Privacy Policy

The Harley Street Eye Centre, 22a Harley Street, London W1G 9BP

Last updated: June 10th, 2026

1. Introduction

The Harley Street Eye Centre (“we”, “us”, “our”) is committed to protecting and respecting your privacy. We are an ophthalmology clinic providing eye care, diagnostic and surgical services. Because of the nature of our work, we handle sensitive information about your health, and we take our responsibilities under data protection law very seriously.

This Privacy Policy explains what personal information we collect about you, how we use it, who we share it with, how long we keep it, and the rights you have over your information. It applies to visitors to our website, enquirers, patients and anyone else whose personal data we hold.

We process personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. Who we are (Data Controller)

The Harley Street Eye Centre is the “data controller” responsible for your personal data.

  • Address: 22a Harley Street, London W1G 9BP
  • Email: frontdesk@eyesat22a.com
  • Telephone: 020 3835 2731

If you have any questions about this policy or about how we handle your information, please contact us using the details above. [If you appoint a Data Protection Officer or privacy lead, name them and give their contact details here.]

3. The information we collect

Depending on how you interact with us, we may collect and process the following categories of information.

Information you give us directly:

  • Identity and contact details — your name, date of birth, postal address, email address and telephone number.
  • Enquiry details — the information you provide when you contact us by phone, email, our website contact form, or WhatsApp, including the symptoms or concerns you describe.
  • Appointment and booking details.
  • Payment and billing information, and details of any private medical insurer.

Health information (special category data):

  • Your medical and ophthalmic history, symptoms, examination findings and diagnoses.
  • Results of vision tests and diagnostic scans (for example OCT, topography and biometry).
  • Details of treatments, procedures, medications and aftercare.
  • Correspondence and records shared with us by your GP, optometrist, or other healthcare providers.

Health information is treated as “special category data” under UK GDPR and is given a higher level of protection.

Information we collect automatically when you use our website:

  • Technical data such as your IP address, browser type, device information and operating system.
  • Information about how you use our site, collected through cookies and similar technologies (see Section 11).

4. How we collect your information

We collect information:

  • Directly from you — when you enquire, book or attend an appointment, complete forms, or correspond with us by phone, email, WhatsApp or in person.
  • From third parties — such as your GP, optometrist, referring clinician, or your medical insurer.
  • Automatically — through cookies and analytics tools when you visit our website.

5. Why we use your information and our lawful bases

Under data protection law we must have a “lawful basis” for using your personal data. For special category (health) data we must also satisfy an additional condition. The table below summarises how and why we use your information.

| Why we use your information | Lawful basis (UK GDPR Article 6) | Additional condition for health data (Article 9) |
|---|---|---|
| To respond to enquiries and arrange appointments | Legitimate interests; steps to enter into a contract | Explicit consent / provision of health care |
| To provide eye care, diagnosis, treatment and aftercare | Performance of a contract | Article 9(2)(h) — provision of medical care and treatment |
| To maintain accurate clinical records | Legal obligation; legitimate interests | Article 9(2)(h) — provision of medical care and treatment |
| To process payments and manage billing/insurance | Performance of a contract; legal obligation | Not applicable (no health data required) |
| To comply with legal, regulatory and professional duties (e.g. CQC, GMC, indemnity) | Legal obligation; legitimate interests | Article 9(2)(h); Article 9(2)(g) — substantial public interest |
| To send appointment reminders and clinical follow-ups | Legitimate interests / contract | Article 9(2)(h) — provision of medical care |
| To send marketing about our services (where you have agreed) | Consent | Not applicable |
| To run and secure our website and improve our services | Legitimate interests; consent (for non-essential cookies) | Not applicable |

Our “legitimate interests” include running our clinic efficiently, communicating with patients, keeping our services and website secure, and meeting our professional obligations. We only rely on legitimate interests where your rights and interests do not override those interests.

Where we rely on your consent (for example, for marketing or non-essential cookies), you can withdraw it at any time.

6. Who we share your information with

We do not sell your personal information. We may share it with the following, only where necessary and with appropriate safeguards in place:

  • Healthcare providers involved in your care, such as your GP, optometrist, referring or onward clinicians, hospitals, laboratories and diagnostic services.
  • Our consultants and clinical staff who are involved in your care.
  • Service providers who support our clinic, for example our practice management/booking software, IT and hosting providers, secure communication tools, and payment processors. These providers act as our “data processors” and may only use your data on our instructions.
  • Medical insurers where you are using private medical insurance to pay for treatment.
  • Regulators and professional bodies such as the Care Quality Commission (CQC) or the General Medical Council (GMC), where we are required to do so.
  • Legal and regulatory authorities where we are required by law, or to establish, exercise or defend legal claims.

7. International transfers

We aim to keep your personal data within the UK. Where any of our service providers store or process data outside the UK, we will ensure appropriate safeguards are in place — such as an adequacy decision or the International Data Transfer Agreement (IDTA) / UK Addendum to the EU Standard Contractual Clauses — so that your data continues to receive a level of protection equivalent to that under UK law.

8. How long we keep your information

We keep your personal data only for as long as necessary for the purposes set out in this policy, and to meet our legal and professional obligations.

  • Clinical records are retained in line with professional guidance for the retention of healthcare records. For adults, this is generally a minimum of 8 years after your last treatment; records relating to children are generally retained until the patient’s 25th or 26th birthday, or longer where required. [Confirm your specific retention schedule.]
  • Enquiry and website data is kept for a shorter period where it is not part of a clinical record.

When we no longer need your information, we will securely delete or anonymise it.

9. How we protect your information

We have appropriate technical and organisational measures in place to protect your personal data against unauthorised access, loss, misuse or alteration. These include access controls, staff confidentiality obligations, secure storage of records, and secure handling of communications. Where we use third-party providers, we require them to apply appropriate security standards.

In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner’s Office and, where required, affected individuals.

10. Your rights

Under UK data protection law, you have the following rights over your personal data:

  • The right to be informed about how we use your data (this policy).
  • The right of access — to request a copy of the personal data we hold about you.
  • The right to rectification — to have inaccurate or incomplete data corrected.
  • The right to erasure — to ask us to delete your data in certain circumstances (note: this is limited where we are legally required to retain clinical records).
  • The right to restrict processing in certain circumstances.
  • The right to data portability in certain circumstances.
  • The right to object to certain types of processing, including direct marketing.
  • Rights relating to automated decision-making and profiling — we do not make decisions about you based solely on automated processing.

To exercise any of these rights, please contact us using the details in Section 2. We will respond within one month. We do not usually charge a fee, and we may need to verify your identity before releasing information.

11. Cookies and website analytics

Our website uses cookies and similar technologies to function properly and to help us understand how visitors use the site. Cookies are small text files placed on your device.

We use:

  • Essential cookies that are necessary for the website to work.
  • Analytics cookies that help us understand how the site is used so we can improve it. [Specify if you use Google Analytics or similar.]
  • Functional/marketing cookies [include only if applicable].

Non-essential cookies are only set with your consent, which you can give or withdraw via our cookie banner. You can also control cookies through your browser settings, although disabling some cookies may affect how the website works.

12. Marketing communications

We will only send you marketing communications where you have agreed to receive them, or where otherwise permitted by law. Every marketing message will give you the option to opt out, and you can unsubscribe at any time by contacting us. Opting out of marketing will not affect communications relating to your care.

13. Third-party links

Our website may contain links to other websites, including social media and messaging platforms such as WhatsApp. We are not responsible for the privacy practices of those third parties, and we encourage you to read their privacy policies.

14. Children’s information

Where we provide care to children (for example, paediatric ophthalmology), we collect and process their information with the involvement and consent of a parent or guardian, as appropriate, and handle it with the same care as all health data.

15. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. The latest version will always be available on our website, and the “Last updated” date at the top will show when it was last revised.

16. How to contact us and how to complain

If you have any questions, requests or concerns about how we handle your personal data, please contact us first:

  • The Harley Street Eye Centre, 22a Harley Street, London W1G 9BP
  • Email: frontdesk@eyesat22a.com
  • Telephone: 020 3835 2731

You also have the right to lodge a complaint with the UK supervisory authority for data protection:

  • Information Commissioner’s Office (ICO)
  • Website: ico.org.uk
  • Helpline: 0303 123 1113

We would, however, appreciate the chance to address your concerns before you approach the ICO, so please do contact us first.