Privacy policy

Privacy Policy – How Vision Healthcare Protects Your Data

The protection of your personal data is an issue we take very seriously. Therefore, your personal data is always treated with due care and confidentiality and processed in accordance with legal data protection regulations, as well as this data protection declaration.

 
1. Identity and Contact Information of the Data Controller

This privacy policy applies to all personal data processed by the Vision Healthcare Group, Grote Markt 41, 8500 Kortrijk, company registration number BE 0685.849.188, acting as data controller under the GDPR (hereafter called ‘Data Controller’).

The Data Controller places great importance on your privacy and processes your personal data in accordance with the European General Data Protection Regulation regarding the protection of natural persons concerning the processing of personal data (hereafter referred to as "GDPR"), as well as any future or additional legislation implementing it, where applicable.

For further questions or comments regarding how we handle your personal data, you can always contact us, either by email at privacy@visionhealthcare.eu or by mail to the aforementioned postal address.

Our Data Protection Officer (DPO) can also be reached using the same contact information (please specify "Attention: DPO").

 
2. What does ‘processing of personal data’ mean?

The processing of personal data (hereinafter referred to as ‘data’) includes any handling of data that can identify you as a natural person. You can find information about the specific data involved in this Privacy Policy. The term ‘processing’ is very broad and encompasses activities such as collecting, storing, using your data, or sharing it with third parties.

 
3. What data do we process?

Below, we clarify the types of data that we may process from you. We may receive the following data either directly or indirectly from you.

We receive personal data directly from you when you make a purchase from one of the companies belonging to the Vision Healthcare Group, when you contact one of these companies, or when you contract as a service provider/supplier with one of the companies within the group.

It is also possible that we receive your personal data indirectly, through third parties. In such cases, these personal data are not provided directly by you to one of the companies belonging to the Vision Healthcare group. You may have given a third party permission to further disclose your personal data to other parties, including one of the companies within the Vision Healthcare group.

 

3.1. Customer data

3.1.1. Data customer account

It is possible to create a personal customer account on our commercial sites, which allows for placing orders, making purchases, and keeping track of purchase history. By creating a customer account on our commercial sites, you provide the data controller with the following information:

  • General identification data (name, first name, date of birth);
  • Contact information (name, first name, email address, address, telephone number);
  • Payment card details (account number, expiration date, cardholder name);
  • Order history;
  • Company number and other company-related data insofar as they can lead to identification of a natural person;
  • Delivery addresses (in case they differ from the provided residential address);
  • Shopping cart;
  • Gender (optional);
  • Account details (username, password).

 

3.1.2. Data when placing an order without an account

For inquiries, complaints, comments, etc., you can always contact the customer service of the company where you placed your order. When you contact our customer service, we process the following data:

  • General identification data (name, first name);
  • Contact information (name, first name, email address, and address if the reason for contacting customer service is related to it);
  • Payment card details (to the extent that the reason for contacting customer service is related to it);
  • Ordered products/services and order number/customer number.

 

3.1.4. Data in the context of after-sales services, contests, and other promotional activities

Customer friendliness, optimal customer experience, and service are highly valued by Vision Healthcare Group. In the context of these activities, the data controller processes the following data:

  • General identification data (name, first name);
  • Contact information (name, first name, email address, and address if relevant);
  • Ordered products/services and order number/customer number;
  • Feedback on the products sold and, more generally, on the services provided.  

 

3.2. Suppliers’ data

The Vision Healthcare group and all companies belonging to this group engage external service providers and suppliers for various services/products. In this context, the data controller processes the following personal data from these suppliers/service providers:

  • Contact information of the contact person within the supplier/service provider's company (name, first name, email address, telephone number);
  • Company number and other company-related data insofar as they can lead to identification of a natural person;
  • Contractual data (e.g., company name, address, VAT number, agreement, etc.);
  • Payment and billing data (e.g., payment card information, invoices, etc.);
  • Account information for the platform (e.g., account registration data);
  • Feedback, testimonials, quotes, promotional content such as photos and videos (e.g., reviews and experiences related to our collaboration, testimonials, quotes, presence at events, etc.).

 

3.3. Candidate-employees

We may process the following additional data from prospective employees, which will largely depend on the data you choose to provide to us in the context of your job application:

  • Personal particulars (motivation letter, CV, diplomas)
    • Processing is necessary to assess the candidate’s qualifications, identity, and motivation for the position applied for.
  • Work-related data (previous professional experience, CV, ...); 
    • Processing is necessary to evaluate the candidate’s professional experience and suitability for the role.
  • Personality data 
    • Processing is based on the candidate’s freely given and explicit consent for personality or behavioral assessments as part of the recruitment process.
  • Photos
    • Processing of photographs is based on the candidate’s consent and is used solely for identification during the recruitment process.

 

3.4. Visitors of the website 

When you visit our website as a customer or non-customer, the following personal data may be processed, depending on your own personal preferences:

  • IP address, browser type, location data, how the individual arrived at the website, interests, and the way the individual navigates the web page (through strictly necessary, analytical, and marketing cookies).
  • Name, first name, email address, telephone number, subject of contact, and contact message (via the online contact form).
  • Email address (via the online newsletter subscription form). 

More information about the use of cookies and similar technologies can be found in our Cookie Policy, available on our website.

 
4. For what purposes do we process your data?

Personal data is processed exclusively within the framework of the company, specifically for the following purposes:

  • Within the scope of our main activities and webshops;
  • After-sales service;
  • Marketing and promotional activities;
  • Compliance with administrative and tax obligations;
  • Communication with customers and prospects;
  • Employee recruitment procedures. 
 
5. On what legal grounds do we process your data?

Vision Healthcare processes personal data solely for the purposes described in Chapter 4 and only on the basis of one or more of the legal grounds set out in Article 6 GDPR, as described below.

 

5.1 Performance of a contract or pre-contractual measures

(Article 6(1)(b) GDPR)

Personal data are processed where this is necessary for entering into, performing, or terminating a contract with you, including in particular for the following purposes:

  • operating our webshops and core business activities;
  • creating and managing customer accounts;
  • processing orders, payments, and deliveries;
  • providing customer service and after-sales services;
  • communicating with customers and prospects in the context of a contractual relationship;
  • managing relationships with suppliers and service providers;
  • carrying out employee recruitment and selection procedures, insofar as processing is necessary to take steps at the request of the data subject prior to entering into an employment contract.

This legal basis applies in particular to the customer data, supplier data, and candidate data described in Chapter 3.

 

5.2 Compliance with legal obligations

(Article 6(1)(c) GDPR)

Certain personal data are processed in order to comply with legal or regulatory obligations imposed on Vision Healthcare, including:

  • accounting and tax obligations;
  • administrative obligations;
  • statutory retention obligations.

This legal basis applies in particular to invoicing, payment, contractual, and company-related data as described in Chapter 3.

 

5.3 Legitimate interests

(Article 6(1)(f) GDPR)

Certain personal data are processed based on the legitimate interests of the Vision Healthcare group, provided that these interests do not override the fundamental rights and freedoms of the data subjects. These legitimate interests include:

  • marketing and promotional activities directed at existing customers;
  • improving the quality of our products and services;
  • maintaining customer relationships and ensuring customer satisfaction;
  • training employees and evaluating our activities;
  • compiling statistics and internal reporting related to our activities;
  • preserving and using evidence in the context of liability, disputes, or legal proceedings;
  • ensuring the security of our websites, IT systems, and company premises.

This legal basis applies in particular to after-sales data, customer service data, feedback, website usage data, and certain supplier data as described in Chapter 3.

 

5.4 Consent

(Article 6(1)(a) GDPR)

In certain cases, personal data are processed on the basis of your prior consent, including for the following purposes:

  • marketing activities that do not fall under legitimate interest;
  • the use of analytical and marketing cookies;
  • the use of photos, videos, testimonials, or other media on our website or social media channels;
  • participation in contests and promotional campaigns;
  • retention of job applicant data after the recruitment process for future vacancies.
 
6. Data source

Most of the data we process from you has been obtained directly from you. Within the scope of our services, it is possible that we obtain your data through external service providers or public sources. You can always contact us for more information about the sources of our data about you.

 
7. Who do we share your data with?

We do not share your data with third parties unless it is strictly necessary for the purposes mentioned above or if we are legally obliged to do so.

The Vision Healthcare Group and each enterprise that forms part of the Vision Healthcare Group act as joint data controllers within the meaning of the General Data Protection Regulation (GDPR). The Vision Healthcare Group has entered into an internal arrangement determining the respective responsibilities of the joint data controllers in accordance with Article 26 GDPR. The essence of this arrangement is available upon request. Personal data processed by the entities within the Vision Healthcare Group may be shared internally, insofar as such sharing is based on a valid legal basis pursuant to Article 6 GDPR and is necessary for the purposes of processing as described in this privacy policy.

Where necessary, we rely on external service providers (processors) to support our operational purposes such as the management of our websites and IT systems. These external service providers may, where applicable, perform certain data processing on our behalf. We will only share your data with these external service providers to the extent necessary for the respective purpose. They are not allowed to use the data for other purposes. Furthermore, these service providers are contractually bound to ensure the confidentiality of your data through a 'data processing agreement' concluded with these parties.

Specifically, this means that we share your data, as relevant in your situation, with the following third parties for the following purposes, where these third parties, in certain cases, act as processors on our behalf: 

  • Postal companies, transport and delivery companies if we need to send you something by mail;  
  • Payment service providers if we receive payments from you, or vice versa;  
  • External representatives and consultants or any other parties involved in the context of our main or ancillary activities;  
  • Processors who assist us in the field of IT in operating our organization, with a view to secure and efficient digital data management within our organization;  
  • Government authorities, judicial bodies, and practitioners of regulated professions such as accountants and lawyers, in order to comply with our legal obligations and defend our interests, as required. 
 
8. For how long do we store your data?

We do not retain your data for longer than necessary for the purpose for which the data was collected or processed. Since the duration for which data may be retained depends on the purposes for which the data was collected, the storage period may vary in each situation. Sometimes, specific legislation may require us to retain data for a certain period. Our retention periods are always based on legal requirements and a balance of your rights and expectations with what is useful and necessary for fulfilling the purposes. After the retention period expires, your data will be deleted or anonymized.

 
9. Where do we store your data and how is your data protected?

We implement appropriate security measures on a technical and organizational level to prevent, within the scope of our activities, the destruction, loss, falsification, alteration, unauthorized access, or unlawful disclosure to third parties, as well as any other unauthorized processing of this data. 

Furthermore, we ensure that the processors we engage also implement appropriate security measures to minimize the risks of incidents as much as possible.

If your personal data is processed outside the European Economic Area (EEA), this will only take place in countries for which the European Commission has decided that they ensure an adequate level of protection, or where appropriate safeguards are in place in accordance with the GDPR.

In particular, transfers of personal data to recipients in the United States will only take place where such recipients are certified under the EU–US Data Privacy Framework or, where this is not the case, where appropriate safeguards such as the European Commission’s Standard Contractual Clauses have been implemented, together with any additional measures required under applicable data protection law.

 
10. Technical and Organisational Measures (TOMs)

We implement appropriate technical and organizational security measures to prevent the destruction, loss, falsification, alteration, unauthorized access, or unlawful disclosure of your data, as well as any other unauthorized processing.

These include the use of SSL encryption across the entire website, where personal data is encrypted with up to 2048-bit SSL before transmission; automatic deletion of session cookies and controlled use of other cookies; asymmetric encryption of passwords, ensuring they cannot be read or retrieved; and secure transmission of payment card data via trusted payment providers, where sensitive information is not stored by us. Our software automatically stores certain server log files to ensure smooth operation and security, such as browser information, referrer URL, IP address, and server request time.

Organizationally, we ensure that external service providers who support us—for example in IT, parcel delivery, customer service, email delivery, catalogue printing, and payment processing—are contractually bound to ensure confidentiality and process data only as necessary for their tasks. We retain data only as long as necessary for the purposes described and delete or anonymize it after the retention period. If data is processed outside the EEA, this only occurs in countries with an adequate level of protection or with measures ensuring lawful processing. Furthermore, we have processes in place to allow customers to exercise their rights, and we ensure that data is not shared with third parties unless necessary for the stated purposes or required by law.

 
11. What are your rights? 

You have various rights concerning the data we process about you. If you wish to exercise any of the following rights, please contact our GDPR representative using the contact details provided in the first section of this Privacy Policy. 

Right of Access and Copy:

You have the right to access your data and obtain a copy of it. This right also includes the ability to request further information about the processing of your data, including the categories of data processed about you and the purposes for which this is done. 

Right of Rectification:

You have the right to have your data rectified if you believe that we hold inaccurate data.

Right to Erasure (Right to Be Forgotten):

You have the right to request that we erase your data without undue delay. However, we may not always be able to fulfill such a request, particularly when we still need the data for an ongoing contract or when keeping certain data for a specified period is legally required. 

Right to Restriction of Processing:

You have the right to restrict the processing of your data. This temporarily suspends the processing until, for example, its accuracy is confirmed. 

Right to Withdraw Your Consent:

When processing is based on your consent, you have the right to withdraw this consent at any time by contacting us. For marketing messages you receive from us via email based on your consent, you can easily withdraw this consent by clicking on the unsubscribe link at the bottom of such a message. 

Right to Object:

You have the right to object to the processing of your data based on legitimate interest. This must be done based on specific reasons related to your situation. You can also object to the use of your data for direct marketing. In marketing emails, there will always be an opt-out option provided. 

Right to Data Portability:

You have the right to obtain your data, which you provided to us with your consent or in the performance of a contract, in electronic form. This allows it to be easily transferred to another organization. You also have the right to request us to transmit your data directly to another organization, where technically feasible.

Right to Lodge a Complaint with Your Supervisory Authority:

If you believe that we are processing your data in an incorrect manner, you always have the right to lodge a complaint with the data protection supervisory authority of the country in which you are residing, this can be either from your local supervisory authorities for data protection.

 
12. How to exercise your rights

You can exercise your rights by contacting us by email at privacy@visionhealthcare.eu. It is possible that we will ask you to provide us with some documentation to prove your identity. Those documents will only be used to comply with your request in accordance with the GDPR.

May children use our website?

The Vision Healthcare Group and each of its subsidiaries do not offer or sell any products to minors. Products intended for children may only be purchased by adults. If you are not yet 18 years old, you may only buy products from us together with a parent or guardian.

Questions Regarding Data Protection

If you have any questions about any of the privacy or data protection issues, please contact us via privacy@visionhealthcare.eu / privacynordics@visionhealthcare.eu.