Privacy policy

1.1 Who we are?

Vision Express (Ireland) Limited, with registered office at Unit 204, The Square, Tallaght, Dublin 24, Ireland with registration number 166283, a company directly or indirectly owned by EssilorLuxottica Group (“Vision Express”)

Where Vision Express is the party that determines the purposes and the means of the processing, we are the Data Controller over your Personal Data.

in certain specified instances, Vision Express are joint controllers with another entity over the processing of your personal data: this means that we are jointly responsible with a third party for deciding on the purposes and the means of the processing. In such instances, we conclude Joint Controllers Agreements and notify you about it in this Privacy Notice. More specifically, we are in a joint controlling relationship over your Personal Data with:

Luxottica Group S.p.A., with registered office at Piazzale Cadorna no. 3 – 20123 Milan, Italy, a company in the EssilorLuxottica Group (“Luxottica”)

For further details on the essence of the Joint Controller relationship, you can contact us at the address set out in Section 8 of this Privacy Notice.

In this document where we refer to ‘EssilorLuxottica’ this means Vision Express and Luxottica jointly as joint controllers.

1.2 What is the purpose of this Privacy Notice?

Within EssilorLuxottica Group, we attach particular importance to the lawful processing, confidentiality and security of your Personal Data.

The purpose of this Privacy Notice is to inform you in a clear, simple and complete manner of the processing that we carry out on the Personal Data that we process, the possible transfer to third parties as well as your rights and the options you have to control your Personal Data and to protect your privacy, in accordance with the applicable legislation.

We may update this Privacy Notice from time to time and recommend that you regularly check this page to ensure that you are up to date on our processing activities. We will notify you of any significant changes to the processing of data that we carry out.

We may provide different or additional privacy notices in connection with certain activities, programs, and offerings.

We may also provide additional “just-in-time” notices that may supplement or clarify our privacy practices or provide you with additional choices regarding your Personal Data.

Our websites (‘Sites’) may include links to websites and/or applications operated and maintained by third parties. Please note that we have no control over the privacy practices of websites or applications that we do not own or manage. EssilorLuxottica encourages you to review the privacy notices of those third parties before connecting.

1.3 What is this Privacy Notice about? Key definitions

Personal Data	Any information about an individual (the Data Subject) from which that person can be identified (name, contact details, identification number, etc.). The categories of Personal Data that we may process are listed in this Privacy Notice.
Processing (of Personal Data)	Any action carried out in relation to your Personal Data such as, the collection, recording, organisation, storage, modification, transfer, deletion, access, consultation, etc. of such data.
Recipients (of the Personal Data)	A natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not.
Purpose	Refers to the Purpose of the Processing. In other words, the reason why the Personal Data is collected.
Services	Refers to the services provided by Vision Express to the Customers, including the usual services provided by opticians and dispensing opticians (such as eye exams, contact lens fitting and aftercare services), as well as the dispensing and repair of glasses, activation of health insurance coverages, etc.
Sites	Refers to the website(s) of Vision Express.
Data Controller	Means the natural or legal person, department, or organisation, who alone or jointly with others, determines the Purposes and means of the Processing of Personal Data.
Joint Controller	Refers to two or more Data Controllers that jointly determine the Purposes and means of Processing.
Data Processor	Means a natural or legal person, department or other body which processes personal data on behalf of and on the instructions of the Data Controller.
Affiliates	Means subsidiaries of EssilorLuxottica Group, its ultimate holding company and its subsidiaries, or companies that it controls, are controlled by or under common control, and its service providers and strategic business partners
Brands	The brands owned by the companies belonging to EssilorLuxottica Group.
EssilorLuxottica Group	Jointly EssilorLuxottica SA (as ultimate holding company) and all its Affiliates
GDPR	Regulation (EU) 2016/679 (General Data Protection Regulation)

The Personal Data we collect depends on the point of contact through which you interact with us, as well as the purposes of the interaction. We aim to limit personal data that is relevant and appropriate for this interaction.

We use different methods and various sources to collect data from and about you. We collect and obtain information:

1. Provided directly by you

For example, you provide us with your personal data when engaging with us, including such as:

• when booking an appointment, or during the registration process.
• when any of our services are being carried out, e.g. during your eye examination, when fitting contact lenses, providing eye health or after care services.
• when creating an account on the Sites or when purchases or communications are carried out via the use of the Site.
• when you update information that you have previously provided to us.
• when providing us with a prescription or referral letter from another firm of optometrists or issued by the NHS.
• when completing a purchase order or join our engagement programs, prize competitions and events and when you contact us for request, feedback or log a complaint.
• when you respond to a questionnaire or survey.
• We also may maintain call recordings that you make to our customer services calls which are used for quality and assurance purposes.
   

2. Using automatic tracking systems

We use some technologies (e.g. cookies and automatic tracking systems) that automatically collect certain items of information relating to the way in which you utilise the Sites and the Services. For further information on the use of Personal Data collected through automatic tracking systems, please refer to our Cookie Policy available here.
 

3. Through stores visits and other offline technologies

When you visit our store, information may be collected during any pre-examination checks, during your eye examination, during an aftercare services or fittings that we carry out, when you make a purchase from us or for any subsequent adjustments that we make to products purchased. Information concerning the outcome of your eye examination, aftercare or other service will be updated to your patient record, including your prescription.

We also use CCTV in our stores for safety, security, fraud, loss, prevention, and operational purposes.
 

4. From other health or medical practitioners or the PRSI

As a patient, you may be referred to us by another health or medical practitioner, or we may receive claims related information from the PRSI or a contractor or service provider appointed by the PRSI. Your records will be updated with the information that they provide to us.

5. From other sources

We may obtain information about you from other sources, such as data analytics providers, marketing or advertising service providers, fraud prevention service providers, vendors that provide services on behalf of us, or information that is publicly available. We also create information based on our analysis of the information we have collected from you.

The Personal Data we collect depends on the point of contact through which you interact with us, as well as the purposes of this interaction as described hereafter in this Privacy Notice and are also limited to that which is relevant and appropriate for this interaction.

3.1 Categories of Personal Data
 

CATEGORY OF DATA	TYPES OF DATA
Identifiable information	Including information such as name and surname, e-mail address, gender, date of birth, country of residence, postal address and phone numbers, your location as well as your medical insurance number or similar.
Payment information	Means your bank account details that you instruct us to use in order to process the direct debit order used when purchasing products from us. This includes your name used at the banking institution, the name of the bank, sort code and account number. When you pay by credit card, we do not collect this data. Rather, a third-party payment gateway is used to submit the data directly to your bank. All payments are made via a secure platform, supplemented by control measures, including encryption of contact details and details products which you have purchased from us
Profile and Commercial data	Including account name, your password, Personal Data published on your account, billing and delivery addresses, details of products and services which you have purchased from us (in store or online, including your order, tracking and invoices, amount and type of purchase) and your facial images, lifestyle interests and hobbies, family history, emergency contact details, preferences, feedback and survey responses as well as your opinions relating to goods and services when providing your views as a member of a customer panel.
Marketing and Communications Data	Including your preferences for receiving direct marketing from us, your communication preferences and information contained in any correspondence or requests sent by you to us or asked from you by us, including where problems experienced with the Sites, the Services or products that you have purchased are reported
Health and Medical Data	Including your ophthalmic prescription, eye examinations, measurements (optical correction, pupillary distance, etc.), adaptations and information having an impact on your visual health and eyesight checks that can be carried out in our stores as well as medical conditions and medication that you take as you disclose to us. Also includes your prescription and information and referrals issued by other health or medical practitioners.
Device information	Including such as the IP address or other unique code of your device (computer, mobile or other devices), identification as registered user or not (login data), technical information that may include the URL from where you originate, time zone setting and location, browser information and language
Navigation information	Including information regarding your interactions with our Sites, our Services, emails, products or advertisements and statistical data relating to these interactions
Eye Care Plan (‘Plan’)	Information relating to your membership of the Vision Express Eye Care Plan and related matters such as the name of the credit provider to whom you have applied for credit, status of payment and all details relating to the subscription that you enjoy under the Plan.
Insurance information	Details of the insurance cover that you enjoy with the insurer, the premiums paid, claims history and related matters.
Correspondence	Your queries, requests, complaints and in those instances where you exercise your rights as a data subject.

 

3.2 Processing of Sensitive data

Certain categories of Personal Data we process for the purposes set out below, are qualified as Special Personal Data. This is particularly in the case of the Health and Medical Data and the Data related to your eye health and care, medical conditions that you may disclose to us, or your race or ethnic origin that we may process.

However, we only process such Special Personal data in the following circumstances:

• where it is required or allowed under local applicable legislation; or
• where you give us your prior explicit consent.

As a registered firm of optometrists, for the provision of our healthcare services and related matters, Vision Express process your special personal data for the lawful purpose pursuant to the UK GDPR Article 9(h) (processing is necessary to provide our healthcare services). 

What are the uses and legal basis for processing personal data?

We are required to use your data for purposes defined according to the nature of our relationships. Thus, depending on the context in which your data is collected, it may be used for one or more of the following purposes:

PURPOSES	DETAILS	LEGAL BASIS
Provision of our eye health services	Booking details and date of eye examination. Carrying out an eye examination. Referrals provided to or received from other medical or health practitioners. Providing emergency eye care services. Fitting of contact lenses and aftercare. Generation and issue of a specification (prescription). Fundus images taken of the eye. Measurements taken during an eye test. Information on any medical or health matters that you share with us. Details of prescription glasses and contact lenses prescribed and purchased. Details of eye care solutions recommended. Responding to investigations, complaints or clinical queries.	LEGAL OBLIGATION
Follow-up and execution of your orders in shop and online and the after-sales services management	Formalise a quotation. Manage product sales, online and in-store orders (purchase, delivery and supply of products and services). Delivery of your order to your nominated address, including the ability to track the delivery. Manage your invoicing and your warranty. Manage follow-up and provide after-sales service and customer relations (including, for example, returns, warranty and customer support). Send your commercial communications via e-mail, sms, direct mail on similar products, events and services already provided to you, unless you object to such a processing at the time of the collection and on each occasion that we communicate with you.	EXECUTION OF A CONTRACT
Transaction and potential unpaid invoices management	Carry out secure online and in-store payments (with reference to invoicing obligations). Manage incidents related to payment and debts. Process potential unpaid invoices: Identify your known unpaid invoices. Inform you of an unpaid amount, of the means available to you to remedy it, to make observations and to request a review of your situation if necessary.	EXECUTION OF A CONTRACT
On-line Account and inscriptions creation and management	Allow you to register to our Sites and create your own account. Provide the services available through the Sites and the Services (e.g. management of the registration process and access to the account, account management, the reminder for products in the shopping cart, etc.). Manage your client profile. Permit you to join our engagement programs. Allow you to participate in our contests, prize competitions and initiatives promoted. Carry out to surveys and questionnaires.	CONSENT
Communication between us	Send you reminders you that your eye test is due or overdue. Send eye health related articles of interest and guidelines on how to care for your eyes. Send you commercial and promotional communications and periodical updates (e.g., via e-mail, phone, SMS/MMS, postal service, social network and newsletter) related to our products, services, initiatives and events. Manage our personalised commercial offers based on the analysis of your Personal Data related to spending volume, product category, date of birth and methods of purchase). Fulfil your requests (e.g., management of requests for information, booking of eyesight checks, providing the “share with a friend” feature, to notify with the “back in stock” feature, etc.).	CONSENT (where direct marketing messages are sent by electronic means) LEGITIMATE INTERESTS (for all other purposes)
Analysis purposes	Manage personalised content and communications. Carry out statistical analyses on the customer audience. Analyse the performance of our Sites and Services, our media investments and marketing campaigns, and our web orders.	DATA IS ANONYMISED.
Compliance to legal obligations	Comply with the requirements of the laws, regulations, guidelines, protocols and national and EU legislation (including target medical device legislation). Carry out the regulatory obligations required of opticians and firms of opticians. Implement the decisions of public Authorities. Responding to your requests when you exercise your rights, including as a data subject. Product traceability. Data retention with regard to accounting and tax obligations. Combating fraud (certain automatic or manual processes are designed to verify your online payments and to combat fraud involving payment methods and identity theft). For purposes of carrying out our health and safety obligations.	LEGAL OBLIGATIONS
Legitimate interests pursuit	Exercise or defend legal claims in court proceedings or in administrative or out-of-court procedures relating to our rights, of our group companies and/or of our representatives, shareholders, officers and directors. Enable the technical management of the Sites and the Services and its operational functions, including solving any technical problems, to perform tests, updates and upgrades that cannot be performed through non-personal data. Prevent or identify fraudulent activities or misuses of the Sites and the Services or against the EssilorLuxottica group and/or the Users of the Sites and the Services. Complete a potential merger, sale of assets, transfer of all or a material part of its business, or financing transaction by disclosing and transferring the Personal Data to the third party or parties involved in the transaction as part of the transaction. Conduct surveys and market research relating to our products and services by post, telephone or e-mail. Anonymise Personal Data in order to perform statistical analysis.	LEGITIME INTEREST
To meet our contractual obligations	In certain instances, we may have a contractual obligation which we need to carry out which will require the processing of your personal data.	PERFORMANCE OF A CONTRACT TO WHICH THE DATA SUBJECT / DATA CONTROLLER IS A PARTY.
Safety concerns of a patient.	Provided to another medical or healthcare provider for your safety and to prevent significant harm. For example, we may provide your information to a hospital if you are unable to give us consent. Information provided to the Police or to Social Services in the case of legitimate safeguarding or safety concerns.	VITAL INTERESTS

 

Notes to our processing

Where processing is required by law

The provision of eye health services in the Republic of Ireland is regulated by the Health and Social Care Professional Act and the Optical Registration Board byelaws.  Medical devices placed on the market are regulated by Medical Device laws.

 

Where processing is required by a contract that we are a party to

In some cases, processing is required by a contract that we are a party to. This is the case, for example:

• We have concluded a contract with Klarna, a registered credit provider. In order to offer you Klarna’s payment methods, we might in the checkout process pass your personal data in the form of your name, contact and order details to Klarna, in order for Klarna to assess whether you qualify for their payment methods and to tailor those payment methods for you. Your personal data transferred is processed in line with Klarna’s own Privacy Notice.

5.1 What methods do we use to process your personal data?

The processing of your Personal Data is carried out, electronically and manually, only within the limits necessary to pursue the purposes outlined above.

We undertake to protect your Personal Data.

We advise that the password is one of the protection mechanisms of the account. Therefore, you are requested to use a password sufficiently secure and stored in a safe place, limiting access to it on your own computers and browsers, disconnecting it after having visited the Sites and/or the Services.

All Personal Data provided by you is kept on secure servers, adopting adequate security measures to protect Personal Data from non-authorised access, to maintain the accuracy of Personal Data and guarantee the proper use of information.

Furthermore, a secure system for authorising credit card payments and identifying fraudulent activities is used. We use the standard SSL (Secure Sockets Layer) to protect the confidentiality of your Personal Data.

5.2 We share your Personal Data with other Affiliates of the Group

EssilorLuxottica is a global organisation with offices and operations throughout the world and most of your Personal Data is stored and processed within a range of global applications that is used globally by the Affiliates of EssilorLuxottica. The majority of the processing of your personal data is carried out through the concentrated services of two entities: Essilor International and Luxottica S.p.A

We may share your Personal Data with certain Affiliates or Brands of the EssilorLuxottica group, based on your preferences and interests about these Affiliates or Brands, for the purposes set out in this Privacy Notice (in each case in or outside your country), as permitted and required by applicable law and/or in other circumstances with your consent.

We may also share your information for our internal business purposes.

5.3 Is your Personal Data transferred to third parties?

1. Service provider

We may disclose your Personal Data with our third parties service providers entrusted with processing activities that provide services or assistance and advice to us, with special – but not exclusive – reference to technology, accounting, administrative, legal, insurance, IT, marketing, customer services, data subject requests management, and data analysis matters.

Each service provider will act as a data processor, on behalf of and in accordance with the instructions received from us, by virtue of a specific agreement in place per Article 28 of the GDPR, which sets out its obligations and guarantees the implementation of appropriate technical and organisational measures to respect the Applicable Legislation and the protection of your rights.

We require that any such third-party provider is subject to strict control and implements appropriate guarantees of security and confidentiality of your Personal Data.

2. Sale or merger

We may also disclose Users Personal Data:

• in the event that we sell any business or assets, in which case we may disclose Users Personal Data to the prospective purchaser of such business or assets; or
• if we sell, buy, merge with, are acquired by, or partner with other companies or businesses, or sell some or all of our assets. In such transactions, Users Personal Data may be among the transferred assets.

We may share all of the information we collect in connection with a substantial corporate transaction, such as the sale of a website, a merger, consolidation, asset sale, or in the unlikely event of bankruptcy.

3. Legal process

We may disclose your Personal Data to any authority, court, administrative body, or other authorised third party (including, without limitation, external legal advisors and counsel), where the disclosure of Personal Data is required by law, regulation or court order or where such disclosure is necessary for the protection and defence of our rights.

4. Other instances

We may ask if you would like to disclose your information with other third parties who are not described elsewhere in this Privacy Notice. Furthermore, we do not sell, rent, or lease your Personal Data to third parties but we may, from time to time, contact you on behalf of external business partners about a particular offering that may be of interest to you. In those cases, without your consent, your Personal Data would not be transferred to the third party.

The abovementioned recipients will process your Personal Data as data controllers, data processors or persons in charge of processing, depending on the circumstances.

5.4 Is your Personal Data transferred across the border?

Given the presence of EssilorLuxottica in many countries around the world and in order to provide you with personalised services worldwide, some of your data may be collected, accessible or stored outside your country of residence.

As a result of the above, your Personal Data may be accessed and/or transferred to countries which do not have equivalent data protection laws to those required within the European Economic Area (EEA).

In such cases, the party transferring the data will ensure that, always, appropriate safeguards are implemented to ensure that your Personal Data is processed in accordance with applicable legislation. In this respect, where your Personal Data is processed by another EssilorLuxottica entity, the safeguards are based on the commitments taken on the basis of (ii) a dedicated transfer agreement binding upon the EssilorLuxottica entity involved in the processing and (ii) a set of common rules applicable through the EssilorLuxottica Group Data Protection Policy.

Where your data is processed by EssilorLuxottica entities or third parties located outside the European Economic Area, we will ensure that specific contractual protection is implemented to ensure that this requirement is addressed in accordance with the Applicable Legislation as per Articles 44 of the GDPR.

For further information with regarding to the appropriate or suitable safeguards and the means by which to obtain a copy of them, you can contact us in accordance with the methods described in this Privacy Notice.

5.5 For how long do we retain your Personal Data?

We retain all or part of your Personal Data for the time strictly necessary for the reason

1. to meet applicable statutory requirements for data retention,
2. to meet and comply with our legal and/or contractual obligations,
3. to protect and defend legal claims,
4. for as long as necessary to carry out each of the purposes mentioned in this Data Protection Privacy Notice, including for the purposes of satisfying any legal, accounting, reporting requirements.

To determine the appropriate retention period for Personal Data, we consider jointly the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your Personal Data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

Once we have established that there is no longer a legal, contractual or other basis to retain your Personal Data, it may be deleted or anonymised. Where it is anonymised, it can no longer be used to identify you directly or indirectly.

Our retention policy requires us to retain customer personal date as follows:

• For adults – 10 years after you were last seen, even if since deceased.
• For children and young people being 18 years and younger – 10 years after they were last seen or until the patient’s 25th birthday, if later. If the child or young person has died, the records will be retain for 10 years after they were last seen.

Should you require further information about our retention periods, please contact us by using the Contact information below.

In some circumstances we may anonymise your Personal Data so that it can no longer be associated with you, in which case we may use such information without further notice to you.
 

5.6 We keep your data safe, updated and accurate

We have a responsibility for the security and accuracy of the Personal Data that we process about you and for keeping data up to date. We have taken steps to eliminate duplicate copies of data and to facilitate updating of data that may change over time.

EssilorLuxottica regards the protection of Personal Data as an essential priority.

In this respect, we have implemented appropriate measures and safeguards to protect the Personal Data that we process.

This is reflected in EssilorLuxottica Group’s procedures, guidelines and policies and in the actual measures implemented throughout the Group.

We have put in place appropriate security measures to prevent your Personal Data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your Personal Data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your Personal Data on our instructions, and they are subject to a duty of confidentiality. These measures range from technical security measures that protect IT systems to the physical security measures employed at EssilorLuxottica sites. EssilorLuxottica also requires its staff to participate in information security training. Details of these measures may be obtained from the Group Information Security Department.

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

You can exercise any of the following rights, subject to verification of your identity where necessary:

1. Right of Information and Access

You may request the confirmation of the existence of your Personal Data and to be informed of its content and source and obtain a copy of those Personal Data which our databases currently contain.

 

2. Right to Rectification

You may request to rectify what Personal Data our databases currently contain. We may not accommodate a request to change Personal Data if we believe the change would violate any law or legal requirement or cause the information to be incorrect.

 

3. Right to Restriction of the Processing

When applicable, you may restrict the processing of your Personal Data. When such restrictions are not possible, we will advise them accordingly. You can then choose to exercise any other rights under this Privacy Notice, including withdrawing your consent to the processing of your Personal Data.

 

4. Right to Object to the Processing

When applicable, you have the right to object to the processing of your Personal Data on grounds relating to your particular situation or if the processing is based on our legitimate interest. In addition, you have the right to object at any time to processing where Personal Data are processed for direct marketing purposes, which includes profiling to the extent that it is related to such direct marketing.

When we cannot agree to your objections, we will advise you accordingly. You can then choose to exercise any other of your rights under this Privacy Notice, including the withdrawal of your consent to the processing of your Personal Data.

 

5. Right to Erasure

If you should wish to have your Personal Data deleted, then you may submit a request. Upon receipt of such a request for erasure, we will assess your request and notify you if we are unable to entertain it, including the reasons why.

 

6. Right to data Portability

Upon request and when possible and where applicable by local laws, we can provide you with copies of your Personal Data. When such a request cannot be honoured, we will advise you accordingly. You can then choose to exercise any other rights under this Privacy Notice, including withdrawing your consent. Where applicable, we will ensure such changes are shared with any trusted third parties.

 

7. Right to Withdraw your Consent

Where processing is based on consent, you may withdraw your consent at any time to the processing of your Personal Data. Upon receipt of such a withdrawal of consent, we will confirm receipt and proceed to stop processing your Personal Data for the purpose for which consent was received.

8. Right to lodge a complaint with the relevant data protection supervisory authority

If you are not satisfied with the way we process your Personal Data and/or respond to a request to exercise the rights you have exercised, you can lodge a complaint with the relevant data protection competent supervisory authority.

In order to exercise your rights, please contact: privacy@visionexpress.com

 

Furthermore, we offer tools to you to update and amend your Personal Data. Indeed, every registered User may access their own information and update it (e.g. through User account).

Besides, it is also possible for you to modify and update your preferences on how you wish to receive e-mails or other communications from us. You may also request that your information on your account is deleted.

 

8.1 Contact of the Data Controller

Should you have questions or comments on this Privacy Notice or on any data processing we carry out, we may be contacted in the following ways:

• Email us at privacy@visionexpress.com including if you want to escalate a matter to the Data Protection Officer. We will aim to acknowledge receipt of your email within 48 hours.
• Email us using our Contact Us form which can be found at https: //www.visionexpress.com/contact-us.
• Call our Customer Services department on 08000 382 177.
• Write to us: Customer Service Team Manager, EssilorLuxottica, City Tower, Floor 25, New York Street, Manchester, M1 4BT.

8.2 Contact of the Data Protection Officer

Vision Express has appointed a Data Protection Officer who can be contacted at the following email address: dpo@visionexpress.com

Luxottica has appointed a Data Protection Officer who can be contacted at privacy@luxottica.com or by way of post at the address of Piazzale Cadorna 3, Milan, Italy.

You can also send an email to privacy@luxottica.com in case of any question related to this document.

For legal and/or organisational reasons, this Privacy Notice may undergo changes. We suggest, therefore, that you check this Privacy Notice regularly and to refer to the latest version of it, we will post the date it was last updated at the top of this Privacy Notice.

In any case, an updated version of the Privacy Notice will always be available on the Site and we will provide additional notice to you if we make any changes that materially affect your privacy rights.