SPECS2U PRIVACY STATEMENT
Specs2U takes data protection seriously. We recognise that data protection and privacy are important to our customers, our employees, prospective employees and our suppliers. We undertake to fully comply with all legislation designed to protect privacy and personal data, to protect the rights of individuals, and to lawfully and transparently process personal data.
This privacy statement tells you what to expect when Specs2U collects and processes any personal data. It also provides you with details of how we use your personal data, and how to contact us in the event you have a query or a complaint.
This privacy statement applies to any personal data that we collect in any of our business activities. This includes, but is not limited to, data collected on any of our websites, online forms, social media, emails, complaints, customer satisfaction surveys, any written correspondence, recruitment and careers website, in stores, and over the telephone.
Who we are
Specs2U (UK) Limited (Reg Co. Number 08330667) is the data controller for the Specs2U group of companies and is registered as such with the Information Commissioner’s Office (ICO).
We have appointed a Data Protection Officer who can be contacted at firstname.lastname@example.org and who ensures compliance and provides oversight over all of our data protection issues.
What data do we collect?
We collect data in a number of ways, including in store, via the website, by phone, post or social media:
- Ordering and buying goods in store or from our website
- Opting in for Marketing
- Competition and prize draw entry
- Customer feedback satisfaction survey and reviews
- When you contact us such as via our branches or social media
- Applying for a role at Specs2U
The type of data that we collect will depend on the purpose for which you contact us. Personal data is likely to include:
- Residential address and delivery address
- Mobile and home phone number
- Purchase and order history
- Age and date of birth
- Eye health and medical information
- Lifestyle and hobbies as part of your eye test
- Feedback and survey responses
- Correspondence - when you contact us either in writing or over the phone
- Payment information
- Information on the pages that you have visited on our website, demographics and interests
- When applying for a role with Specs2U we collect education and qualifications, previous employment history, health information, information relating to criminal offences, gender, and previous employment and referee contact details
There are a number of reasons that as a company we will collect and process your personal data, including:
In certain circumstances you may enter into an expressed or implied contract with Specs2U, and where we may process data on that basis. Typically this is for the use of our services or purchase of a product.
For example – if you order a product in store or online we will process the personal data you give us to ensure we deliver the correct product
Our legitimate interests are derived from our role as provider of eye health services for our customers as well as the administering and maintaining services for employees and job applicants with whom we have established a relationship.
Legitimate interests include some forms of marketing and advertising, health management and reporting, processing and reporting of financial transactions, legal claims, management, market research, safety and security, statistical analysis and complaints.
For example - after you have had your eye test your optometrist will recommend the date of your next eye test. To help you look after your eye health we will then send you eye test reminders by post.
We may need to collect and process your personal data when the law or our statutory obligations require. These reasons include retention and providing information for crime, taxation and reporting. We are also bound by the requirements of the National Health Service, General Optical Council and other professional bodies to process records to a suitable standard of quality and care, to provide certain information to authorities, and to retain records for prescribed minimum periods of time.
For example – Our NHS Optical contract defines that we have to keep up to date and accurate patient and medical records and provide details of any NHS funded eye tests or purchases to the NHS.
Protecting the vital interests of the data subject
As we collect information regarding your eye health, in exceptional circumstances we may be required to provide this information to another healthcare provider for your safety and to prevent significant harm.
For example – in exceptional circumstances we may provide information regarding your eye health to your hospital if you were unable to give us direct consent.
In specific situations, we collect and process your data with your consent. Please see below for more details.
How do we collect consent?
Specs2U believes in informed consent and requires consent to be provided through an affirmative action.
We require explicit (written and/or verbal) consent from you in order to process your personal data for a few, specific and limited purposes:
- Contacting customers for certain marketing purposes.
- The release of your personal data to a third party who does not have a statutory exemption; including another optometrist, General Practitioners, hospitals or lawyers.
- The release of personal data to another family member.
- Consent of a child to the release of data to any parent, where the child has been deemed capable of giving consent.
- Retaining job applicants’ data in order to offer opportunities in the future.
For more information regarding consent for the release of personal data to a third party, family member or parent please see Subject Access Requests by Third Parties section below
Specs2U also makes use of informed, implied consent in order to process personal data for purposes that include taking details for eye examination bookings and job applications
You can change your consent to marketing or other processing at any time. Having opted-in you will always be provided with an opportunity to opt out.
Please see our ‘How do you contact us or request a change’ section for more information.
How long do we keep data?
Whenever we collect or process data we only keep it for as long as necessary for the purpose it was collected or to comply with relevant legislation and regulations.
At the end of the retention period, your data will be either deleted completely or anonymised, for example by aggregation with other data so it can be used in a non-identifiable way for statistical analysis and business planning. If you would like to keep a copy of your records then please request this information under the right to data access, before the retention period elapses.
Some examples of our data retention periods
- Financial records are retained for 6 years after the period-end in which the record was created.
- Employee records are retained for 6 years after the employee’s leaving date.
- Job applicant data is retained for 3 years after application.
- Customer medical records of adults are retained for 8 years from the last visit.
- Customer medical records of minors are retained until the person is 26 years of age, or 8 years after death, whichever is the sooner.
Who do we share personal data with?
We do share your personal data within our group of companies and with trusted third parties. We do not sell personal data, and do not provide personal data to list providers for the purposes of marketing.
Examples of third party companies we work with in the provision of services to you on our behalf include:
- Operational companies such as delivery couriers who may deliver products to your home on our behalf.
- Product suppliers who make or provide the products we sell to you
- Direct Marketing companies who help us deliver communications to you.
- IT and data companies who help support our websites and other business systems.
All third party data processors will be bound by written agreements as required by legislation. Their activities will be documented, assessed and controlled by Specs2U.
Data will only be transferred with suitable controls and protection. We apply strict policies and procedures to any bulk storage and transfer of data. Data will only be transferred within the European Union, or to countries having adequate data protection laws as directed by legislation.
Our core reasons for processing data are for administration, commercial, customer service, data quality, employment, financial, legal, marketing, medical, research, safety and security, service provision, statistical analysis and suppression.
We want to make our eye health communication with you as tailored and relevant to you as we can, so may combine data captured in our business such as gender, geographical location and transactional history with data from publicly available lists. We do so thoughtfully and always with the intention to cause as little intrusion as possible. We’ll do this on the basis of our legitimate business interest.
You may wish to change how we use your data and contact you, and you’ll find details in our ‘How do you contact us or request a change’ section below. Please remember if you choose not to share your personal data with us or refuse certain contact permissions, we might not be able to provide some services you have asked for.
This section explains the types of communications we send out, the lawful basis, when you may receive them, and their purpose.
We contact our customers for the purposes of eye health medical notifications service and direct marketing and administration. Customers may typically receive the following communication:
- Confirmation of appointments. On booking an eye health appointment or service with us you will be sent a confirmation. A courtesy reminder may be sent a short period before the appointment is due. This is part of our service and contractual obligations.
- Service notifications. Occasionally we may need to contact you to inform you about changes to our service that could affect or inconvenience you. An example would be change to your usual branch location. This is part of our contractual and legal compliance.
- Eye Test reminders. Changes in your eyesight are usually very gradual, so regular eye tests are important. The recommendation is to have your eyes tested every two years, unless your optician prescribes otherwise. As part of our medical service, we will send out a reminder shortly before the end of the recommended recall period, and follow up if we don’t hear from you. This is part of our legitimate interest in the provision of eye health services.
- Eye Health communication. As part of our medical eye health service we will send you communication regarding eye health and vision correction and how you can look after this. For example it is essential for your vision that glasses are fitted correctly, so we will remind you to get your glasses fitting checked and adjusted. This is part of our legitimate interest in the provision of eye health services.
- Direct Marketing communications - With your consent we will also send you direct marketing information about our products, offers and discounts by email and/or post. Of course you are free to opt out of these communications at any time by updating your consent preferences. For details see our ‘How do you contact us or request a change’ section.
- Survey and feedback requests. These are designed to help us improve our service to you. We have legitimate interest to do so as it helps us make our services and products more relevant to you.
We contact job applicants solely for employment purposes, and limit our communications to notification about current application progress and to invite you to apply for future opportunities. For more information please see our recruitment privacy statement.
What are your rights over personal data?
You have several rights under data protection legislation. This section provides an overview of those rights and how to request changes.
Right to be informed - this means you have a right to be informed about the way we collect and use your data.
Right of Access - also sometimes called a Subject Access Request - this means you have a right to request a copy of the data we hold about you. For more information about requesting data on behalf of someone please see our Subject Access Request section below
Right of Rectification - this means that you can request that we correct your personal data if it is inaccurate. Please be aware in the event that the data was provided by a third party such as a medical diagnosis by an optician, we reserve the right to review and decide on changes at our discretion. Where we decline to make changes we will explain the reasons for the decision.
Right of Erasure - this means you can request that all the data that we hold about you is deleted. However, in many cases legislation will prevent us from simply deleting personal data and obliges us to retain personal data for a period of time as discussed in the “How long do we keep your data” section above.
Where we have been asked to erase data but have a legal obligation to keep it, we will:
- Inform you of the obligation.
- Anonymise or remove data where allowed and where possible.
- Restrict details from appearing in systems where data cannot be removed.
- Suppress further communications.
Right to Restrict Processing - this means that you can request that processing of your data is limited and your data is stored separately.
Right to Data Portability - this means that under certain circumstances you can request your data in structured electronic format. Unless requested, we will transmit data to the email address we already hold on record. Please note we will need your written consent before transferring your data to a third party.
Right to Object - This means you have a right to object to direct marketing, including profiling. Wherever possible we will do so, unless we believe we have legitimate overriding reason to continue to process your data. For more information please see the section on How do you contact us or request a change
Rights Related to Automated Decision Making - This means that where a decision is being made about you using an automated process, you can request an explanation as to why that process is used and to request human intervention if you believe a human would come to a different conclusion. We do not currently do automated decision making.
How do you contact us or request a change
If you would like to
- change your data
- stop your data being processed
- change your consent
- stop us from contacting you
- change your direct marketing communication preferences
Email email@example.com, call 0151 305 7211 or write to our Customer Care team
If you would like
- A copy of your data
- Request data as a third party
- Enquire about our data protection policies
- Freedom of information request
Email firstname.lastname@example.org or write to our Data Protection Officer
If you would like to make a data protection complaint
Email email@example.com or write to our Data Protection Officer.
Telephone 0151 305 7211
Address : Customer Service Department, Specs2U Limited, Unit 4, Chapel Brook Trade Park, Wilson Road, Huyton, L36 6FH
Data Protection Officer
Address : Specs2u Limited, Unit 4, Chapel Brook Trade Park, Wilson Road, Huyton, L36 6FH
Please note that:
- We will acknowledge receipt of emails within one working day wherever possible.
- We will attempt to respond as soon as possible, but it may take up to 30 days from receipt of request and confirmation of ID to respond, or as otherwise required by law.
- We will respond using the same method as used in the communication to us, unless otherwise reasonably requested.
Subject access requests by third parties
Specs2U will not provide personal data to third parties unless we have consent of the individual or by statutory exemption.
If you have authorised a third party to submit a request for the release of your personal data, then we will ask them for written proof of this consent or to provide a verifiable power of attorney.
- Be in writing.
- Provide the name, address and date of birth of the individual.
- Provide details of the data to be disclosed.
- Provide details of the recipient, including contact details and confirmation of identity.
- Be signed and dated by the data subject.
Authorities requiring data under exemptions may request personal data without the consent of the individual. These requests should:
- Be in writing.
- Provide full details of affiliation or organisation.
- Provide full details of the requester, including name, rank or position.
- Provide full, verifiable contact information.
- Provide details of the data subject, and data required.
- Provide specific details of the incident and cameras if CCTV data is required.
- Provide details of the format and means by which the response is to be communicated.
- Where necessary and disclosable, the reasons for the request.
All requests by authorities should be made to the Data Protection Officer.
Protecting your confidentiality
To protect the confidentiality of your information, we will ask you to verify your identity before proceeding with any request you make under this privacy notice.
Our responses may include sensitive personal data and confidential data, so we require:
- all requests to be provided in writing,
- for the request to be signed,
- Details of identity; consisting of first name, last name, address and date of birth.
Please note – access to your personal data is free of charge.
We are only able to comply with requests that relate to personal data held in accessible, structured filing systems for which we are the data controller.
Contacting the supervising authority
If you feel that Specs2U has not fulfilled its obligations under data protection legislation or has not protected your data then you have the right to complain.
The Information Commissioner is the Supervising Authority for privacy and data protection in the United Kingdom
Post : Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
Tel 0303 123 1113
Online: www.ico.org.uk/concerns (opens in a new window; please note we can't be responsible for the content of external websites)
Data legislation and guidelines that we comply with
At Specs2U we must comply with relevant sections and amendments of numerous current and future legislation, regulations, codes and regulatory guidelines. These include:
- General Data Protection Regulations 2016 (GDPR)
- Data Protection Act 1998
- Data Protection Act 1988 and 2003 (Republic of Ireland)
- Access to Health Records Act 1990
- Computer Misuse Act 1990
- Human Rights Act 1998
- Equality Act 2010
- Protection of Freedoms Act 2012
- Privacy and Electronic Communications Regulations 2003
- Employment, safety and tax legislation
- NHS Records Management Code of Practice 2016
- General Optical Council guidelines
- College of Optometrists Guidance for Professional Practice
- Guidance provided by the Information Commissioner’s Office.
Updates to our privacy statement
We may update this privacy statement and any of our data policies from time-to-time, and in such event we will post a clear message on our Website. Please check the website for any updates before relying on the privacy statement for legal or other purposes.