Privacy policy

WSET Group External Privacy Notice

 

 1.) Introduction

This privacy notice sets out what personal data we hold about you and how we collect, use and share it. It also contains important information about your rights in relation to your personal data, and how to contact us or supervisory authorities in the event you have a complaint.

The Wine and Spirit Education Trust (WSET) is a data controller as it determines and purposes and means of the processing of your personal data. WSET is a UK company registered with the Information Commissioner’s Office (ICO) under reference Z8972470.

If you have any questions about this Privacy Notice, please contact our Data Protection Lead by emailing us at dpc@wsetglobal.com.

The purposes for processing personal data, the types of personal data collected and the lawful basis for processing this data are set out below, grouped into the categories of data subject that we interact with.

2.) Exam participants

Purpose

Categories of personal data

Lawful basis

Online exams

Candidate number

Exam data

Legitimate interest

Remote invigilation

Candidate number

Exam data

Video footage

Legitimate interest

Marking exam papers

Candidate number

Exam data

Legitimate interest

Issuing results

Candidate number

Exam data

Legitimate interest

Issuing replacement certificates

Candidate number

Exam data

Legitimate interest

Dealing with candidate complaints

Contact details

Complaint details

Legitimate interest

Enquiry and feedback

Candidate number
Exam data
Health data
Reasonable adjustments
Special considerations

Legitimate interest

Collecting payment

Candidate number

Contact details

Bank details

Course details

Contract

Payment by instalments

Candidate number

Contact details

Bank details

Course details

Contract

Refunds

Candidate number

Contact details

Bank details

Course details

Contract

Exam related invoices

Candidate number

Contract

 

If you do not provide personal data when requested, we may not be able to carry out the exam process and you may not be able to exercise your statutory or contractual rights.

Retention periods

Category of data

Retention period

Candidate number

Exam data

Video footage

Contact details

Health data
Reasonable adjustments
Special considerations

10 years

Bank details

6 years

 

 3.) WSET School students

Purpose

Categories of personal data

Lawful basis

Reviewing applications

Contact details

Application information

Consent

Onboarding new students

Contact details

Application information

Legitimate interest

Conducting training courses

Contact details

Course details

Contract

Facilitating exams

Candidate number

Contact details

Exam data

Legitimate interest

Student surveys

Contact details

Course details

Ethnicity

Legitimate interest

 

If you do not provide personal data when requested, we may not be able to enrol you onto a course or take an exam, and you may not be able to exercise your statutory or contractual rights.

Retention periods

Category of data

Retention period

Contact details

Application information

Candidate number

10 years

Course details

Exam Data

Ethnicity

10 years

 

4.) Event attendees

Purpose

Categories of personal data

Lawful basis

Event sign up

Contact details

Event details

Consent

Conducting events

Contact details

Event details

Consent

Quiz activations

Contact information

Consent

 

If you do not provide personal data when requested, we may not be able to allow you to attend an event and you may not be able to exercise your statutory or contractual rights.

Retention periods

Category of data

Retention period

Contact details

Event details

Contact information

10 years

 

 5.) Shop customers

Purpose

Categories of personal data

Lawful basis

Online Shop Payments 

Contact details

Payment information

Order details

Contract

 

If you do not provide personal data when requested, we may not be able to fulfil your order and you may not be able to exercise your statutory or contractual rights.

Retention periods

Category of data

Retention period

Order details

Contact details

10 years

Payment information

6 years

 

6.) Visitors to our physical sites

When you visit our physical sites, we will process personal data about you. The personal data we collect, the purposes for processing and the lawful bases are set out below.

Purpose

Personal data used

Lawful basis

Building access management

Identification details

Access logs

Legitimate interest

CCTV management

Images

Legitimate interest

 

If you do not provide personal data when requested we may not be able to provide access to our physical sites and offices.

Retention periods

Category of data

Retention period

Identification details

Access logs

6 months

Images

30 days/as long as necessary for investigations

 

7.) Recipients of marketing communication

When you subscribe to our newsletter, we will process personal data about you. We may also send you marketing communication where you are a professional contact.

Purpose

Personal data used

Lawful basis

Sending marketing communication

Contact details

Consent

Sending marketing communication

Professional contact details

Legitimate interest

 

If you do not provide personal data when requested we may not be able to send you relevant marketing communication.

Retention periods

Category of data

Retention period

Contact details

5 years from last contact

Professional contact details

5 years from last contact

 

8.) Visitors to our website

When you visit and interact with our website, we will process your personal data. The below table sets out the purposes for processing, the personal data used and the lawful basis. This applies to the website www.wsetglobal.com.  

Purpose

Personal data used

Lawful basis

Managing website enquiries

Name

Contact details

Details of enquiry

Consent

Website analytics

Set out in ‘Cookie’ section below.

Consent and legitimate interests

 

Cookies

Cookies are small text files that are storied on your device when you visit our website. They allow the website to function properly, personalise some functions and analyse how people use our website.

Necessary cookies

These cookies are crucial to the functioning of our website and cannot be turned off in our cookie settings.

We do not ask for consent for these cookies and rely on the legitimate interest lawful basis to install them. You can block these cookies using your browser settings, but the website may not function as intended and some parts of the website may not work.

Analytic and Advertisement cookies

These cookies allow us to track the behaviour of users when using the website and optimise the performance of the website. We rely on the lawful basis of consent to install these cookies. Consent is switched off by default, and you have the opportunity to opt-in to these cookies by using the banner at the bottom of the page.

Cookie name

Purpose

Expiry

.ASPXAUTH

These cookies collect information about how visitors use our website, for instance which pages visitors go to most often, and if they get error messages from web pages. These cookies do not collect information that identifies a visitor.

Session

ARRAffinity

These cookies set by Azure app service, and allows the service to choose the right instance established by a user to deliver subsequent requests made by that user

Session

ARRAffinitySameSite

These cookies are set by websites run on the Microsoft Azure cloud platform (which hosts our website). It is used for load balancing to make sure the visitor page requests are routed to the same server in any browsing session.

Session

ASP.NET_SessionId

These cookies used to identify the users' session on the server. The session used to store data in between off HTTP requests on server.

Session

CookieConsent

Stores the user's cookie consent state for the current domain

1 year

MUID

Used widely by Microsoft as a unique user ID. The cookie enables user tracking by synchronising the ID across many Microsoft domains.

1 year

__RequestVerificationToken

This cookie is an anti-forgery token designed to stop unauthorised posting of content to a website.

Session

_ce.s

These cookies are used to track a recording visitor session unique ID, tracking host and start time. cebs is used to track the current user session internally.

1 year

_fbp

Used by Facebook to deliver a series of advertisement products such as real time bidding from third party advertisers.

3 months

_ga

Registers a unique ID that is used to generate statistical data on how the visitor uses the website.

399 days

_ga_7KZQBR9ZJ3

Used by Google Analytics to collect data on the number of times a user has visited the website as well as dates for the first and most recent visit.

399 days

_ga_FG6QBJYZYB

Used by Google Analytics to collect data on the number of times a user has visited the website as well as dates for the first and most recent visit.

399 days

_ga_K87WKE25HV

Used by Google Analytics to collect data on the number of times a user has visited the website as well as dates for the first and most recent visit.

399 days

_gid

Registers a unique ID that is used to generate statistical data on how the visitor uses the website.

Session

_hjSessionUser_1013636

Collects anonymous statistical data related to the user's website visits, such as the number of visits, average time spent on the website and what pages have been loaded.

Session

_shopify_m

These cookies are to manage user browsing preferences. The purpose of Shopify cookies can range from creating an order cart or tracking users for analytics data.

Session

_shopify_y

These cookies are to manage user browsing preferences. The purpose of Shopify cookies can range from creating an order cart or tracking users for analytics data.

Session

cebs

These cookies are used to track a recording visitor session unique ID, tracking host and start time. cebs is used to track the current user session internally.

1 year

ln_or

Registers statistical data on users' behaviour on the website. Used for internal analytics by the website operator.

Session

 

9.) Our legitimate interests

We process personal data for the following legitimate interests:

  • Meeting obligations in our contracts with Approved Programme Providers.
  • Protecting our staff, premises, physical property and information assets.
  • Establishing, exercising and defending against legal claims.
  • Effective internal administration.
  • Promoting our products, services and business.

 

10.) Recipients of personal data

Your personal data is accessed internally by the individuals and teams that need it to carry out the purposes set out above.  

We use systems and products provided by third party companies to assist us in conducting our business. This includes using data processors such as Microsoft.

We may share your data with the following categories of recipients:

  • Approved Programme Providers
  • Public service providers such as the police or social services
  • IT service providers
  • Professional advisers, such as solicitors.

We will only share your personal data when we are allowed to do so under data protection law.

 

11.) International transfers of personal data

If any personal data is transferred internationally, we ensure appropriate transfer mechanisms are in place depending on the jurisdiction. The types of mechanisms we may employ include ensuring:

  • The country has been deemed to provide an adequate level of protection for personal data
  • Specific contracts approved by the relevant authorities are used which ensure data subjects can exercise their data protection rights in third-countries.

We may transfer personal data to other WSET Group companies to enable us to carry out services to you or for effective internal administration.

 

12.) Your rights

You have the following rights under data protection law in relation to your personal data.

  • The right to be informed- this Privacy Notice is our way of informing you how your data is used. 
  • The right of access- you can request a copy of all the information we hold about you to check that we are lawfully processing it. 
  • The right to rectification- you can request that we rectify information about you that is incorrect. 
  • The right to erasure- also known as the right to be forgotten. You can request that information about you is deleted. 
  • The right to restrict processing- you can request that we pause processing your data so we can verify the lawfulness of processing. 
  • The right to object- you can request that we stop processing your information if you feel that the processing is not lawful. 
  • The right to data portability- you can request that data is transferred to another party so it can be reused across services. 

Where you have given consent for us to use your personal data for specific purposes, you have the right to withdraw this consent at any time. If you would like to exercise any of the above rights, please contact our Data Protection Officer on the contact details above. 

If you would like to exercise any of those rights, please contact our Data Protection Officer by emailing dpc@wsetglobal.com.

We will respond to any request within the statutory deadline of one calendar month. This deadline may be extended where applicable under data protection law. We will inform you if your request meets the extension criteria.

 

13.) How to complain

We hope that we can resolve any query or concern you raise about our use of your information. If you have any questions or queries about how we are processing your data, please contact our Data Protection Officer by emailing dpc@wsetglobal.com.

The Information Commissioner’s Office (ICO) is the UK’s regulator for data protection. Under data protection law you have the right to make a complaint to the ICO if you feel we have not complied with our data protection obligations. You can contact the ICO by:

 

14.) Changes to this privacy notice

This privacy notice was last updated on 21st July 2023.

Where there are substantial changes to this Privacy Notice, we will inform you.

Cookie consent