Vision Express takes data protection seriously. We recognise that data protection and privacy are important to our customers, our employees, prospective employees and our suppliers. We undertake to fully comply with all legislation designed to protect privacy and personal data, to protect the rights of individuals, and to lawfully and transparently process personal data.
This privacy statement tells you what to expect when Vision Express collects and processes any personal data. It also provides you with details of how we use your personal data, and how to contact us in the event you have a query or a complaint.
This privacy statement applies to any personal data that we collect in any of our business activities. This includes, but is not limited to, data collected on any of our websites, online forms, social media, emails, complaints, customer satisfaction surveys, any written correspondence, recruitment and careers website, in stores, and over the telephone.
For further information on how we process data for recruitment and job applicants please see our recruitment privacy statement.
Vision Express (UK) Limited Reg Co Number 2189907 is the data controller for the Vision Express group of companies and is registered as such with the Information Commissioner’s Office (ICO). We have registered companies in the UK, Republic of Ireland and Jersey and comply with all country regulations.
We have appointed a Data Protection Officer who can be contacted at firstname.lastname@example.org, and who ensures compliance and provides oversight over all of our data protection issues.
We collect data in a number of ways, including in store, via the website, by phone, post or social media:
The type of data that we collect will depend on the purpose for which you contact us. Personal data is likely to include:
There are a number of reasons that as a company we will collect and process your personal data, including:
In certain circumstances you may enter into an express or implied contract with Vision Express, and we may process data on that basis. Typically this is for the use of our services or purchase of a product.
For example – if you order a product in store or online or join our contact lens direct debit scheme we will process the personal data you give us to ensure we deliver the correct product or collect the direct debit payment from you.
Our legitimate interests are derived from our role as provider of eye health services for our customers, as well as from administering and maintaining services for employees and job applicants with whom we have established a relationship.
Legitimate interests include some forms of marketing and advertising, health management and reporting, processing and reporting of financial transactions, legal claims, management, market research, safety and security, statistical analysis and complaints.
For example – after you have had your eye test your optometrist will recommend the date of your next eye test. To help you look after your eye health we will then send you eye test reminders by post or email.
We may need to collect and process your personal data when the law or our statutory obligations require. These reasons include retention and providing information for crime, taxation and reporting. We are also bound by the requirements of the National Health Service, General Optical Council and other professional bodies to process records to a suitable standard of quality and care, to provide certain information to authorities, and to retain records for prescribed minimum periods of time.
For example – Our NHS Optical contract defines that we have to keep up to date and accurate patient and medical records and provide details of any NHS funded eye tests or purchases to the NHS.
Protecting the vital interests of the data subject
As we collect information regarding your eye health, in exceptional circumstances we may be required to provide this information to another healthcare provider for your safety and to prevent significant harm.
For example – in exceptional circumstances we may provide information regarding your eye health to your hospital if you were unable to give us direct consent.
In specific situations, we collect and process your data with your consent. Please see the How do we collect consent section for more details.
Vision Express believes in informed consent and requires consent to be provided through an affirmative action.
We require explicit (written and/or verbal) consent from you in order to process your personal data for a few, specific and limited purposes:
For more information regarding consent for the release of personal data to a third party, family member or parent, please see the Subject Access Requests by Third Parties section below.
Vision Express also makes use of informed, implied consent in order to process personal data for purposes that include taking details for eye examination bookings and job applications.
You can change your consent to marketing or other processing at any time. Having opted-in you will always be provided with an opportunity to opt out.
Please see our ‘How do you contact us or change consent’ section for more information.
Whenever we collect or process data we only keep it for as long as necessary for the purpose it was collected or to comply with relevant legislation and regulations.
At the end of the retention period, your data will be either deleted completely or anonymised, for example by aggregation with other data so it can be used in a non-identifiable way for statistical analysis and business planning. If you would like to keep a copy of your records then please request this information under the right to data access, before the retention period elapses.
Some examples of our data retention periods
We do share your personal data within our group of companies and with trusted third parties. We do not sell personal data, and do not provide personal data to list providers for the purposes of marketing.
Examples of third party companies we work with in the provision of services to you on our behalf include:
All third party data processors will be bound by written agreements as required by legislation. Their activities will be documented, assessed and controlled by Vision Express.
Data will only be transferred with suitable controls and protection. We apply strict policies and procedures to any bulk storage and transfer of data. Data will only be transferred within the European Union, or to countries having adequate data protection laws as directed by legislation.
Our core reasons for processing data are for administration, commercial, customer service, data quality, employment, financial, legal, marketing, medical, research, safety and security, service provision, statistical analysis and suppression.
We want to make our eye health communication with you as tailored and relevant to you as we can, so we may combine data captured in our business, such as gender, geographical location and transactional history, with data from publicly available lists. We do so thoughtfully and always with the intention to cause as little intrusion as possible. We’ll do this on the basis of our legitimate business interest.
You may wish to change how we use your data and contact you, and you’ll find details in our How do you contact us or request a change section. Please remember if you choose not to share your personal data with us or refuse certain contact permissions, we might not be able to provide some services you have asked for.
This section explains the types of communications we send out, the lawful basis, when you may receive them, and their purpose.
We contact our customers for the purposes of eye health medical notifications service and direct marketing and administration. Customers may typically receive the following communications:
We contact job applicants solely for employment purposes, and limit our communications to notification about current application progress and to invite you to apply for future opportunities. For more information please see our recruitment privacy statement.
You have several rights under data protection legislation. This section provides an overview of those rights and how to request changes.
Right to be informed - this means you have a right to be informed about the way we collect and use your data.
Right of Access - also sometimes called a Subject Access Request - this means you have a right to request a copy of the data we hold about you. For more information about requesting data on behalf of someone, please see our Subject Access Request section below.
Right of Rectification - this means that you can request that we correct your personal data if it is inaccurate. Please be aware in the event that the data was provided by a third party such as a medical diagnosis by an optician, we reserve the right to review and decide on changes at our discretion. Where we decline to make changes we will explain the reasons for the decision.
Right of Erasure - this means you can request that all the data that we hold about you is deleted. However, in many cases legislation will prevent us from simply deleting personal data and obliges us to retain personal data for a period of time as discussed in the “How long do we keep your data” section above.
Where we have been asked to erase data but have a legal obligation to keep it, we will:
Right to Restrict Processing - this means that you can request that processing of your data is limited and your data is stored separately.
Right to Data Portability - this means that under certain circumstances you can request your data in structured electronic format. Unless requested, we will transmit data to the email address we already hold on record. Please note we will need your written consent before transferring your data to a third party.
Right to Object - this means you have a right to object to direct marketing, including profiling. Wherever possible we will do so, unless we believe we have a legitimate overriding reason to continue to process your data. For more information please see the section on How do you contact us or request a change.
Rights Related to Automated Decision Making - this means that where a decision is being made about you using an automated process, you can request an explanation as to why that process is used and request human intervention if you believe a human would come to a different conclusion. We do not currently do automated decision making.
If you would like to
If you would like
Data Protection Officer
Please note that:
Vision Express will not provide personal data to third parties unless we have the consent of the individual or a statutory exemption applies.
If you have authorised a third party to submit a request for the release of your personal data, then we will ask them for written proof of this consent or to provide a verifiable power of attorney.
Authorities requiring data under exemptions may request personal data without the consent of the individual. These requests should:
All requests by authorities should be made to the Data Protection Officer.
To protect the confidentiality of your information, we will ask you to verify your identity before proceeding with any request you make under this privacy notice.
Our responses may include sensitive personal data and confidential data, so we require:
Please note – access to your personal data is free of charge.
We are only able to comply with requests that relate to personal data held in accessible, structured filing systems for which we are the data controller.
If you feel that Vision Express has not fulfilled its obligations under data protection legislation or has not protected your data then you have the right to complain.
The Information Commissioner is the Supervising Authority for privacy and data protection in the United Kingdom.
Republic of Ireland
The Office of the Data Protection Commissioner for Ireland is the Supervising Authority for privacy and data protection in the Republic of Ireland.
At Vision Express we must comply with relevant sections and amendments of numerous current and future laws, regulations, codes and regulatory guidelines. These include:
We may update this privacy statement and any of our data policies from time-to-time, and in such event we will post a clear message on our Website. Please check the website for any updates before relying on the privacy statement for legal or other purposes.
Last updated 14th May 2018