VSP Privacy Notice

Effective Aug, 2018

1. SCOPE OF THIS PRIVACY NOTICE

This website including the user portal (this “Site”) is operated by Vision Service Plan, a corporation registered in California whose principal place of business is at 3333 Quality Drive, Rancho Cordova, CA, 95670 (“Vision Service Plan”).

VSP Vision Care – UK LTD is a wholly owned subsidiary of Vision Service Plan through which it provides the vision benefit services in the UK, Ireland and France (and such other European countries VSP may elect from time to time) (the “Services”).

VSP Vision Care – UK LTD, is registered in the UK under company number 07000582 with its registered office at The Broadgate Tower, Third Floor, 20 Primrose Street, London, EC2A 2RS, United Kingdom and its principal place of business at The Dairy Stonor Estate Henley on Thames Oxon RG9 6HF, United Kingdom (“VSP UK”).

Vision Service Plan and VSP UK are hereinafter collectively referred to as the “Company”, “we” or “VSP”.

VSP’s mission is to help people see. In line with this philosophy, we also wish to be transparent to you about the way we process your personal data.

We respect your rights to privacy and to the protection of your personal data. The purpose of this Privacy Notice is to explain how we collect and use your personal data when you visit this Site or when we offer you the Services.

References to “you” and “your” in this Privacy Notice refer to the individual about whom VSP collects personal data (e.g. member, member’s dependent, eye-care professional or non-registered visitor).

When you interact with this Site or receive our Services, your personal data is processed as described in this Privacy Notice. When processing your personal data, both Vision Service Plan and VSP UK shall be regarded as the “data controllers” and your personal data shall be processed in accordance with Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the “General Data Protection Regulation” or “GDPR”).

VSP UK is regulated by the Information Commissioner’s Office or ICO (www.ico.org.uk) and registered under Z2027437.

More information on VSP UK is available at the ICO at https://ico.org.uk/ESDWebPages/Entry/Z2027437.

2. HOW WE OBTAIN YOUR PERSONAL DATA

(a) We may obtain your personal data from a variety of sources, including information you give to us, or that we gather or learn from how you use this Site or our Services and the technology you use (for example location data from an Internet Protocol (IP) address).

(b) We may also receive your personal data from third parties (including other VSP companies), third parties who provide services to you or us (for example the eye-care professional that submits the benefits claim to VSP on your behalf) or the bank(s) involved to reimburse the benefit claims.

(c) We also gather information from public sources, such as the press and online search engines.

3. TYPES OF PERSONAL DATA COLLECTED

(a) Personal Data You Provide To Us. When you wish to register an account on this Site or receive our Services, we may ask that you provide us with certain (sensitive) personal data to facilitate your use of the Site or our Services.

Members: We collect and process various categories of personal data you provide to us throughout your relationship with us, including basic personal data such as your name, personal or work-related email address, postal address, contact details, date of birth, gender, VSP user ID, employer’s name, benefit entitlements, bank account details, name and relationship of other persons with benefit entitlements such as your spouse, partner or children (“member dependents”). VSP may receive a part of this data directly from your employer upon enrolment to our Services.

Sensitive Personal Data. In those cases where you have obtained Services from an eye care professional that is not affiliated with VSP’s network of eye care professionals, you will have to submit your claim for reimbursement of the Services yourself using the member portal on this Site.

As a means for VSP to establish eligibility for reimbursement of such “out of network” claim, you will be required to upload the corresponding invoice that provides proof of receipt and payment of the Services as part of the claims submission.

This invoice may on occasion contain sensitive personal data concerning your or your dependent’s health such as your eye care diagnosis, details about the treatment received and/or details about the services or products purchased.

Where you have elected to obtain Services from an eye care professional that is affiliated to VSP, your eye care professional will submit such “in-network claim” with VSP on your behalf.

As we have other means of establishing eligibility of in-network claims, we do not require receipt of a corresponding invoice and we therefore do not process any health-related data as may be the case for out of network claims.

Your personal data shall not be processed in any way other than as described in this Privacy Notice. In some cases, though, VSP may be obligated to disclose your personal data as described in 5(v) (“Required Disclosures”).

Unless you are a registered member (or a member dependent) receiving the Services, VSP does not process any sensitive data about you.

Please note that some information we ask you to provide is identified as mandatory, and some as voluntary.

If you do not agree with us processing your personal data – including providing us your explicit consent to process data concerning your health - as described in this Privacy Notice or otherwise choose not to provide us with the mandatory data, it may not be possible for us to continue to operate your account and/or provide the Services to you.

Eye-Care Professionals: Personal data we collect about you may include your name, practice name, business address and contact information (incl. email address), professional details such as your certification/qualification, VSP user ID, bank account details, billing information, details of the services and products you provided to our members and foreign language capability (if applicable).

Non-Registered Users and Visitors: Any visitor of our Site can access the publicly available areas of our Site without the need to login or provide any personal data. Some features may allow us to collect personal data relating to your use of the Site (see “Cookies and other Technologies”) and information provided by you in comments and feedback regarding the Site. If you want to access the restricted non-public area of the Site, you will also be required to create a username and password to establish an account.

(b) Cookies and other Technologies. In addition to the information you provide to us, we and our service providers may use cookies, web beacons – also referred to as single-pixel gifs – and other technologies. Cookies are identifiers that the Site stores on your computer's hard drive or your mobile device to facilitate the interaction between your computer or mobile device and the Site. Our cookies mainly serve the purpose of making the Site run more smoothly and to maintain a secure online environment by tracking your access to and use of our Site, including recognizing log files, your VSP user ID and password, the domain from which you access the Site, the date and time you access the Site, what areas of the Site you access, the IP address, unique device identifier, and the type of device and/or web browser you use to access the Site. For more information on our use of cookies and how you can adjust your browser settings to disable our cookies, please read our Cookie Policy.

4. USE OF YOUR PERSONAL DATA BY VSP

We collect, use, store and share your personal data to facilitate your use of the Site and our Services and for the purposes more particularly described below:

  • User Registration and Account Management: To register your account and to authenticate you so that we know it is you and not someone else. To communicate with you about our services (for example, if you lose your VSP user ID or password), identity and credential management, verification and access control.

  • It is in our legitimate interest to use your personal data in this way to ensure that we provide the very best client service we can to you or others.

  • Member Service Delivery: Processing your personal data - including sensitive data concerning your or your dependent’s health - is necessary for us to perform our contractual obligations we have with you when providing you the Services, including allowing you to operate your online account to manage, administer, coordinate and review the enrolment and provision of your entitlements under the Services, verify your eligibility and coverage, process, administer your claims or to receive payments associated with a claim and to respond to your inquiries and requests or complaints.

  • Any data concerning your or your dependent’s health is processed for the purpose of performing our contractual obligations to you (to assess eligibility of your claim and reimbursement of covered Services).

  • Eye-Care Professionals Service Delivery: To manage, administer, coordinate and review the provision of our member’s entitlements and related services and to process and administer claims you submit on our member’s behalf and to reimburse you in relation to covered services and/or products subject of such a claim. Further purposes may include quality assessment and improvement, performance evaluations and conducting claim- and payments audits and to review and resolve issues and complaints raised by you.

  • It is necessary for us to process your personal data in this way to perform our obligations in accordance with any contract that we may have with you. It is in our legitimate interest to use your personal data in such a way to ensure that we provide the very best service we can to you or our members.

  • System and Network Security: It is in our legitimate interest to use your personal data to offer you the best service possible and to process it for system and network administration and security, including infrastructure monitoring, participate in cybersecurity, anti-fraud and anti-money laundering initiatives or programs, data de-identification and aggregation of de-identified data for data minimization and analysis of our Services, hosting, storage, and other processing needed for business continuity and disaster recovery, including making back-up and archive copies of personal data.

  • Improvement of our Services: It is in our legitimate interest to use your personal data to offer you the best service possible and to understand your preferences and expectations to help us improve or develop new products or services and the relevance of offers from VSP and that we continually develop and improve as an organization.

  • Marketing & Surveys: If you are an eye care provider affiliated with VSP or actively enrolled to receive our Services, it is in our legitimate interest to make use of your personal data that we collect for marketing purposes or to ask you to participate in surveys about our Services. We may for instance send you information about our Services that we feel might be of particular interest to you.
    • You can opt out from receiving future marketing messages or survey requests at any time by contacting us here or use the opt-out function in our messages you receive.

    • VSP will not share your personal data with third parties for their own marketing purposes without your permission.
  • Internal Business Processes and Management: We may incidentally process your personal data (including sensitive data concerning your or your dependent’s health) for the legitimate interest of internal business process execution and management functions including prevention and detection of fraud/attempted fraud, underwriting, (internal) auditing, record retention, legal, financial, accounting, fraud, risk assessment compliance and reporting.

5. SHARING WITH THIRD PARTIES

  • Third Party Services: For any of the purposes listed in paragraph 4, we sometimes hire or partner with other companies to provide part of the Services on our behalf. We will only provide those companies with your personal data that they need to perform their obligations to us. We shall require them to process your personal data in strict accordance with our instructions and implement adequate technical and organizational security measures to prevent unauthorized access to or disclosure of your personal data.

  • Affiliate Sharing: Subject to the terms of this Privacy Notice, in the normal course of performing our Services, for the day to day running of our business, to manage the security of our properties and to protect our business and as otherwise permitted by applicable law, we may share your personal data with any of our affiliates or subsidiaries.

  • Sharing of De-Identified Personal Data: Personal data that is collected by VSP may be shared in a de-identified and/or aggregated format as part of statistics before being disclosed to such third parties.

  • Other Sharing: Where required for a sale, reorganisation, transfer, financial arrangement, sub-participation, asset disposal or other transaction relating to VSP’s business, your personal data may also be disclosed to third parties.

  • Required Disclosures: We reserve the right to disclose your personal data, without notice, if required to do so by law or in the good faith belief that such action is necessary to: (1) comply with laws, legal process, or government or regulatory requests; (2) protect and defend our rights, property or business and, (3) protect the safety and security of our users, this Site, or the public.

Except as mentioned above, we will not sell, distribute or lease your personal data to third parties.

6. TRANSFER OF YOUR INFORMATION OUTSIDE THE EEA

Because VSP UK is a wholly-owned subsidiary company of Vision Service Plan, a US corporation that operates the Site and ancillary IT systems in the US, your personal data will be processed for the purposes set out in this Privacy Notice, transferred to and stored by Vision Service Plan in the United States. It may be accessed and processed by VSP staff in the United States. The United States has not sought nor received a finding of “adequacy” from the European Union. For the transfer of personal data between VSP UK and Vision Service Plan, we rely on standard data protection clauses (“model clauses”) adopted by the European Commission. In addition, in those cases where we collect and transfer personal data from you that are not covered by the aforementioned model clauses, VSP relies on derogations for specific situations as set forth in Article 49 of the GDPR, such as (i) VSP’s obligation to perform a contract with you or to allow you the benefit of the Services; (ii) to fulfill a compelling legitimate interest of VSP in a manner that does not outweigh your rights and freedoms; or (iii) the establishment, exercise or defence of legal claims. Should you wish to obtain a copy of the model clauses, you may contact us at gdpr@vsp.com.

7. STORAGE AND CONTROL OF YOUR PERSONAL INFORMATION

In the course of providing the Services, we create records including your personal data that can be held on a variety of media (physical or electronic). Records help us serve you well, to demonstrate that we are meeting our obligations and to keep as evidence of our business activities.

In the normal course of business, we retain your personal data for up to ten years after your relationship ends with us, unless we have an obligation to keep it longer (for example due to a court order or investigation by law enforcement agencies or regulators).

8. CORRECTION, UPDATE, OBJECTION AND DELETION OF PERSONAL DATA

You have certain legal rights to control your personal data and the manner in which we process it. These rights include the possibility to request us to give you access to all personal data we have about you, request us to correct inaccurate or update incomplete information, object to or restrict the processing on legitimate grounds, withdraw your consent for certain processing at any time where previously we have asked for your permission or to delete the data we have about you if one of the grounds of article 17 GDPR applies, specifically where the personal data we have about you is no longer necessary in relation to the purposes for which they were collected by us or where you withdraw your previously granted consent and there is no other legal ground to process your personal data.

Please send your request to gdpr@vsp.com and we will use reasonable efforts to respond to you in a timely manner.

To process such a request, we may ask you to verify your identity and cooperate with us in our effort.

9. SECURITY OF INFORMATION

We are committed to ensuring that your personal data is secure. In order to prevent unauthorised access or disclosure, we have put in place appropriate technical, physical and managerial procedures to safeguard and secure the information we collect about you. Access by you to your personal data is available through the Site after you provide your unique VSP Login ID (username and password) selected by you. We recommend that you do not divulge your password to anyone. We employ internal policies pursuant to which only selected individuals have access to your personal data.

10. THIRD-PARTY WEBSITES

This Privacy Notice only applies to this Site provided by the Company, and does not apply to any third parties or their products, services or websites. If other websites are accessible through our Site, they will have their own privacy policies and practices, and the use of any personal data provided by you to such a third party will be governed by that party’s privacy policy. Please consult each website's privacy policy. We are not responsible for the policies or practices of third parties, and we do not control, operate, or endorse any information, products, or services of any third-party or third-party web sites that may be accessed through links from this Site.

11. CHILDREN’S PRIVACY

You must be at least 18 years old to access and use this Site. We shall not knowingly collect personal data from visitors that are under 18 years of age, unless parental consent has been given.

12. CHANGES TO THIS PRIVACY NOTICE

We may change this Privacy Notice from time to time, and if we do we’ll post any changes on this Site. If you continue to use the Site after those changes are in effect, you agree to the revised Privacy Notice, provided, that we will not retroactively change how we handle your personal data without your consent. If the changes are significant, we may provide more prominent notice or get your consent as required by law.

13. CONTACT INFORMATION

If you are concerned that we have breached a privacy law or code binding on us, please contact us at gdpr@vsp.com or send your concern by regular mail to VSP’s registered address at:

VSP Vision Care – UK LTD
Attn: Data Protection Officer
The Broadgate Tower Third Floor
20 Primrose Street
London EC2A 2RS

Our Data Protection Officer or a designated representative will manage your complaint and will give you additional information about how it will be handled.

We hope that we can address any concerns you may have, but you can always contact the Information Commissioner's Office (ICO) or the local Supervisory Authority in the country you live in. For information on contacting the ICO please see their website (www.ico.org.uk).