PRIVACY POLICY
We are committed to protecting your privacy. This Privacy Policy explains how we collect and use your personal data and which rights and options you have in this respect.
Which personal data do we collect?
The personal data we collect may include:
· Contact information, such as your name, postal address, telephone number, mobile phone number and email address;
· Payment data, such as data necessary for processing payments and fraud prevention, including credit/debit card numbers, security code numbers and other related billing information;
· Further business information necessarily processed in a contractual relationship with us or voluntarily provided by you, such as payments made and requests;
· Information collected from publicly available resources, integrity data bases and credit agencies;
· Special categories of personal data. We may ask for information about your health for the purpose of identifying and being considerate of any disabilities you may have. Any use of such information is based on your consent; and/or
· Other personal data regarding your preferences where it is relevant to services that we provide.
How do we collect your personal data?
We may collect personal data about you in a number of circumstances, including:
· When you seek advice from us or use any online services;
· When you browse, make an enquiry or otherwise interaction our website; or
· When you offer to provide or provide services to us.
In some circumstances, we collect personal data about you from a third party source. For example, we may collect personal data from organisations with whom you have dealings, government agencies, a credit reporting agency, an information or service provider or from a publicly available record.
Are you required to provide personal data?
As a general principle, you will provide us with your personal data entirely voluntarily; there are generally no detrimental effects for you if you choose not to consent or to provide personal data. However, there are circumstances in which we cannot take action without certain of your personal data, for example because this personal data is required to process your instructions or orders, provide you with access to a web offering or newsletter or to carry out a legally required compliance screening. In these cases, it will unfortunately not be possible for us to provide you with what you request without the relevant personal data and we will notify you accordingly.
For which purposes will we use your personal data?
We may use your personal data for the following purposes only (Permitted Purposes):
· Providing advice or other services or things you may have requested;
· Managing and administering your business relationship with us, including processing payments, accounting, auditing, billing and collection, support services;
· Compliance with our legal obligations (such as record keeping obligations), compliance screening or recording obligations (e.g. for anti-money laundering, financial and credit check and fraud and crime prevention and detection purposes);
· To analyse and improve our services and communications to you;
· Protecting the security of and managing access to our premises, IT and communication systems, online platforms, websites and other systems, preventing and detecting security threats, fraud or other criminal or malicious activities;
· For insurance purposes;
· For monitoring and assessing compliance with our policies and standards;
· To identify persons authorised to trade on behalf of our customers, suppliers and/or service providers;
· To comply with our legal and regulatory obligations and requests;
· To comply with court orders and exercises and/or defend our legal rights; and
· For any purpose related and/or ancillary to any of the above or any other purpose for which your personal data was provided to us.
Where you have expressly given us your consent, we may process your personal data also for the following purposes:
· Communicating with you through the channels you have approved to keep you up to date on the latest developments, announcements, and other information about our services, products and technologies (including newsletters and other information) as well as our events and projects;
· Customer surveys, marketing campaigns, market analysis, sweepstakes, contests or other promotional activities or events; or
· Collecting information about your preferences to create a user profile to personalise and foster the quality of our communication and interaction with you (for example, by way of newsletter tracking or website analytics).
With regard to marketing-related communication, we will – where legally required – only provide you with such information after you have opted in and provide you the opportunity to opt out anytime if you do not want to receive further marketing-related communication from us. We will not use your personal data for taking any automated decisions affecting you or creating profiles other than described above.
Depending on for which of the above Permitted Purposes we use your personal data, we may process your personal data on one or more of the following legal grounds:
· Because processing is necessary for the performance of an instruction or other contract with you;
· To comply with our legal obligations (e.g. to keep records for tax purposes); or
· Because processing is necessary for purposes of our legitimate interest or those of any third party recipients that receive your personal data, provided that such interests are not overridden by your interests or fundamental rights and freedoms.
In addition, the processing may be based on your consent where you have expressly given that to us.
With whom will we share your personal data?
We may share your personal data in the following circumstances:
· We may disclose your contact details on a confidential basis to third parties for the purposes of collecting your feedback on the firm’s service provision, to help us measure our performance and to improve and promote our services;
· We may share your personal data with companies providing services for money laundering checks, credit risk reduction and other fraud and crime prevention purposes and companies providing similar services, including financial institutions, credit reference agencies and regulatory bodies with whom such personal data is shared;
· We may share your personal data with any third party to whom we assign or novate any of our rights or obligations;
· We may share your personal data with courts, law enforcement authorities, regulators or attorneys or other parties where it is reasonably necessary for the establishment, exercise or defence of a legal or equitable claim, or for the purposes of a confidential alternative dispute resolution process;
· We may also instruct service providers, domestically or abroad, e.g. shared service centres, to process personal data for the Permitted Purposes on our behalf and in accordance with our instructions only. We will retain control over and will remain fully responsible for your personal data and will use appropriate safeguards as required by applicable law to ensure the integrity and security of your personal data when engaging such service providers;
· We may also use aggregated personal data and statistics for the purpose of monitoring website usage in order to help us develop our website and our services.
Personal data about other people which you provide to us
If you provide personal data to us about someone else (such as someone with whom you have business dealings) you must ensure that you are entitled to disclose that personal data to us and that, without our taking any further steps, we may collect, use and disclose that personal data as described in this Privacy Policy. In particular, you must ensure the individual concerned is aware of the various matters detailed in this Privacy Policy, as those matters relate to that individual, including our identity, how to contact us, our purposes of collection, our personal data disclosure practices (including disclosure to overseas recipients), the individual’s right to obtain access to the personal data and make complaints about the handling of the personal data, and the consequences if the personal data is not provided (such as our inability to provide services).
Keeping personal data about you secure
We will take appropriate technical and organisational measures to keep your personal data confidential and secure in accordance with our internal procedures covering the storage, disclosure of and access to personal data. Personal data may be kept on our personal data technology systems, those of our contractors or in paper files.
Transferring your personal data abroad
We may transfer your personal data abroad if required for the Permitted Purposes as described above. We will ensure that any such international transfers are made subject to appropriate or suitable safeguards as required by the General Data Protection Regulation (EU) 2016/679 or other relevant laws. This includes entering into the EU Standard Contractual Clauses which are available here. You may contact us anytime using the contact details below if you would like further information on such safeguards.
We will also require our agents, consultants and sub-contractors and others who are outside the European Economic Area and to whom we transfer your personal data to ensure a similar level of data protection.
When doing so we will comply with applicable data protection requirements and take appropriate safeguards to ensure the security and integrity of your personal data.
Updating personal data about you
If any of the personal data that you have provided to us changes, for example if you change your email address or if you become aware we have any inaccurate personal data about you, please let us know by sending an email to hanwelleyecare@gmail.com. We will not be responsible for any losses arising from any inaccurate, inauthentic, deficient or incomplete Personal Data that you provide to us.
For how long do we retain your personal data?
Your personal data will be deleted when it is no longer reasonably required for the Permitted Purposes or you withdraw your consent (where applicable) and we are not legally required or otherwise permitted to continue storing such data. We will, in particular, retain your personal data where required for us to assert or defend against legal claims until the end of the relevant retention period or until the claims in question have been settled.
Your rights
Subject to certain legal conditions, you have the right to request a copy of the personal data about you which we hold, to have any inaccurate personal data corrected and to object to or restrict our using your personal data. You may also make a complaint if you have a concern about our handling of your personal data.
If you wish to do any of the above please send an email to hanwelleyecare@gmail.com. We may request that you prove your identity by providing us with a copy of a valid means of identification in order for us to comply with our security obligations and to prevent unauthorised disclosure of data. We reserve the right to charge you a reasonable administrative fee for any manifestly unfounded or excessive requests concerning your access to your data, and for any additional copies of the personal data you request from us.
We will consider any requests or complaints which we receive and provide you with a response in a timely manner. If you are not satisfied with our response, you may take your complaint to the relevant privacy regulator. We will provide you with details of your relevant regulator upon request.
Updates to this Privacy Policy
This Privacy Policy was last updated in February 2021. We reserve the right to update and change this Privacy Policy from time to time in order to reflect any changes to the way in which we process your personal data or changing legal requirements. In case of any such changes, we will post the changed Privacy Policy on our website or publish it otherwise. The changes will take effect as soon as they are posted on this website.
Privacy Notice For All Patients of Hanwell Eyecare
Why we collect and process your personal data
Hanwell Eyecare Centre is a registered data controller. This privacy notice sets out our privacy policy. We collect and process patients’ personal data for the purposes of healthcare and marketing. Our legal bases for processing personal data for healthcare purposes, including appointment reminders, include public task or legitimate interests:
· When we provide services under the NHS General Optical Services contract (such as a sight test funded by the NHS), our legal basis for processing personal data in respect of that service is public task
· Otherwise our legal basis is legitimate interests
Our condition for processing special category data is the provision of health or social care. We process our patients' personal data for marketing purposes with their consent or to meet a legitimate interest. This means we can tell you about eye care products and services that may be relevant to you. If you do not want us to process your personal data for marketing purposes, please let us know and we will stop.
The data we may collect and process
The personal data of patients that we may collect and process includes:
· Your name, contact details and personal identifiers (such as date of birth and NHS number)
· Your general and ocular health history, your family medical and ocular history, and any relevant signs or symptoms you tell us about
· Details of medicines, spectacles and contact lenses prescribed for you
· Details of examinations and other healthcare checks and treatments we provide
· Information relevant to your continued care from other people who care for you or know you well, such as other health professionals and relatives
How we hold and share your personal data
We process your personal data in strict confidence. We keep your personal data securely in our filing and electronic systems. Patient records are only accessible to the healthcare professionals working at the practice and those under their supervision. We will usually keep any personal data we hold about you for ten years after our last contact with you before we delete it. This is the period recommended as good practice by the College of Optometrists. If we collected the data when you were aged under 18 we will keep it until your 25th birthday, in line with NHS requirements. In exceptional cases we may need to retain personal data for a longer period, and will explain our reasons for doing so on request.
In the course of processing your personal data we may share it with:
· The healthcare professionals working at this practice and those under their supervision
· Healthcare professionals and those under their supervision at other optical practices, but only if you have specifically asked us to pass your personal data (such as your prescription) to them
· Your GP, ophthalmologists and other healthcare providers and commissioners, and suppliers of optical appliances or similar products, in connection with your ongoing healthcare treatment
· Software providers for our patient record and invoicing systems, and financial institutions, so that we can keep patient records up to date and arrange payment for services provided to you
Your rights
You have legal rights in respect of the personal data we hold about you. The Information Commissioner’s Office (ICO) has published guidance on the full range of rights. The rights that are most relevant to the way in which we use your personal data include:
· The right to be informed about how we use personal data – this privacy notice gives that information
· The right to object – if you object to us processing your data for marketing purposes, or for healthcare purposes where our legal basis is legitimate interests (see ‘why we collect and process your personal data’, above), we will then stop doing so, unless we are processing the data in respect of a legal claim or can otherwise show that our legitimate interest in processing the data overrides your rights and interests
· The right of access – if you ask us for the personal data we hold about you we will provide it within a month, free of charge (unless we have already provided it to you, in which case we may have to charge you the administrative cost of providing it again).
· The right to rectification – if you ask us to correct personal data about you that is inaccurate or incomplete, we will do so within a month (unless we need longer, in which case we will discuss this with you)
· The right to erasure – also known as the ‘right to be forgotten’. If you ask us to delete your personal data, we will do so if there is no compelling reason to continue processing the data. We will not usually delete healthcare data before our usual time limit (see ‘how we hold and share your personal data’ above) where we have a duty to keep accurate records – for example, to comply with a legal obligation, or in connection with a legal claim. If you ask us to delete such data we will discuss this with you
Contacting us and the ICO about your personal data
Please speak to us first if you have any questions or concerns about the way in which we process personal data. You can contact our Data Protection Officer Sonesh Gill via hannwelleyecare@gmail.com. You have the right to complain to the ICO if you have a concern about our handling of your personal data which you do not think we can resolve.