PRIVACY NOTICE

BACKGROUND

Infinity Eye Clinic understands that your privacy is important to you and that you care about how your personal data is used. We respect and value the privacy of everyone and will only use personal data in ways that are described here and in a way that is consistent with our obligations and your rights under the law.

This privacy notice lets you know what happens to any personal data that you give to us, or any that we may collect from or about you. It applies to all products and services, and cases/examples where we collect your personal data.

1. Information About Us

Infinity Eye Clinic Ltd, registered in England & Wales under company number 9234840, whose registered address is 5th Floor, 30-31 Furnival Street, London, EC4A 1JQ
Main trading address: Infinity Eye Clinic, 10 Harley Street, London, W1G 9PF
Email address: info@infinityeyeclinic.com
Telephone number: 0800 880 3300
Postal Address: Infinity Eye Clinic, 10 Harley Street, London, W1G 9PF

We are regulated by the Data Protection Act 2018 (the “DPA”) and General Data Protection Regulation (EU Regulation 2016/679) (the “GDPR”). We are a data controller of your personal data.

2. What Does This Notice Cover?

This Privacy Information explains how we use your personal data: how it is collected, how it is held, and how it is processed. It also explains your rights under the law relating to your personal data.

3. What is Personal Data?

Personal data is defined by the General Data Protection Regulation (EU Regulation 2016/679) (the “GDPR”) as ‘any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier’.

Personal data is, in simpler terms, any information about you that enables you to be identified. Personal data covers obvious information such as your name and contact details, but it also covers less obvious information such as identification numbers, electronic location data, and other online identifiers.

The personal data that we use is set out in Part 5, below.

4. What Are My Rights?

Under the DPA and GDPR, you have the following rights, which we will work to uphold. They don’t apply in all circumstances. If you wish to use any of them, we’ll explain at that time if they are engaged or not.

  1. The right to be informed about our collection and use of your personal data. This Privacy Notice should tell you everything you need to know, but you can always contact us to find out more or to ask any questions.
  2. The right to request access to the personal data we hold about you.
  3. The right to have your personal data rectified if any of your personal data held by us is inaccurate or incomplete. Please contact us to find out more.
  4. The right to be forgotten, i.e. the right to ask us to delete or otherwise dispose of any of your personal data that we have. Please contact us to find out more.
  5. The right to restrict (i.e. prevent) the processing of your personal data.
  6. The right to object to us using your personal data for a particular purpose or purposes, in particular to data processed for direct marketing purposes and to data processed for certain reasons based on our legitimate interests. You can stop our marketing at any time by contacting us using the details below or by following the instructions in the communication.
  7. The right to data portability. This means that, if you have provided personal data to us directly, we are using it with your consent or for the performance of a contract and that data is processed using automated means, you can ask us for a copy of that personal data to re-use with another service or business in many cases.
  8. Rights relating to automated decision-making and profiling.

For more information about our use of your personal data or to exercise your rights as outlined above, please contact us using the details provided.

Further information about your rights can also be obtained from the Information Commissioner’s Office or your local Citizens Advice Bureau.

If you have any cause for complaint about our use of your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office which enforces data protection laws – https://ico.org.uk/

5. What Personal Data Do You Collect?

We process personal information about our:

  • patients
  • customers and clients
  • staff
  • suppliers
  • business contacts
  • professional advisers

We may collect some or all of the following personal data, if relevant:

  • Personal and contact details, such as title, full name, contact details (including address, email address and telephone number), and contact details history
  • Your date of birth, gender and/or age
  • Your nationality, if needed
  • Family members
  • Records of your contact with us such as via our phone number and, if you get in touch with us online using our online services or smartphone apps, details such as your mobile phone location data, IP address and MAC address
  • Products and services you hold with us, as well as those you have been interested in or have held, and the associated payment methods used
  • The usage of our products and services
  • Marketing to you and analysing data, including history of those communications, whether you open them or click on links, and information about products or services we think you may be interested in, and analysing data to help target offers to you that we think are of interest or relevance to you
  • Information about your use of products or services held with our business partners
  • Information we obtained from third parties
  • Personal information which we obtain from Credit Reference Agencies and Fraud Prevention Agencies, including public and shared credit history, financial situation and financial history
  • Fraud, debt and theft information, including details of money you owe, suspected instances of fraud or theft, and details of any devices used for fraud
  • Criminal records information, including offences and alleged offences
  • Information about your health, including physical or mental health details, and information about sexual life
  • Financial details about you
  • Information about your employment status, profession, professional registration status, and trade union membership
  • Your residency and/or citizenship status, if relevant, such as your nationality, your length of residence in the UK and/or whether you have the permanent right to reside in the UK
  • Your marital status, family, lifestyle or social circumstances
  • Your racial or ethnic origin
  • Your religious or other beliefs of a similar nature
  • Information we buy or rent from third parties, including demographic information, marketing lists, publicly available information, and information to help improve the relevance of our products and services
  • Insights about you and our customers gained from analysis or profiling of customers
  • Information about any guarantor or insurance details, where relevant
  • Third party transactions; such as where a person other than you uses the service, information about that person and the transaction
  • Tax information, if relevant

6. What is the Source of My Personal Data?

We’ll collect personal information from the following general sources:

  • From you directly, and any information from family members, associates or beneficiaries of products and services
  • Information generated about you when you use our products and services
  • From a broker or other intermediary who we work with to provide products or services or quote to you
  • Business partners, account beneficiaries or others who are a part of providing your products and services or operating our business
  • From other sources such as Fraud Prevention Agencies, Credit Reference Agencies, HMRC, DWP, publicly available directories and information, debt recovery and/or tracing agents, other organisations to assist in prevention and detection of crime, police and law enforcement agencies; and
  • We buy or rent information about you or customers generally from third parties, including demographic information, fraud information, marketing lists, publicly available information, and other information to help improve our products and services or our business

7. What are the legal grounds for processing My Personal Data?

Under the DPA and GDPR, we must always have a lawful basis for using personal data. This may be because the data is necessary for our performance of a contract with you, because you have consented to our use of your personal data, or because it is in our legitimate business interests to use it.

We rely on the following legal bases to use your personal data:

1  Where it is needed to provide you with our products or services, such as:

  • Managing products and services you hold with us, or an application for one
  • Updating your records, tracing your whereabouts to contact you about your account and doing this for recovering debt
  • Sharing your personal information with business partners and services providers when you apply for a product
  • All stages and activities relevant to managing the product or service including enquiry, application, administration and management of accounts, illustrations, setting up/changing/removing guarantors

2  Where it is in our legitimate interests to do so, such as:

  • Managing your products and services relating to that, updating your records, tracing your whereabouts to contact you about your account and doing this for recovering debt
  • To perform, and test the performance of, our products, services and internal processes
  • To follow guidance and recommended best practice of government and regulatory bodies
  • For management and audit of our business operations including accounting
  • To carry out searches at Credit Reference Agencies
  • To carry out monitoring and to keep records of our communications with you and our staff
  • To administer our good governance requirements, such as internal reporting and compliance obligations
  • For market research and analysis and developing statistics
  • For direct marketing communications and related profiling to help us to offer you relevant products and services. We’ll send marketing to you by SMS (text message), MMS (multimedia message), email, phone, post, social media and digital channels.
  • Subject to the appropriate controls, to provide insight and analysis of our customers to business partners either as part of providing products or services, helping us to improve products or services, or to assess or to improve the operating of our businesses
  • When we share your personal information with these other people or organisations other than for providing products and services to you, as necessary for running our business or to comply with legal or regulatory obligations

3  To comply with our legal obligations

4  With your consent

  • For some direct marketing communications
  • For some of our processing of special categories of personal data such as about your health or some criminal records information

Where we’re relying upon your consent to process personal data, you can withdraw this at any time by contacting us.

8. How Do You Use My Personal Data?

Your personal data will be used for the following purposes:

  • Supplying our products and services to you
  • Managing any aspect of the product or service.
  • Updating your records, tracing your whereabouts, and recovering debt
  • Testing the performance of our products, services and internal processes
  • Improving the operation of our business and that of our business partners.
  • To follow guidance and best practice under changes to rules of governmental and regulatory bodies
  • For management and auditing of our business operations including accounting
  • To carry out checks at Credit Reference and Fraud Prevention Agencies
  • To monitor and keep records of our communications with you and our staff.
  • To administer our good governance requirements, such as internal reporting and compliance obligations
  • For market research and analysis and developing statistics
  • For direct marketing communications and related profiling to help us to offer you relevant products and services. We’ll send marketing to you by SMS (text message), MMS (multimedia message), email, phone, post, social media and digital channels. Offers may relate to any of our products and services as well as to any other offers and advice we think may be of interest.
  • To provide personalised content and services to you, such as tailoring our products and services, our digital customer experience and offerings, and deciding which offers or promotions to show you on our digital channels.
  • Communicating with you. This may include responding to emails or calls from you.
  • Supplying you with information by email or post that you have opted-in to by agreeing to our Terms and Conditions of service (you may unsubscribe or opt-out at any time by contacting us directly).
  • With your permission and/or where permitted by law, we may also use your personal data for purposes relating only to our business, which may include contacting you by email, telephone or post with information or news.
  • You will not be sent any unlawful marketing or spam. We will always work to fully protect your rights and comply with our obligations under the DPA, GDPR and the Privacy and Electronic Communications (EC Directive) Regulations 2003, and you will always have the opportunity to opt out.
  • To develop new products and services and to review and improve current products and services
  • To comply with legal and regulatory obligations, requirements and guidance
  • To provide insight and analysis of our customers both for ourselves and for the benefit of business partners either as part of providing products or services, helping us improve products or services, or assess or improve the operating of our business
  • To share information, as needed, with business partners, account beneficiaries, service providers or as part of providing and administering our products and services or operating our business
  • To facilitate the sale of one or more parts of our business

9. How Long Will You Keep My Personal Data?

We will not keep your personal data for any longer than is necessary in light of the reason(s) for which it was first collected.

Unless we explain otherwise to you, we’ll hold your personal information based on the following criteria:

  • For as long as we have reasonable business needs, such as managing our relationship with you and managing our operations;
  • For as long as we provide products and/or services to you and then for as long as someone could bring a claim against us; and/or
  • Retention periods in line with legal and regulatory requirements or guidance.

10. How and Where Do You Store or Transfer My Personal Data?

We’re based in the UK, but sometimes your personal information may be transferred outside the European Economic Area. If we do so, we’ll make sure that suitable safeguards are in place, for example by using approved contractual agreements.

We have appropriate security measures in place to protect against the loss, misuse or alteration of information that we have collected from you. Some or all of your personal data may be stored electronically.

We use unencrypted emails to send confirmations and information regarding your forthcoming appointments. For other email correspondence, we may use unencrypted or encrypted messages. We cannot guarantee the security of information transmitted over the internet. Please do not provide us with your email address if you do not wish to receive correspondence by email.

11. Do You Share My Personal Data?

We will not share any of your personal data with any third parties for any purposes except under the following limited circumstances.

  1. We may be legally required to share certain personal data, which might include yours, if we are involved in legal proceedings or complying with legal obligations, a court order, or the instructions of a government authority.
  2. We may contract with third parties to supply services on our behalf. These may include payment processing, delivery, and marketing. In some cases, those third parties may require access to some of your personal data that we hold. We may disclose information to others, including debt collection agencies, for the purposes of recovering any unpaid debts or preventing fraudulent or improper activity.
  3. Where necessary or required we share information with healthcare professionals; social and welfare organisations; central government; business associates; family, associates and representatives of the person whose personal data we are processing; financial organisations; current, past and prospective employers; employment agencies and examining bodies. We may disclose your medical information to those involved with your treatment or care, or their agents, and, if applicable, to any person or organisation who may be responsible for meeting your treatment expenses, or their agents. We may share your medical information with others not involved in your treatment or care in the course of investigating or responding to any complaint. We are regulated by the Care Quality Commission, which may access care records and other personal data as part of its regulatory activity and in accordance with its own privacy statement.
  4. If any of your personal data is required by a third party, as described above, we will take steps to ensure that your personal data is handled safely, securely and in accordance with your rights, our obligations, and the third party’s obligations under the law, as described above in Part 10.
  5. If any personal data is transferred outside of the UK or EEA, we will take suitable steps in order to ensure that your personal data is treated just as safely and securely as it would be within the UK and under the DPA and GDPR, as explained above in Part 10.

12. How Can I Access My Personal Data?

  1. If you want to know what personal data we have about you, you can ask us for details of that personal data and for a copy of it (where any such personal data is held). This is known as a “subject access request”.
  2. All subject access requests should be made in writing and sent to the email or postal addresses shown.
  3. In most cases there is no charge for a subject access request. If your request is ‘manifestly unfounded or excessive’ (for example, if you make repetitive requests) we may not comply with your request or will charge fees to cover our administrative costs in responding. We also charge administrative fees if you request further copies of your data following a request. We will inform you promptly if we require a fee before complying with your request.
  4. We will respond to your subject access request within one month of receiving it or (if later) within one month of receipt of: information required to confirm your identity; or a fee. Normally, we aim to provide a complete response, including a copy of your personal data within that time. In some cases, however, particularly if your request is more complex, more time may be required up to a maximum of three months from the date we receive your request. You will be kept fully informed of progress.

13. What should I do if my personal information changes?

You should tell us so we can update our records.

14. Do I have to provide personal information?

We’re unable to provide you with our products or services if you do not provide certain information to us. In cases where providing some personal information is optional, we’ll make this clear.

15. Is there any monitoring involving processing of my personal information?

In this section, monitoring means any: listening to, recording of, viewing of, intercepting of, or taking and keeping records (as the case may be) of calls, email, text messages, social media messages, in person face to face meetings and other communications.

We may monitor where permitted by law and we’ll do this where the law requires it, or to comply with regulatory rules, to prevent or detect crime, in the interests of protecting the security of our communications systems and procedures, and for quality control and staff training purposes. This information may be shared for the purpose described above.

16. How Do I Contact You?

To contact us about anything to do with your personal data and data protection, including to make a subject access request, please use the following details (for the attention of Kuang Hu, Registered Manager):

Email address: info@infinityeyeclinic.com
Telephone number: 0800 880 3300

Postal Address: Infinity Eye Clinic, 10 Harley Street, London, W1G 9PF

17. Changes to this Privacy Notice

We may change this Privacy Notice from time to time. This may be necessary, for example, if the law changes, or if we change our business in a way that affects personal data protection.
Information relating to any changes will be made available via email, where possible. We encourage you to check this privacy notice for changes whenever you revisit our website.

Privacy Notice: Infinity Eye Clinic CCTV & surveillance systems

This privacy notice tells you what to expect when Infinity Eye Clinic Ltd (IEC) collects personal information about you, in this case, static or moving imagery and audio via CCTV or surveillance systems as you pass through the clinic. IEC is committed to protecting your personal information, safety and security when you use IEC services. We are legally obliged to use your information in line with all applicable laws concerning the protection of personal data, including the Data Protection Act 2018 (DPA) and General Data Protection Regulation (GDPR).

What information will we collect about you?

When you use IEC we may collect static or moving imagery and audio via CCTV or surveillance systems. IEC collects imagery and audio via CCTV cameras and surveillance devices located throughout the clinic, in both public and restricted access locations.

How will IEC use the information it collects about me?

IEC may use CCTV/surveillance imagery and audio for a number of purposes including but not limited to the following:

  • To maintain the safety and security of the clinic for our patients, colleagues and stakeholders
  • To support the effective management of the clinic operation and any incidents
  • For investigative purposes or as evidence to support any formal follow-up to clinic incidents
  • To provide evidence of regulatory compliance to Care Quality Commission
  • In response to a subject access request

The lawful justification for collecting and using CCTV/surveillance imagery and audio is that there are legitimate interests to do so. CCTV and surveillance imagery and audio may be handled and used by the following recipients to maintain a safe, secure and efficient clinic operation:

  • IEC personnel
  • Customer service personnel (third parties)
  • Other IEC service providers

We will keep your information within IEC and our trusted third parties except where disclosure is required by law, for example to government bodies, law enforcement agencies or in response to a subject access request. Your information may be processed outside of the UK for the purposes of system maintenance and support or for the purposes of international security and crime prevention.

How long will IEC keep my information?

Under normal circumstances your information could be retained for up to 30 calendar days after which point it will be deleted. Imagery required for investigative or evidential purposes may be retained beyond 30 days and is securely disposed of upon completion/conclusion of the purpose for which it has been retained.

Imagery is retained in a secure environment and is only accessible by authorised personnel who have a legitimate reason to do so.

What rights do I have over my personal data?

Under the DPA or GDPR, you will have the right to, where appropriate:

  • Access your personal data by making a subject access request
  • Rectification, erasure or restriction of your information
  • Object to the processing of your information

To contact us about anything to do with your personal data and data protection, including to make a subject access request, please use the following details (for the attention of Kuang Hu, Registered Manager):

Email address: info@infinityeyeclinic.com
Telephone number: 0800 880 3300

Postal Address: Infinity Eye Clinic, 10 Harley Street, London, W1G 9PF

Changes to this Privacy Notice

We may change this Privacy Notice from time to time. This may be necessary, for example, if the law changes, or if we change our business in a way that affects personal data protection. Information relating to any changes will be made available via email, where possible. We encourage you to check this privacy notice for changes whenever you revisit our website – https://www.infinityeyeclinic.com/privacy-policy/
