Data protection

We are a Data Controller (registered with the Information Commissioner’s Office, number Z5718812) and are responsible for determining the purpose of data that is collected and the means by which it is processed.

At present the UK is governed by the General Data Protection Regulation 2016 (GDPR) soon to be amended as the UK General Data Protection Regulation (UK GDPR) following the UK’s exit from the EU and the Data Protection Act 2018 (DPA 2018).

The GDPR and Data Protection Act (DPA) has two aims:

  • To protect the individuals’ fundamental rights and freedoms, notably privacy rights, in respect of personal data processing; and
  • To enable organisations to process personal information in the course of legitimate business

The GDPR and DPA 2018 stipulate how we collect and process personal data in a lawful way, which is fair to the individuals the information is about (the data subjects) and meets their reasonable expectations. Processing includes virtually anything that can be done to information, including acquisition, storage and destruction.

We are committed to complying with the Principles of both acts. These Principles (which are set out in Article 5 (1) of the GDPR and Part 4 Chapter 2 of the DPA 2018) require that personal information is handled as follows:

  • Principle 1 – It shall be processed lawfully, fairly and transparently.
  • Principle 2 – It shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes with the purpose for which it is collected.
  • Principle 3 – It shall be adequate, relevant and not excessive in relation to the purpose for which it is processed.  
  • Principle 4 – It shall be accurate and, where necessary, kept up to date.
  • Principle 5 – It shall be kept for no longer than is necessary for the purpose for which it is processed.
  • Principle 6 – It shall be processed in a manner that includes taking appropriate security measures as regards risks that arise from processing personal data. This includes but is not limited to protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage.

The GDPR also contains an additional principle (‘the Accountability Principle’), which requires controllers to be responsible for, and be able to demonstrate compliance with (the above principles).

Your rights under the GDPR and DPA 2018

Under the GDPR and DPA 2018 individuals now have the following rights:

  1. The right to be informed - Individuals have the right to be informed about the collection and use of their personal data. Please refer to our Privacy Notice for more details.
  2. The right of access - Individuals have the right to access their personal data and supplementary information.
  3. The right to rectification - Individuals have a right to have inaccurate personal data rectified, or completed if it is incomplete.
  4. The right to erasure - Individuals have a right to have personal data erased.
  5. The right to restrict processing - Individuals have the right to request the restriction or suppression of their personal data.
  6. The right to data portability - Individuals have a right to obtain and reuse their personal data for their own purposes across different services.
  7. The right to object – Individuals have a right to object to the processing of their data for direct marketing purposes. Individuals also have the right to object to the processing of their data for historical or research purposes unless the processing is necessary for the performance of a task carried out for reasons of public interest.
  8. Rights in relation to automated decision making and profiling – Individuals have the right not to be subject to a decision based solely on automated processing, including profiling.

If you require further advice or guidance about any of your individual rights, please contact:

Subject Access Requests (SAR)

If you want to make a request to see your personal data, this is called a subject access request (SAR). This can be made free of charge however, a reasonable fee can be charged when a request is manifestly unfounded or excessive, particularly if it is repetitive.

There are a number of exemptions under the DPA which may mean we are unable to disclose some of the information you want. Some examples of these exemptions are:

  • Personal data about somebody else or information that would identify somebody else
  • Information that may prejudice the way we carry out our regulatory activities
  • Information that attracts legal professional privilege
  • Examination scripts
  • Crime and Taxation (if disclosure could prejudice matters such as the prevention or detection of crime)

If your personal data has other information amongst it that would not be appropriate to release to you (for example, other people’s information), we will blank out or “redact” this. This means that you might receive documents that have blanked-out sections.

If we are unable to give you your personal data we will tell you why it has been withheld unless the DPA also exempts us from having to confirm or deny its existence.

Please send your request in writing to us describing the information you want. It would be helpful if you could clearly mark your mail “Subject Access Request”. We will inform you if the £10 fee is applicable to your request and provide instructions on how to make payment for this.

Requests should be sent to:

Information Governance
General Optical Council
10 Old Bailey
or by email to:

We will deal with your request as quickly as possible, normally within one calendar month as set by the GDPR and DPA 2018.  You may also be asked to supply proof of your identity.