
Privacy Policy

Your privacy

At Cranford Opticians we are committed to the highest privacy standards. However you choose to interact with us, we will only collect data that is necessary for us to deliver the best possible service and ensure you are reminded about appointments or anything else relevant to your ongoing care. This policy provides detailed information on when and why we collect your personal information, how we use it and the very limited conditions under which we may disclose it to others.

 

Collection of your Personal Information

In addition to your basic contact information (name, date of birth, telephone numbers and your addresses) we will collect other relevant details including current and past health and medication information, your examination results, payment details and lifestyle information. We may also store associated information received from other health care professionals as part of your ongoing care.

 

How we use this information

The information we collect about you is used to ensure we provide you with the best and most appropriate products and services. In addition to your ongoing eye care, we will remind you when appointments are due and suggest relevant products or services that we believe would be of interest. We use your contact information to respond to queries from you, and where appropriate your bank details to collect Direct Debit payments as agreed. We may occasionally contact you to ask for your feedback on services we have provided and to offer the opportunity to trial new products.

 

Our policy on storage, processing and retention of your information

To provision and manage our services, your data is stored and processed by Optix Software Ltd within their UK facilities that are certified to ISO27001. If we collect Direct Debits from you these payments will be processed by Eyecare Payments Ltd. Any third-party company is only permitted to process your data for the specified purposes and in accordance with our instructions.

We retain your information for as long as reasonably necessary to provide our products and services and to maintain records to satisfy tax and other legal requirements.

 

How and when we may share your Personal Information

Where necessary we may disclose your information to health care professionals including the NHS. We may also pass information to external agencies and organisations, including the police, for the prevention and detection of fraud and criminal activity. Should any claim be made, we may pass your personal information to our insurers and if our business is wholly or partially transferred to a third party, your personal information may be one of the transferred assets.

 

Your rights with respect to the Personal Information we hold

You are entitled to access the personal information that we hold on you; any such request should be made using our contact details below. If any data we hold is inaccurate, this will be corrected promptly on request. In certain circumstances you can request that we erase your data, which we will do where this would not prevent us meeting our legal and regulatory obligations.

 

Updating your communication preferences

You may ask that we do not send you communications using any of the contact details we hold on our records; this may include your email, SMS, telephone and postal information. You may also request we restrict our communications to clinically necessary messages. Your personal preferences can be changed at any time by using the link at the end of every email and SMS message we send or by using our contact details below.

 

Use of Cookies

A cookie is a small text file containing information that a web site transfers to your computer's hard disk for record-keeping purposes. A cookie cannot give us access to your computer or to your personal information. Most web browsers automatically accept cookies; consult your browser's manual or online help if you want information on restricting or disabling the browser's handling of cookies. If you disable cookies, you can still view the information on our web site, but the functionality of certain areas may be reduced.

Privacy Policy Updates

We reserve our right to make any changes and updates to this privacy policy without giving you notice as and when we need to. Our most up to date privacy policy is always available on our website.

Data subject access

  • Employee data subjects may make subject access requests (“SARs”) at any time to find out more about the personal data which the Company holds about them, what it is doing with that personal data, and why.

  • Employees wishing to make a SAR should do so using a Subject Access Request Form, sending the form to the Company’s Data Protection Officer at Cranford Opticians, 742 Bath Road, Hounslow, TW5 9TY, or by email at info@cranfordopticians.co.uk.

  • Responses to SARs shall normally be made within one month of receipt; however, this may be extended by up to two months if the SAR is complex and/or numerous requests are made. If such additional time is required, the employee data subject shall be informed.

  • All SARs received shall be handled by the Company’s Data Protection Officer.

The Company does not charge a fee for the handling of normal SARs. The Company reserves the right to charge reasonable fees for additional copies of information that has already been supplied to an employee data subject, and for requests that are manifestly unfounded or excessive, particularly where such requests are repetitive.

Rectification of Personal Data

  • Employee data subjects have the right to require the Company to rectify any of their personal data that is inaccurate or incomplete.

  • The Company shall rectify the personal data in question, and inform the employee data subject of that rectification, within one month of the employee data subject informing the Company of the issue. The period can be extended by up to two months in the case of complex requests. If such additional time is required, the employee data subject shall be informed.

  • In the event that any affected personal data has been disclosed to third parties, those parties shall be informed of any rectification that must be made to that personal data.

Erasure of Personal Data

  • Employee data subjects have the right to request that the Company erases the personal data it holds about them in the following circumstances:

    • It is no longer necessary for the Company to hold that personal data with respect to the purpose(s) for which it was originally collected or processed;

    • The employee data subject wishes to withdraw their consent to the Company holding and processing their personal data;

    • The employee data subject objects to the Company holding and processing their personal data (and there is no overriding legitimate interest to allow the Company to continue doing so) (see Part 18 of this Policy for further details concerning the right to object);

    • The personal data has been processed unlawfully;

    • The personal data needs to be erased in order for the Company to comply with a particular legal obligation; or

    • [The personal data is being held and processed for the purpose of providing information society services to a child.]

  • Unless the Company has reasonable grounds to refuse to erase personal data, all requests for erasure shall be complied with, and the employee data subject informed of the erasure, within one month of receipt of the employee data subject’s request. The period can be extended by up to two months in the case of complex requests. If such additional time is required, the employee data subject shall be informed.

  • In the event that any personal data that is to be erased in response to an employee data subject’s request has been disclosed to third parties, those parties shall be informed of the erasure (unless it is impossible or would require disproportionate effort to do so).

Restriction of Personal Data Processing

  • Employee data subjects may request that the Company ceases processing the personal data it holds about them. If an employee data subject makes such a request, the Company shall retain only the amount of personal data concerning that data subject (if any) that is necessary to ensure that the personal data in question is not processed further.

  • In the event that any affected personal data has been disclosed to third parties, those parties shall be informed of the applicable restrictions on processing it (unless it is impossible or would require disproportionate effort to do so).

Data Portability

  • The Company processes personal data relating to employees using automated means. These include the payroll software, Sage.com and Xero.com and electronic submissions to HMRC.

  • Where employee data subjects have given their consent to the Company to process their personal data in such a manner, or the processing is otherwise required for the performance of a contract between the Company and the employee data subject, employee data subjects have the right, under the GDPR, to receive a copy of their personal data and to use it for other purposes (namely transmitting it to other data controllers).

  • To facilitate the right of data portability, the Company shall make available all applicable personal data to employee data subjects in the following formats:

    • Hard Copy or Email

    • PDF, Word or Excel formats.

  • Where technically feasible, if requested by an employee data subject, personal data shall be sent directly to the required data controller.

  • All requests for copies of personal data shall be complied with within one month of the employee data subject’s request. The period can be extended by up to two months in the case of complex or numerous requests. If such additional time is required, the employee data subject shall be informed.

Objections to Personal Data Processing

  • Employee data subjects have the right to object to the Company processing their personal data based on legitimate interests, direct marketing (including profiling), and processing for scientific and/or historical research and statistics purposes.

  • Where an employee data subject objects to the Company processing their personal data based on its legitimate interests, the Company shall cease such processing immediately, unless it can be demonstrated that the Company’s legitimate grounds for such processing override the employee data subject’s interests, rights, and freedoms, or that the processing is necessary for the conduct of legal claims.

  • Where an employee data subject objects to the Company processing their personal data for direct marketing purposes, the Company shall cease such processing immediately.

  • Where an employee data subject objects to the Company processing their personal data for scientific and/or historical research and statistics purposes, the employee data subject must, under the GDPR, “demonstrate grounds relating to his or her particular situation”. The Company is not required to comply if the research is necessary for the performance of a task carried out for reasons of public interest.

Automated Decision-Making

  • The Company uses personal data in automated decision-making processes with respect to its employees. This includes payroll software such as Xero.com or Sage.com.

  • Where such decisions have a legal (or similarly significant) effect on employee data subjects, those employee data subjects have the right to challenge such decisions under the GDPR, requesting human intervention, expressing their own point of view, and obtaining an explanation of the decision from the Company.

  • The right described in Part 19.2 does not apply in the following circumstances:

    • The decision is necessary for the entry into, or performance of, a contract between the Company and the employee data subject;

    • The decision is authorised by law; or

    • The employee data subject has given their explicit consent.

Profiling

  • The Company may use personal data for profiling purposes with respect to its employees.

  • When personal data is used for profiling purposes, the following shall apply:

    • Clear information explaining the profiling shall be provided to employee data subjects, including the significance and likely consequences of the profiling;

    • Appropriate mathematical or statistical procedures shall be used;

    • Technical and organisational measures shall be implemented to minimise the risk of errors. If errors occur, such measures must enable them to be easily corrected; and

    • All personal data processed for profiling purposes shall be secured in order to prevent discriminatory effects arising out of profiling (see Parts 26 to 30 of this Policy for more details on data security).

Personal Data

The Company holds personal data that is directly relevant to its employees. That personal data shall be collected, held, and processed in accordance with employee data subjects’ rights and the Company’s obligations under the GDPR and with this Policy. The Company may collect, hold, and process the personal data detailed in Parts 21 to 25 of this Policy:

  • Identification information relating to employees:

    • Name;

    • Contact Details;

  • Equal opportunities monitoring information [(such information shall be anonymised where possible)]:

    • Age;

    • Gender;

    • Ethnicity;

    • Nationality;

    • Religion;

  • Health records (Please refer to Part 22, below, for further information):

    • Details of sick leave;

    • Medical conditions;

    • Disabilities;

    • Prescribed medication;

  • Employment records:

    • Interview notes;

    • CVs, application forms, covering letters, and similar documents;

    • Assessments, performance reviews, and similar documents;

    • Details of remuneration including salaries, pay increases, bonuses, commission, overtime, benefits, and expenses;

    • Details of trade union membership (where applicable) [(please refer to Part 24, below, for further information)];

    • Employee monitoring information (please refer to Part 25, below, for further information);

    • Records of disciplinary matters including reports and warnings, both formal and informal;

    • Details of grievances including documentary evidence, notes from interviews, procedures followed, and outcomes;

Health Records

  • The Company holds health records on all employee data subjects which are used to assess the health, wellbeing, and welfare of employees and to highlight any issues which may require further investigation. In particular, the Company places a high priority on maintaining health and safety in the workplace, on promoting equal opportunities, and on preventing discrimination on the grounds of disability or other medical conditions. In most cases, health data on employees falls within the GDPR’s definition of special category data (see Part 4 of this Policy for a definition). Any and all data relating to employee data subjects’ health, therefore, will be collected, held, and processed strictly in accordance with the conditions for processing special category personal data, as set out in Part 4 of this Policy. No special category personal data will be collected, held, or processed without the relevant employee data subject’s express consent.

  • Health records shall be accessible and used only by Nila Mehra, and shall not be revealed to other employees, agents, contractors, or other parties working on behalf of the Company without the express consent of the employee data subject(s) to whom such data relates, except in exceptional circumstances where the wellbeing of the employee data subject(s) to whom the data relates is at stake and such circumstances satisfy one or more of the conditions set out in Part 4.2 of this Policy.

  • Health records will only be collected, held, and processed to the extent required to ensure that employees are able to perform their work correctly, legally, safely, and without unlawful or unfair impediments or discrimination.

  • Employee data subjects have the right to request that the Company does not keep health records about them. All such requests must be made in writing and addressed to Nila Mehra, 742 Bath Road, Hounslow, TW5 9TY.
