Definitions:

In this document ‘the Company’ means Eyeplan Ltd.

‘Services’ means all or any of the periodic goods and or fee collection schemes, care schemes, marketing, intellectual property, strategic business models and advice, product replacement schemes or such other business supporting schemes and packages produced by the Company from time to time.

‘Associates’ means those businesses or professional practices or organisations in contract with the Company for the provision some or all of its Services.

‘Members’ means those individuals who have provided their personal information to the Company or to the Company via the Associate for the purposes of joining care schemes and or other products managed by the Company.

‘Membership information’ is the personal information collected about Members that the Company uses to conduct is lawful business activities.

‘Associate information’ means information relating to the Company’s Associates.

‘Potential Associate information’ means information relating to those organisations that might become Associates.

‘GDPR’ means General Data Protection Regulation.

Section 1: General

1.1 Introduction

The Company collects and processes personal data to allow us to provide our Services and meet our contractual and legal obligations. The Company’s processes and storage methods are compliant with GDPR. There are a number of circumstances under which the Company collects personal data and these circumstances are dealt with in the individual sections of this privacy statement.

The paragraphs contained within this section of the privacy statement apply to all information held by the Company.

1.2 General Principles

All data processing is fair, lawful and transparent
Data is collected for specific, explicit, and legitimate purposes
The data collected is adequate, relevant and limited to what is necessary for the purposes of providing the contracted Services
Data is kept accurate and up to date. Data which is found to be inaccurate will be rectified or erased without delay
Data is not kept for longer than is necessary for its given purpose
Data is processed in a manner that ensures appropriate security of personal data including protection against unauthorised or unlawful processing, accidental loss, destruction or damage by using appropriate technical or organisational measures

1.3 The Company’s business

The Company’s business is to provide its Services to its Associates and Members.

1.4 Data obligations

As part of the Company’s business it has contractual obligations towards its Associates and Members to store personal information and communicate with them regarding collections arrangements. Similarly, there are legal and compliance obligations the Company has regarding how and when Associates and Members are communicated with.

The obligations and communication circumstances are dealt with in more detail in the relevant sections of this statement.

In meeting these obligations the Company acts as Data Controller.

1.5 Security

The Company will hold all personal data provided to it in a secure fashion.

Electronic records are stored within secure management software on Company owned secure servers. Individual devices (computers, laptops, tablets and phones) are password protected. Similarly accounts within the Company’s various management systems are secure and are password protected.

Paper records are kept within secure locked cabinets in locked rooms in an anonymous, secure and alarmed building. Only members of staff and escorted guests are permitted access to the Company offices.

1.6 Cyber Essentials

The Company’s electronic systems will carry Cyber Essentials certification once the process is complete.

1.7 Transparency and the ‘right to be forgotten’

People who have their information stored by the Company are entitled to view, amend or delete personal information held by the Company.

Under certain circumstances, particularly in light of financial obligations, the right to be forgotten does not apply. If a request for deletion is denied by the Company, the Company will inform the individual of the reasons why the request has been denied in writing within the time limit specified in the GDPR.

To amend or delete personal information email: info@eyeplan.co.uk

Or write to:

Eyeplan Ltd
The Old Surgery
St Chads Avenue
Midsomer Norton
BA3 2HG

For the attention of: The Data Manager

1.8 Training

All staff employed by the Company are trained in matters relating to data security, confidentiality and GDPR as well as the operation of the Company’s secure electronic systems.

1.9 Use and sharing

The Company only uses and shares personal information where it is necessary for the Company to carry out its lawful business activities.

The Company will not share personal information with other organisations (third parties) without the individual’s permission.

The exception to this statement is where the Company might have a legal obligation and contractual obligation to share information, such as the BACS organisation or when information is shared in pursuit of a legal claim. This may include but not be limited to legal advisors or debt collection agencies.

1.10 Opt in and opt out

The Company does not operate an opt in database for communications. The Company relies upon (variously) Legal Obligation, Contractual Obligation and Legitimate Interest as its authority to communicate. Where Legitimate Interest is stated as the authority, correspondents may ‘opt out’ from receiving further communications.

With regards specifically to the Membership information and Additional Communications to Members the Company will not maintain an opt in or opt out database; this will be the responsibility of the Associate. On receiving instructions from an Associate to communicate with Members the Company will confirm with the Associate the justification to make the communication.

1.11 Complaints

If an Associate or Member has a complaint about the way the Company handles their information then they may write to the Data Manager at this address:

Eyeplan Ltd
The Old Surgery
St Chads Avenue
Midsomer Norton
BA3 2HG

If a member or Associate thinks their data rights have been breached, they are able to raise a complaint with the Information Commissioner (ICO). You can contact the ICO at Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF or by telephone on 0303 123 1113 (local rate) or 01625 545 745.

1.12 Review

This privacy statement was last reviewed on 24/05/2018

Section 2: Membership Information

2.1 What information is collected and stored

The Company collects certain personal information in order for it to conduct its lawful business.

Information collected is:

Name and address, telephone and email details
Bank account information and/or other payment information
Contract information including payment instructions, payment amendments
Details of the organisation to which the member belongs

2.2 How the information is collected

Membership information is collected by Associates on behalf of the Company or by the Company either via paper forms or secure electronic systems.

2.3 What the information is used for

The information collected by the Company and on the Company’s behalf by Associates is used to manage financial collections (Membership fees and goods payments) on behalf of Associates and the Company. As part of the collection process some personal information is shared with the BACS organisation in order to effect the collection.

2.4 How we communicate

The Company will communicate with Members by post, email and by telephone. The basis on which the Company will communicate with Members is the contractual obligation that the Company has with its Associates and Members. There is a further legal obligation to make certain communications in order that the Company remains compliant with the various regulations that govern its business.

2.5 Additional communications

From time to time the Company will be asked by Associates to communicate with Members on matters other than their payments or Membership contracts. These matters might include invitations to events, gift raffles or seasonal promotions for example.

In such cases the Company will be acting on behalf of the Associate and under their instruction. The Company will assume that it is in the Associates’ legitimate interest to inform their Members of matters relating to their organisation.

2.6 Cookies

Cookies are used on the websites in accordance with the cookie control notice on the sites.

Section 3: Associate Information

3.1 What information is collected and stored

The Company collects and stores certain information in order for it to conduct its lawful business.

Information collected is:

Name and address, telephone and email details of individuals within the Associate organisation
Bank account and/or other payment information
Contract information including payment instructions, payment amendments
Records of communications and interactions between the Associate and the Company
Payment and invoice records

3.2 How the information is collected

Information is collected through:

The Associate Application Form
Records of conversations and interactions in the CRM system(s)
Meetings

3.3 What the information is used for

The information collected by the Company is used to manage financial collections and payments on behalf of Associates. In addition, the Company provides certain support services such as marketing advice and projects and information is used to support these.

3.4 How we communicate

The Company will communicate with Associates by post, email and by telephone and social media. The basis on which the Company will communicate with Associates is the contractual obligation that the Company has with its Associates. There is a further legitimate interest justification as there is an interest on the Company’s behalf to make Associates aware of new Services and developments within the Company.

3.5 Electronic and online systems

In addition to the information discussed above the Company also collects information in its online systems and website systems.

3.5.1 Online systems:

The Company’s online system consists of the ‘Express’ series of Membership management information interfaces. Information relating to Associates is limited to username and password and organisational configuration details needed to provide the contracted Service(s). Information collected and stored is used only for purposes of logging on, managing the security of the systems and in the provision of the contracted Service(s).

3.5.2 Websites:

The Company’s website holds password and log in details. These are stored and used only for this purpose.

3.5.3 Cookies

Cookies are used on the websites in accordance with the cookie control notice on the sites.

Section 4: Potential Associate Information

4.1 What information is collected and stored

The Company collects certain information in order for it to conduct its lawful business.

Information collected is:

Name and address, telephone and email details of individuals within the Potential Associate organisation
Records of communications and interactions between the Potential Associate and the Company

4.2 How the information is collected

Information is collected through:

Enquiry telephone calls and emails
Conversations at exhibitions and industry events
Records of conversations and interactions in the CRM system(s)
Meetings

4.3 What the information is used for

To communicate with those organisations who are considering using the Company’s Services
To inform and invite to conferences, exhibitions and events
To remind organisations of Eyeplan Services or inform of new Services

4.4 How we communicate

The Company will communicate with Associates by post, email and by telephone and social media.

The basis on which the Company will communicate with Members is the Legitimate Interest justification as there is an interest on the Company’s behalf to make potential Associates aware of new Services and developments within the Company.

4.5 Online systems

4.5.1 Websites:

The Company’s website holds password and log in details. These are stored and used only for this purpose.

4.5.2 Cookies

Cookies are used on the websites in accordance with the cookie control notice on the sites.

Section 5: The Accidental Damage Scheme (where offered)

5.1 What information is collected and stored

The Company collects certain information in order for it to conduct its lawful business in the operation of the Accidental Damage Scheme.

Information collected is:

Name and postcode of the Member entitled to Accidental Damage Cover
Associate practice with whom the Member is associated
Details of purchases made that are covered (within the rules of the scheme) by the Accidental Damage Scheme
Details of claims made

5.2 How the information is collected

Information is collected through the completion of the Accidental Damage Certificate for each purchase.

5.3 What the information is used for

To store purchase information in order to operate the Accidental Damage Scheme within its rules
To administer claims under the Accidental Damage Scheme

5.4 How we communicate

The Company will communicate with Associates and Members regarding the scheme by post, email and by telephone. The basis on which the Company will communicate with Members is the Contractual Obligation to the Member and the Associate.

Section 6: Processing Data for Third Parties

6.1 What information is collected and stored

The Company from time to time accepts personal data from Associates for processing.

Examples of this activity include:

Name and Address information for mailings
Email addresses for email campaigns
Names and other details for name badges for events
Other similar activities

6.2 How the information is collected

Information is collected by the Associate and is transferred securely to the Company for processing.

6.3 How the information is used

The Company will process the data as instructed by the Associate.

6.4 Authority under GDPR

Under the circumstances the Company is acting as Data Processor. The GDPR authority under which the data is being processed is the responsibility of the Associate.

6.5 Deletion

On completion of the task the Company will delete all copies of the data.