Our Privacy Policy
Introduction
At Martin Reynolds Opticians we take data protection seriously. We recognise that data protection and privacy are important to our patients, our employees, prospective employees and our suppliers. We undertake to fully comply with all legislation designed to protect privacy and personal data, to protect the rights of individuals, and to lawfully and transparently process personal data.
This privacy statement tells you what to expect when we collect and process any personal data. It also provides you with details of how we use your personal data, and how to contact us in the event you have a query or a complaint.
This privacy statement applies to any personal data that we collect in any of our business activities. This includes, but is not limited to, data collected on any of our websites, online forms, social media, emails, complaints, customer satisfaction surveys, any written correspondence, recruitment and careers website, in stores, and over the telephone.
Who we are
Visora Ltd (Company Number: 06282895) is the data controller for Martin Reynolds Opticians and is registered as such with the Information Commissioner’s Office (ICO).
What data do we collect?
We collect data in a number of ways, including in store, via the website, by phone, or by post:
- Ordering and buying goods in store or from our website
- Opting in for Marketing
- Competition and prize draw entry
- Customer feedback satisfaction survey and reviews
- When you contact us such as in person, by phone or by post
- CCTV
- Applying for a role at Martin Reynolds Opticians
The type of data that we collect will depend on the purpose for which you contact us. Personal data is likely to include:
- Name
- Residential address and delivery address
- Mobile and home phone number
- Purchase and order history
- Age and date of birth
- Images and recordings such as CCTV
- Eye health and medical information
- Lifestyle and hobbies as part of your eye test
- Feedback and survey responses
- Correspondence - when you contact us either in writing or over the phone
- Payment information
- Information on the pages that you have visited on our website, demographics and interests.
- When you apply for a role with Martin Reynolds Opticians, we collect education and qualifications, previous employment history, health information, information relating to criminal offences, gender, and previous employment and referee contact details.
Why do we collect your data?
There are a number of reasons that as a company we will collect and process your personal data, including:
Contractual obligations
In certain circumstances you may enter into an express or implied contract with Martin Reynolds Opticians. Where we process data on that basis, this is typically for the use of our services or the purchase of a product.
For example – if you order a product in store or online or join our contact lens direct debit scheme we will process the personal data you give us to ensure we deliver the correct product or collect the direct debit payment from you.
Legitimate Interest
Our legitimate interests originate from our role as provider of eye health services for our patients as well as the administering and maintaining services for employees and job applicants with whom we have established a relationship.
Legitimate interests include some forms of marketing and advertising, health management and reporting, processing and reporting of financial transactions, legal claims, management, market research, safety and security, statistical analysis and complaints.
For example - after you have had your eye examination your optometrist will recommend the date of your next eye exam. To help you look after your eye health we will then send you reminders by post and/or SMS.
Legal compliance
We may need to collect and process your personal data when the law or our statutory obligations require. These reasons include retention and providing information for crime, taxation and reporting. We are also bound by the requirements of the National Health Service, General Optical Council and other professional bodies to process records to a suitable standard of quality and care, to provide certain information to authorities, and to retain records for prescribed minimum periods of time.
For example – Our NHS Optical contract defines that we have to keep up to date and accurate patient and medical records and provide details of any NHS funded eye tests or purchases to the NHS.
Protecting the vital interests of the data subject
As we collect information regarding your eye health, in exceptional circumstances we may be required to provide this information to another healthcare provider for your safety and to prevent significant harm.
For example – in exceptional circumstances we may provide information regarding your eye health to your hospital if you were unable to give us direct consent.
Consent
In specific situations, we collect and process your data with your consent. Please see the 'How do we collect consent' section for more details.
How do we collect Consent?
We believe in informed consent and require consent to be provided with an affirmative action.
We require explicit (written and/or verbal) consent from you in order to process your personal data for a few, specific and limited purposes:
- Contacting customers for certain marketing purposes.
- The release of your personal data to a third party who does not have a statutory exemption; including another optometrist, General Practitioners, hospitals or lawyers.
- The release of personal data to another family member.
- Consent of a child to the release of data to any parent, where the child has been deemed capable of giving consent.
- Retaining job applicants’ data in order to offer opportunities in the future.
We also make use of informed, implied consent in order to process personal data for purposes that include taking details for eye examination bookings and job applications.
You can change your consent to marketing or other processing at any time. Having opted-in you will always be provided with an opportunity to opt out.
How Long do we keep data?
Whenever we collect or process data we only keep it for as long as necessary for the purpose it was collected or to comply with relevant legislation and regulations.
At the end of the retention period, your data will be deleted completely. If you would like to keep a copy of your records then please request this information under the right to data access, before the retention period elapses.
Some examples of our data retention periods:
- Job applicant data is retained for 3 years after application.
- Patient records of adults are retained for 10 years from the last visit.
- Patient records of minors (under 18) are retained until the person is 25 years of age, or 10 years after death, whichever is the sooner.
- Employee records. Please refer to the practice site.
Who do we share your data with?
We share your personal data only with trusted third parties. We do not sell personal data, and do not provide personal data to list providers for the purposes of marketing.
Examples of third party companies we work with in the provision of services to you on our behalf include:
- Operational companies such as delivery couriers or Royal Mail who may deliver products to your home on our behalf.
- Product suppliers who make or provide the products we sell to you.
- Direct Marketing companies who help us deliver communications to you.
- IT and data companies who help support our websites and other business systems.
All third party data processors will be bound by agreements as required by legislation. Their activities will be documented, assessed and controlled by us.
Data will only be transferred with suitable controls and protection. We apply strict policies and procedures to any bulk storage and transfer of data. Data will only be transferred within the European Union, or to countries having adequate data protection laws as directed by legislation.
Why we need your personal data and how we use it
Our main reasons for processing data are for administration, commercial, customer service, employment, financial, legal, marketing, medical, research, safety and security, and service provision.
You may wish to change how we use your data and contact you, and you’ll find details in our 'How do you contact us or request a change' section. Please remember that if you choose not to share your personal data with us or refuse certain contact permissions, we might not be able to provide some services you have asked for.
This section explains the types of communications we send out, the lawful basis, when you may receive them, and their purpose.
Patients
We contact our patients for the purposes of our eye health medical notification service, direct marketing and administration. Patients may typically receive the following communications:
- Confirmation of appointments. After booking an eye exam appointment or service with us you will be sent a courtesy reminder a short period before the appointment is due. This is part of our service and contractual obligations.
- Service notifications. Occasionally we may need to contact you to inform you about changes to our service that could affect or inconvenience you. An example would be change to the practice location. This is part of our contractual and legal compliance.
- Eye Exam reminders. Changes in your eyesight are usually very gradual, so regular eye exams are important. The recommendation is to have your eyes examined every two years, unless your optometrist recommends otherwise. As part of our service, we will send out a reminder shortly before the end of the recommended recall period, and follow up if we don’t hear from you. This is part of our legitimate interest in the provision of eye health services.
- Eye Health communication. As part of our eye health service we may send you communication regarding eye health and vision correction and how you can look after this. This is part of our legitimate interest in the provision of eye health services.
- Direct Marketing communications. With your consent we will also send you direct marketing information about our products, offers and discounts by email and/or post. Of course you are free to opt out of these communications at any time by updating your consent preferences. For details see our 'How do you contact us or request a change' section.
- Survey and feedback requests. These are designed to help us improve our service to you. We have legitimate interest to do so as it helps us make our services and products more relevant to you.
Job applicants
We contact job applicants solely for employment purposes, and limit our communications to notification about current application progress and to invite you to apply for future opportunities.
Your rights over your data
You have several rights under data protection legislation. This section provides an overview of those rights and how to request changes.
Right to be informed - this means you have a right to be informed about the way we collect and use your data.
Right of Access - also sometimes called a Subject Access Request - this means you have a right to request a copy of the data we hold about you. For more information about requesting data on behalf of someone else, please see our 'Subject Access Request' section below.
Right of Rectification - this means that you can request that we correct your personal data if it is inaccurate. Please be aware in the event that the data was provided by a third party, such as a medical diagnosis by an ophthalmologist, we reserve the right to review and decide on changes at our discretion. Where we decline to make changes we will explain the reasons for the decision.
Right of Erasure - this means you can request that all the data that we hold about you is deleted. However, in many cases legislation will prevent us from simply deleting personal data and obliges us to retain personal data for a period of time as discussed in the “How long do we keep your data” section above.
Where we have been asked to erase data but have a legal obligation to keep it, we will:
- Inform you of the obligation.
- Anonymise or remove data where allowed and where possible.
- Restrict details from appearing in systems where data cannot be removed.
- Stop further communications.
Right to Restrict Processing - this means that you can request that processing of your data is limited and your data is stored separately.
Right to Data Portability - this means that under certain circumstances you can request your data in structured electronic format. Unless requested, we will transmit data to the personal email address we already hold on record, or you supply, whichever is the most current. Please note we will need your written consent before transferring your data to a third party.
Right to Object - This means you have a right to object to direct marketing. Wherever possible we will do so, unless we believe we have legitimate overriding reason to continue to process your data. For more information please see the section on 'How do you contact us or request a change'.
Rights Related to Automated Decision Making - We do not currently carry out automated decision making, but this right means that where a decision is being made about you using an automated process, you can request an explanation as to why that process is used and request human intervention if you believe a human would come to a different conclusion.
How do you contact us or request a change
To request data or make a change please:
- email me at [email protected],
- call 01279 757767
- or write to me at Jay Patel, Martin Reynolds Opticians, 24 North Street, Bishops Stortford, Herts. CM23 2LW
We will attempt to respond as soon as possible, but it may take up to 30 days from receipt of request and confirmation of ID to respond, or as otherwise required by law.
We will respond using the same method as used in the communication to us, unless otherwise reasonably requested.
Subject access requests by third parties
We at Martin Reynolds Opticians will not provide personal data to third parties unless we have consent of the individual or by statutory exemption.
If you have authorised a third party to submit a request for the release of your personal data, then we will ask them for written proof of this consent or to provide a verifiable power of attorney.
Consent must:
- Be in writing.
- Provide the name, address and date of birth of the individual.
- Provide details of the data to be disclosed.
- Provide details of the recipient, including contact details and confirmation of identity.
- Be signed and dated by the data subject.
Authorities requiring data under exemptions may request personal data without the consent of the individual. These requests should:
- Be in writing.
- Provide full details of affiliation or organisation.
- Provide full details of the requester, including name, rank or position.
- Provide full, verifiable contact information.
- Provide details of the data subject, and data required.
- Provide specific details of the incident and cameras if CCTV data is required.
- Provide details of the format and means by which the response is to be communicated.
- Provide, where necessary and disclosable, the reasons for the request.
All requests by authorities should be made to Jay Patel.
Protecting your confidentiality
To protect the confidentiality of your information, we will ask you to verify your identity before proceeding with any request you make under this privacy notice.
Our responses may include sensitive personal data and confidential data, so we require:
- All requests to be provided in writing.
- The request to be signed.
- Details of identity, consisting of first name, last name, address and date of birth.
We are only able to comply with requests that relate to personal data held in accessible, structured filing systems for which we are the data controller.
Updates to our Privacy Policy
We may update this privacy policy and any of our data policies from time-to-time, and in such event we will post a clear message on our Website. Please check the website for any updates before relying on the privacy statement for legal or other purposes.
Updated: 21st May 2018