in the form of cookies (cookies are small text files sent by your computer each time you visit our website) but can also include personal data transferred by the device you are using to access our website. The manufacturer of your device or the provider will have the details about what information your device shares.
Sharing your personal data with third parties
For us to provide you with services and goods, we must on occasion share some of your personal data with certain approved third parties, however we make sure that your personal data remains secure at all times.
When do we share your personal data?
- With core service providers to enable our business to function
We rely on a set of external companies who are governed by contractual agreement to provide us with services that enable our business to run effectively. For example – email marketing services, IT service providers for data storage and business continuity/disaster recovery, banks and clearing houses to process payments, courier services for the delivery of course materials and course providers.
- With law enforcement agencies and regulators when required to do so by law
We are required to co-operate with regulators (like the Information Commissioners Office) and law enforcement agencies (like the police or the Serious Fraud Office). Although it does not happen often, regulators and law enforcement agencies can require us to share information with them as part of an investigation, this may include your personal data.
What personal data do we share?
We need to process some of your personal data to fulfil your registration on any events or courses. We will share your payment details with our bank or clearing house so that we can process payment for your purchases or orders
How do we keep your shared personal data secure?
- We conduct a data security review of any third party we are required to share your personal data with to ensure that they meet our high security standards
- Every company we work with is required to have a contract with us that clearly describes how your personal data is kept secure
- We will only ever share data specific to its intended use
- Specific details of what data we have shared is available to you on request
Data retention – how long do we hold your personal data
- We will not hold your personal data for longer than is necessary for the purposes described in this policy.
- We will keep your personal data whilst your accounts remain active
- We may keep categories of personal data, e.g. name, date of birth and address, after your accounts are closed to meet any legal or regulatory requirements
You have several rights under data protection law, these are summarised below however for further information you should contact firstname.lastname@example.org or seek further advice from the Information Commissioners Office www.ico.org.uk
- The right to be informed
You have the right to total transparency on how we are using your personal data, we will endeavour to make this clear by ensuring that this document is regularly reviewed and updated, but if you have any concerns or questions please send them to our data controller at email@example.com
- Your right of access
You have the right to know what information we hold about you and how it is processed. If you wish to access your personal data, contact firstname.lastname@example.org. To process your request, we will ask you to complete a Subject Access Request (SAR) form and provide proof of identity so that we can be sure we are releasing your personal data to the right person. We will respond to your request within the guidelines set out in the SAR and in line with data protection guidelines.
- The right to rectification
If you think that the information we hold about you is inaccurate or incomplete, or if your contact details change, please ask us to amend it by contacting email@example.com. We will process your request without delay and within the guidelines set by the Information Commissioners Office
- The right to erasure
You reserve the right to ask us to delete your personal data, however, this is not an absolute right. We can refuse to erase personal data which we need to keep in order to comply with legal obligations. For example, we are required by HMRC to keep personal data for up to 6 years for VAT reporting purposes, and in relation to investigations by law enforcement agencies or the Information Commissioners Office.
When you ask us to delete your personal data, we assume that you no longer wish to hear from us again. To ensure we do not send you any further communications regarding our products or services in future we will retain just enough of your personal data for suppression purposes.
- The right to transfer your personal data (known as data portability)
You have the right to move, copy or transfer your personal data from one organisation to another. If you do wish to transfer your personal data, we would be happy to help.
If you ask for a data transfer, we will give you a copy of your personal data in a structured, commonly used and machine-readable form (for instance, in a CSV file format). We can provide the personal data to you directly.
When making a transfer request, it would be helpful if you can identify exactly what personal data you wish us to transfer.
We will comply with your request within one month or, if the request is complex or there are several requests from you, within two months.
- The right to object
If you would like us to stop processing your personal data for marketing purposes simply let us know by contacting firstname.lastname@example.org.
- That you control the personal data you provide to us
- We will always inform you what personal data we are collecting from you, how we collect it, and how we will use it.
- We will always use market leading technology and software to ensure that the personal data we have collected is secure.
- Where we make use of third parties for services and this involves sharing your personal data, we will make sure they have the appropriate security measures
- We will only send you marketing communications if you have given consent that we can do so, and we will always offer you a clear and simple means of amending your preferences whenever you wish
We may update this policy from time to time to take account of any new business activity or to reflect any changes in law or best practice in relation to data protection. We will notify you if we do so.
This policy was last updated on 1 May 2018