Vision Express is an employer of permanent, temporary or contract staff.
We care about people and their rights under data protection laws and are committed to taking care of your personal data. We safeguard your privacy by keeping your personal data secure and process personal data where we have a lawful basis to do so.
We aim to be clear and transparent as to why and how we use your personal data and draw your attention to your rights as a data subject.
The Group of undertakings to which this Privacy Notice applies is:
• Vision Express (UK) Limited, a company registered in England with company registration Number 2189907 and all of its subsidiaries, and their subsidiaries, including any joint ventures and franchises. All legal entities as well as the DPO are registered with the ICO.
• Vision Express (Ireland) Limited , a company registered in Ireland with company registration Number 166283 and its subsidiaries. The DPO is registed with the Irish Data Commission. (referred to as 'Vision Express').
References to 'Vision Express', 'we', 'us' or 'our' means the companies listed above that process personal data in the capacity of a data controller relating to individuals based in the United Kingdom or the Republic of Ireland (as applicable).
How to contact us
You can contact us in a number of ways:
• Email us firstname.lastname@example.org OR email@example.com including id you want to escalate a matter to the Data Protection Officer. We will aim to acknowledge receipt of your email within 48 hours.
• Call our Talent Acquisition Team on 0115 988 2050
• Write to us: Customer Service Department, Vision Express (UK) Limited, Ruddington Fields Business Park, Mere Way, Ruddington, Nottingham, NG11 6NZ.
Protecting your confidentiality
To protect the confidentiality of your information, we may as you to verify your identity before proceeding with any requests you make when exercising your rights or sending a complaint.
Our response may include sensitive personal data and confidential data, so in certain instances we require:
• That your requests are given to us in writing (including email) or are given verbally
• Details of identity; including as a minimum, first name, last name, address and date of birth.
Please note - in most instances access to your personal data is free of charge. However, we do reserve the right to charge a fee for repeated requests.
We are only able to comply with requests that related to personal data held in accessible, structures filing systems for which we are the data controller.
Right of access (also known as a Subject Access requests):
Once we have received sufficient information to process your request, we will make your information available to you within the regulated timeframe.
• At your request, we will confirm whether or not we are processing your personal data.
• You have a right to receive a copy of your personal data that we process.
• You have the right to consent to us making your personal data available to a third party
We will make your personal data available to a third party if you have consented to this.
For more information on giving consent to a third party or family member, please see the section 'Subject Access Requests by Third Parties' below.
Right to rectification
You can request that incorrect or inaccurate information is corrected
We will assess your request but may need to verify the new data that you provide to us, or we may take our own steps to verify that the new data you have supplied us with is correct.
In certain circumstances we may refuse your request for rectification, but in such a case, we will confirm this to you and explain our decision
Right to restrict procession
In certain instances, you can request that we stop processing some or all of your information, for example, where you believe the information is inaccurate, or you believe there is no legal reason for us to continue to process your personal data.
Where we agree to processing being restricted, we will (with the exception of storage) not process your personal data without your consent, unless we have a legal basis for doing so. This could include, without limiting the right, the need to institute or defence a claim or we need to protect another individual's rights.
Right to data portability
You have the right to have information transferred to another entity. where this is technically possible.
We will provide your personal data to you in a structured, commonly used method.
Right to object
You have the right to object to the processing of your personal data for purposes of direct marketing or where we use 'legitimate interests' as the lawful purpose for processing.
We will record your request to stop processing your personal data for purposes of direct marketing. This may take 28 days to take effect after receiving your request.
We will stop processing your personal data where we rely on 'legitimate interests' as the lawful basis for processing unless we believe that have a legitimate overriding reason to continue processing, or we need to defence any legal claims against us.
Right to withdraw consent
- Whenever you have given us your consent to use your personal data, you have the right to withdraw your consent.
We will: We will stop processing your personal data for the purpose that consent was given upon your consent being withdrawn.
Right to Erasure - you have the right to request that we delete the personal information we hold on you. You have the right to have your personal data deleted only in the following circumstances.
1. Where we no longer need your data for the purposes it was originally collected
2. Where you have withdrawn consent that you had previously given
3. Where you object to us processing your data and we have no overriding legal reason to continue processing it
4. Where the personal data has been unlawfully processed.
5. Where law requires us to delete the personal data
We will assess your request and confirm if your request can be actioned. We are not always obliged to erase personal data as legislation or contracts that we have entered into may place an obligation on us to retain personal data for a period of time.
Where we have been asked to erase your data but have obligation to keep it, we will:
• Inform you of the obligation
• At your request, supress your record to ensure that no further communications are sent to you.
Right to lodge a complain with a supervisory body e.g. the ICO in the UK or the Data commissioner in the Republic of Ireland
The contact details are as follows
• ICO - Information Commissioner Officer, Wycliffe House, Water Lane, Wimslow, Cheshire, SK9 5AF. TEL: 0303 123 1113. Email: firstname.lastname@example.org
•DPC - Data Protection Commissioner, Canal House, Station Road, Portarlington, Co. Laois, R32 AP23, Eire, Republic of Ireland.
In this Privacy Notice, we tell you about:
- Your rights and how to contact us so as to exercise these rights.
- The personal data that we collect, our uses of the data and the legal basis for processing.
- The recipients or categories of recipients to whom your personal data are disclosed.
- Where data is transferred to a third country or international organisations, the safeguards that we rely, in the absence of the recipient country having received an adequacy decision.
- Information relating to the criteria used to determine how long personal data is retained.
Processing your personal data?
We collect your personal data in a number of ways:
Directly from you: In most instances, data is collected directly from you, usually via online services, email, phone or post.
From others: We can collect personal data from third parties, including your previous employer, agents appointed by Vision Express, HMRC, credit reference agencies, social media, regulatory bodies such as the GOC and medical or occupational health professionals, or from other parties in the event that we wish to verify any information that you have provided to us.
The personal data we collect includes any information that you or a third parties provides to us in relation to applying for a role within Vision Express, either permanently or on a temporary or contract basis. This information may include:
• Information collected for purposes of identifying who you are and your contact information. For example, we will process information relating to your name, address, contact information (telephone number, mobile number), national insurance number, email address;
• Information collected for purposes of assessing whether you are suitable for a role. This will include information that you may share with us, for example, information that you have included on your CV including your professional qualifications and memberships, details of current and previous employers, roles that you have held and work experience. It also may include information relating to your lifestyle including sport, culture or other hobbies that you enjoy.
• Special personal data that you have made available to us. For example, information relating to your medical or health status, your race or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, information relating to your sex life or sexual orientation, generic data or biometric data to be used for identification purposes.
• Information provided to us by third parties. For example, we will use third parties to verify your qualifications or your right to work in the country that you are working.
• Your marketing and communication preferences
• Your correspondence with us either in writing or by phone e.g. details of queries, complains, call recordings or notes taken during conversations, requests for access to information and other requests exercising your rights.
• Any other information you have voluntarily given us.
How and why do we use your personal data?
Your personal data is processed for the following reasons:
• To book, cancel or confirm interviews and appointment reminders
• To assess your suitability for employment whether on a permanent, temporary or contract basis
• To communicate with you, including for purposes of generating offer letters (if applicable)
• We may invite you to respond to surveys and provide us with feedback of your experience with engaging with us. Where you respond to a survey or provide feedback, we process your personal data to help us improve our services and the way that we work.
• To respond to complaints, queries and any claims made against us.
• For research and scientific reasons by us or third parties. Information provided to third parties will be anonymised
• To engage with you via our website. If you are just browsing, we will not collect information which will identify you, unless you provide this to us. We will process your personal data in order that you can create and manage information in the online account that you have created with us and for purposes of creating and administering your online account
• When browsing online, we will collect information using cookies or traffic data which uses IP addresses or other numeric identifiers, which analyse how people use our website. Please refer to our Cookies policy for more information
• We receive information on how you interact with our adverts and content on third-party websites and social media platforms (such as Google or Facebook) which we use to tailor the information that is displayed to you.
• We may need to provide your personal data to a regulator requesting information when they are carrying out their function as a regulator.
• We may provide your personal data to third parties (including data processors and other data controllers) for purposes of validating information that you have provided to us (for example your qualifications) or for ensuring that we meet our regulatory obligations. As an employer, we have a regulatory responsibility to ensure that you have a right to work and we will carry out checks before making an offer. We will ensure that we have the correct contractual terms signed with data processors as required by law.
Lawful purposes for processing your personal data
We need a lawful purpose to process your personal data, which are:
• To satisfy a legal obligation
For purposes of carrying out our obligations and exercising our rights as an employer, we are permitted or are required to process your personal data and special personal data. Special personal data, for example, may include information relating to your health, your race or ethnicity, trade union membership or religion or philosophical beliefs. Where the law requires us to carry out certain obligations that required the processing of your personal data, the lawful purpose for processing will be to satisfy the legal obligation.
• To meet our contractual obligations
We are required to fulfil our obligations in terms of an employment or other agreement that we may have with you.
• With your consent
In certain instances, we will rely on your consent to process your personal data. We will be able to prove that we have your consent. You will be able to withdraw your consent to the processing at any time after it has been given.
• Legitimate Interest
Our legitimate interests are derived from our role as an employer. When communicating with your and making appointments with you, or when asking that you respond to a questionnaire or survey, we rely on our legitimate interests to process your personal data. We will also rely on our legitimate interests to process your personal data should we continue to send you information about vacancies in our organisation.
Our legitimate interests are derived from our requirement to protect and grow our business, including our commercial and financial interests, as well as our desire to retain existing and attract new talent to our organisation.
WE will only process special personal data that you have supplied to us:
(i) For purposes of carrying out our obligations and exercising our rights as an employer;
(ii) you have consented to the processing;
(iii) processing is necessary in the public interest in the area of public health, subject to local laws and safeguarding measures (in particular professional secrecy) or
(iv) processing is necessary for archiving purposes in the public interest, scientific or historical research or statistical purposes, subject to local laws.
How long do we process personal data?
We will keep your personal data for as long as is reasonably required by an employer and in order to meet our regulatory obligations. We anonymise your personal data once we no longer need it.
When defining our retention periods, we consider the laws that regulate us as well as the uses of the information. We have developed and adopted a retention policy which stipulates how long data is kept for.
In this Privacy Notice, when we refer to ‘you, your’, we mean the person whose personal data we collect, use and process. This includes anyone who engages with us in connection with the products and services we provide or who interacts with us in another manner, for example, in store or by using our website at www.visionexpress.com or www.visionexpress.ie.
Transfer of personal data to third countries
Our main operations are based in the UK and your personal information is generally processed, stored and used within the UK and other countries within the European Economic Area (EEA). In certain instances, it may be necessary to transfer your personal information outside the EEA, for example, where out suppliers and partners provide maintenance support, or where Cloud Services or hosted technologies are situated outside of the EEA.
If the recipient of the personal data is situated in a third country that has not been approved as adequate by the relevant regulator, we will ensure that the required safeguards and level of security are implemented. For example, in the absence of any other safeguard, we may require that the applicable Standard Contractual Clauses are signed.
Subject access requests by third parties
Unless there is a lawful basis to do so, we will not provide your personal data to a third party unless we have your consent to do so. If you have authorised a third party to submit a request for the release of your personal data, they will be required to provide written proof of your consent or to provide a verifiable power of attorney. They will also be requested to provide documentation which identifies them. We require that the consent / power of attorney must:
(i) Be in writing;
(ii) Detail your name, address and date of birth;
(iii) Provide details of the personal data to be disclosed;
(iv) Provide details of the recipient, including contact details and confirmation of identity; and (v) Be signed and dated by you.
Public authorities requiring data under exemptions may request personal data without your consent. These requests must:
(i) Be in writing on an official letter head and must be signed;
(ii) Provide full details of the affiliation or organisation;
(iii) Provide full details of the requester, including name, rank or position as well as verifiable contact information;
(iv) Provide the name, address, date of birth of the data subject, and specify the information being requested;
(v) confirm the lawful basis for the request and the reason for the request (unless the requestor is not permitted to do so, being bound by confidentiality, professional secrecy or similar);
(vi) Must detail the format and means by which the response is to be communicated. All requests by authorities must be addressed to the Data Protection Officer. We are only able to comply with requests that relate to personal data held in accessible, structured filing systems for which we are the data controller.
Updates to our privacy statement
Last updated 25 February 2022. We may update this privacy statement from time to time. Any updates will take effect as soon as tey are posted on our website.
All of our rights are reserved