Privacy Notice

Vision Express takes data protection seriously. We're committed to safeguarding your privacy and keeping your personal information confidential and secure.

We want to be clear and transparent as to why and how we use your data. Our privacy statement:

  • Explains what personal information we collect from you
  • Provides you with details of how we use and lawfully process your personal data
  • Tells you how to contact us should you have a query or complaint or wish to exercise your data rights

This privacy statement applies to any customer personal data that we process in any of our business activities. This includes data collected in store or on any of our websites, online forms, social media, emails, complaints, customer satisfaction surveys, any written correspondence, and over the telephone.

For information on how we process data for recruitment, please see our recruitment privacy statement, and for how we use cookies on our website, please read our Cookie Policy.

Vision Express (UK) Limited, Reg Co Number 2189907, belongs to a group of companies, whose parent company, Grand Vision, is registered in the Netherlands. We also have companies registered in the Republic of Ireland and Jersey.

This policy applies to Vision Express (UK), all of its subsidiaries and their subsidiaries, including joint ventures, all of which are registered with the Information Commissioner's Office (ICO) as data controllers.

The policy also applies to Vision Express (Ireland) Limited, its subsidiaries, and joint ventures, all of which are registered with the Irish Data Protection Commission as data controllers.

We have appointed a Data Protection Officer who can be contacted at [email protected].

Please note that:

  • We will aim to acknowledge receipt of your email within 48 hours
  • We will need to verify your identity when you contact us.

Protecting your confidentiality

To protect the confidentiality of your information, we will ask you to verify your identity before proceeding with any request you make under this privacy notice.

Our responses may include sensitive personal data and confidential data, so we require:

  • requests to be provided in writing, including email, or verbally. Where possible, it would really help us if you could send your request in writing.
  • the request to be signed,
  • details of identity, including first name, last name, address and date of birth.

Please note - in most instances access to your personal data is free of charge.

We are only able to comply with requests that relate to personal data held in accessible, structured filing systems for which we are the data controller.

  • Email via our Contact Us form
  • Call 08000 382 177
  • Write to: Customer Service Department, Vision Express (UK) Limited, Ruddington Fields Business Park, Mere Way, Ruddington, Nottingham NG11 6NZ.

Your Rights

Right of access - You can request a copy of the personal data that we hold on you. This is called a Subject Access Request.

You can also consent to us making your personal data available to a third party.

For more information on giving consent to a third party or family member, please see the 'Subject Access Requests by Third parties' section below.

We will make your information available to you within the recommended timeframe once we've confirmed your identity.

We'll provide your personal data to a third party if we're happy that the information has been lawfully requested.

Right of rectification - you may request that we correct personal data that we hold about you which you believe is incorrect or inaccurate.

As soon as you contact us, we'll assess your request. Please note that we may ask you to verify any new data that you provide to us and may take our own steps to check that the new data you have supplied us with is right.

In certain circumstances we may have to refuse a request for rectification but we will let you know and explain our decision.

Right to restrict processing - in certain instances, you can request that we stop processing your information e.g. where you believe the information is inaccurate, or you believe there is no legal reason for us to continue to process your data.

Where the data is restricted from being processed, we will (with the exception of storage) not process your personal data without your consent, unless we have a legal reason to do so, or we need to defend any legal claims against us or we need to protect another individual's rights.

Right to data portability - you have the right to have your information transferred to another entity where this is technically possible.

We'll provide your personal data to you in a structured, commonly used and machine readable format.

Right to object - you may object to the processing of your personal data where we use 'legitimate interests' as the lawful basis for processing.

You also have the right to object to the processing of your personal data for purposes of direct marketing.

We'll stop using your personal data unless we believe we have a legitimate overriding reason to continue processing your personal data, or we need to defend any legal claims against us.

We'll record your request and will ensure that no further marketing communications are sent to you. This may take 28 days to take effect from receiving your request.

Right to withdraw consent - whenever you have given us your consent to use your personal data, you have the right to change your mind at any time and withdraw that consent.

We'll stop processing your personal data for the purpose for which the consent was given. The lawfulness of processing based on consent before its withdrawal will not be affected.

Right to Erasure - you have the right to request that we delete the personal information we hold on you. You have the right to have your personal data deleted only in the following circumstances:

  1. Where we no longer need your data for the purposes it was originally collected
  2. Where you have withdrawn consent that you had previously given
  3. Where you object to us processing your data and we have no overriding legal reason to do so
  4. Where the personal data has been unlawfully processed
  5. Where law requires us to delete the personal data

We'll assess your request and confirm if your request can be actioned. However, we're not always obliged to erase personal data, and in many cases legislation will prevent us from simply deleting personal data and requires us to retain personal data for a period of time. This is more fully discussed in the 'How long do we keep your data' section.

Where we have been asked to erase data but have a legal obligation to keep it, we will:

  • Inform you of the obligation.
  • Suppress your record to ensure that no further communications are sent to you.

You also have the right to lodge a complaint with a supervisory body, e.g. the Information Commissioner's Office. You can contact them by:

UK

Post - Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.

Tel: 0303 123 1113

Email: [email protected]

Ireland

Post - Data Protection Commissioner, Canal House, Station Road, Portarlington, Co. Laois, R32 AP23, Eire

 

 

To be able to provide you with our goods and services, we may need to, or be legally required to obtain and process your personal data.

We collect personal data in a number of ways, including when you visit a store, via the website, by phone, email, post and social media.

The type of personal data we collect includes:

  • Personal information such as name, contact details, age, date of birth
  • Medical data concerning your eye health, eye exams, results, retinal photographs, current and past eye conditions, general health, prescriptions, medications, and information received from other health professionals
  • Information on your lifestyle and hobbies collected as part of your eye test
  • Personal information about others eg your family history, next of kin, contact details of your family that you give us
  • Information about your purchases with us, past orders and payments including any discounts applied and refunds
  • Feedback and survey responses
  • Information on the pages that you've visited on our website, your demographics and interests (please see our cookie policy for more information on how we use cookies)
  • Images and recordings such as CCTV
  • Your correspondence with us either in writing or by phone e.g. details of queries, complaints, call recordings or notes taken during conversations, requests for access to information and other requests exercising your rights.
  • Electronic information, for example, your MAC address collected from your device

Your personal data is processed for the following reasons, so that we can provide you with the best possible eye health care and customer experience. Here's how we use your data:

To provide professional eye care services:

  • To perform eye examinations so we can understand your eye health and any medical conditions
  • To determine your prescription for eyewear and dispense your eyewear
  • To book your eye test
  • To confirm your appointment. We'll send you a confirmation if you book online, and a courtesy reminder will be sent a short period before the appointment is due
  • To contact you about changes to our service that could affect or inconvenience you, e.g. a change to your usual store's location
  • To send you eye test reminders. Changes in your eyesight are usually very gradual, so regular eye tests are important. The recommendation is to have your eyes tested every two years, unless your optician prescribes otherwise. We'll send you a reminder shortly before the end of the recommended recall period, and follow up if we don't hear from you
  • To send you communications regarding eye health and vision correction and how you can look after them, e.g. it's essential for your vision that glasses are fitted correctly, so we'll remind you to get your glasses checked and adjusted
  • To send you direct marketing communications - with your consent we'll send you information about our products, offers and discounts by email and/or post. Of course you are free to opt out of these communications at any time by updating your consent preferences. For details, see our 'How do you contact us or request a change' section
  • Survey and feedback requests to help us improve our service to you and make our services and products more relevant to you.

To meet our regulatory obligations:

  • If you choose to exercise your data rights eg a subject access request
  • So we're able to meet our obligations as registered and dispensing optometrists
  • So we can respond to any complaints or claims we receive from regulators or other third parties.

For financial purposes e.g.

  • To process any transactions when you purchase our goods and services
  • To process your credit/debit card information when used to pay for our goods and services and dealing with refunds.

For commercial purposes e.g.

  • So we can provide our products and services to you
  • To improve our products and services to you, we use data collected through the use of customer surveys, cookies, research and analysis.
  • To communicate with you as well as send you details of special offers and discounts relevant to you.

When requested by third parties e.g.

  • We may need to make your personal data available to other optometrists, medical practitioners, health and social care providers or the NHS.
  • Regulators may request information when carrying out their functions.
  • Other third parties who have a legal right to access personal data, e.g. the police, our insurers, external auditors and investigators.
  • Other companies who provide us with updated personal information e.g. changes to your contact information, deceased indicators.

Complaints and Queries eg

So we can respond to complaints, queries and any claims made against us.

Business purposes eg

  • To meet our contractual obligations
  • To recognise you as being a customer
  • Fraud prevention and detection
  • Health and safety of members of the public, our staff and our customers
  • Corporate requirements including mergers and acquisitions.

There are a number of reasons why, as a company, we collect and process your personal data. The lawful bases we use for processing your personal data are:

1. Regulatory compliance

As a firm of registered Opticians, we are permitted by law to process special categories of personal data (e.g. data concerning your health).

The provision of eye health services in the UK is regulated by the Opticians Act and the Rules issued by the General Optical Council. In Ireland it is regulated by the Health and Social Care Professional Act and the Optical Registration Board Bye-laws. They legally require us to collect and process your personal data including special categories of your data (eg data concerning your health).

These laws regulate the type of information we can process when performing certain services eg conducting an eye examination, fitting contact lenses or prescription glasses. They also require us to provide information to regulators when they're investigating complaints or claims and to customers or third parties who make a subject access request.

2. Contractual obligations

Sometimes the purchase of a product or use of our services means you need to enter into a contract with us, where it's necessary for us to process your personal data.

For example - if you order a product in store, or via our online services or you join our contact lens Direct Debit scheme, we'll process the personal data you give us to ensure we deliver the correct product to your selected address, or to collect the Direct Debit payment from you.

We may also need to process your data for insurance purposes or to fulfil our contractual obligations with the NHS, or other third parties who we've contracted with.

As part of these obligations, we're required to process your personal data to a suitable standard of quality and accuracy, to provide information to third parties and other industry bodies, and to retain your personal data for set minimum periods of time.

For example, our NHS Optical contract specifies that we have to keep up-to-date and accurate patient and medical records and provide details of any NHS funded eye tests or purchases to the NHS.

3. Legitimate Interest

Our legitimate interests are derived from our role as provider of eye health services to our customers, to protect and grow our business, commercial and financial interests, as well as our desire to retain existing and attract new customers.

We also rely on legitimate interests to make sure we let you know about our products and services, for sending you eye test reminders, sending you direct marketing communications and advertising, processing and reporting financial transactions, instituting and defending legal claims, market research, safety and security, statistical analysis and complaints.

For example - after your eye test, your optometrist will recommend the date of your next eye test. To help you look after your eye health, we will send you reminders by post or email when your next eye test is due.

4. Consent

In specific situations, we collect and process your data with your consent. We believe consent must be informed, specific and voluntarily given. We may require (written and/or verbal) consent from you in order to process your personal data for specific and limited reasons:

  • Providing your data to a third party who does not have a legal right to receive the information, including another optometrist, General Practitioners, hospitals or lawyers.
  • Providing your data to a third person, including another family member.
  • Consent from a child to provide personal data to a parent, where the child has been deemed capable of giving consent.

Where you have previously consented to the processing of your personal data for a specific reason, you are permitted to withdraw your consent at any time.

Please see our "How to contact us or change consent" section for more information.

5. Protecting the vital interests of the data subject

As we collect information regarding your eye health, in exceptional circumstances we may be required to provide this information to another healthcare provider for your safety and to prevent significant harm.

For example - in exceptional circumstances we may provide information regarding your eye health to your hospital if you were unable to give us consent.

 

Whenever we collect or process data, we keep it for as long as is required by law, or for as long as is reasonably necessary to fulfil the purpose it was originally collected for. We also keep records to satisfy industry body requirements, as well as to protect and defend ourselves against any claims.

As a registered provider of optical services, we're required to consider the General Optical Council (GOC) guidelines about contacting our customers for essential eye health check ups and the length of time we must keep customer records.

At the end of the retention period, we will either delete your data completely, anonymise it (for example by consolidating with other data so it can be used for statistical analysis and business planning) or put it beyond use.

We do share your personal data within our group of companies and with trusted third parties as an essential part of being able to provide our services to you. Please be assured we do not sell personal data, and do not provide personal data to list providers for the purposes of marketing.

Examples of third parties we work with to be able to provide our services to you, on our behalf include:

  • Operational companies such as delivery couriers who may deliver products or deliver communication to you on our behalf.
  • Product suppliers who make or provide the products we sell to you.
  • Third parties who we use to help us update your contact information to keep your data accurate.
  • IT and data companies who help support our websites and other business systems.
  • Other medical professionals including other optometrists, doctors or the NHS and third parties appointed by the NHS.
  • Public bodies who have the legal right to have access to the information e.g. the police.

Transfer of personal data to third countries

Your personal information may be transferred to companies situated outside of the UK or the European Economic Area (EEA). In these instances, we have put additional safeguards, including contracts, in place as required by data protection laws.

If required, your data will be transferred securely, in line with the requirements of the relevant data protection authorities.

 

Vision Express will not provide personal data to third parties unless we have the consent of the individual or we have a legal obligation, e.g. to law enforcement.

If you've authorised a third party to submit a request for the release of your personal data, then we'll ask them for written proof of your consent or to provide a verifiable power of attorney.

Consent / power of attorney must:

  • Be in writing
  • Provide your name, address and date of birth
  • Provide details of the personal data to be disclosed
  • Provide details of the recipient, including contact details and confirmation of identity
  • Be signed and dated by you.

Authorities requiring data under exemptions may request personal data without your consent. These requests should:

  • Be in writing
  • Provide full details of the affiliation or organisation
  • Provide full details of the requester, including name, rank or position
  • Provide full, verifiable contact information
  • Provide details of the data subject, and data required
  • Provide specific details of the incident and cameras if CCTV data is required
  • Provide details of the format and means by which the response is to be communicated
  • Provide details of the lawful basis of the request
  • Where necessary and disclosable, the reasons for the request.

All requests by authorities should be made to the Data Protection Officer.

We are only able to comply with requests that relate to personal data held in accessible, structured filing systems for which we are the data controller.

 

 

 

We may update this privacy statement from time to time. Any updates will take effect as soon as they are posted on our website.

Last updated 6th June 2019