What data do we collect?
We collect personal data in a number of ways, including when you visit a store, via our websites, by phone, email, post, social media and any other engagement that we may have with you.
The type of personal data we collect is:
- Information collected when booking an eye examination, for example, your name and surname, address, contact details (phone and email), date of birth, age and the store that you select.
- Medical and health information concerning current or past eye health and other general health conditions, details of glasses or contact lenses prescribed, your medication, correspondence and reports between your optometrist, your GP or ophthalmologist.
- Your prescription and other information relating to your eyes or eye health forming part of your eye examination or needed to dispense glasses or contact lenses.
- Results and recommendations made by the examining optometrist, retinal photographs, referrals, optometrist comments.
- Information received from other health or medical professionals, including the NHS.
- Details of your purchases including past orders, any discounts applied as well as refunds processed.
- Membership subscriptions that you have with us.
- Your payment details and payment behaviour (where relevant).
- Your marketing and communication preferences.
- Information relating to your lifestyle and hobbies.
- Relevant personal information about others e.g. your family history, next of kin, contact details of your family that you provide to us.
- Feedback and survey responses.
- Your correspondence with us either in writing or by phone e.g. details of queries, complaints, call recordings or notes taken during conversations, requests for access to information and other requests exercising your rights.
- Any other information you have voluntarily given us.
- Information that we have collected from a third party, if it is legal to do so.
- Information that provides marketing and advertising assistance.
How and why do we use your personal data?
Your personal data is processed for the following reasons, so that we can provide you with the best possible eye health care and customer experience. Here’s how we use your data:
1. To provide professional eye care services:
- To book and confirm your appointment for an eye examination. We will send you a confirmation if you book online and a courtesy reminder will be sent a short period before the appointment is due.
- To carry out an eye examination so that we can understand the status of your eye health and any medical or other conditions.
- To formulate your prescription so as to determine your needs for eyewear and for purposes of dispensing your eyewear.
- To carry out aftercare services, for example, where you have purchased contact lenses from us.
- To send you eye test reminders. Changes in your eyesight are usually very gradual, so regular eye tests are important. The recommendation is to have your eyes tested every two years, unless your optician prescribes otherwise. We’ll send you a reminder shortly before the end of the recommended recall period, and send you further reminders if we don’t hear from you.
- To notify you that products that you have purchased are available for collection.
- To refer you to other medical or health professionals, or to the NHS.
2. To process transactions
We will process your personal data:
- So that we can provide our products and services to you and process any transactions, including payments, when you purchase our goods and services, or refunds.
- In respect of payments made to us as well as payments using card processors where payment is processed using a credit or debit card.
- And will make the required personal data available to third parties where you wish to conclude an agreement with that third party. For example, you may wish to apply for and enter into a payment arrangement with a third party, or you may want to apply for and obtain insurance over the product that you have purchased.
- To meet our contractual obligations to third parties e.g. the NHS.
- To ensure delivery of goods to your nominated address where you elect not to collect the goods from a store.
3. To communicate with you
- We send you services messages which may including communications about eye health, vision correction and information on how to look after the health of your eyes.
- We may send you messages to notify you of any relevant changes, for example, to matters that could affect or inconvenience you. For example, a change to your usual store’s location, shop opening or closing hours.
- We may send you direct marketing communications – we will send you information about our products, offers and discounts by email and/or post. You are free to opt out of these communications at any time by contacting us or going online and updating your preferences. For details, refer to the ‘How to contact us’ section.
- We process your personal data to respond to complaints, queries and any claims made against us.
4. To engage with you via our website
- If you are just browsing our website, we will not collect any information which will identify you by name, unless you provide this information, for example when rating our products or services.
- We will process your personal data in order that you can create and manage information in the online account that you have created with us.
- We will collect information using cookies or traffic data which uses IP addresses or other numeric identifiers, which analyse how people use our website. Please refer to our Cookies policy for more information.
- We will process your personal data so as to create and administer your online account.
5. Other reasons
- We may need to provide your personal data to a regulator requesting information when they are carrying out their function.
- We may also make your personal data available to third parties in terms of a contract that we are bound by or who have the legal right to access your personal data. Examples of third parties are our data processors, companies who provide us with updated personal information (e.g. changes to your address, deceased indicators, etc) external auditors and lawyers, the NHS, the police, social services, etc.
- We may need to make your personal data available to other optometrists, medical practitioners, health and social care providers or the NHS.
- For purposes of fraud prevention and detection and for the health and safety of members of the public, our staff and our customers
- For our Corporate requirements, including mergers and acquisitions.
Third Parties we share data with or receive data from
- We use technologies such as cookies within digital marketing networks, ad exchanges and social media networks such as Facebook and other social media to get relevant marketing messages across to you and other customers.
- Delivery or courier companies who we appoint to deliver products that you have purchased from us.
Lawful purpose for processing your personal data
We need a lawful purpose to process your personal data.
1. For processing your special personal data
The services offered by Gardiner Opticians are classified as health services. Health service providers are permitted to process your special personal data (for example, information relating to your health, medical information, etc) as processing is necessary for the purpose of your eye health care or treatment, or for purposes of preventative or occupational medicine, medical diagnosis and for the assessment of the working capacity of an employee.
If we wish to process your special personal data for another purpose, we must have a lawful purpose to do so, which may be the following:
(i) by getting your consent to process your personal data;
(ii) processing is necessary to establish, exercise or defend legal claims or whenever courts are acting in their judicial capacity;
(iii) processing is necessary in the public interest in the area of public health, subject to local laws and safeguarding measures (in particular professional secrecy) or
(iv) processing is necessary for archiving purposes in the public interest, scientific or historical research or statistical purposes, subject to local laws.
2. For processing your personal data
We rely on legal obligations where we have a statutory or other legal obligation to process the information:
- To meet our obligations as registered and dispensing optometrists. The provision of eye health services in the UK is regulated by the Opticians Act and the Rules issued by the General Optical Council. In the Republic of Ireland, the provision of eye health services is regulated by the Health and Social Care Professional Act and the Optical Registration Board bye-laws. They legally require us to collect and process your personal data including special categories of your data.
- To make your personal data available to other optometrists, medical practitioners, health and social care providers.
- To generate and issue invoices.
- Regulators may request information when carrying out their functions.
- Other third parties who have a legal right to access personal data e.g. the police, our insurers, lenders, external auditors and investigators.
- Other companies who provide us with updated personal information e.g. changes to your contact information, deceased indicators.
- If you choose to exercise your data rights e.g. requesting a subject access request.
- To respond to any complaints or claims we receive from regulators or other third parties.
- For purposes of fraud prevention and detection.
- For purposes of health and safety of members of the public, our staff and our customers.
- Corporate requirements including mergers and acquisitions.
We rely on contractual obligations when we process your information to fulfil a contract that we have entered into with you:
- To process any transactions when you purchase our goods and services.
- To process credit and debit card payments as well as payments using payment card processors. We provide your information to the relevant bank in order that they can process payment of a transaction.
- For purposes of us providing our products and services to you, including without limitation our aftercare contact lens service.
- To deliver products purchased to your nominated address.
- To meet any other contractual obligations that we have undertaken to you.
- To meet the contractual obligations that we have with the NHS – the NHS Optical contract defines that we have to keep up to date and accurate patient and medical records and provide details of any NHS funded eye tests or purchases to the NHS.
We rely on your consent:
- To provide your personal data to a third party who does not have a legal right to receive the information, for example a lawyer, a friend, a member of your family who does not have parental responsibility over a child.
- Received from a child to provide personal data to a parent, where the child has been deemed capable of giving consent.
- When you enter a competition.
- In order for a third party to provide you with payment options. In this case, we will pass the required information to them in order that that they can assess where you qualify for the payment method, and to tailor payment methods which they think may be suitable for you.
- To provide your personal data to insurance companies where you wish to apply for insurance cover that you wish to take up. We will pass your contact and other personal data to the insuring company so that they can assess whether you qualify for insurance cover.
Where your personal data is transferred to a third party, for example, the bank, a lender or an insurer, these parties are data controllers and personal data that is transferred is processed in line with the recipient’s own privacy notice.
We rely on our Legitimate Interest when we process your information for any of the following purposes:
- Sending service or direct marketing communications to you.
- Booking an appointment for an eye examination.
- Sending your reminders that your eye test is about to become due or is overdue.
- Processing and reporting financial transactions.
- Instituting and defending legal or other claims.
- When you respond to questionnaires and surveys.
- For purposes of market research and statistical analysis.
Our legitimate interests are derived from our requirement to protect and grow our business, including our commercial and financial interests, as well as our desire to retain existing and attract new customers.
We rely on Vital interests to process your personal data in certain circumstances.
As we collect information regarding your eye health, in exceptional circumstances we may be required to provide this information to another medical or healthcare provider for your safety and to prevent significant harm. For example, in exceptional circumstances we may provide information regarding your eye health to your hospital if you were unable to give us consent.
How long do we process personal data?
We will keep your personal data for as long as is reasonably necessary to provide our products and services, including aftercare services, and to maintain records as needed to satisfy tax and other legal or regulatory requirements, as well as to protect and defend against claims or allegations. We anonymise your personal data once we no longer need it.
When defining our retention periods, we consider healthcare laws and regulations which apply, contracts that we have entered into with the NHS and recommendations made by industry bodies, for example, the College of Optometrists.
Who do we share your personal data with?
We share your personal data within our group of companies, with data processors with whom we have entered into a Data Processing Agreement, with other medical or health professionals and with trusted third parties as an essential part of being able to provide our services to you. Please be assured we do not sell personal data, and do not provide personal data to list providers for the purposes of marketing.
Examples of third parties we work with to be able to provide our services to you, on our behalf include:
- Operational companies such as delivery couriers who may deliver products or deliver communication to you on our behalf.
- Product suppliers who make or provide the products we sell to you.
- Third parties who we use to help us update your contact information to keep your data accurate.
- IT and data companies who help support our websites and other business systems.
- Other medical professionals including other optometrists, medical doctors or the NHS and third parties appointed by the NHS.
- Public bodies who have the legal right to have access to the information e.g. the police, social services etc.
Subject access requests by third parties
Unless there is a lawful basis to do so, we will not provide your personal data to a third party unless we have your consent to do so. If you have authorised a third party to submit a request for the release of your personal data, they will be required to provide written proof of your consent or to provide a verifiable power of attorney. They will also be requested to provide documentation which identifies them. We require that the consent / power of attorney must:
(i) Be in writing; (ii) Detail your name, address and date of birth; (iii) Provide details of the personal data to be disclosed; (iv) Provide details of the recipient, including contact details and confirmation of identity; and (v) Be signed and dated by you.
Public authorities requiring data under exemptions may request personal data without your consent. These requests must: (i) Be in writing on an official letter head and must be signed; (ii) Provide full details of the affiliation or organisation; (iii) Provide full details of the requester, including name, rank or position as well as verifiable contact information; (iv) Provide the name, address, date of birth of the data subject, and specify the information being requested; (v) confirm the lawful basis for the request and the reason for the request (unless the requestor is not permitted to do so, being bound by confidentiality, professional secrecy or similar); (vi) Must detail the format and means by which the response is to be communicated.
All requests by authorities must be addressed to the Data Protection Officer.
We are only able to comply with requests that relate to personal data held in accessible, structured filing systems for which we are the data controller.
Last updated 7 May 2022.
We may update this privacy statement from time to time. Any updates will take effect as soon as they are posted on our website.
All of our rights are reserved.