Worker Privacy Policy


Vision Express takes data protection seriously. We’re committed to safeguarding your privacy and keeping your personal information confidential and secure. We also want to be clear and transparent as to why and how we use your data.

Our privacy statement:

  • Explains what personal information we collect about you as an employee, potential employee, locum, temporary or contract worker at Vision Express.
  • Provides details of how we use and lawfully process your personal data.
  • Tells you how to contact us should you have a query or complaint, or wish to exercise your rights.

A different privacy notice may apply to other categories of personal data collected, for example, in relation to our customers. You’ll find those privacy notices for those services, including our cookies policy, at

Who is Vision Express?

Vision Express (UK) Limited (Registered in England and Wales No: 2189907), belongs to a group of companies, whose parent company, Grand Vision, is registered in the Netherlands. We also have companies registered in the Ireland and Jersey, with a corporate head office in Nottingham, UK.

This notice applies to Vision Express (UK), all of its subsidiaries and their subsidiaries, including joint ventures and all registered with the Information Commissioner’s Office (ICO) as data controllers. The notice also applies to Vision Express (Ireland) Limited, its subsidiaries, and joint ventures to which Vision Express (Ireland) is a party, and who are registered with the Irish Data Protection Commission as data controllers.

We have appointed a Data Protection Officer who can be contacted at:

How to contact us

If you have any questions about how we use your personal data that are not answered here, or if you want to exercise your rights regarding your personal data, please contact us as follows:

For logging requests or complaints


To contact our Data Protection Officer:


Tel: 08000 382 177

You can also write to us our Data Protection Officer at HR Support Services, Vision Express (UK) Limited, Ruddington Fields Business Park, Mere Way, Ruddington, Nottingham NG11 6NZ.

What are your rights regarding your personal data?

Your rights:

We will:

Right of access

You can request access to the personal data that we hold on you, or another person. This is called a Subject Access Request.

You can also consent to us making your personal data available to a third party.

For more information on giving consent to a third party or family member, please see the ‘Subject access requests by third parties’ section below.


We will make your information available to you within the recommended timeframe once we’ve confirmed your identity.

We may provide your personal data to a third party if we are happy that the information has been lawfully requested.

We may withhold information, where allowed, under Data Protection legislation, or where it relates to anyone else. We may also ask you to contribute to the costs of providing the information if your request is excessive or unreasonable, or if you require further copies of your data.

Right of rectification

You can request to have inaccurate information we hold about you corrected.


As soon as you contact us, we will update and correct your information.

Right to restrict processing

In certain instances, you can request that we stop processing your information, eg, where you believe the information is inaccurate or you believe there is no legal reason for us to continue to process your data.


We will (with the exception of storage) not process your personal data without your consent, unless we have a legal reason to do so, we need to defend any legal claims against us or we need to protect another individual’s rights.

Right to data portability

You have the right to have your information transferred to another entity, where this is technically possible.


We’ll provide your personal data to you in a structured, commonly-used and machine readable format. Please note this right only applies to data that is processed by automated means.

Right to object

You may object to the processing of your personal data where we use ‘legitimate interests’ as the lawful basis for processing.

You also have the right to object to the processing of your personal data for purposes of direct marketing.


We’ll stop processing your personal data unless we believe we have a legitimate, overriding reason to continue processing your personal data, or we need to defend any legal claims against us.

We’ll record your request and will ensure that no further marketing communications are sent to you. This may take 28 days to take effect from receiving your request.

Right to withdraw consent

Whenever you have given us your consent to use your personal data, you have the right to change your mind at any time and withdraw that consent.


We’ll stop processing your personal data for the purpose for which the consent was given. The lawfulness of processing based on consent before its withdrawal will not be affected.

Right to erasure

You have the right to request that we delete the personal information we hold on you.


We’ll assess your request and respond to confirm if your request has been actioned or declined, with reasons if your request is declined.

Subject access requests by third parties

We may provide your personal data to a third party if the information has been lawfully requested or you have consented to the release of your data to a third party.

If you’ve authorised a third party to submit a request for the release of your personal data, then we’ll ask them for written proof of your consent or to provide a verifiable power of attorney.

Consent/power of attorney must:

  • Be in writing.
  • Provide your name, address and date of birth.
  • Provide details of the personal data to be disclosed.
  • Provide details of the recipient, including contact details and confirmation of identity.
  • Be signed and dated by you.

You also have the right to lodge a complaint with a supervisory body, eg the Information Commissioner’s Office: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.

Tel: 0303 123 1113


The lawful basis for processing your personal data

Vision Express processes personal data for the following lawful purposes:

  • Where we are required to by law – for example, to pay your tax and National Insurance contributions or to verify that you are entitled to work in the UK.
  • Processing is necessary to perform a contract, for example. When we enter into an employment contract with you, we are obliged to pay you for the hours that you’ve worked and to meet the other contractual terms of the agreement.
  • In terms of the legitimate interests of Vision Express, for example, when we ask our employees to complete surveys or give us feedback.
  • With your consent or where processing is necessary to ensure that your vital interests are protected. For example, if you are so ill that you are unable to provide a medical practitioner with vital information in relation to you and your health or medical status.

How we use your personal data

As an employer of individuals on a temporary, permanent or contract basis, Vision Express process personal data to:

  • Fulfil our regulatory obligations, eg to pay tax and National Insurance to HMRC and verify that you have the right to work in the UK.
  • Assess your suitability for employment.
  • Make employee benefits available to you, such as pension fund, life cover etc.
  • Fulfil our contractual obligations, eg to calculate your remuneration and annual/sick leave.
  • Carry out security and other employment vetting, including credit checks, criminal checks and qualifications.
  • Book, cancel and confirm interviews and send appointment reminders.
  • Book local and international travel, including flights, trains, drivers, accommodation, car hire and leases.
  • Assess and processing expense claims.
  • Communicate with you or your next of kin in emergency situations.
  • Understand responses to questionnaires and surveys.
  • Make reasonable adjustments, or consider whether we need to do so, if we hold data about a disability or potential disability.
  • Monitor the use of company assets, including email, internets and company equipment.
  • Monitor your compliance with company policies, such as policies relating to data protection, company information and security.
  • Provide references to future employers.
  • Assist with internal investigations or disciplinary and grievance proceedings.

We may also process your personal data to:

  • Respond to your complaints or queries.
  • Dealing with any claims made against us.
  • Let you know about changes to employee benefits or terms and conditions of employment.
  • Respond to requests from third parties, including credit reference agencies, HMRC, suppliers of employee benefits, regulatory bodies such as the GOC, your previous employers and other vetting agencies.
  • Assist with research, analysis and planning.
  • Carry out employee satisfaction surveys.
  • Prevent and detect crime.
  • Keep to laws or regulations which apply to us, including preventing or detecting when we fail to do so.
  • Maintain records for audit, accounting and tax purposes.
  • Booking and monitor your training activities.
  • Defend any claims or actions and other corporate purposes.
  • Manage and deal with insurance claims.
  • Prevent and detect fraud.
  • Ensure the health and safety of members of the public, our staff and our customers.
  • Meet corporate requirements, including mergers and acquisitions.

We may combine data captured in our business such as gender, geographical location and salary details. We do so thoughtfully and always with the intention to cause as little intrusion as possible. We’ll do this on the basis our legitimate business interest.

Details of the personal data that we collect

The personal data we collect could include your work history, qualifications, salary and benefits, health information, criminal convictions, your dependents and next of kin.

Your personal data may be collected in a number of ways:

From you

In most instances, data is collected directly from you, usually via online services, email, phone or post.

From others

We can collect personal data from third parties, including your previous employer, agents appointed by Vision Express, HMRC, credit reference agencies, social media, regulatory bodies such as the GOC and medical or occupational health professionals.

From devices

Information about you and the devices you use to access our website is collected. We do this by using technologies like cookies. See our Cookie Policy.

The data we collect includes:

  • Personal information about you, for example, your name, contact information, gender, age, date of birth, National Insurance number, a copy of your passport and, if applicable, work permits and visas.
  • Your thoughts and opinions, for example, your feedback to our surveys and questionnaires.
  • Personal information about others, for example, your family history, your next of kin and the contact numbers of family or friends that you give to us.
  • Information relating to your employment, such as your salary, working hours, bank details, tax code, pension details, membership of professional and regulatory bodies, your CV and application form, references, training records and records of any formal or informal procedures, such as disciplinary and grievances.
  • Special personal data concerning health, sick leave and reasons for sick leave, maternity leave and benefits and other information that we may be supplied by health or medical practitioners.
  • Information that you provide relating to your lifestyle, interests and hobbies, and your previous employment information.
  • Information taken from our website, including device information, demographic information and interests (please see our Cookie Policy for more information).
  • Other personal data including images and recordings collected via CCTV in our offices and stores.

The lawful bases for processing data

The lawful bases for processing your personal data are:

Regulatory compliance

As an employer, we are required to process your personal data to comply with various legal obligations. These may relate to taxation, the right to work in the UK, statutory sick pay, pension schemes, holiday pay and maternity and paternity pay.

We may also be required to provide information to regulators investigating complaints or allegations made against us and to customers or third parties making a subject access request.

Contractual obligations

We are required to fulfil our obligations in terms of the employment or services agreement that we have with you. We therefore process personal data about you, such as your bank account details.

Legitimate Interest

Our legitimate interests are derived from our role as an employer. We also rely on legitimate interests to receive references about you, to keep records of training you’ve received, to record CCTV footage, to collect your opinions and any other data you may provide to us about your interests, to collect data from our website through Cookies and to refer you to occupational health.


We may require consent from you in order to process your personal data for a few, specific and limited reasons, listed below. Where you have previously consented to the processing of your personal data for a specific reason, you are permitted to withdraw your consent at any time.

  • Sending you marketing communications using electronic means.
  • The release of your personal data to a third party who does not have a statutory right to receive the information.
  • The release of your personal data to a third person, including another family member or a prospective employer.
  • Recording information relating to equal opportunities monitoring.

Protecting the vital interests of data subject

In certain circumstances, we may be required to provide your personal data to another a third party, for example, in the event of you falling very ill and being unable to give us consent.

How long do we keep data?

Whenever we collect or process data we only keep it for as long as is required by law, or by a directive or a guidelines issued by an industry body, for example, tax laws stipulate that certain categories of information must be kept for at least six years.

At the end of the retention period, your data will be either deleted or taken out of use, anonymised or pseudomised.

With who do we share your personal data?

We do not sell your personal data, and do not provide personal data to list providers for the purposes of marketing.

We may also share your personal data with individuals who have a power of attorney, signed by you, to receive the information or with your consent.

We may also share your personal data within our group of companies and trusted third parties. Our company policy requires that, where possible, we have a written contract in place with those third parties to whom we make your personal data available.

Examples of third party companies we work with in the provision of services to you on our behalf include:

  • External third parties like credit reference agencies for the purpose of obtaining an up-to-date credit report.
  • IT and data companies who help support our websites and other business systems.
  • Providers of products or services, such as employee benefits, pension funds, private medical cover, travel and car hire and leasing.
  • Public bodies like the HMRC, the NHS and other public bodies.
  • Regulatory bodies, such as the GOC

Data will only be transferred with suitable controls and protection. We apply the strict information security policies and procedures required for bulk storage or the transfer of personal data in bulk.

Transfer of personal data to third countries

Your personal information may be transferred to companies situated outside of the UK or the European Economic Area (EEA). In these instances, we have put additional safeguards in place as required by data protection laws, which may include having contract terms agreed with the third party recipients.

We take reasonable steps to make sure your personal information is adequately secured, in line with the requirements of the relevant data protection authorities.

Updates to our privacy statement

We may update this privacy statement from time-to-time. Any updates will take effect as soon as they are posted on our website. If we make changes we think may affect you significantly, particularly if they could have an impact on the choices you have made about marketing, we’ll provide you with a prominent notice by the most appropriate medium, so you know about the changes before they happen.

The effective date of this notice is: 13 August 2019.