ALCON – GENERAL WEB PRIVACY NOTICE

November 2018

 

You are receiving this Privacy Notice because you are visiting a website from one of the companies of the Novartis group. As a result, this company is processing information about you which constitutes “personal data” and Novartis considers the protection of your personal data and privacy a very important matter.

 

In this Privacy Notice, “we” or “us” refers to Alcon Eye Care UK Limited.

 

This Privacy Notice is divided into two parts. Part I contains practical information about the specific personal data processing when you visit the website www.wearlenses.co.uk (the “Website”), and why and how those data are processed. Part II contains more general information about the standard technical or transactional personal data processing about visitors of our websites, the legal basis for using your personal data, as well as your rights in respect of all personal data collected about you.

 

We invite you to carefully read this Privacy Notice, as it contains important information for you. For any further question in relation to the processing of your personal data, we invite you to contact [email protected].

 

PART I – KEY INFORMATION

Alcon Eye Care UK Limited is processing personal data about you when you are visiting our Website. The Website is designed to provide general information about Alcon and its products and services and give you access to and ability to purchase goods and services from your selected eye care professional (“ECP”).

 

Specific personal data to be collected

With regard to each of your visits to the Website, we may automatically collect the following information:

  • technical information, including the Internet protocol (IP) address used to connect your computer to the Internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform;
  • information about your visit, including the full Uniform Resource Locators (URL) clickstream to, through and from the Website (including date and time);
  • products/services you viewed or searched for;
  • page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page and any phone number used to call our customer service number.

 

We may receive information about you if you use any of the other websites we operate or the other products or services we provide. We wish to inform you that when we collect that data, it may be shared internally and combined with data collected on this Website.

 

We are also working closely with third parties (including participating opticians selected by you from the Website, location services, delivery services, printers and mailing houses) and will receive information, including Personal Data, about you from them, for example your prescription details.

 

Please note that we also rely on the usual cookies and other technologies for the standard purposes set out in Part II below.

 

Specific purposes for which we require your personal data

The collected information will be used by us for the following specific purposes:

  • Manage an internet session;
  • Provide information about products, services, your account and notices;
  • Manage and improve the Website.

Please note that the collected data may also be used by us for a number of other standard purposes (e.g. to measure the usage of our website), as set out in Part II below.

 

Specific third parties with whom we share your personal data

We may disclose your personal information to third parties:

  • Your selected ECP, should you choose to purchase lenses on this site. Your ECP acts as data controller for personal data processed for the purposes of ordering products and subscribing to services, managing your account, and providing you with information about products, services, your account and notices.
  • In the event that we sell or buy any business or assets, in which case we may disclose your Personal Data to the prospective seller or buyer of such business or assets.
  • If Alcon or substantially all of our assets are acquired by a third party, in which case Personal Data held by us about our visitors/customers will be one of the transferred assets.
  • If we are under a duty to disclose or share your Personal Data in order to comply with any legal obligation, or in order to enforce or apply our terms of use and other agreements; or to protect the rights, property, or safety of Alcon, our customers, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection or product recalls, for example.

Please note that we may also have to share your data with a number of other recipients (e.g. another entity of the Novartis Group if the entity collecting the data is not the same as the one using it) but always under strict conditions, as further explained in Part II.

 

Duration of storage

We will only store the above personal data and the personal data listed in Part II for the duration of the Website or until you unsubscribe/request the deletion of your account.

Dedicated point of contact

Should you have any question in relation to the processing of your personal data in the above context, please contact [email protected]

 

PART II – GENERAL INFORMATION

The second part of this Privacy Notice sets out in more detail in which context we are processing your personal data and explains your rights and our obligations when doing so.

 

1. For which purposes do we use your personal data and why is this justified?

1.1. Legal basis for the processing

We will not process your personal data if we do not have a proper justification foreseen in the law for that purpose. Therefore, we will only process your personal data if:

☒ We have obtained your prior consent;

☐ The processing is necessary to perform our contractual obligations towards you or to take pre-contractual steps at your request;

☐ The processing is necessary to comply with our legal or regulatory obligations;

☐ The processing is necessary to protect your vital interests or those of another person; or

☒ The processing is necessary for our legitimate interests and does not unduly affect your interests or fundamental rights and freedoms.

Please note that, when processing your personal data on this last basis, we always seek to maintain a balance between our legitimate interests and your privacy. Examples of such ‘legitimate interests’ are data processing activities performed:

  • to benefit from cost-effective services (e.g. we may opt to use certain platforms offered by suppliers to process data);
  • to offer products and services to customers;
  • to prevent fraud or criminal activity and misuse of services and products, as well as to ensure the security of IT systems, architecture and networks;
  • to sell any part of our business or its assets or to enable the acquisition of all or part of our business or assets by a third party.

 

1.2. Purposes of the processing

We always process your personal data for a specific purpose and only process the personal data which is relevant to achieve that purpose. In addition to the specific purposes identified in Part I above, we also process your personal data for the following general purposes:

  • improve our products and services as well as those of our partners;
  • commercialization of products;
  • provide you with adequate and updated information about diseases, drugs, as well as products and services;
  • answer any questions or requests you may have;
  • archiving and record-keeping; and
  • any other purposes imposed by law and authorities (such as product safety purposes).

 

2. Who has access to your personal data and to whom are they transferred?

We will not sell, share, or otherwise transfer your personal data to third parties other than those indicated in this Privacy Notice.

In the course of our activities and for the same purposes as those listed in this Privacy Notice, your personal data can be accessed by or transferred to the specific third parties identified in Part I of this Privacy Notice and the following categories of recipients, on a need to know basis to achieve such purposes:

  • our personnel (including personnel, departments or other companies of the Novartis group);
  • our other suppliers and services providers that provide products and services to us;
  • our IT systems providers, cloud service providers, database providers and consultants;
  • our business partners who offer products or services jointly with us;
  • any third party to whom we assign or novate any of our rights or obligations;
  • our advisors and external lawyers in the context of the sale or transfer of any part of our business or its assets.

 

The above third parties are contractually obliged to protect the confidentiality and security of your personal data, in compliance with applicable law.

 

Your personal data can also be accessed by or transferred to any national and/or international regulatory, enforcement, public body or court, where we are required to do so by applicable law or regulation or at their request.

 

The personal data we collect from you may also be processed, accessed or stored in a country outside the country where Alcon Eye Care UK Limited is located, which may not offer the same level of protection of personal data.

 

If we transfer your personal data to external companies in other jurisdictions, we will make sure to protect your personal data by (i) applying the level of protection required under the local data protection/privacy laws applicable to the UK, (ii) acting in accordance with our policies and standards and, (iii) for entities located in the European Economic Area (i.e. the EU Member States plus Iceland, Liechtenstein and Norway, the "EEA"), unless otherwise specified, only transferring your personal data on the basis of standard contractual clauses approved by the European Commission. You may request additional information in relation to international transfers of personal data and obtain a copy of the adequate safeguard put in place by exercising your rights as set out in Section 6 below.

For intra-group transfers of personal data, the Novartis Group has adopted Binding Corporate Rules, a system of principles, rules and tools, provided by European law, in an effort to ensure effective levels of data protection relating to transfers of personal data outside the EEA and Switzerland. Read more about the Novartis Binding Corporate Rules at https://www.novartis.com/our-company/corporate-responsibility/doing-business-responsibly/ethics-compliance/data-privacy.

 

3. How do we protect your personal data?

We have implemented appropriate technical and organisational measures to provide a level of security and confidentiality to your personal data. These measures take into account:
(i) the state of the art of the technology; (ii) the costs of its implementation; (iii) the nature of the data; and (iv) the risk of the processing.

 

The purpose thereof is to protect it against accidental or unlawful destruction or alteration, accidental loss, unauthorized disclosure or access and against other unlawful forms of processing.

Moreover, when handling your personal data, we comply with the following obligations:

 

  • we only collect and process personal data which is adequate, relevant and not excessive, as required to meet the above purposes;
  • we ensure that your personal data remains up to date and accurate (for the latter, we may request you to confirm the personal data we hold about you and you are also invited to spontaneously inform us whenever there is a change in your personal circumstances so we can ensure your personal data is kept up-to-date); and
  • we may process any sensitive data about yourself you voluntarily provide in compliance with applicable data protection rules and strictly as required for the relevant purposes listed above, the data being accessed and processed solely by the relevant personnel, under the responsibility of one of our representatives who is subject to an obligation of professional secrecy or confidentiality.

 

4. How long do we store your personal data?

We will only retain your personal data for as long as necessary to fulfil the purpose for which it was collected (see Part I) or to comply with legal or regulatory requirements.

 

5. How do we use cookies and other similar technologies on our websites?

5.1. Cookies

Cookies are small text files which are sent to your computer when you visit our websites. We use cookies for the purposes set out above and in accordance with this Privacy Notice.

We do not use cookies to track individual visitors or to identify you but to gain useful knowledge about how our websites are used so that we can keep improving them for our users. Personal data generated through cookies are collected in a pseudonymised form and subject to your right to object to such data processing, as set out below.

 

We use cookies on this Website to:

  1. direct you to the relevant sections on the Website;
  2. ensure the Website delivers a consistent look across different browsers and devices;
  3. enable complex areas of the Website to function; and
  4. track anonymised, aggregated statistics about visits to the Website to help us improve Website performance.

In doing this, we may install cookies that collect the domain name of the user, the internet service provider, the operating system and the date and time of access.

Below are explained the generic types of cookies we use and their purposes.

 

Cookies types & purpose

  • First party cookies: cookies set by the website being visited by the user (the website displayed in the URL window).
  • Session cookies: cookies that expire at the end of a browser session (starting with the time when a user opens the browser window, and finishing when the user exits the browser).
  • Persistent cookies: cookies that “persist” in the device after the end of a browser session and therefore can allow the preferences or actions of the user to be remembered when the Website is revisited.

 

Using your browser settings to control and delete cookies.

Most web browsers allow control of most cookies through the browser settings. You can set your browser to notify you when you receive a cookie - this will enable you to decide whether or not you want to accept it. However, if you do not accept a cookie, you may not be able to use all functionality of your browser software.

 

To find out more about cookies, including how to see what cookies have been set and how to manage and delete them, visit http://www.allaboutcookies.org.

 

Internet tags

We may use internet tags (also known as web-beacons, action tags, single-pixel GIFs, clear GIFs, invisible GIFs and 1-by-1 GIFs) and cookies at this Website and may deploy these tags/cookies through a web analytical service partner which may be located, and store the respective information (including your IP-address), in a foreign country. These tags/cookies are placed on different pages of this Website. We use this technology to measure the user’s responses to our sites (including how many times a page is opened and which information is consulted) as well as to evaluate your use of this Website.

 

Our third party partners, hosting service provider and/or the web analytical service partner may collect data about your use of this Website because of these anonymised internet tags/cookies, and may compose reports regarding the Website’s activity for us and may provide further services which are related to the use of the Website and the internet. They may provide such information to other parties if there is a legal requirement that they do so, or if they hire other parties to process information on their behalf.

 

This Website uses Google Analytics, a web analysis service of Google Inc. ("Google"). Google Analytics uses so-called "cookies," text files stored on your computer, which make it possible to analyse the use of the Website by you. The information produced by the cookie about your use of this Website is generally transmitted to a Google server in the USA and stored there. In case of the activation of IP anonymization on this Website, your IP address is however abbreviated beforehand by Google inside the EU member states or other contracting states of the Agreement on the European Economic Area. Only in exceptional cases is the complete IP address transmitted to a Google server in the USA and abbreviated there. If assigned by the operator of this Website, Google will use this information to assess your use of the Website, in order to compile reports on the Website activities for the Website operators and to render further services associated with the Website usage and the use of the Internet. The IP address transmitted in the framework of Google Analytics by your browser is not combined with other data by Google. You can obstruct the installation of cookies through an appropriate setting of your browser software; however, we would like to point out that in this case, you may not be able to use all of the functions of this Website to their full extent.

 

You can find more detailed information on conditions of use and data protection at http://www.google.com/analytics/terms/en.html or at https://www.google.co.uk/intl/en/policies/. We would like to point out that on this Website, Google Analytics has been expanded by the code "anonymizeIp" in order to guarantee anonymised collection of IP addresses (so-called IP masking).

 

If you would like more information about web tags and cookies associated with online advertising or to opt out of third party collection of this information, please visit the Network Advertising Initiative website at http://www.networkadvertising.org.

 

We may also use the following types of usual cookies:

  • user interface customization cookies (i.e. cookies memorizing your preferences);
  • authentication cookies (i.e. cookies allowing you to leave and return to our websites without having to re-authenticate yourself);
  • video player cookies (i.e. cookies storing data needed to play back video or audio content and storing your preferences).

5.2. Other technologies

We may also use other technologies on our websites to collect and process your personal data for the same purposes as set out above, including:

  • Adobe Flash technology (including Flash Local Shared Objects, unless you set your setting otherwise).

6. What are your rights and how can you exercise them?

You may exercise the following rights under the conditions and within the limits set forth in the law:

  • the right to access your personal data as processed by us and, if you believe that any information relating to you is incorrect, obsolete or incomplete, to request its correction or updating;
  • the right to request the erasure of your personal data or the restriction thereof to specific categories of processing;
  • the right to withdraw your consent at any time, without affecting the lawfulness of the processing before such withdrawal;
  • the right to object, in whole or in part, to the processing of your personal data;
  • the right to object to direct marketing communications; and
  • the right to request its portability, i.e. that the personal data you have provided to us be returned to you or transferred to the person of your choice, in a structured, commonly used and machine-readable format without hindrance from us and subject to your confidentiality obligations.

Please note however that, in certain circumstances, your refusal to accept cookies or your browser settings may affect your browsing experience and prevent you from using certain features on our websites.

 

If you have a question or want to exercise the above rights, you may send an email to [email protected] or a letter to Data Privacy Department, Park View, Riverside Way, Watchmoor Park, Camberley, Surrey, GU15 3YL, with a scan of your identity card for identification purpose, it being understood that we shall only use such data to verify your identity and shall not retain the scan after completion of the verification. When sending us such a scan, please make sure to redact your picture and national registry number or equivalent on the scan.

 

If you are not satisfied with how we process your personal data, please address your request to our Data Protection Officer [email protected], who will investigate your concern.

In any case, you also have the right to file a complaint with the competent data protection authorities, in addition to your rights above.

 

7. What technical and transactional data may we collect about you?

7.1. Categories of technical and transactional data

In addition to any information collected about you under Part I of this Privacy Notice, we may collect various types of standard technical and transactional personal data about you during your use of our websites which are necessary to ensure a proper functioning of our websites, including:

  • information regarding your browser and device (e.g. internet service provider’s domain, browser’s type and version, operating system and platform, screen resolution, device manufacturer and model);
  • statistics in relation to your use of our website (e.g. information regarding the pages visited, information researched, time spent on our website);
  • usage data (i.e. date and time of access of our website, files downloaded);
  • your device’s location through Google Maps when using our website (unless you disabled this function by changing your device’s settings or refuse the location tracking by Google Maps by entering your location yourself); and
  • more generally, any information you provide to us when using our website.

 

Please note that we will not knowingly collect, use or disclose personal data from a minor under the age of 16 without obtaining prior consent from a parent or legal guardian.

 

7.2. Why are we collecting technical and transactional data?

We always process your personal data for a specific purpose and only process the personal data which is relevant to achieve that purpose. In addition to any purposes already communicated to you in Part I of this Privacy Notice, we also process your personal data collected during your use of one of our websites for the following standard purposes:

  • manage our users (e.g. registration, account management, answer questions and provide technical support);
  • manage and improve our website (e.g. diagnose server problems, optimize traffic, integrate and optimize web pages where appropriate);
  • measure the usage of our website (e.g. by drawing up statistics about the traffic, by gathering information regarding the users’ behaviour and the pages they visit);
  • improve and personalize your experience and better tailor content to you (e.g. by remembering your selections and preferences, by using cookies);
  • send you personalized location-based services and content;
  • improve the quality of our products and services and expand our business activities;
  • monitor and prevent fraud, infringement and other potential misuse of our website;
  • reply to an official request from a public or judicial authority with the necessary authorisation;
  • manage our IT resources, including infrastructure management and business continuity;
  • preserve the company’s economic interests and ensure compliance and reporting (such as complying with our policies and local legal requirements, tax and deductions, managing alleged cases of misconduct or fraud, conducting audits, defending litigation);
  • archiving and record keeping; and
  • any other purposes imposed by law and authorities.

 

8. How will you be informed of the changes to our Privacy Notice?

Any future changes or additions to the processing of your personal data as described in this Privacy Notice will be notified to you in advance through an individual notice using our usual communication channels (e.g. by email) as well as through the website (via banners, pop-ups or other notification mechanisms).

 

GB/VC/VCG/05/18/0078a