We care about our customers and are committed to taking care of their personal data. We safeguard your privacy by keeping your personal data secure and process personal data where we have a lawful basis to do so. We aim to be clear and transparent as to why and how we use your personal data and draw your attention to your rights as a data subject.
In this Privacy Notice, we tell you about:
- Your rights and how to contact us so as to exercise these rights.
- The personal data that we collect, our uses of the data and the legal basis for processing.
- The recipients or categories of recipients to whom your personal data are disclosed.
- Where data is transferred to a third country or international organisations, the safeguards that we rely on in the absence of the recipient country having received an adequacy decision.
- Information relating to data retention and the period that we continue to process your personal data.
This Privacy Notice applies to customer personal data that we process and includes data collected, for example, in our stores, from our website, via the use of online forms, social media, emails, complaints, customer satisfaction surveys, written correspondence and information gathered when speaking to you.
In this Privacy Notice, when we refer to ‘you, your’, we mean the person whose personal data we collect, use and process. This includes anyone who engages with us in connection with the products and services we provide or who interacts with us in another manner, for example, in store or by using our website at www.visionexpress.com or www.visionexpress.ie.
The Group of undertakings to which this Privacy Notice applies is:
- Vision Express (UK) Limited, Company Registration Number 2189907 and all of its subsidiaries, and their subsidiaries, including any joint ventures and franchises. All legal entities as well as the DPO are registered with the ICO.
- Vision Express (Ireland) Limited, Company Registration Number 166283 and its subsidiaries. The DPO is registered with the Irish Data Commission.
(referred to as ‘Vision Express’).
References to ‘Vision Express’, ‘we’, ‘us’ or ‘our’ mean the companies listed above that process personal data in the capacity of a data controller relating to individuals based in the United Kingdom or the Republic of Ireland (as applicable).
You can contact us in a number of ways:
- Email us at firstname.lastname@example.org including if you want to escalate a matter to the Data Protection Officer. We will aim to acknowledge receipt of your email within 48 hours.
- Email us using our Contact Us form.
- Call our Customer Services department on 08000 382 177.
- Write to us: Customer Service Department, Vision Express (UK) Limited, Ruddington Fields Business Park, Mere Way, Ruddington, Nottingham NG11 6NZ.
Protecting your confidentiality
To protect the confidentiality of your information, we may ask you to verify your identity before proceeding with any request you make when exercising your rights or sending a complaint.
Our responses may include sensitive personal data and confidential data, so in certain instances we require:
- That your requests are given to us in writing (including email) or are given verbally.
- Details of identity, including as a minimum, first name, last name, address and date of birth.
Please note – in most instances access to your personal data is free of charge. However, we do reserve the right to charge a fee for repeated requests.
We are only able to comply with requests that relate to personal data held in accessible, structured filing systems for which we are the data controller.
|Your rights||We will:|
Right of access (also known as a Subject Access request):
Once we have received sufficient information to process your request, we will make your information available to you within the regulated timeframe.
We will make your personal data available to a third party if you have consented to this.
For more information on giving consent to a third party or family member, please see the section 'Subject Access Requests by Third parties' below.
Right to rectification
We will assess your request but may need to verify the new data that you provide to us, or we may take our own steps to verify that the new data you have supplied us with is correct.
In certain circumstances we may refuse your request for rectification, but in such a case, we will confirm this to you and explain our decision.
Right to restrict processing
Where we agree to processing being restricted, we will (with the exception of storage) not process your personal data without your consent, unless we have a legal basis for doing so. This could include, without limiting the right, the need to institute or defend a claim, or the need to protect another individual's rights.
Right to data portability
You have the right to have information transferred to another entity where this is technically possible.
We will provide your personal data to you in a structured, commonly used method.
Right to object
You have the right to object to the processing of your personal data for purposes of direct marketing or where we use ‘legitimate interests’ as the lawful purpose for processing.
We will record your request and stop processing your personal data for purposes of direct marketing. This may take 28 days to take effect after receiving your request.
We will stop processing your personal data where we rely on ‘legitimate interests’ as the lawful basis for processing unless we believe that we have a legitimate overriding reason to continue processing, or we need to defend any legal claims against us.
Right to withdraw consent
Whenever you have given us your consent to use your personal data, you have the right to withdraw your consent.
We will stop processing your personal data for the purpose that consent was given upon your consent being withdrawn.
Right to Erasure
You have the right to request that we delete the personal information we hold on you. You have the right to have your personal data deleted only in the following circumstances:
Where law requires us to delete the personal data.
We will assess your request and confirm if your request can be actioned. We are not always obliged to erase personal data as legislation or contracts that we have entered into may place an obligation on us to retain personal data for a period of time.
Where we have been asked to erase your data but have an obligation to keep it, we will:
At your request, suppress your record to ensure that no further communications are sent to you.
Right to lodge a complaint with a supervisory body
The contact details are as follows:
We collect personal data in a number of ways, including when you visit a store, via our websites, by phone, email, post, social media and any other engagement that we may have with you.
The type of personal data we collect is:
- Information collected when booking an eye examination, for example, your name and surname, address, contact details (phone and email), date of birth, age and the store that you select.
- Medical and health information concerning current or past eye health and other general health conditions, details of glasses or contact lenses prescribed, your medication, correspondence and reports between your optometrist, your GP or ophthalmologist.
- Your prescription and other information relating to your eyes or eye health forming part of your eye examination or needed to dispense glasses or contact lenses.
- Results and recommendations made by the examining optometrist, retinal photographs, referrals, optometrist comments.
- Information received from other health or medical professionals, including the NHS.
- A copy of your facial images that you choose to share with us.
- Details of your purchases including past orders, any discounts applied as well as refunds processed.
- Membership subscriptions that you have with us.
- Your payment details and payment behaviour (where relevant).
- Your marketing and communication preferences.
- Information relating to your lifestyle and hobbies.
- Relevant personal information about others e.g. your family history and emergency contact details that you provide.
- Feedback and survey responses as well as your opinions relating to our goods and services when joining one of our customer panels.
- Images collected via CCTV systems installed in our stores.
- Your correspondence with us either in writing or by phone e.g. personal data that you supply to us and the details of requests, queries, complaints, call recordings or notes taken during conversations, requests for access to information and other requests exercising your rights.
- Feedback and ratings of our products and services published on our website.
- Electronic information, for example, the MAC address collected from your device.
- Any other information you have voluntarily given us.
- Information that we have collected from a third party, if it is legal to do so.
Information that provides marketing and advertising assistance.
Your personal data is processed for the following reasons, so that we can provide you with the best possible eye health care and customer experience. Here’s how we use your data:
- To provide professional eye care services:
- To book and confirm your appointment for an eye examination. We will send you a confirmation if you book online and a courtesy reminder will be sent a short period before the appointment is due.
- To carry out an eye examination so that we can understand the status of your eye health and any medical or other conditions.
- To formulate your prescription so as to determine your need for eyewear and for purposes of dispensing your eyewear.
- To carry out aftercare services, for example, where you have purchased contact lenses from us.
- To send you reminders that your eye test is due or overdue. Changes in your eyesight are usually very gradual, so regular eye tests are important. The recommendation is to have your eyes tested every two years, unless your optician prescribes otherwise. We’ll send you a reminder shortly before the end of the recommended recall period, and send you further reminders if we don’t hear from you.
- To notify you that products that you have purchased are available for collection.
- To refer you to other medical or health professionals, or to the NHS.
- For purposes of investigating and responding to clinical queries or complaints.
- For research and scientific reasons by us or third parties. Information provided to third parties will be anonymised.
- For responding to your requests for information, for example, a copy of your prescription.
- To process transactions
We will process your personal data:
- So that we can provide our products and services to you and process any transactions, including payments, when you purchase our goods and services, or refunds.
- In respect of payments made to us as well as payments using card processors where payment is processed using a credit or debit card.
- We will make personal data available to third parties where you wish to conclude an agreement with that third party. For example, you may wish to apply for and enter into a payment arrangement with a third party, or you may want to apply for and obtain insurance over the product that you have purchased, or for purposes of carrying out payments using a debit or credit card or paying using digital or electronic means.
- To meet our contractual obligations to third parties, for example, to the NHS or other third parties that we have contracted with.
- To ensure delivery of goods to your nominated address or parcel shop/locker where you elect not to collect the goods from a store. In such case, we will provide that personal data necessary for the delivery to take place to our appointed courier company.
- To communicate with you
- We send you service messages which may include communications about eye health, vision correction and information on how to look after the health of your eyes.
- We may send you messages to notify you of any relevant changes, for example, to matters that could affect or inconvenience you. For example, a change to your usual store’s location, shop opening or closing hours.
- We may send you direct marketing communications – we will send you information about our products, offers and discounts by email and/or post. You are free to opt out of these communications at any time by contacting us or going online and updating your preferences. For details, please refer to the ‘How to contact us’ section.
- We may invite you to respond to surveys and provide us with feedback of your experience in one of our stores. Where you respond to a survey or provide feedback, we process your personal data to help us improve our service to you and make our services and products more relevant to you.
- We may invite you to join a customer panel in your sole election. We will process the responses, views and opinions that you provide to us.
- So as to help us meet our regulatory obligations, we will invite you (by way of email) to respond to questions concerning products that you have purchased from us.
- For purposes of investigating and responding to your complaints or to respond to other requests that you have made.
- We process your personal data to respond to complaints, queries and any claims made against us.
- To engage with you via our website
- If you are just browsing our website, we will not collect any information which will identify you by name, unless you provide this information, for example when rating our products or services.
- We will process your personal data in order that you can create and manage information in the online account that you have created with us.
- We will collect information using cookies or traffic data which uses IP addresses or other numeric identifiers, which analyse how people use our website. Please refer to our Cookies policy for more information.
- We will process your personal data so as to create and administer your online account.
- Other reasons
- We may transfer your data to other members of our group of companies where they provide us with their administrative, IT or other services.
- We may need to provide your personal data to a regulator requesting information when they are carrying out their function or for purposes of investigating or responding to a complaint involving us that you have logged with a regulatory or industry body.
- We may also make your personal data available to third parties in terms of a contract that we are bound by or who have the legal or contractual right to access your personal data. Examples of third parties are those parties that we appoint as data processors whose services require the processing of personal data, companies who provide us with updated personal information (e.g. changes to your address, deceased indicators, etc) external auditors and lawyers, the NHS, the police, social services, etc.
- We may make your personal data available to other optometrists, medical practitioners, health and social care providers or the NHS.
- For purposes of fraud prevention and detection and for the health and safety of members of the public, our staff and our customers.
- From time to time, we may receive requests from bodies delivering public services for personal data that we have on record. For example, the police may request information for purposes of investigating crime or social services may request personal data for the purpose of assisting in or ensuring the wellbeing of an individual in their care.
- For our Corporate requirements, including mergers and acquisitions, we may share your data with those parties that we have merged with, or intend merging with or being acquired by.
Third Parties we share data with or receive data from
- Other data controllers – from time to time, Vision Express may partner with third parties in order that our customers can obtain benefit from the products or services that they offer. These partners may be lenders, insurers, facilitators of payments including banks or payment gateway companies or other regulated entities. Should you wish to take up their products or services, in some instances you may be required to contract with them directly by agreeing to their terms and conditions.
- Once you have indicated to us that you wish to apply for the services of a third party partnering with Vision Express, we will transfer the necessary information (for example your name, contact information and order details) to the third party so that they can assess whether you qualify for their offering, or for purposes of tailoring an offering designed to suit your needs. As the third party is a data controller, they are responsible for ensuring and demonstrating compliance to their regulatory obligations and will have their own Privacy Notice in order to transparently disclose matters concerning their processing of your personal data. We will provide you with information as to how to access their Privacy Notice upon request.
Notification regarding Klarna – in order to offer you Klarna’s payment methods, we might in the checkout process pass your personal data in the form of your name, contact and order details to Klarna, in order for Klarna to assess whether you qualify for their payment methods and to tailor those payment methods for you. Your personal data transferred is processed in line with Klarna’s own privacy notice.
Notification regarding Adaro – should you wish to take up our Eye Care Plan, in order to apply for payment terms, we will make your personal data available to Adaro for purposes of your application being processed. Adaro are regulated by the FCA with whom they are registered. Adaro is a data controller in their own right. For further information, please refer to the Privacy Notice published by Adaro.
- Marketing Companies and Online Advertising – to help us manage our electronic communications to you and to help us show you the advertising you are most likely to be interested in. These are companies that provide marketing and advertising assistance (including management of email marketing operations, mobile messaging services such as SMS, and services that deploy advertising on the internet or social media platforms, such as Facebook and Google) as well as analysis of the effectiveness of our advertising and communications campaigns.
- We use technologies such as cookies within digital marketing networks, ad exchanges and social media networks such as Facebook and other social media to get relevant marketing messages across to you and other customers. We share aggregated and anonymised information about the customer segments we are interested in reaching with advertising partners, so they can focus on showing adverts to those who are most likely to be interested in our products, services and offers, and to prevent them showing you irrelevant or repetitive advertisements.
- We share limited information with selected suppliers to enable them to identify new prospective customers on our behalf and to prevent us repeatedly advertising products or services you have already bought.
- We receive information on how you interact with our adverts and content on third-party websites and social media platforms (such as Google or Facebook) which we use to tailor the information that is displayed to you.
- Delivery or courier companies who we appoint to deliver products that you have purchased from us.
We need a lawful purpose to process your personal data.
- For processing your special personal data
The services offered by Vision Express are classified as health services. Health service providers are permitted to process your special personal data (for example, information relating to your health, medical information, etc) as processing is necessary for the purpose of your eye health care or treatment, or for purposes of preventative or occupational medicine, medical diagnosis and for the assessment of the working capacity of an employee.
If we wish to process your special personal data for another purpose, we must have a lawful purpose to do so, which may be one of the following:
(i) by getting your consent to process your personal data;
(ii) processing is necessary to establish, exercise or defend legal claims or whenever courts are acting in their judicial capacity;
(iii) processing is necessary in the public interest in the area of public health, subject to local laws and safeguarding measures (in particular professional secrecy) or
(iv) processing is necessary for archiving purposes in the public interest, scientific or historical research or statistical purposes, subject to local laws.
(v) processing is necessary to protect either your or another person’s vital interests in those events should you be physically or legally incapable of giving consent.
- For processing your personal data
We rely on legal obligations where we have a statutory or other legal obligation to process the information:
- To meet our obligations as registered and dispensing optometrists. The provision of eye health services in the UK is regulated by the Opticians Act and the Rules issued by the General Optical Council. In the Republic of Ireland, the provision of eye health services is regulated by the Health and Social Care Professional Act and the Optical Registration Board bye-laws. They legally require us to collect and process your personal data including special categories of your data.
- To make your personal data available to other optometrists, medical practitioners, health and social care providers.
- To generate and issue invoices.
- Regulators may request information when carrying out their functions.
- Other third parties who have a legal right to access personal data e.g. the police, our insurers, lenders, external auditors and investigators.
- Other companies who provide us with updated personal information e.g. changes to your contact information, deceased indicators.
- If you choose to exercise your data rights e.g. requesting a subject access request.
- To respond to any complaints or claims we receive from regulators or other third parties.
- For purposes of fraud prevention and detection.
- For purposes of health and safety of members of the public, our staff and our customers.
- Corporate requirements including mergers and acquisitions.
We rely on contractual obligations when we process your information to fulfil a contract that we have entered into with you:
- To process any transactions when you purchase our goods and services.
- To process credit and debit card payments as well as payments using payment card processors. We provide your information to the relevant bank in order that they can process payment of a transaction.
- For purposes of us providing our products and services to you, including without limitation our aftercare contact lens service.
- To deliver products purchased to your nominated address.
- To meet any other contractual obligations that we have undertaken to you.
- To meet the contractual obligations that we have with the NHS – the NHS Optical contract defines that we have to keep up to date and accurate patient and medical records and provide details of any NHS funded eye tests or purchases to the NHS.
We rely on your consent:
- To provide your personal data to a third party who does not have a legal right to receive the information, for example a solicitor or other person making a data subject access request on your behalf, a friend, a member of your family who does not have parental responsibility over a child.
- Received from a child to provide personal data to a parent, where the child has been deemed capable of giving consent.
- When using facial images for purposes of our virtual Try On services, whether online or in a store.
- When you enter a competition.
- In order for a third party to provide you with payment options. In this case, we will pass the required information to them in order that they can assess whether you qualify for the payment method, and to tailor payment methods which they think may be suitable for you.
- To provide your personal data to insurance companies where you wish to apply for insurance cover that you wish to take up. We will pass your contact and other personal data to the insuring company so that they can assess whether you qualify for insurance cover.
You are allowed to withdraw the consent that you have previously given to us after which we will stop processing your personal data for the purpose that consent was given.
Where your personal data is transferred to a third party, for example, the bank, a lender or an insurer, these parties are data controllers and personal data that is transferred is processed in line with the recipient’s own privacy notice.
We rely on our Legitimate Interest when we process your information for any of the following purposes:
- Sending service or direct marketing communications to you.
- Booking an appointment for an eye examination.
- Sending you reminders that your eye test is about to become due or is overdue.
- Processing and reporting financial transactions.
- Instituting and defending legal or other claims.
- In order to process your responses to questionnaires and surveys.
- In order to collate and compile your thoughts and opinions that you may provide to us.
- For purposes of market research and statistical analysis.
- When processing CCTV images for purposes of (a) detecting, investigating or preventing crime or (b) apprehending or prosecuting offenders.
Our legitimate interests are derived from our requirement to protect and grow our business, including our commercial and financial interests, as well as our desire to retain existing and attract new customers.
We rely on Vital interests to process your personal data in certain circumstances.
As we collect information regarding your eye health, in exceptional circumstances we may be required to provide this information to another medical or healthcare provider for your safety and to prevent significant harm. For example, in exceptional circumstances we may provide information regarding your eye health to your hospital if you were unable to give us consent.
We will keep your personal data for as long as is reasonably necessary to provide our products and services, including aftercare services, and to maintain records as needed to satisfy tax and other legal or regulatory requirements, as well as to protect and defend against claims or allegations. We anonymise your personal data once we no longer need it.
For adults, we retain customer and patient personal data for a period of eight years after we last saw you. For children aged 18 years and younger, we retain their personal data up to the patient's 25th birthday, or 26th birthday if the patient was 17 or younger on the date that they were last seen by us.
When defining our retention periods, we consider healthcare laws and regulations which apply, contracts that we have entered into with the NHS and recommendations made by industry bodies, for example, the College of Optometrists.
We share your personal data within our group of companies, with data processors with whom we have concluded a Data Processing Agreement, with other medical or health professionals and with trusted third parties as an essential part of being able to provide our services to you. Please be assured we do not sell personal data, and do not provide personal data to list providers for the purposes of marketing.
Examples of third parties we work with to be able to provide our services to you, on our behalf include:
- Couriers and delivery companies who we appoint to deliver products and purchases made by you.
- Product suppliers who make or provide the products we sell to you.
- Third parties who we use to help us update your contact information to keep your data accurate.
- IT and data companies who help support our websites and other business systems.
- Other medical professionals including other optometrists, medical doctors or the NHS and third parties appointed by the NHS.
- Public bodies who have the legal right to have access to the information e.g. the police, social services etc.
- Other companies within our group of companies.
Personal data sourced in the UK and the Republic of Ireland are processed on our customer databases held in the UK or as may be hosted by other members of our group of companies. As each of the UK and the EU has granted an adequacy decision to the other, this ensures an adequate level of protection and does not require any specific authorisation.
In certain instances, it may be necessary to transfer your personal data to a third country, being a country which has not received an adequacy decision by the relevant regulatory authority. In such case, we ensure that the safeguards required by the relevant regulator are implemented. For example, in the absence of any other safeguard, we will require that the EU’s Standard Contractual Clauses (‘SCC’s’) are signed for the transfer of personal data sourced in an EU country. In the case of personal data sourced in the UK and transferred to a third country, we will ensure that either the ICO’s approved International Data Transfer Agreement is signed or the UK Addendum is annexed to the EU’s SCC’s and signed.
Subject access requests by third parties
Unless there is a lawful basis to do so, we will not provide your personal data to a third party unless we have your consent to do so. If you have authorised a third party to submit a request for the release of your personal data, they will be required to provide written proof of your consent or to provide a verifiable power of attorney. They will also be requested to provide documentation which identifies them. We require that the consent / power of attorney must: (i) Be in writing; (ii) Detail your name, address and date of birth; (iii) Provide details of the personal data to be disclosed; (iv) Provide details of the recipient, including contact details and confirmation of identity; and (v) Be signed and dated by you.
Public authorities requiring data under exemptions may request personal data without your consent. These requests must: (i) Be in writing on an official letter head and must be signed; (ii) Provide full details of the affiliation or organisation; (iii) Provide full details of the requester, including name, rank or position as well as verifiable contact information; (iv) Provide the name, address, date of birth of the data subject, and specify the information being requested; (v) Confirm the lawful basis for the request and the reason for the request (unless the requestor is not permitted to do so, being bound by confidentiality, professional secrecy or similar); and (vi) Detail the format and means by which the response is to be communicated.
All requests by authorities must be addressed to the Data Protection Officer.
We are only able to comply with requests that relate to personal data held in accessible, structured filing systems for which we are the data controller.
Last updated 24 March 2023.
We may update this privacy statement from time to time. Any updates will take effect as soon as they are posted on our website.
All of our rights are reserved.