0 Shortlist Search
Enter your keyword, course, subject or interest
EC Default Banner

Hairdressing and Beauty Therapy Client Registration

Who is collecting the information?

Edinburgh College is the Data Controller. We have an appointed Data Protection Officer (DPO), who can be contacted by emailing: DataProtection@edinburghcollege.ac.uk.

Why are we collecting it, and what are we doing with it (Purpose)?

  • Create and manage your client file, compile a case study and individualised treatment plan. This information helps students learn to assess their clients' needs through discussion and skin analysis, enabling them to provide accurate advice and treatment. This treatment plan also forms part of students’ coursework and will be used to assess their performance.
  • Communicate with you about your appointments.
  • To ensure any treatments are being delivered safely and that there are no contraindications which would prevent or restrict the treatments, as some treatments could exacerbate medical conditions or cause an adverse reaction, and whether we need to ask you to obtain the permission of your GP before undertaking a treatment.
  • We may use your images and anonymised client notes to evidence student work and assessments.
  • Send you marketing information. If you opt to receive marketing communication, we will contact you with details of special offers or events at the salon.

What personal data do we collect?

Personal data

  • Name
  • Address
  • Telephone number
  • Date of birth
  • Name and address of GP
  • Email
  • Photographs

Special Category Data

  • Health data (including mental health)
  • Pregnancy and maternity information

How are we collecting this information? What is the source?

The information is collected from you using the College’s client registration form and medical questionnaire.

The lawful basis for the processing

The basis for processing personal data under the UK General Data Protection Regulation (UK GDPR) is:

  • Article 6(1)(e) “necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller” – where processed to arrange and administer graduation day.
  • Article 6(1)(f) “processing is necessary for the legitimate interests pursued by the controller” – where processed to document, publish and record details and images from the event. The legitimate interest is based on the College’s business interest in recording and promoting its work. We will inform you that we will capture and use your image (through signage at the Graduation venue, this privacy notice, the Graduation website, and individual requests from photographers/videographers on the day).
  • Article 6(1)(a) “consent” – where the College has sought direct consent from individuals for featuring in The Scotsman graduates list, group/individual photographs and case study content. You can withdraw your consent at any time by contacting communications@edinburghcollege.ac.uk. Please be aware that although content can be removed from the College’s website and social media, the College cannot control how it was accessed or used before its removal. Additionally, printed media (e.g., local press newspapers) cannot be recalled.

Who we share the information with

Unless you have opted out, your name will be published in the graduation programme. Where permission has been received, your name will also be published in the day’s edition of The Scotsman newspaper, which is available to anyone who purchases a copy.

Edinburgh College may use selected photographs and video clips from the graduation ceremony to promote the College and future graduations. Your name and image may appear in promotional material, on the Edinburgh College website, and on social media.

Marston Events, our event partner, will receive information about you when you register for graduation. They will also take photos and video on the day for you and on our behalf.

How long do we hold the personal data?

General graduation administration, e.g. information provided in graduation forms, will be retained for one year after the ceremony.

Following completion of Graduation, the College will hold the photos and video recordings

for five years, then securely destroy/delete in accordance with College procedures.

Photographic/video images, along with accompanying information, shared in printed publications, on websites, and on social media, will be in general circulation and may be retained in a historical archive indefinitely.

Individuals’ rights in relation to this processing

Under data protection law, you have a number of rights; some of these rights only apply if certain conditions are met. Your rights are: right to be informed (e.g. privacy notice), right of access, right of rectification, right of erasure (commonly known as the right to be forgotten), right to restrict processing, right to object, right to data portability and the right to know of any automated decision making (including profiling). It’s worth noting that you can exercise your rights either verbally or in writing, and the College would be required to process your request within one month.

The rights that apply to this particular processing are:

  • Right to be Informed – i.e. a privacy notice.
  • Right of Access – this means you have the right to access your personal information.
  • Right to Rectification – this means you have the right to correct inaccurate or incomplete personal information.
  • Right to Erasure – commonly known as the Right to be Forgotten (RTBF) – this means you can request that your personal data be deleted.
  • Right to Data Portability – this means you have the right to request your information in a machine-readable format (e.g. a .csv file) to be provided to you or transferred in that format to another organisation.
  • Right to Restriction – this means you can restrict the processing of your information and links with some of the other rights.
  • Right to Object – this means you can object to how your data is used.
  • Right to be informed of automated individual decision-making (including profiling) – we do not use this for OH purposes, and therefore this does not apply.

Some of the rights above have caveats and only apply in certain circumstances. You can exercise your rights at any time, and the College would be required to answer within a month upon receipt of your request. If you wish to exercise your rights or have any queries in relation to this, please contact the Data Protection Team at DataProtection@edinburghcollege.ac.uk.

Complaints to the UK Information Commissioner’s Office (ICO)

If you are concerned about how your personal data is being used by the College, in the first instance, please contact the College Data Protection Officer (DPO) at DataProtection@edinburghcollege.ac.uk. If you are not satisfied with the outcome, then you can complain to the regulator of data protection, the UK Information Commissioner’s Office (ICO). The ICO guides on the ICO website.

You can email them at casework@ico.org.uk, call them on 0303-123-113, or you can send a letter to them at the following address:

Customer Contact
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
SK9 5AF