Understanding why and how we process your Personal Data. At EssilorLuxottica, we are committed to protecting our customers’ Personal Data. Upholding this commitment is essential to our success and reputation, and ultimately our ability to fulfil our mission of helping people see more, be more and live life to its fullest.
1.1 Who we are?
Vision Express (UK) Limited, with registered office at Ruddington Fields Business Park, Mere Way, Nottingham, NG11 6NZ, United Kingdom, a company registered in the United Kingdom Trade Register under number 02189907, a company part of EssilorLuxottica Group (“Vision Express”)
Where Vision Express is the party that determines the purposes and the means of the processing, we are the Data Controller over your Personal Data.
In certain specified instances, Vision Express are joint controllers with another entity over the processing of your personal data: this means that we are jointly responsible with a third party for deciding on the purposes and the means of the processing. In such instances, we conclude Joint Controllers Agreements and notify you about it in this Privacy Notice. More specifically, we are in a joint controlling relationship over your Personal Data with:
Luxottica Group S.p.A., with registered office at Piazzale Cadorna no. 3 – 20123 Milan, Italy, a company in the EssilorLuxottica Group (“Luxottica”)
For further details on the essence of the Joint Controller relationship, you can contact us at the address set out in Section 8 of this Privacy Notice.
In this document where we refer to ‘EssilorLuxottica’ this means Vision Express and Luxottica jointly as joint controllers.
1.2 What is the purpose of this Privacy Notice?
Within the EssilorLuxottica Group, we attach particular importance to the lawful processing, confidentiality and security of your Personal Data.
The purpose of this Privacy Notice is to inform you in a clear, simple and complete manner of the processing that we carry out on the Personal Data that we process, the possible transfer to third parties as well as your rights and the options you have to control your Personal Data and to protect your privacy, in accordance with the applicable legislation.
We may update this Privacy Notice from time to time and recommend that you regularly check this page to ensure that you are up to date on our processing activities. We will notify you of any significant changes to the processing that we carry out.
We may provide different or additional privacy notices in connection with certain activities, programs, and offerings.
We may also provide additional “just-in-time” notices that may supplement or clarify our privacy practices or provide you with additional choices regarding your Personal Data.
Our websites (‘Sites’) may include links to websites and/or applications operated and maintained by third parties. Please note that we have no control over the privacy practices of websites or applications that we do not own or manage. EssilorLuxottica encourages you to review the privacy notices of those third parties before connecting.
1.3 What is this Privacy Notice about? Key definitions
Any information about an individual (the Data Subject) from which that person can be identified (name, contact details, identification number, etc.). The categories of Personal Data that we may process are listed in this Privacy Notice.
Processing (of Personal Data)
Any action carried out in relation to your Personal Data such as, the collection, recording, organisation, storage, modification, transfer, deletion, access, consultation, etc. of such data.
Recipients (of the Personal Data)
A natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not.
Refers to the Purpose of the Processing. In other words, the reason why the Personal Data is collected.
Refers to the services provided by Vision Express to the Customers, including the usual services provided by opticians and dispensing opticians (such as eye exams, contact lens fitting and aftercare services), as well as the dispensing and repair of glasses, activation of health insurance coverages, etc.
Refers to the website(s) of Vision Express.
Means the natural or legal person, department or organisation, who alone or jointly with others, determines the Purposes and means of the Processing of Personal Data.
Refers to two or more Data Controllers that jointly determine the Purposes and means of Processing.
Means a natural or legal person, department or other body which processes personal data on behalf of and on the instructions of the Data Controller.
Means subsidiaries of EssilorLuxottica Group, its ultimate holding company and its subsidiaries, or companies that it controls, are controlled by or under common control, and its service providers and strategic business partners
The brands owned by the companies belonging to EssilorLuxottica Group.
Jointly EssilorLuxottica SA (as ultimate holding company) and all its Affiliates
Regulation (EU) 2016/679 (General Data Protection Regulation)
Means the UK GDPR enacted into English law and which took effect on 31 January 2020.
The Personal Data we collect depends on the point of contact through which you interact with us, as well as the purposes of the interaction. We aim to limit personal data to that which is relevant and appropriate for this interaction.
We use different methods and various sources to collect data from and about you. We collect and obtain information:
- Provided directly by you
For example, you provide us with your personal data when engaging with us, such as:
- when booking an appointment, or during the registration process.
- when any of our services are being carried out, e.g. during your eye examination, when fitting contact lenses, providing eye health or after care services.
- when creating an account on the Sites or when purchases or communications are carried out via the use of the Site.
- when you update information that you have previously provided to us.
- when providing us with a prescription or referral letter from another firm of optometrists or issued by the NHS.
- when completing a purchase order or joining our engagement programs, prize competitions and events, and when you contact us with a request or feedback or to log a complaint.
- when you respond to a questionnaire or survey.
- We may also maintain recordings of calls that you make to our customer services, which are used for quality and assurance purposes.
- Using automatic tracking systems
- Through store visits and other offline technologies
When you visit our store, information may be collected during any pre-examination checks, during your eye examination, during any aftercare services or fittings that we carry out, when you make a purchase from us or for any subsequent adjustments that we make to products purchased. Information concerning the outcome of your eye examination, aftercare or other service will be updated to your patient record, including your prescription.
We also use CCTV in our stores for safety, security, fraud, loss, prevention, and operational purposes.
- From other health or medical practitioners or the NHS
As a patient, you may be referred to us by another health or medical practitioner, the National Health Service (NHS) or a contractor or service provider appointed by the NHS. Your record will be updated with the information that they provide to us.
- From other sources
We may obtain information about you from other sources, such as data analytics providers, marketing or advertising service providers, fraud prevention service providers, vendors that provide services on behalf of us, or information that is publicly available. We also create information based on our analysis of the information we have collected from you.
The Personal Data we collect depends on the point of contact through which you interact with us, as well as the purposes of this interaction as described hereafter in this Privacy Notice and are also limited to that which is relevant and appropriate for this interaction.
3.1 Categories of Personal Data
CATEGORY OF DATA
TYPES OF DATA
Including name and surname, e-mail address, gender, date of birth, country of residence, postal address and phone numbers, your location as well as your National Insurance number or equivalent if outside of the UK.
Means your bank account details that you instruct us to use in order to process the direct debit order used when purchasing products from us. This includes your name used at the banking institution, the name of the bank, sort code and account number.
When you pay by credit card, we do not collect this data. Rather, a third-party payment gateway is used to submit the data directly to your bank. All payments are made via a secure platform, supplemented by control measures, including encryption of contact details and details of products which you have purchased from us.
Profile and Commercial data
Including account name, your password, Personal Data published on your account, billing and delivery addresses, details of products and services which you have purchased from us (in store or online, including your order, tracking and invoices, amount and type of purchase) and your facial images, lifestyle interests and hobbies, family history, emergency contact details, preferences, feedback and survey responses as well as your opinions relating to goods and services when providing your views as a member of a customer panel.
Marketing and Communications Data
Including your preferences for receiving direct marketing from us, your communication preferences and information contained in any correspondence or requests sent by you to us or asked from you by us, including where problems experienced with the Sites, the Services or products that you have purchased are reported
Health and Medical Data
Including your ophthalmic prescription, eye examinations, measurements (optical correction, pupillary distance, etc.), adaptations and information having an impact on your visual health and eyesight checks that can be carried out in our stores as well as medical conditions and medication that you take as you disclose to us. Also includes your prescription and information and referrals issued by other health or medical practitioners.
Including the IP address or other unique code of your device (computer, mobile or other devices), identification as registered user or not (login data), technical information that may include the URL from where you originate, time zone setting and location, browser information and language
Including information regarding your interactions with our Sites, our Services, emails, products or advertisements and statistical data relating to these interactions
Eye Care Plan (‘Plan’)
Information relating to your membership of the Vision Express Eye Care Plan and related matters such as the name of the credit provider to whom you have applied for credit, status of payment and all details relating to the subscription that you enjoy under the Plan.
Details of the insurance cover that you enjoy with the insurer, the premiums paid, claims history and related matters.
Your queries, requests, complaints and in those instances where you exercise your rights as a data subject.
3.2 Processing of Sensitive data
Certain categories of Personal Data we process for the purposes set out below are qualified as Special Personal Data. This is particularly the case for the Health and Medical Data and the Data related to your eye health and care, medical conditions that you may disclose to us, or your race or ethnic origin that we may process.
However, we only process such Special Personal data in the following circumstances:
- where it is required or allowed under local applicable legislation; or
- where you give us your prior explicit consent.
As a registered firm of optometrists, for the provision of our healthcare services and related matters, Vision Express process your special personal data for the lawful purpose pursuant to the UK GDPR Article 9(h) (processing is necessary to provide our healthcare services).
What are the uses and legal basis for processing personal data?
We are required to use your data for purposes defined according to the nature of our relationships. Thus, depending on the context in which your data is collected, it may be used for one or more of the following purposes:
Provision of our eye health services
Follow-up and execution of your orders in shop and online and the after-sales services management
EXECUTION OF A CONTRACT
Transaction and potential unpaid invoices management
EXECUTION OF A CONTRACT
On-line Account and inscriptions creation and management
Communication between us
CONSENT (where direct marketing messages are sent by electronic means)
LEGITIMATE INTERESTS (for all other purposes)
DATA IS ANONYMISED.
Compliance with legal obligations
Legitimate interests pursuit
To meet our contractual obligations
PERFORMANCE OF A CONTRACT TO WHICH THE DATA SUBJECT / DATA CONTROLLER IS A PARTY.
Safety concerns of a patient.
Notes to our processing
Where processing is required by law
The provision of eye health services in the United Kingdom is regulated by the Opticians Act and Opticians Amendment Order and the Rules issued by the General Optical Council. Medical devices placed on the market are regulated by Medical Device laws.
Where processing is required by a contract that we are a party to
In some cases processing is required by a contract that we are a party to. This is the case, for example, of the following:
- Vision Express have concluded contracts with the NHS which stipulate that we are required to keep up to date and accurate patient records and medical information and provide details to the NHS (via their appointed representatives, agents or processors) of any NHS funded eye tests or purchases funded by the NHS.
- We have concluded a contract with Klarna, a registered credit provider. In order to offer you Klarna’s payment methods, we might in the checkout process pass your personal data in the form of your name, contact and order details to Klarna, in order for Klarna to assess whether you qualify for their payment methods and to tailor those payment methods for you. Your personal data transferred is processed in line with Klarna’s own Privacy Notice.
5.1 What methods do we use to process your personal data?
The processing of your Personal Data is carried out, electronically and manually, only within the limits necessary to pursue the purposes outlined above.
We undertake to protect your Personal Data.
Please note that the password is one of the protection mechanisms of the account. You are therefore requested to use a sufficiently secure password, to store it in a safe place, to limit access to it on your own computers and browsers, and to disconnect after having visited the Sites and/or the Services.
All Personal Data provided by you is kept on secure servers, adopting adequate security measures to protect Personal Data from non-authorised access, to maintain the accuracy of Personal Data and guarantee the proper use of information.
Furthermore, a secure system for authorising credit card payments and identifying fraudulent activities is used. We use the standard SSL (Secure Sockets Layer) to protect the confidentiality of your Personal Data.
5.2 We share your Personal Data with other Affiliates of the Group
EssilorLuxottica is a global organisation with offices and operations throughout the world and most of your Personal Data is stored and processed within a range of global applications that is used globally by the Affiliates of EssilorLuxottica. The majority of the processing of your personal data is carried out through the concentrated services of two entities: Essilor International and Luxottica S.p.A
We may share your Personal Data with certain Affiliates or Brands of the EssilorLuxottica group, based on your preferences and interests about these Affiliates or Brands, for the purposes set out in this Privacy Notice, in each case in or outside your country, as permitted and required by applicable law and/or in other circumstances with your consent.
We may also share your information for our internal business purposes.
5.3 Is your Personal Data transferred to third parties?
- Service provider
We may disclose your Personal Data to our third-party service providers entrusted with processing activities that provide services or assistance and advice to us, with special – but not exclusive – reference to technology, accounting, administrative, legal, insurance, IT, marketing, customer services, data subject requests management, and data analysis matters.
Each service provider will act as a data processor, on behalf of and in accordance with the instructions received from us, by virtue of a specific agreement in place per Article 28 of the UK GDPR, which sets out its obligations and guarantees the implementation of appropriate technical and organisational measures to respect the Applicable Legislation and the protection of your rights.
We require that any such third-party provider is subject to strict control and implements appropriate guarantees of security and confidentiality of your Personal Data.
- Sale or merger
We may also disclose Users' Personal Data:
- in the event that we sell any business or assets, in which case we may disclose Users' Personal Data to the prospective purchaser of such business or assets; or
- if we sell, buy, merge with, are acquired by, or partner with other companies or businesses, or sell some or all of our assets. In such transactions, Users' Personal Data may be among the transferred assets.
We may share all of the information we collect in connection with a substantial corporate transaction, such as the sale of a website, a merger, consolidation, asset sale, or in the unlikely event of bankruptcy.
- Legal process
We may disclose your Personal Data to any authority, court, administrative body, or other authorised third party (including, without limitation, external legal advisors and counsel), where the disclosure of Personal Data is required by law, regulation or court order or where such disclosure is necessary for the protection and defence of our rights.
- Other instances
We may ask if you would like to disclose your information to other third parties who are not described elsewhere in this Privacy Notice. Furthermore, we do not sell, rent, or lease your Personal Data to third parties but we may, from time to time, contact you on behalf of external business partners about a particular offering that may be of interest to you. In those cases, without your consent, your Personal Data would not be transferred to the third party.
The abovementioned recipients will process your Personal Data as data controllers, data processors or persons in charge of processing, depending on the circumstances.
5.4 Is your Personal Data transferred across the border?
Given the presence of EssilorLuxottica in many countries around the world and in order to provide you with personalised service worldwide, some of your data may be collected, accessible or stored outside your country of residence.
As a result of the above, your Personal Data may be accessed and/or transferred to countries which do not have equivalent data protection laws to those required within the European Economic Area (EEA) or United Kingdom.
In such cases, the party transferring the data will ensure that, at all times, appropriate safeguards are implemented to ensure that your Personal Data is processed in accordance with applicable legislation. In this respect, where your Personal Data is processed by another EssilorLuxottica entity, the safeguards are based on the commitments taken on the basis of (i) a dedicated transfer agreement binding upon the EssilorLuxottica entity involved in the processing and (ii) a set of common rules applicable through the EssilorLuxottica Group Data Protection Policy.
Where your data is processed by EssilorLuxottica entities or third parties located outside the European Economic Area or United Kingdom, we will ensure that specific contractual protection is implemented to ensure that this requirement is addressed in accordance with the Applicable Legislation as per Article 44 of the UK GDPR.
For further information with regard to the appropriate or suitable safeguards and the means by which to obtain a copy of them, you can contact us in accordance with the methods described in this Privacy Notice.
5.5 For how long do we retain your Personal Data?
We retain all or part of your Personal Data for the time strictly necessary for the following reasons:
- to meet applicable statutory requirements for data retention,
- to meet and comply with our legal and/or contractual obligations,
- to protect and defend legal claims,
- for as long as necessary to carry out each of the purposes mentioned in this Data Protection Privacy Notice, including for the purposes of satisfying any legal, accounting, reporting requirements.
To determine the appropriate retention period for Personal Data, we consider jointly the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your Personal Data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
Once we have established that there is no longer a legal, contractual or other basis to retain your Personal Data, it may be deleted or anonymised. Where it is anonymised, it can no longer be used to identify you directly or indirectly.
In particular, we inform you that our retention policy requires us to retain customer personal data as follows:
- For adults – 10 years after you were last seen, even if since deceased.
- For children and young people being 18 years and younger – 10 years after they were last seen or until the patient’s 25th birthday, if later. If the child or young person has died, the records will be retained for 10 years after they were last seen.
Should you require further information about our retention periods, please contact us by using the Contact information below.
In some circumstances we may anonymise your Personal Data so that it can no longer be associated with you, in which case we may use such information without further notice to you.
5.6 We keep your data safe, updated and accurate
We have a responsibility for the security and accuracy of the Personal Data that we process about you and for keeping data up to date. We have taken steps to eliminate duplicate copies of data and to facilitate updating of data that may change over time.
EssilorLuxottica regards the protection of Personal Data as an essential priority.
In this respect, we have implemented appropriate measures and safeguards to protect the Personal Data that we process.
This is reflected in EssilorLuxottica Group’s procedures, guidelines and policies and in the actual measures implemented throughout the Group.
We have put in place appropriate security measures to prevent your Personal Data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your Personal Data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your Personal Data on our instructions, and they are subject to a duty of confidentiality. These measures range from technical security measures that protect IT systems to the physical security measures employed at EssilorLuxottica sites. EssilorLuxottica also requires its staff to participate in information security training. Details of these measures may be obtained from the Group Information Security Department.
We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
You can exercise any of the following rights, subject to verification of your identity where necessary:
- Right of Information and Access
You may request the confirmation of the existence of your Personal Data and to be informed of its content and source and obtain a copy of those Personal Data which our databases currently contain.
- Right to Rectification
You may request to rectify what Personal Data our databases currently contain. We may not accommodate a request to change Personal Data if we believe the change would violate any law or legal requirement or cause the information to be incorrect.
- Right to Restriction of the Processing
When applicable, you may restrict the processing of your Personal Data. When such restrictions are not possible, we will advise you accordingly. You can then choose to exercise any other rights under this Privacy Notice, including withdrawing your consent to the processing of your Personal Data.
- Right to Object to the Processing
When applicable, you have the right to object to the processing of your Personal Data on grounds relating to your particular situation, if the processing is based on our legitimate interest. In addition, you have the right to object at any time to processing where Personal Data are processed for direct marketing purposes, which includes profiling to the extent that it is related to such direct marketing.
When such objections are not possible, we will advise you accordingly. You can then choose to exercise any other rights under this Privacy Notice, to include withdrawing your consent to the processing of your Personal Data.
- Right to Erasure
If you should wish to have your Personal Data deleted, then you may submit a request. Upon receipt of such a request for erasure, we will assess your request and will notify you if your request is not successful.
- Right to data Portability
Upon request and when possible and where applicable by local laws, we can provide you with copies of your Personal Data. When such a request cannot be honoured, we will advise you accordingly. You can then choose to exercise any other rights under this Privacy Notice, including withdrawing your consent. Where applicable, we will ensure such changes are shared with any trusted third parties.
- Right to Withdraw your Consent
Where processing is based on consent, you may withdraw your consent at any time to the processing of your Personal Data. Upon receipt of such a withdrawal of consent, we will confirm receipt and proceed to stop processing your Personal Data.
- Right to lodge a complaint with the relevant data protection supervisory authority
If you are not satisfied with the way we process your Personal Data and/or respond to a request to exercise the rights you have exercised, you can lodge a complaint with the relevant data protection competent supervisory authority.
In order to exercise your rights, please contact: firstname.lastname@example.org
Furthermore, we offer tools to you to update and amend your Personal Data. Indeed, every registered User may access his/her own information and update it (e.g., through User account).
Besides, it is also possible for you to modify and update your preferences on how you wish to receive e-mails or other communications from us. You may also request that your information on your account is deleted.
8.1 Contact of the Data Controller
Should you have questions or comments on this Privacy Notice or on any data processing we carry out, we may be contacted in the following ways:
- Email us at email@example.com including if you want to escalate a matter to the Data Protection Officer. We will aim to acknowledge receipt of your email within 48 hours.
- Email us using our Contact Us form which can be found at https://www.visionexpress.com/customer-services/contact-us/.
- Call our Customer Services department on 08000 382 177.
- Write to us: Customer Service Department, Vision Express (UK) Limited, Ruddington Fields Business Park, Mere Way, Ruddington, Nottingham NG11 6NZ.
8.2 Contact of the Data Protection Officer
Vision Express has appointed a Data Protection Officer who can be contacted at the following email address: firstname.lastname@example.org
Luxottica has appointed a Data Protection Officer who can be contacted at email@example.com or by way of post at the address of Piazzale Cadorna 3, Milan, Italy.
You can also send an email to firstname.lastname@example.org in case of any question related to this document.
For legal and/or organisational reasons, this Privacy Notice may undergo changes. We suggest, therefore, that you check this Privacy Notice regularly and refer to the latest version of it. We will post the date it was last updated at the top of this Privacy Notice.
In any case, an updated version of the Privacy Notice will always be available on the Site and we will provide additional notice to you if we make any changes that materially affect your privacy rights.
Last updated 6th February 2024.
We may update this privacy statement from time to time.
Any updates will take effect as soon as they are posted on our website.
All of our rights are reserved.