Effective 14th May, 2018

VSP Privacy Notice

1. SCOPE OF THIS PRIVACY NOTICE

This website including the user portal (the "Site") is operated by Vision Service Plan, a not-for-profit corporation registered in California whose principal place of business is at 3333 Quality Drive, Rancho Cordova, CA, 95670 ("Vision Service Plan").

VSP Vision Care - UK LTD and VSP Asia Private Ltd. are both wholly owned subsidiaries of Vision Service Plan through which it provides the Global Access Plan services in Europe and the European Economic Area ("EEA"), and in Hong Kong, Singapore and other countries in the Asia-Pacific, respectively.

VSP Vision Care - UK LTD is registered in the UK under company number 07000582 with its registered office at The Broadgate Tower, Third Floor, 20 Primrose Street, London, EC2A 2RS, United Kingdom and its principal place of business at The Dairy Stonor Estate Henley on Thames Oxon RG9 6HF, United Kingdom ("VSP UK").

VSP Asia Private Ltd. is registered in Hong Kong under company number 2406859 with its registered office at Room 1901, 19/F, Lee Garden One, 33 Hysan Avenue, Causeway Bay, Hong Kong and its principal place of business at 6/F Block A, Vita Tower, 29 Wong Chuk Hang Road, Aberdeen, Hong Kong ("VSP Asia").

Vision Service Plan, VSP UK and VSP Asia are hereinafter collectively referred to as the "Company", "we" or "VSP".

This Privacy Notice describes how the Company collects, uses, stores, transfers and shares your personal data when you use the Site. References to "you" and "your" in this Privacy Notice refer to the individual about whom personal data is collected (e.g. a registered member or a registered member's dependent).

If you receive VSP's Global Access Plan services through VSP UK in jurisdictions such as but not including a European Union Member State, the EEA or such other jurisdictions as may be defined by VSP from time to time, Vision Service Plan and VSP UK shall for this purpose be regarded as the "data controllers" and your personal data shall be processed in accordance with the UK Data Protection Act, as well as, upon its entry into force, Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing the UK Data Protection Act (the "General Data Protection Regulation" or "GDPR").

VSP UK is regulated by the Information Commissioner's Office or ICO (www.ico.org.uk) and registered under Z2027437.

More information on VSP UK is available at the ICO at https://ico.org.uk/ESDWebPages/Entry/Z2027437.

If you receive VSP's Global Access Plan services through VSP Asia in Hong Kong, Singapore or such other countries in the Asian Pacific region as may be defined by VSP from time to time, Vision Service Plan and VSP Asia shall for this purpose be regarded as "data users" and your personal data shall be processed in accordance with the Hong Kong Personal Data (Privacy) Ordinance.

VSP Asia is regulated by the Office of the Privacy Commissioner for Personal Data. More information is available at https://www.pcpd.org.hk

If you receive VSP's Global Access Plan services in other jurisdictions, including but not limited to Latin America or Africa, Vision Service Plan shall for this purpose be regarded as the "data controller" and your personal data shall - unless expressly determined otherwise - be processed in accordance with GDPR.

If you do not agree with this Privacy Notice, please do not use the Site.

2. TYPES OF PERSONAL DATA COLLECTED

(a) Personal Data You Provide : When you wish to register on the Site, we ask that you provide us with certain personal data to facilitate your use of the Site.

Restricted Access for Members : Personal data we collect may include your name, personal or work-related email address, postal address, contact information, date of birth, gender, VSP user ID, employer's name, benefit entitlements, bank account details, name and relationship of other persons with benefit entitlements such as your partner or children ("dependents"). In addition, as part of submitting your benefit claims, you may be required to provide us with sensitive personal data related to your or your dependent's health, such as your eye-care diagnosis and details about the eye-care treatment received and products purchased.

Some of the information we ask you to provide is identified as mandatory, and some as voluntary. If you do not provide the mandatory data where requested, we may not be able to provide you with the products and services you require or you may not be able to fully utilize and view the Site.

(b) Cookies and Other Technologies : We may use cookies, web beacons - also referred to as single-pixel gifs - and other technologies. Cookies are identifiers that the Site automatically stores on your computer's hard drive or your mobile device to facilitate the interaction between your computer or mobile device and the Site. For more information on our use of cookies, what information is collected through the use thereof and how you can adjust your browser settings to disable our cookies, please read our cookie policy.

(c) Public Access : You can visit or browse the Site without giving us your personal data. Much of the information on our Site is available even to those who are not registered users.

3. USE AND SHARING OF YOUR PERSONAL DATA

(a) Use by the Company : We collect, use, store and share your personal data (as further specified in paragraph 2) to facilitate the use of the Site and for the purposes more particularly described below:

User Registration and Account Management : To register your account and to authenticate you so that we know it is you and not someone else. To communicate with you about our services (for example, if you lose your VSP user ID or password), identity and credential management, verification and access control.

Member Services : Some personal information is necessary so that we can supply you with the services you have purchased or are entitled to, including to manage, administer, coordinate and review the enrolment and provision of your entitlements and related services, verify your eligibility and coverage, process and administer your claims, review and resolve issues, complaints and grievances raised by our members or eye-care professionals or for other legitimate business interests of VSP, such as the prevention and detection of fraud/attempted fraud, occupational health, rehabilitation, underwriting, internal auditing, consolidated reporting, legal compliance, including mandatory filings.

System and Network Security : System and network administration and security, including infrastructure monitoring, participation in cybersecurity, anti-fraud and anti-money laundering initiatives or programs, data de-identification and aggregation of de-identified data for data minimization and analysis of our services, hosting, storage, and other processing needed for business continuity and disaster recovery, including making back-up and archive copies of personal data.

(b) Third Party Service Providers : We sometimes hire or partner with other companies to provide part of the services on our behalf, such as sending communications, customer service, hosting our software, performing analytics, conducting research and surveys or maintaining, delivering or hosting the Site. We will only provide those companies with your personal data that they need to perform their obligations to us. We shall require them to process your personal data in strict accordance with our instructions and implement adequate technical and organizational security measures to prevent unauthorized access to or disclosure of your personal data.

(c) Affiliate Sharing : Subject to the terms of this Privacy Notice, in the normal course of performing our services, and as permitted by applicable law, the Company may share your personal data with any of its affiliates or subsidiaries.

(d) Other Sharing : Your personal data may also be disclosed to third parties during negotiations for a transfer of all or part of our business and may be transferred by us as part of that business.

(e) Sharing of De-Identified Personal Data: Personal data that is collected by our Company may be shared with unaffiliated third parties for their own research and publication, product enhancement, or product development purposes or to conduct research and publish reports on our behalf, to help improve and expand our product and service offerings, to provide general statistics and analysis regarding the consumption or delivery of our products and services, and to help improve or maintain our service quality. Personal data shared as described in this paragraph shall be de-identified and/or aggregated before being disclosed to such third parties.

(f) Marketing & Surveys: We may on occasion make use of personal data that we collect for marketing purposes or to ask you to participate in surveys about our services. We may for instance send you information about our services that we feel might be of particular interest to you or ask you to participate in surveys about our Global Access Plan services.

If you do not wish us to make use of your personal data in this way, please let us know here. You can opt out from receiving future marketing messages or survey requests at any time by contacting us or using the opt-out function in the messages you receive.

The foregoing shall not apply if you are in Hong Kong, Singapore or such other countries in the Asian Pacific. You will be properly notified in advance in case VSP plans to deploy direct marketing.

(g) Required Disclosures : We reserve the right to disclose your personal data, without notice, if required to do so by law or in the good faith belief that such action is necessary to: (1) comply with laws, legal process, or government or regulatory requests; (2) protect and defend our rights or property or one the Site; and, (3) protect the safety and security of our users, this Site, or the public.

Except as mentioned above, we will not sell, distribute or lease your personal data to third parties.

4. TRANSFER OF YOUR INFORMATION OUTSIDE THE EEA

As both VSP UK and VSP Asia are wholly-owned subsidiary companies of Vision Service Plan, a US not-for-profit corporation, operating the Site and ancillary IT systems, your personal data will be processed for the purposes set out in this Privacy Notice, transferred to and stored by Vision Service Plan in the United States. It may be accessed and processed by VSP staff in the United States. The United States has not sought nor received a finding of "adequacy" from the European Union. For the transfer of personal data between VSP UK and Vision Service Plan, we rely on standard data protection clauses ("model clauses") adopted by the European Commission. In addition, in those cases where we collect and transfer personal data from you that are not covered by the aforementioned model clauses, VSP relies on derogations for specific situations as set forth in Article 49 of the GDPR. In particular, VSP collects and transfers to the U.S. personal data only: to perform a contract with you or to allow you to utilise your vision benefit; or to fulfill a compelling legitimate interest of VSP in a manner that does not outweigh your rights and freedoms. Should you wish to obtain a copy of the model clauses, you may Contact Us.

5. STORAGE AND CONTROL OF YOUR PERSONAL INFORMATION

We retain your personal data for the duration of your member relationship with VSP and for as long as required for supporting VSP's legitimate business interests.

If you would like a copy of your personal data, believe that any personal data we are holding on you is incorrect or incomplete or have any other data protection related issues or queries, please Contact Us.

6. CORRECTION, UPDATE, OBJECTION AND DELETION OF PERSONAL DATA

We will provide you with a possibility to ensure that the personal data you provided to us is accurate and up to date. You can request correction, update and deletion of your personal data or object to the processing on legitimate grounds via Contact Us, and we will use reasonable efforts to contact you regarding your request.

To process such a request, we may ask you to verify your identity and cooperate with us in our effort.

7. SECURITY OF INFORMATION

We are committed to ensuring that your personal data is secure. In order to prevent unauthorised access or disclosure, we have put in place appropriate technical, physical and managerial procedures to safeguard and secure the information we collect online. Access by you to your personal data is available through the Site after you provide your unique VSP Login ID (username and password) selected by you. We recommend that you do not divulge your password to anyone. We employ internal policies pursuant to which only selected individuals have access to the data on the server. Your personal data is encrypted at rest and the Site encrypts all communications transmitted over the internet to you using Secure Sockets Layer (SSL) technology.

8. THIRD-PARTY WEBSITES

This Privacy Notice only applies to this Site provided by the Company, and does not apply to any third parties or their products, services or websites. If other websites are accessible through our Site, they will have their own privacy policies and practices, and the use of any personal data provided by you to such a third party will be governed by that party's privacy policy. Please consult each website's privacy policy. We are not responsible for the policies or practices of third parties, and we do not control, operate, or endorse any information, products, or services of any third-party or third-party web sites that may be accessed through links from this Site.

9. CHILDREN'S PRIVACY

You must be at least 18 years old to access and use this Site. We shall not knowingly collect personal information from visitors that are under 13 years of age.

10. CHANGES TO THIS PRIVACY NOTICE

We may change this Privacy Notice from time to time, and if we do we'll post any changes on this Site. If you continue to use the Site after those changes are in effect, you agree to the revised Privacy Notice, provided, that we will not retroactively change how we handle your personal data without your consent. If the changes are significant, we may provide more prominent notice or get your consent as required by law.

11. CONTACT INFORMATION

If you are concerned that we have breached a privacy law or code binding on us, please Contact Us. We aim to respond in a reasonable time (normally 30 days). Our Data Protection Officer will manage your complaint and will give you additional information about how it will be handled.

If you are in a European Union Member State or the EEA you have the right to complain to the Information Commissioner's Office (ICO) if you believe we have not handled your request in an appropriate manner. For information on contacting the ICO please see their website (www.ico.org.uk).

If you are in Hong Kong, Singapore or such other countries in the Asian Pacific region you have the right to complain to the Office of the Privacy Commissioner for Personal Data if you believe we have not handled your request in an appropriate manner. For information on contacting the Office of the Privacy Commissioner for Personal Data please see their website (https://www.pcpd.org.hk).

If you are in other jurisdictions, including but not limited to Latin America or Africa, you have the right to address your complaint to the Data Protection Authority competent in your country if you believe we have not handled your request in an appropriate manner.