Sunshine Ophthalmic, as Data Controller, collects personal data from you for one or more of the following purposes:
- To provide you with information you have requested or which we think may be relevant to a subject in which you have demonstrated an interest;
- To initiate and complete commercial transactions with you, or the entity that you represent, for the sale and purchase of products and/or services;
- To fulfill a contract that we have entered into with you or with the entity you represent.
When we ask for personal data we will keep to the law, including the General Data Protection Regulations as pertaining to Data Subjects within the European Union, and we will:
- Make sure you know why we need it;
- Only ask for the information we need;
- Protect it and ensure nobody has access to it who should not have access;
- Only share it with other trusted organizations in order to fulfill our obligations to you. We will not share your personal data with third parties for marketing purposes, and
- Make sure we don’t keep it for longer than is necessary.
This policy sets out the commitments above in more detail.
| Term | Definition |
| --- | --- |
| Data Controller | The body which determines the purposes and means of the processing of personal data. |
| Data Subject | Persons from whom Personal Data is collected by the Data Controller. |
| Personal Data | Any information relating to an identified or identifiable natural person. |
| GDPR | General Data Protection Regulations. |
1. Data protection principles
Article 5 of the GDPR requires that personal data for Data Subjects within the European Union shall be:
- processed lawfully, fairly and in a transparent manner in relation to individuals;
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; and
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
2. Lawful basis
This section describes the data we collect, the retention period, the reasons for doing so and the GDPR lawful basis for processing.
- Name, address, email address, telephone number, bank account details; retained for 7 years
  - To process purchase transactions / contractual performance
  - For accounting and taxation purposes / statutory obligation
  - Should a contractual dispute arise / legitimate interest
- Payment card data (account number, cardholder name, security code, expiration); shared with PCI-compliant payment card companies; retained only while authorization is pending
  - To fulfill purchase requests using payment cards / contractual performance
- Name, company name, address, email address, telephone number; retained for 7 years
  - To provide information about products and services you have requested / contractual performance
  - To provide further, related information and ongoing news updates in relation to the identified area of interest / legitimate interest
- Personal contact information provided through website forms, trade shows or any other means; retained for 7 years
  - General mailing list subscription / consent
3. Data minimisation
We will ensure that personal data we request is adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
We will take reasonable steps to ensure personal data is accurate and kept up to date.
- We ensure that personal data is stored securely using modern software and, when stored on paper, in locked drawers or filing cabinets.
- We limit access to personal data to personnel who need access and appropriate security is in place to avoid unauthorized sharing of information.
- When personal data is deleted, it is done safely to ensure that the data is irrecoverable.
- Appropriate back-up and disaster recovery solutions are in place to restore data in the event that this is necessary.
6. Rights of individuals
We ensure that individuals have the following rights in relation to their personal data: right to be informed; right of access; right to rectification; right to erasure; right to restriction; right to data portability; right to object; right to withdraw consent and rights in relation to automated decision making and profiling. The individual also has the right to lodge a complaint with the supervisory authority, the Information Commissioner’s Office (ICO).
In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data, the Data Controller will promptly assess the risk to people’s rights and freedoms and if appropriate report this breach to the ICO.
8. Special category data
Some of our products store health data, which under the GDPR is particularly sensitive personal data. We ensure a valid reason under GDPR Article 9 exists for the processing of this data and we ensure it is protected.
9. Further information
Further information is available by contacting the Data Controller at:
Sunshine Ophthalmic, 2711 Airport Road, Suite 7, Plant City, FL 33563