Privacy Notice

Like many companies, Hereford Vision Surgical Group Limited takes personal data security very seriously. If, after reading this privacy notice, you have any further questions, please feel free to contact us directly at


This privacy notice provides readers with details of how we collect and process your personal data through your use of our website and Hereford Vision Surgical Group Limited.

By providing us with your data, you should ensure that you either: have the permission of your parent / guardian; or ensure that you are over 18 years old.

Hereford Vision Surgical Group Limited is the data controller and hence we are responsible for your personal data.

Contact Details

Full name of business / legal entity: Hereford Vision Surgical Group Limited

Email address:

Postal address: Suite 1a, Shire Business Park, Wainwright road, Worcester, WR4 9FA

If you have any comments regarding any aspect of how we process your data, you do have the right to complain to the ICO (Information Commissioner’s Office), the supervisory authority in the UK for data protection issues (, however, it would be preferable from our perspective if you would contact us to discuss any issues / complaints first so that we can try to address them for you.

It is very important that the information we hold about you is accurate and contemporaneous so please do let us know if your personal information changes at any time by emailing us at


As you probably expect, this can be from several sources. For example, we may collect data about you by your provision of data directly, e.g. from examinations / consultations / biometry machines, or by your completion of forms on our website, or by sending us emails, texts or letters. We may also automatically collect certain data from you as you use our website by using cookies and similar technologies. Please see our cookie policy for more details: Cookie Policy.

We may receive data from third parties such as:

•      analytics providers such as Google (based outside the EU)
•      providers of technical, payment and delivery services

We also receive sensitive data from optometrists, for example, relating to post-operative treatment results, or initial referrals. Before this is shared with us you should be requested to provide explicit consent to your optometrist.


We use the term ‘personal data’ to mean any information capable of identifying an individual. This may include your contact details, data related to IT, and information regarding your health (special category data), which you provide us as part of your interaction with our services. The following categories of personal data about you may be collected / processed:

Special Category Data

In order for our consultants / clinicians to deliver the healthcare services that we provide, we need to collect the following sensitive data about you:

·      information about your health
·      biometric data

This data is collected under section 9(2)h of the general data protection regulations, which states: ‘processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3.’

Paragraph 3 states: ‘Personal data referred to in paragraph 1 may be processed for the purposes referred to in point (h) of paragraph 2 when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies.’

Where we are legally required to collect personal data, or under the terms of the contract between us and you do not provide us with that data when requested, we may understandably not be able to perform the contract (e.g. to carry out healthcare treatments). If you do not provide us with the requested data, we may therefore have to cancel the treatment you have requested.

Data regarding communications

This includes any communication that you send to our website / business, for example, via the contact form on our website, via email, text, or any other communication that you send us. This data is processed for the purposes of communicating with you, for documentation and for the pursuance or defence of legal claims. The legal grounds for this data processing are our ‘legitimate interests’, which, in this case, are to reply to communications, to maintain clinical and demographic records and to establish, pursue or defend legal claims.

‘Customer’ Data

This includes data relating to any services our business provides, including your name, health information (including special category data), invoicing and payment information, and contact details. The legal grounds for this processing is contractual, the processing allowing us to supply the services you have requested, as well as to keep your treatment records.

‘User’ Data

This includes data about website use. The legal grounds for this processing are our ‘legitimate interests’, which, in this case, are to enable us to properly administer our business and website. We process this data to operate the website and to try to ensure relevant content is provided for you, to ensure security, and to enable website administration, other online services and business.

Technical Data

Our legal grounds for this processing is our ‘legitimate interests’, which are to allow us to properly administer the website and our business. Data collected includes your use of our website and online services including information such as your IP address, details about your browser, length of visit to pages on our website, page views, clicks/navigation paths, details about the number of times you use our website, and other technology on the devices you use to access our website. The source of this data is from proprietary analytics tracking systems, such as Google analytics.


We will only use your personal data for a purpose it was collected for. For more information on this please email us at In the event that we need to use your details for an unrelated new purpose we will let you know and will explain the legitimate grounds for processing of such information. Where required or permitted by law, we may process your personal data without your knowledge or consent.


On occasion, it may be necessary to transfer your data to another country. Countries outside the European Economic Area do not always offer the same levels of protection to data and European law has prohibited transfers of personal data outside of the EEA unless the transfer meets certain criteria. Some of our third-party service providers are based outside the European Economic Area (EEA) so their processing of your personal data will involve a transfer of data outside the EEA. When we transfer your personal data out of the EEA, we do do our upmost to ensure a similar degree of data security by ensuring that:

•      we will only transfer your data to countries that the European Commission have approved as providing an adequate level of protection for personal data by

and /or

•      with the use of certian service providers, we may use specific contracts or codes of conduct or certification mechanisms approved by the European Commission which give personal data the same protection it has in Europe

and /or

•       If we use US-based providers that are part of EU-US Privacy Shield, we may transfer data to them, as the safeguards are equivalent

If none of the above are available, we should request your explicit consent to the data transfer. You may of course withdraw this consent at any time.


On occasion, your personal data may need to be shared with some of the parties mentioned below:

•      Professional advisers including lawyers and accountants
•      IT and system administration providers
•      Government bodies
•       Video production companies (only with your explicit consent in advance).
•      Third parties to whom we sell, transfer, or merge parts of our business or our assets in the future.

We only allow such third parties to process your personal data for specified purposes, within the GDPR legal framework and in accordance with our instructions.


We believe that our security measures to prevent your personal data from being accidentally lost, used, altered, disclosed, or accessed without authorization are compliant with the GDPR legislation. Access to your personal data is only for those employees and contractors who have a legitimate need to know such data. They will only process your personal data as directed, must keep the data confidential and are contractually obliged to do so. We do have procedures in place to deal with actual / suspected personal data breaches and will notify you and the regulator of a breach if legally required to.


Your personal data will be retained for as long as necessary to fulfil the purposes it has been collected for, including for legal, accounting, or reporting requirements. Generally speaking, medical records will be kept for 30 years. In deciding what the correct time is to keep the data for we consider its amount, nature and sensitivity, potential risk of harm from unauthorised use or disclosure, the purposes of processing, and if these can be achieved by other means and legal requirements. For tax purposes, we understand that the law requires us to keep basic information about our customers (including Contact, Identity, Financial and Transaction Data) for seven years after they stop being customers. In some circumstances, anonymised data for research or statistical purposes may be used indefinitely without further notice to you.


Under GDPR data protection laws you have rights in relation to your personal data, including the right to correction, erasure, to object to processing, to portability of data request access, restriction, transfer, and (where the lawful ground of processing is consent) to withdraw consent.

You can see more about these rights at:

If you wish to exercise any of the rights set out above, please email us at

As a result of the GDPR legislation, you will not have to pay a fee to access your personal data, however, we may charge a reasonable fee if your request is repetitive or excessive, clearly unfounded, or simply refuse to comply with your request under these circumstances. We may need to request specific information from you to help confirm your identity and ensure your right to access your personal data.

We try to respond to all legitimate requests within one month, but occasionally it may take us longer than a month if your request is especially complex or you have made numerous requests. In this case, we will notify you.

If you are not happy with any aspect of how we collect and use your data, you have the right to complain to the Information Commissioner’s Office (ICO,, however, it would be preferable if you would contact us in the first instance if you do have a complaint in order that we can try to address this for you.


You can set your browser to refuse all - or some browser cookies - or to alert you when websites set or access cookies. If you refuse or disable cookies, please note that some parts of this website may become inoperable or not function properly. For more information about the cookies we use, please see our Cookie Policy