WSET Group External Privacy Notice
1.) Introduction
This privacy notice sets out what personal data we hold about you and how we collect, use and share it. It also contains important information about your rights in relation to your personal data, and how to contact us or supervisory authorities in the event you have a complaint.
The Wine and Spirit Education Trust (WSET) is a data controller as it determines and purposes and means of the processing of your personal data. WSET is a UK company registered with the Information Commissioner’s Office (ICO) under reference Z8972470.
If you have any questions about this Privacy Notice, please contact our Data Protection Lead by emailing us at dpc@wsetglobal.com.
The purposes for processing personal data, the types of personal data collected and the lawful basis for processing this data are set out below, grouped into the categories of data subject that we interact with.
2.) Exam participants
|
Purpose |
Categories of personal data |
Lawful basis |
|
Online exams |
Candidate number Exam data |
Legitimate interest |
|
Remote invigilation |
Candidate number Exam data Video footage |
Legitimate interest |
|
Marking exam papers |
Candidate number Exam data |
Legitimate interest |
|
Issuing results |
Candidate number Exam data |
Legitimate interest |
|
Issuing replacement certificates |
Candidate number Exam data |
Legitimate interest |
|
Dealing with candidate complaints |
Contact details Complaint details |
Legitimate interest |
|
Enquiry and feedback |
Candidate number |
Legitimate interest |
|
Collecting payment |
Candidate number Contact details Bank details Course details |
Contract |
|
Payment by instalments |
Candidate number Contact details Bank details Course details |
Contract |
|
Refunds |
Candidate number Contact details Bank details Course details |
Contract |
|
Exam related invoices |
Candidate number |
Contract |
If you do not provide personal data when requested, we may not be able to carry out the exam process and you may not be able to exercise your statutory or contractual rights.
Retention periods
|
Category of data |
Retention period |
|
Candidate number Exam data Video footage Contact details Health data |
10 years |
|
Bank details |
6 years |
3.) WSET School students
|
Purpose |
Categories of personal data |
Lawful basis |
|
Reviewing applications |
Contact details Application information |
Consent |
|
Onboarding new students |
Contact details Application information |
Legitimate interest |
|
Conducting training courses |
Contact details Course details |
Contract |
|
Facilitating exams |
Candidate number Contact details Exam data |
Legitimate interest |
|
Student surveys |
Contact details Course details Ethnicity |
Legitimate interest |
If you do not provide personal data when requested, we may not be able to enrol you onto a course or take an exam, and you may not be able to exercise your statutory or contractual rights.
Retention periods
|
Category of data |
Retention period |
|
Contact details Application information Candidate number |
10 years |
|
Course details Exam Data Ethnicity |
10 years |
4.) Event attendees
|
Purpose |
Categories of personal data |
Lawful basis |
|
Event sign up |
Contact details Event details |
Consent |
|
Conducting events |
Contact details Event details |
Consent |
|
Quiz activations |
Contact information |
Consent |
If you do not provide personal data when requested, we may not be able to allow you to attend an event and you may not be able to exercise your statutory or contractual rights.
Retention periods
|
Category of data |
Retention period |
|
Contact details Event details Contact information |
10 years |
5.) Shop customers
|
Purpose |
Categories of personal data |
Lawful basis |
|
Online Shop Payments |
Contact details Payment information Order details |
Contract |
If you do not provide personal data when requested, we may not be able to fulfil your order and you may not be able to exercise your statutory or contractual rights.
Retention periods
|
Category of data |
Retention period |
|
Order details Contact details |
10 years |
|
Payment information |
6 years |
6.) Visitors to our physical sites
When you visit our physical sites, we will process personal data about you. The personal data we collect, the purposes for processing and the lawful bases are set out below.
|
Purpose |
Personal data used |
Lawful basis |
|
Building access management |
Identification details Access logs |
Legitimate interest |
|
CCTV management |
Images |
Legitimate interest |
If you do not provide personal data when requested we may not be able to provide access to our physical sites and offices.
Retention periods
|
Category of data |
Retention period |
|
Identification details Access logs |
6 months |
|
Images |
30 days/as long as necessary for investigations |
7.) Recipients of marketing communication
When you subscribe to our newsletter, we will process personal data about you. We may also send you marketing communication where you are a professional contact.
|
Purpose |
Personal data used |
Lawful basis |
|
Sending marketing communication |
Contact details |
Consent |
|
Sending marketing communication |
Professional contact details |
Legitimate interest |
If you do not provide personal data when requested we may not be able to send you relevant marketing communication.
Retention periods
|
Category of data |
Retention period |
|
Contact details |
5 years from last contact |
|
Professional contact details |
5 years from last contact |
8.) Visitors to our website
When you visit and interact with our website, we will process your personal data. The below table sets out the purposes for processing, the personal data used and the lawful basis. This applies to the website www.wsetglobal.com.
|
Purpose |
Personal data used |
Lawful basis |
|
Managing website enquiries |
Name Contact details Details of enquiry |
Consent |
|
Website analytics |
Set out in ‘Cookie’ section below. |
Consent and legitimate interests |
Cookies
Cookies are small text files that are storied on your device when you visit our website. They allow the website to function properly, personalise some functions and analyse how people use our website.
Necessary cookies
These cookies are crucial to the functioning of our website and cannot be turned off in our cookie settings.
We do not ask for consent for these cookies and rely on the legitimate interest lawful basis to install them. You can block these cookies using your browser settings, but the website may not function as intended and some parts of the website may not work.
Analytic and Advertisement cookies
These cookies allow us to track the behaviour of users when using the website and optimise the performance of the website. We rely on the lawful basis of consent to install these cookies. Consent is switched off by default, and you have the opportunity to opt-in to these cookies by using the banner at the bottom of the page.
|
Cookie name |
Purpose |
Expiry |
|
.ASPXAUTH |
These cookies collect information about how visitors use our website, for instance which pages visitors go to most often, and if they get error messages from web pages. These cookies do not collect information that identifies a visitor. |
Session |
|
ARRAffinity |
These cookies set by Azure app service, and allows the service to choose the right instance established by a user to deliver subsequent requests made by that user |
Session |
|
ARRAffinitySameSite |
These cookies are set by websites run on the Microsoft Azure cloud platform (which hosts our website). It is used for load balancing to make sure the visitor page requests are routed to the same server in any browsing session. |
Session |
|
ASP.NET_SessionId |
These cookies used to identify the users' session on the server. The session used to store data in between off HTTP requests on server. |
Session |
|
CookieConsent |
Stores the user's cookie consent state for the current domain |
1 year |
|
MUID |
Used widely by Microsoft as a unique user ID. The cookie enables user tracking by synchronising the ID across many Microsoft domains. |
1 year |
|
__RequestVerificationToken |
This cookie is an anti-forgery token designed to stop unauthorised posting of content to a website. |
Session |
|
_ce.s |
These cookies are used to track a recording visitor session unique ID, tracking host and start time. cebs is used to track the current user session internally. |
1 year |
|
_fbp |
Used by Facebook to deliver a series of advertisement products such as real time bidding from third party advertisers. |
3 months |
|
_ga |
Registers a unique ID that is used to generate statistical data on how the visitor uses the website. |
399 days |
|
_ga_7KZQBR9ZJ3 |
Used by Google Analytics to collect data on the number of times a user has visited the website as well as dates for the first and most recent visit. |
399 days |
|
_ga_FG6QBJYZYB |
Used by Google Analytics to collect data on the number of times a user has visited the website as well as dates for the first and most recent visit. |
399 days |
|
_ga_K87WKE25HV |
Used by Google Analytics to collect data on the number of times a user has visited the website as well as dates for the first and most recent visit. |
399 days |
|
_gid |
Registers a unique ID that is used to generate statistical data on how the visitor uses the website. |
Session |
|
_hjSessionUser_1013636 |
Collects anonymous statistical data related to the user's website visits, such as the number of visits, average time spent on the website and what pages have been loaded. |
Session |
|
_shopify_m |
These cookies are to manage user browsing preferences. The purpose of Shopify cookies can range from creating an order cart or tracking users for analytics data. |
Session |
|
_shopify_y |
These cookies are to manage user browsing preferences. The purpose of Shopify cookies can range from creating an order cart or tracking users for analytics data. |
Session |
|
cebs |
These cookies are used to track a recording visitor session unique ID, tracking host and start time. cebs is used to track the current user session internally. |
1 year |
|
ln_or |
Registers statistical data on users' behaviour on the website. Used for internal analytics by the website operator. |
Session |
9.) Our legitimate interests
We process personal data for the following legitimate interests:
- Meeting obligations in our contracts with Approved Programme Providers.
- Protecting our staff, premises, physical property and information assets.
- Establishing, exercising and defending against legal claims.
- Effective internal administration.
- Promoting our products, services and business.
10.) Recipients of personal data
Your personal data is accessed internally by the individuals and teams that need it to carry out the purposes set out above.
We use systems and products provided by third party companies to assist us in conducting our business. This includes using data processors such as Microsoft.
We may share your data with the following categories of recipients:
- Approved Programme Providers
- Public service providers such as the police or social services
- IT service providers
- Professional advisers, such as solicitors.
We will only share your personal data when we are allowed to do so under data protection law.
11.) International transfers of personal data
If any personal data is transferred internationally, we ensure appropriate transfer mechanisms are in place depending on the jurisdiction. The types of mechanisms we may employ include ensuring:
- The country has been deemed to provide an adequate level of protection for personal data
- Specific contracts approved by the relevant authorities are used which ensure data subjects can exercise their data protection rights in third-countries.
We may transfer personal data to other WSET Group companies to enable us to carry out services to you or for effective internal administration.
12.) Your rights
You have the following rights under data protection law in relation to your personal data.
- The right to be informed- this Privacy Notice is our way of informing you how your data is used.
- The right of access- you can request a copy of all the information we hold about you to check that we are lawfully processing it.
- The right to rectification- you can request that we rectify information about you that is incorrect.
- The right to erasure- also known as the right to be forgotten. You can request that information about you is deleted.
- The right to restrict processing- you can request that we pause processing your data so we can verify the lawfulness of processing.
- The right to object- you can request that we stop processing your information if you feel that the processing is not lawful.
- The right to data portability- you can request that data is transferred to another party so it can be reused across services.
Where you have given consent for us to use your personal data for specific purposes, you have the right to withdraw this consent at any time. If you would like to exercise any of the above rights, please contact our Data Protection Officer on the contact details above.
If you would like to exercise any of those rights, please contact our Data Protection Officer by emailing dpc@wsetglobal.com.
We will respond to any request within the statutory deadline of one calendar month. This deadline may be extended where applicable under data protection law. We will inform you if your request meets the extension criteria.
13.) How to complain
We hope that we can resolve any query or concern you raise about our use of your information. If you have any questions or queries about how we are processing your data, please contact our Data Protection Officer by emailing dpc@wsetglobal.com.
The Information Commissioner’s Office (ICO) is the UK’s regulator for data protection. Under data protection law you have the right to make a complaint to the ICO if you feel we have not complied with our data protection obligations. You can contact the ICO by:
- Visiting the ICO’s website
- Calling them on 0303 123 1113.
14.) Changes to this privacy notice
This privacy notice was last updated on 21st July 2023.
Where there are substantial changes to this Privacy Notice, we will inform you.