The Fashion Retail Academy (“FRA”, “we”, “us”) is a training provider specialising in careers in fashion retail offering one year diploma courses and two year fast track Degree courses across a range of head office roles including Buying, Visual Merchandising, Marketing, Design, Digital, Merchandising and Retail Management.
The Fashion Retail Academy is a registered charity (no. 1119540) and company limited by guarantee (no. 5507547). The registered address is 15 Gresse street London W1T 1QL.
How do we collect your personal information?
We collect your personal information:
- When you give it to us directly
For example, personal information that you give to us through our website by ordering a prospectus or signing up to attend an open day, or personal information that you give to us when you communicate with us by email, phone or letter.
- When we obtain it indirectly
Your personal information may be shared with us by third parties including, for example, our sub-contractors in technical services, analytics providers or search information providers. To the extent we have not done so already, we will notify you when we receive personal information about you from them and tell you how and why we intend to use that personal information.
- When it is available publicly
Your personal information may be available to us from external publicly available sources. For example, depending on your privacy settings for social media services, we may access information from those accounts or services (for example when you choose to interact with us through platforms such as Facebook, Instagram or Twitter).
- When you visit our website
When you visit our website, we automatically collect the following types of personal information:
- technical information, including the internet protocol (IP) address used to connect your device to the internet, browser type and version, time zone setting, browser plug-in types and versions and operating systems and platforms.
- Information about your visit to the website, including the uniform resource locator (URL) clickstream to, through and from the website (including date and time), services you viewed or searched for, page response times, download errors, length of visits to certain pages, referral sources, page interaction information (such as scrolling and clicks) and methods used to browse away from the page.
What personal information do we use?
We may collect, store and otherwise use the following kinds of personal information:
- your name and contact details, including postal address, telephone number, email address and, where applicable, social media identity;
- your date of birth;
- your financial information, such as bank details and/or credit/debit card details, account holder name, sort code and account number;
- information about your computer/mobile device and your visits to and use of this website including, for example, your IP address and information about which pages you access;
- details of your qualifications/experience;
- information about our services which you use/which we consider may be of interest to you; and/or
- any other personal information which you choose to share with us or we obtain as per section 1.
Do we process special categories of personal information?
The EU General Data Protection Regulation (“GDPR”) recognises certain categories of personal information as sensitive and therefore requiring more protection, for example information about your health, ethnicity and political opinions.
In certain situations, FRA may collect and/or use these special categories of personal information (for example, in case we need to know about any medical or access requirements so that you can attend an interview, one of our events or so accommodations can be made for you when you start studying with us). We will only use these special categories of personal information if we have both a lawful basis under Article 6 GDPR and can satisfy an exception under Article 9 GDPR (please see section 4 below).
How and why will we use your personal information?
Your personal information will be used for the purposes specified in this Policy. In particular, we may use your personal information:
- to provide you with services, products or information you have requested;
- to coordinate the admissions process, including arranging interviews;
- to enroll you onto our courses;
- to register and administer your participation in events;
- to provide further information about our work, services, activities or products (for electronic marketing, only where you have provided your consent);
- to process payments you make to us;
- to allow you to participate in our courses;
- to answer your questions/communicate with you in general;
- to process your application for a grant or job with us;
- to administer competitions which we run;
- to analyse and improve our work, services, activities, products or information (including our website), or for our internal records;
- to run/administer our website, keep it safe and secure and ensure that content is presented in the most effective manner for you and for your device;
- to further our charitable aims in general;
- to audit and/or administer our accounts;
- to satisfy legal obligations which are binding on us, for example in relation to regulatory, government and/or law enforcement bodies with whom we may work (for example, requirements relating to the payment of tax or anti-money laundering);
- for the prevention of fraud or misuse of services; and/or
- for the establishment, defence and/or enforcement of legal claims.
- In accordance with the SEND Code of Practice 2015
- Arranging work placements
- Communicating student details for the purpose of work placement
- Arranging interviews for potential student (current and alumni) employment
The GDPR requires us to rely on one or more lawful bases to use your personal information. We consider the bases in Article 6 GDPR listed below to be relevant:
- Where you have provided your consent for us to use your personal information in a certain way (for example, we will ask for your consent to send you marketing material by email, and we may ask for your explicit consent to collect special categories of your personal information).
- Where necessary so that we can comply with a legal obligation to which we are subject (for example, where we are obliged to share your personal information with regulatory bodies which govern our work and services).
- Where necessary for the performance of a contract to which you are a party or to take steps at your request prior to entering a contract (for example, to coordinate an interview or to allow you to participate in a course in which you have enrolled).
- Where it is in your/someone else’s vital interests (for example, in case of a medical emergency suffered by a student while on our premises).
- Where there is a legitimate interest in us doing so.
The GDPR allows us to collect and process your personal information if it is reasonably necessary to achieve our or others’ legitimate interests (as long as that processing is fair, balanced and does not unduly impact your rights).
In broad terms, our “legitimate interests” mean the interests of running FRA as a training provider specialising in careers in fashion retail and pursuing our charitable aims and ideals; for example administering training courses or connecting you with the right college for you.
When we process your personal information to achieve such legitimate interests, we consider and balance any potential impact on you (both positive and negative), and your rights under data protection laws. We will not use your personal information for activities where our interests are overridden by the impact on you, for example where use would be excessively intrusive (unless, for instance, we are otherwise required or permitted to by law).
Where we process special categories of your personal information (please see section 2 above), in addition to relying on a lawful basis under Article 6 GDPR we also need to be able to satisfy one of the exceptions to the general prohibition on processing special categories of personal information under Article 9 GDPR. Usually, this will be where you have provided us your explicit consent or where the processing is necessary for reasons of “substantial public interest” (for example to ensure equality of opportunity, promote diversity, or prevent or detect unlawful acts).
We may analyse your personal information to create a profile of your interests and preferences so that we can contact you with information relevant to you. We may make use of additional information about you when it is available from external sources to help us do this effectively. We may also use your personal information to detect and reduce fraud and credit risk.
Communicating for marketing/promotion
We may use your contact details to provide you with information about our work, events, services and/or products which we consider may be of interest to you (for example, about courses you previously attended or expressed interest in).
Where we do this via email, SMS or telephone (where you are registered with the Telephone Preference Service), we will not do so without your prior consent (unless allowed to do so via applicable law).
When you have provided us with your consent previously, we will store your data in the system for 12 months and use it to contact you about our work. If you do not wish to be contacted by us about our work, events, services and/or products anymore, please let us know by email at email@example.com. You can also opt out of receiving emails from FRA at any time by clicking the “unsubscribe” link at the bottom of our emails. Your data may also be held and processed Blue Sparks Digital, NXT and Evorio all hosting is provided by Microsoft Azure within the GB/EU. If you are an applicant, we may share your data with Menzis Mailing to contact you about your application/interview.
Occasionally we share limited applicant data (first part of postcode only) with Experian to analyse which areas our applicants live in for the purpose of targeting our advertising campaigns.
Children’s personal information
When we process children’s personal information, where required we will not do so without their consent or, where required, the consent of a parent/guardian. We will always have in place appropriate safeguards to ensure that children’s personal information is handled with due care.
We are concerned to protect the privacy of children age 13 or under. If you are aged under 13, you must get your parent/guardian's permission beforehand whenever you provide us with personal information.
How long do we keep your personal information?
If you have applied to the FRA, in general, unless still required in connection with the purpose(s) for which it was collected and/or used or for legal or regulatory purposes, we remove your personal information from our records seven years after the date on which it was collected. However, if before that date (i) your personal information is no longer required in connection with such purpose(s), (ii) we are no longer lawfully entitled to process it or (iii) you validly exercise your right of erasure (please see section 11 below) we will remove it from our records at the relevant time.
We do not share, sell or rent your personal information to third parties
We will not share your information with third parties for marketing purposes.
However, we may disclose your personal information to selected third parties in order to achieve the purposes set out in this Policy. Those parties may include (but are not limited to):
- our suppliers, service providers, agents, subcontractors and/or other similar organisations for the performance of contracts we enter into with them (for example IT service providers, such as software developers or network security providers). Please be assured that we only disclose the personal information necessary to deliver the service in question and we have a contract in place that requires them to handle your personal information in line with applicable data protection laws;
- government agencies who provide funding;
- financial companies that process payments on our behalf;
- professional service providers such as accountants and lawyers;
- parties assisting us with research to monitor the impact/effectiveness of our work;
- regulatory authorities, such as tax authorities; and/or
- analytics and search engine providers
In particular, we reserve the right to disclose your personal information to third parties:
- in the event that we sell or buy any business or assets, in which case we will disclose your personal information to the (prospective) seller or buyer of such business or assets;
- if substantially all of our assets are acquired by a third party, personal information held by us may be one of the transferred assets;
- if we are under any legal or regulatory duty to do so; and/or
- to protect the rights, property or safety of FRA, its personnel, users, visitors and others
Security/storage of and access to your personal information
FRA is committed to keeping your personal information safe and secure and we have appropriate and proportionate security policies and organisational and technical measures in place to help protect your information.
Your personal information is only accessible by appropriately trained staff, volunteers and contractors, and stored on secure servers with features enacted to prevent unauthorised access.
International transfers of your personal information
Given that we are a UK-based organisation, we will normally only transfer your personal information within the UK or European Economic Area (“EEA”), where all countries have the same level of data protection law under the GDPR.
However, because we sometimes use agencies and/or suppliers to process your personal information on our behalf, while we take reasonable due diligence measures or put such third parties under contractual obligations, we cannot always control where they store their personal information. It is therefore possible that personal information we collect from you will be transferred to and stored outside a location in the UK or EEA.
By opting in to marketing you are consenting to your data being transferred to Active Campaign or Survey Monkey depending on collection method, third party providers based in the US. Active Campaign and Survey Monkey both adheres to the EU-U.S. Privacy Shield Framework Principles to comply with GDPR.
Please note that some countries outside the UK or EEA have a lower standard of protection for personal information, including lower security requirements and fewer rights for individuals. Where your personal information is transferred, stored and/or otherwise processed outside the UK or EEA in a country that does not offer an equivalent standard of protection to the UK or EEA, we will take all reasonable steps necessary to ensure that the recipient implements appropriate safeguards. For example we may enter into the European Commission approved standard contractual clauses with such providers to protect your personal information and to ensure that your personal information is treated securely and in accordance with this Policy. If you have any questions about the transfer of your personal information, please contact us using the details in section 16 below.
Unfortunately, no transmission of your personal information over the internet can be guaranteed to be 100% secure – however, once we have received your personal information, we will use strict procedures and security features to try and prevent unauthorised access.
Your rights and how to exercise them
Where we rely on your consent to use your personal information, you have the right to withdraw that consent at any time. This includes the right to ask us to stop using your personal information for marketing or fundraising purposes, or to unsubscribe from our email list at any time. You also have the following rights:
- Right of access – you can write to us to ask for confirmation of what personal information we hold on you and to request a copy of that personal information. Provided we are satisfied that you are entitled to see the personal information requested and we have successfully confirmed your identity, we will provide you with your personal information subject to any exemptions that apply.
- Right of erasure – at your request we will delete your personal information from our records as far as we are required to do so. We may keep a record of erasure requests to ensure future compliance and to keep a record of our compliance with your request.
- Right of rectification – if you believe our records of your personal information are inaccurate, you have the right to ask for those records to be updated. You can also ask us to check the personal information we hold about you if you are unsure whether it is accurate/up to date.
- Right to restrict processing – you have the right to ask for processing of your personal information to be restricted if there is disagreement about its accuracy or legitimate use.
- Right to object – you have the right to object to processing where we are (i) processing your personal information on the basis of the legitimate interests basis (see section 4 above), (ii) using your personal information for direct marketing or (iii) using your information for statistical purposes.
- Right to data portability – to the extent required by the GDPR, where we are processing your personal information (that you have provided to us) either (i) by relying on your consent or (ii) because such processing is necessary for the performance of a contract to which you are a party or to take steps at your request prior to entering into a contract, and in either case we are processing your personal information using automated means (i.e. with no human involvement), you may ask us to provide the personal information to you – or another service provider – in a machine-readable format.
- Rights related to automated decision-making – you have the right not to be subject to a decision based solely on automated processing of your personal information which produces legal or similarly significant effects on you, unless such a decision (i) is necessary to enter into/perform a contract between you and us/another organisation, (ii) is authorised by EU or Member State law to which FRA is subject (as long as that law offers you sufficient protection), or (iii) is based on your explicit consent.
Please note that some of these rights only apply in limited circumstances. For more information, we suggest that you contact us using the details in section 16 below.
We encourage you to raise any concerns or complaints you have about the way we use your personal information by contacting us using the details in section 16 below.
You may further make a complaint to the Information Commissioner’s Office – www.ico.org.uk. For further information on how to exercise this right, please contact us using the details in section 16 below.
Changes to this Policy
We may update this Policy from time to time. We will notify you of significant changes by contacting you directly where reasonably possible for us to do so and by placing a notice of update on our website. This Policy was last updated on the 03rd of May 2018.
Data Protection Officer
Our Data Protection Officer (“DPO”) can be contacted directly at firstname.lastname@example.org. Alternately, please use the contact details in section 16 below and mark the email/letter for the attention of the DPO or ask to speak to the DPO.
Links and third parties
Our website may contain links to other websites run by other organisations. This Policy applies only to our website‚ so we encourage you to read the privacy statements on the other websites you visit. We cannot be responsible for the privacy policies and practices of other sites even if you access them using links from our website.
How to contact us
If you have any questions about how we use your personal information, please contact us using the following details:
Telephone: 0207 307 2345
Post: Fashion Retail Academy Customer Service, 15 Gresse Street, London W1T 1QL