The Fettes Shop (“the Shop”) is part of Fettes Enterprises Ltd with registration number SC187460. The Shop is a Data Controller for the purposes of Data Protection Law (the Data Protection Act 2018, the General Protection Regulation (EU) 2016/679 and any legislation that, in respect of the United Kingdom, replaces, or enacts into United Kingdom domestic law, the General Data Protection Union (EU) 2016/679, the proposed Regulation on Privacy and Electronic Communications or any other law relating to data protection), which means it determines how an individual’s personal data is processed and for what purposes.
The Shop is located within Fettes College, an independent boarding and day school. Some of the additional policies mentioned in this document relate to policies managed by Fettes College due to the nature of both organisations operating within the same grounds.
The Fettes Shop aims to offer a personalised service to pupils, their parents, staff and customers providing uniforms, gifts, stationery and everyday essential items both in shop and online.
This Notice is intended to provide information about how the Shop will use (or “process”) personal data about individuals including: its personnel, its current, past and prospective pupils and their parents and customers.
This information is provided in accordance with the rights of individuals under Data Protection Law to understand how their data is used. the Shop’s personnel, parents, pupils and prospective customers are all encouraged to read this Privacy Notice and understand the Shop’s obligations to its entire community.
This Privacy Notice also applies in addition to the Shop’s other relevant notices and policies, including:
We collect data relating to individuals who fall into one or more of the categories listed below. This list is not exhaustive and represents the current, former and prospective stages of each category in the list:
In order to carry out its ordinary duties to customers, staff, pupils and parents, the Shop may process a wide range of personal data about individuals (including current, past and prospective staff, pupils, parents or customers) as part of its daily operation.
Some of this activity the Shop will need to carry out in order to fulfil its legal rights, duties or obligations – including those under a contract with its staff, parents of pupils and customers. Other uses of personal data will be made in accordance with the Shop’s legitimate interests, or the legitimate interests of another, provided that these are not outweighed by the impact on data subjects and provided it does not involve special or sensitive types of data. Examples of such interests are included below under “Examples of how we might use your information”.
In addition, the Shop may need to process special category personal data (concerning health, ethnicity, religion, biometric data or sexual life) or criminal records information (such as when carrying out PVG checks) in accordance with rights or duties imposed on it by law, including as regards safeguarding and employment, or from time to time by explicit consent where required. This may include:
The below is a list of the Shop’s processing activities that may fall within its, or a third party’s legitimate interest. We may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data.
We will only store relevant data that allows us to fulfil our purposes outlined above. Data is generally collected directly from individuals when they enter into a contract with the Shop. Additional data is collected during an individual’s relationship with the Shop.
Examples of the data we store include:
Data is stored both electronically and in hard copy format where necessary. There are strict access policies in place where only authorised personnel can access the information they require. Data storage locations may include:
All those who have access to, and are associated with the processing of, personal data are legally obliged to respect the confidentiality of any data they need to access in order to carry out their work and are obliged to process data in accordance with our internal policies outlined in ‘About this Notice’.
As per our internal Retention Policy, we will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
We may need to share some of your data with a third-party provider to fulfil our purposes. When we share data with a third party we will always ensure that we have the necessary contracts in place to ensure the security of your data. We will only share special category data, securely, with a third party if it is our legal obligation or in order to provide onsite medical care. Examples of third parties we may share data with may include:
Restrictions of data leaving the EEA are in place to ensure that the level of data protection available to individuals within the EEA is not compromised.
Some of our processes may require us to transfer data outside of the EEA. Generally, this occurs when we use a third-party processor who have servers based outside of the EEA. In these instances, we will ensure that the appropriate safeguards in place to ensure an individual’s data protection rights are met.
If you would like to get in touch to update your information, amend your preferences, change the way we process your information or for any general data protection enquiries, you can do so by using the following means:
Email: shop@fettes.com
Post: The Fettes Shop, Fettes College, Carrington Road, EH4 1QX
Phone: +44 (0) 131 332 2281
If you feel your data has not been used in accordance with this policy, please notify us by using the contact details outlined above. We do hope that any matters of complaint may be resolved between the complainant and Fettes Enterprises, however, if you feel the need to leverage any complaint where there has been no satisfactory resolution in dealing directly with Fettes Enterprises, you may contact the ICO ico.org.uk/, who are the governing body for data protection information in the UK.
Pupil data
The rights under Data Protection Law belong to the individual to whom the data relates. For the purposes of delivering our obligations under the School contract we will usually liaise with the parent and share pupil data with them relating to their child’s progress and behaviour, school activities and the general wellbeing of their child.
Where a pupil seeks to raise concerns confidentially with a member of staff and expressly withholds their agreement to their personal data being disclosed to their parents, we may be under an obligation to maintain confidentiality unless, in our opinion, there is a good reason to do otherwise; for example, where the school believes disclosure will be in the best interests of any pupil or is required by law.
How to find out if we are processing your data and request a copy of your information
You have the right to ask if your data is being processed by us and the right to ask for a copy of the data related to you that we are processing. A person with parental responsibility will generally be entitled to make a subject access request on behalf a pupil, but the information in question is always considered to belong to the individual to whom the data relates. In Scotland, the law presumes that a child of 12 years or more has the capacity to exercise their rights under the Data Protection Law. A pupil of any age may ask a parent or other representative to make a subject access request on their behalf. Moreover (if of sufficient maturity) their consent or authority may need to be sought by the parent making such a request. Requests for data that are excessive or repetitive will be subject to a fee.
How to have your data amended or deleted
You have the right to have inaccurate data rectified or completed (if it is incomplete), or have your data erased. Some exceptions may apply where we have another lawful reason to continue to process your data.
How to stop us using your data for certain purposes
You have the right to object to certain processes, such as fundraising activities, as long as it does not interfere with contractual or lawful obligations that we still may need to fulfil.
How to transfer data
You have the right to request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
To act upon any of your rights outlined above please contact us using the details previously given. Requests may be made verbally or in writing. We will aim to respond to any such requests within one month of receipt. We may need to take steps to confirm the identity of the requestor depending on the method in which the request was made. Some requests (or part thereof) may be refused and in such cases, we will respond outlining the reason for refusal.