Vision Express takes data protection seriously. We're committed to safeguarding your privacy and keeping your personal information confidential and secure.
We want to be clear and transparent as to why and how we use your data. Our privacy statement:
This privacy statement applies to any customer personal data that we process in any of our business activities. This includes data collected in store or on any of our websites, online forms, social media, emails, complaints, customer satisfaction surveys, any written correspondence, and over the telephone.
Vision Express (UK) Limited, Reg Co Number 2189907, belongs to a group of companies, whose parent company, Grand Vision, is registered in the Netherlands. We also have companies registered in the Republic of Ireland and Jersey.
This policy applies to Vision Express (UK), all of its subsidiaries and their subsidiaries, including joint ventures and all are registered with the Information Commissioner's Office (ICO) as data controllers.
The policy also applies to Vision Express (Ireland) Limited, its subsidiaries, and joint ventures and all are registered with the Irish Data Protection Commission as data controllers.
We have appointed a Data Protection Officer who can be contacted at firstname.lastname@example.org.
Please note that:
To protect the confidentiality of your information, we will ask you to verify your identity before proceeding with any request you make under this privacy notice.
Our responses may include sensitive personal data and confidential data, so we require:
Please note - in most instances access to your personal data is free of charge.
We are only able to comply with requests that relate to personal data held in accessible, structured filing systems for which we are the data controller.
You have rights regarding your personal data. Please see below for more information:
| Your Rights | We will: |
|---|---|
| Right of access - You can request a copy of the personal data that we hold on you. This is called a Subject Access Request. You can also consent to us making your personal data available to a third party. For more information on giving consent to a third party or family member, please see the 'Subject Access Requests by Third parties' section below. | We will make your information available to you within the recommended timeframe once we've confirmed your identity. We'll provide your personal data to a third party if we're happy that the information has been lawfully requested. |
| Right of rectification - you may request that we correct personal data that we hold about you which you believe is incorrect or inaccurate. | As soon as you contact us, we'll assess your request. Please note that we may ask you to verify any new data that you provide to us and may take our own steps to check that the new data you have supplied us with is right. In certain circumstances we may have to refuse a request for rectification but we will let you know and explain our decision. |
| Right to restrict processing - in certain instances, you can request that we stop processing your information e.g. where you believe the information is inaccurate, or you believe there is no legal reason for us to continue to process your data. | Where the data is restricted from being processed, we will (with the exception of storage) not process your personal data without your consent, unless we have a legal reason to do so, or we need to defend any legal claims against us or we need to protect another individual's rights. |
| Right to data portability - you have the right to have your information transferred to another entity where this is technically possible. | We'll provide your personal data to you in a structured, commonly used and machine readable format. |
| Right to object - you may object to the processing of your personal data where we use 'legitimate interests' as the lawful basis for processing. You also have the right to object to the processing of your personal data for purposes of direct marketing. | We'll stop using your personal data unless we believe we have a legitimate overriding reason to continue processing your personal data, or we need to defend any legal claims against us. We'll record your request and will ensure that no further marketing communications are sent to you. This may take 28 days to take effect from receiving your request. |
| Right to withdraw consent - whenever you have given us your consent to use your personal data, you have the right to change your mind at any time and withdraw that consent. | We'll stop processing your personal data for the purpose for which the consent was given. The lawfulness of processing based on consent before its withdrawal will not be affected. |
| Right to Erasure - you have the right to request that we delete the personal information we hold on you. You have the right to have your personal data deleted only in the following circumstances: | We'll assess your request and confirm if your request can be actioned. However we're not always obliged to erase personal data and in many cases legislation will prevent us from simply deleting personal data and requires us to retain personal data for a period of time. This is more fully discussed in the 'How long do we keep your data' section. Where we have been asked to erase data but have a legal obligation to keep it, we will: |
You also have the right to lodge a complaint with a supervisory body, e.g. the Information Commissioner's Office. You can contact them by:
Post - Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
Tel: 0303 123 1113
Post - Data Protection Commissioner, Canal House, Station Road, Portarlington, Co. Laois, R32 AP23, Eire
To be able to provide you with our goods and services, we may need to, or be legally required to obtain and process your personal data.
We collect personal data in a number of ways, including when you visit a store, via the website, by phone, email, post and social media.
The type of personal data we collect includes:
Your personal data is processed for the following reasons, so that we can provide you with the best possible eye health care and customer experience. Here's how we use your data:
To provide professional eye care services:
To meet our regulatory obligations:
For financial purposes e.g.
For commercial purposes e.g.
When requested by third parties e.g.
Complaints and Queries e.g.
Business purposes e.g.
There are a number of reasons why, as a company, we will collect and process your personal data. The lawful bases we use for processing your personal data are:
1. Regulatory compliance
As a firm of registered Opticians, we are permitted by law to process special categories of personal data (e.g. data concerning your health).
The provision of eye health services in the UK is regulated by the Opticians Act and the Rules issued by the General Optical Council. In Ireland it is regulated by the Health and Social Care Professional Act and the Optical Registration Board Bye-laws. They legally require us to collect and process your personal data including special categories of your data (e.g. data concerning your health).
These laws regulate the type of information we can process when performing certain services e.g. conducting an eye examination, fitting contact lenses or prescription glasses. They also require us to provide information to regulators when they're investigating complaints or claims and to customers or third parties who make a subject access request.
2. Contractual obligations
Sometimes the purchase of a product or use of our services means you need to enter into a contract with us, where it's necessary for us to process your personal data.
For example - if you order a product in store, or via our online services or you join our contact lens Direct Debit scheme, we'll process the personal data you give us to ensure we deliver the correct product to your selected address, or to collect the Direct Debit payment from you.
We may also need to process your data for insurance purposes or to fulfil our contractual obligations with the NHS, or other third parties who we've contracted with.
As part of these obligations, we're required to process your personal data to a suitable standard of quality and accuracy, to provide information to third parties and other industry bodies, and to retain your personal data for set minimum periods of time.
For example, our NHS Optical contract defines that we have to keep up-to-date and accurate patient and medical records and provide details of any NHS-funded eye tests or purchases to the NHS.
3. Legitimate Interest
Our legitimate interests are derived from our role as provider of eye health services to our customers, to protect and grow our business, commercial and financial interests, as well as our desire to retain existing and attract new customers.
We also rely on legitimate interests to make sure we let you know about our products and services, for sending you eye test reminders, sending you direct marketing communications and advertising, processing and reporting financial transactions, instituting and defending legal claims, market research, safety and security, statistical analysis and complaints.
For example - after your eye test, your optometrist will recommend the date of your next eye test. To help you look after your eye health, we will send you reminders by post or email when your next eye test is due.
In specific situations, we collect and process your data with your consent. We believe consent must be informed, specific and voluntarily given. We may require (written and/or verbal) consent from you in order to process your personal data for specific and limited reasons:
Where you have previously consented to the processing of your personal data for a specific reason, you are permitted to withdraw your consent at any time.
Please see our "How to contact us or change consent" section for more information.
5. Protecting the vital interests of the data subject
As we collect information regarding your eye health, in exceptional circumstances we may be required to provide this information to another healthcare provider for your safety and to prevent significant harm.
For example - in exceptional circumstances we may provide information regarding your eye health to your hospital if you were unable to give us consent.
Whenever we collect or process data, we keep it for as long as is required by law, or for as long as is reasonably necessary to fulfil the purpose it was originally collected for. We also keep records to satisfy industry body requirements, as well as to protect and defend ourselves against any claims.
As a registered provider of optical services, we're required to consider the General Optical Council (GOC) guidelines about contacting our customers for essential eye health check ups and the length of time we must keep customer records.
At the end of the retention period, we will either delete your data completely, anonymise it (for example by consolidating with other data so it can be used for statistical analysis and business planning) or put it beyond use.
We do share your personal data within our group of companies and with trusted third parties as an essential part of being able to provide our services to you. Please be assured we do not sell personal data, and do not provide personal data to list providers for the purposes of marketing.
Examples of third parties we work with to be able to provide our services to you, on our behalf, include:
Transfer of personal data to third countries
Your personal information may be transferred to companies situated outside of the UK or the European Economic Area (EEA). In these instances, we have put additional safeguards, including contracts, in place as required by data protection laws.
If required, your data will be transferred securely, in line with the requirements of the relevant data protection authorities.
Vision Express will not provide personal data to third parties unless we have the consent of the individual or we have a legal obligation, e.g. to law enforcement.
If you've authorised a third party to submit a request for the release of your personal data, then we'll ask them for written proof of your consent or to provide a verifiable power of attorney.
Consent / power of attorney must:
Authorities requiring data under exemptions may request personal data without your consent. These requests should:
All requests by authorities should be made to the Data Protection Officer.
We are only able to comply with requests that relate to personal data held in accessible, structured filing systems for which we are the data controller.
We may update this privacy statement from time to time. Any updates will take effect as soon as they are posted on our website.
Last updated 6th June 2019