Introduction

The Fettes Shop (“the Shop”) is part of Fettes Enterprises Ltd with registration number SC187460. The Shop is a Data Controller for the purposes of Data Protection Law (the Data Protection Act 2018, the General Data Protection Regulation (EU) 2016/679 and any legislation that, in respect of the United Kingdom, replaces, or enacts into United Kingdom domestic law, the General Data Protection Regulation (EU) 2016/679, the proposed Regulation on Privacy and Electronic Communications or any other law relating to data protection), which means it determines how an individual’s personal data is processed and for what purposes.

The Shop is located within Fettes College, an independent boarding and day school. Some of the additional policies mentioned in this document relate to policies managed by Fettes College due to the nature of both organisations operating within the same grounds.

Our purpose

The Fettes Shop aims to offer a personalised service to pupils, their parents, staff and customers providing uniforms, gifts, stationery and everyday essential items both in shop and online.

About this Notice

This Notice is intended to provide information about how the Shop will use (or “process”) personal data about individuals including: its personnel, its current, past and prospective pupils and their parents and customers.

This information is provided in accordance with the rights of individuals under Data Protection Law to understand how their data is used. The Shop’s personnel, parents, pupils and prospective customers are all encouraged to read this Privacy Notice and understand the Shop’s obligations to its entire community.

This Privacy Notice also applies in addition to the Shop’s other relevant notices and policies, including:

  • any contract between the Shop and its customers;
  • the Shop’s policy on taking, storing and using images;
  • the Shop’s policy on the use of CCTV (managed by Fettes College);
  • the Shop’s retention of records policy;
  • the Shop’s safeguarding and pastoral policies;
  • the Shop’s Health and Safety policy, including how concerns or incidents are recorded;
  • the Shop’s IT policies, including its Acceptable Use policy and Online Safety policy

Whose data we collect

We collect data relating to individuals who fall into one or more of the categories listed below. This list is not exhaustive and represents the current, former and prospective stages of each category in the list:

  • Pupils
  • Parents
  • Staff
  • Volunteers
  • Suppliers and contractors
  • Visitors

Purposes for processing personal data

In order to carry out its ordinary duties to customers, staff, pupils and parents, the Shop may process a wide range of personal data about individuals (including current, past and prospective staff, pupils, parents or customers) as part of its daily operation.

Some of this activity the Shop will need to carry out in order to fulfil its legal rights, duties or obligations – including those under a contract with its staff, parents of pupils and customers.  Other uses of personal data will be made in accordance with the Shop’s legitimate interests, or the legitimate interests of another, provided that these are not outweighed by the impact on data subjects and provided it does not involve special or sensitive types of data.  Examples of such interests are included below under “Examples of how we might use your information”.

In addition, the Shop may need to process special category personal data (concerning health, ethnicity, religion, biometric data or sexual life) or criminal records information (such as when carrying out PVG checks) in accordance with rights or duties imposed on it by law, including as regards safeguarding and employment, or from time to time by explicit consent where required.  This may include:

  • To safeguard students’ welfare and provide appropriate pastoral (and where necessary, medical) care and to take appropriate action in the event of an emergency, incident or accident with the best services in line with their current health and to provide or seek appropriate medical care, including by disclosing details of an individual’s health to medical professionals where it is in the individual’s interests to do so.
  • To provide educational services in the context of any special educational needs of a pupil;
  • In connection with employment of its staff, for example PVG checks, welfare or pension plans;
  • For legal and regulatory purposes (for example child protection, diversity monitoring and health and safety) and to comply with its legal obligations and duties of care.

Examples of how we might use your information

Below is a list of the Shop’s processing activities that may fall within its, or a third party’s, legitimate interest. We may process your personal data on more than one lawful ground depending on the specific purpose for which we are using your data.

How we might use your information to manage your contract with the Shop

  • To provide access to facilities and services offered by the Shop;
  • To safeguard pupils’ welfare and provide appropriate pastoral care;
  • To process financial transactions to ensure the efficient and timely management of payments;
  • To send updates to customers about the Shop’s activities that customers can get involved in or any other relevant news about the Shop;
  • To market the Shop to former customers or prospective customers where we have consent to do so;
  • For security purposes, including CCTV in accordance with the Shop’s purposes, including to obtain appropriate professional advice and insurance for the Shop;
  • Sending updates from the Shop;
  • Invitations to events

How we might use your information if you are a prospective, existing or former employee

  • To manage the recruitment process
  • Processing PVG application forms
  • Paying salaries, pension contributions and tax
  • For the purposes of management planning and forecasting, research and statistical analysis, including that imposed or provided for by law (such as diversity or gender pay gap analysis and taxation records);
  • Managing leave, disciplinary actions, grievance procedures
  • To provide a safe and secure working environment

What information we collect

We will only store relevant data that allows us to fulfil our purposes outlined above. Data is generally collected directly from individuals when they enter into a contract with the Shop. Additional data is collected during an individual’s relationship with the Shop.

Examples of the data we store include:

  • Names, addresses, contact phone numbers, email addresses;
  • Familial relationships
  • Bank details and financial transactions
  • Where appropriate, information about individuals’ health and contact details for their next of kin;
  • Correspondence, attendance at meetings or events, meeting notes
  • References given or received by the Shop about pupils or prospective employees or information provided by previous educational establishments and/or other professionals or organisations working with pupils;
  • Images and video footage of pupils (and occasionally other individuals) engaging in School activities and images captured by the School’s CCTV system (in accordance with the School’s policies on CCTV and Taking, Storing and Using Images of pupils);
  • Car details (about those who use our car parking facilities);
  • Information such as CVs relating to past, present and prospective School personnel;
  • Higher education, engagement, giving capacity
  • Biometric data
  • Health/medical data
  • Criminal data

Where your information is stored

Data is stored both electronically and in hard copy format where necessary. There are strict access policies in place where only authorised personnel can access the information they require. Data storage locations may include:

  • Centralised administration databases
  • Shared internal hard drive
  • Individual hard drives
  • Emails
  • Personal laptops, phones and iPads – may contain temporary notes that will be transferred to a central location
  • Filing cabinets
  • Third parties (See below for more information on data that is shared with third parties)

How we keep your information secure

All those who have access to, and are associated with the processing of, personal data are legally obliged to respect the confidentiality of any data they need to access in order to carry out their work and are obliged to process data in accordance with our internal policies outlined in ‘About this Notice’.

How long we keep your data for

As per our internal Retention Policy, we will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

Sharing data with third parties

We may need to share some of your data with a third-party provider to fulfil our purposes. When we share data with a third party we will always ensure that we have the necessary contracts in place to ensure the security of your data. We will only share special category data, securely, with a third party if it is our legal obligation or in order to provide onsite medical care. Examples of third parties we may share data with may include:

  • Administrative databases
  • Email marketing providers
  • Direct mail service providers
  • Educational service (including online) providers
  • HMRC
  • Local authorities
  • Pension providers
  • IT services including cloud storage providers
  • Appointed GP Practice
  • Consultancy organisations who may analyse our data
  • Professional advisors

Transfer of personal data outside of the EEA

Restrictions of data leaving the EEA are in place to ensure that the level of data protection available to individuals within the EEA is not compromised.

Some of our processes may require us to transfer data outside of the EEA. Generally, this occurs when we use a third-party processor that has servers based outside of the EEA. In these instances, we will ensure that the appropriate safeguards are in place to ensure an individual’s data protection rights are met.

Getting in touch

If you would like to get in touch to update your information, amend your preferences, change the way we process your information or for any general data protection enquiries, you can do so by using the following means:

Email: shop@fettes.com

Post: The Fettes Shop, Fettes College, Carrington Road, EH4 1QX

Phone: +44 (0) 131 332 2281

Complaints

If you feel your data has not been used in accordance with this policy, please notify us by using the contact details outlined above. We do hope that any matters of complaint may be resolved between the complainant and Fettes Enterprises; however, if you feel the need to escalate any complaint where there has been no satisfactory resolution in dealing directly with Fettes Enterprises, you may contact the ICO (ico.org.uk), who are the governing body for data protection information in the UK.

Your rights

Pupil data

The rights under Data Protection Law belong to the individual to whom the data relates. For the purposes of delivering our obligations under the School contract we will usually liaise with the parent and share pupil data with them relating to their child’s progress and behaviour, school activities and the general wellbeing of their child.

Where a pupil seeks to raise concerns confidentially with a member of staff and expressly withholds their agreement to their personal data being disclosed to their parents, we may be under an obligation to maintain confidentiality unless, in our opinion, there is a good reason to do otherwise; for example, where the school believes disclosure will be in the best interests of any pupil or is required by law.

How to find out if we are processing your data and request a copy of your information

You have the right to ask if your data is being processed by us and the right to ask for a copy of the data related to you that we are processing. A person with parental responsibility will generally be entitled to make a subject access request on behalf of a pupil, but the information in question is always considered to belong to the individual to whom the data relates. In Scotland, the law presumes that a child of 12 years or more has the capacity to exercise their rights under the Data Protection Law. A pupil of any age may ask a parent or other representative to make a subject access request on their behalf. Moreover (if of sufficient maturity) their consent or authority may need to be sought by the parent making such a request. Requests for data that are excessive or repetitive will be subject to a fee.

How to have your data amended or deleted

You have the right to have inaccurate data rectified or completed (if it is incomplete), or have your data erased. Some exceptions may apply where we have another lawful reason to continue to process your data.

How to stop us using your data for certain purposes

You have the right to object to certain processes, such as fundraising activities, as long as it does not interfere with contractual or lawful obligations that we still may need to fulfil.

How to transfer data

You have the right to request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.

To act upon any of your rights outlined above please contact us using the details previously given. Requests may be made verbally or in writing. We will aim to respond to any such requests within one month of receipt. We may need to take steps to confirm the identity of the requestor depending on the method in which the request was made. Some requests (or part thereof) may be refused and in such cases, we will respond outlining the reason for refusal.