LloydsPharmacy Stores Privacy Notice
This Privacy Notice explains what information we collect about you, how we, and our Group, may use it, and the steps we take to ensure that it is kept secure. We also explain your rights and how to contact us.
Changes to this Privacy Notice
LloydsPharmacy Ltd keeps its privacy notice under regular review and we may make changes to this notice at any time and will either contact you with the modified terms or by posting a copy of them on our website. Any changes will take effect 3 days after the date on which we post the updated terms. Your continued use of our services after that period expires means that you agree to be bound by the modified notice.
At LloydsPharmacy, we are committed to ensuring your personal data is appropriately protected and only used for the reasons we explain in this privacy notice.
This notice outlines the circumstances in which we will process your personal data to provide our services to you, from dispensing your medication to administering a flu vaccine, the measures we take to ensure your data is kept secure.
LloydsPharmacy Limited (“we”, “us”, “our”) are a member of the Admenta UK Group of companies (“Group”) whose principal operating companies are:
AAH PHARMACEUTICALS LIMITED
BARCLAY PHARMACEUTICALS LIMITED
EXPERT HEALTH LIMITED
JOHN BELL & CROYDEN LIMITED
LLOYDS PHARMACY LIMITED
LLOYDS PHARMACY CLINICAL HOMECARE LIMITED
METABOLIC HEALTHCARE LTD
SANGERS (NORTHERN IRELAND) LIMITED
STEPHEN SMITH LIMITED
SAVORY & MOORE (JERSEY) LIMITED
G J MALEY LIMITED
When we say ‘we’, ‘us’, or ‘group’ we mean these companies.
The personal information we collect and how is it used
The personal data we collect and how we use it depends on the services we provide you with.
- To dispense your prescription - we collect and process your name, address, date of birth, NHS number and details of the medication that has been prescribed (this includes the name of the medication and the dosage instructions). Capturing this information is necessary to provide the service to you, and we cannot provide you with the medication prescribed without this information. Additionally, we may also need to obtain or share information with your healthcare provider including your GP to provide the best care for you.
- Home delivery service - As part of our home delivery service, we use your address to deliver your medication to you, and to improve the efficiency of our delivery service, for example how many times a day/week we deliver to the same street, how many drivers we use, the efficiency of the route added.
If you are an online customer - Using our Click and Collect service, then we share your personal and prescription details with your selected LloydsPharmacy, so that they can supply or transfer your medication or purchase to you.
- Processing card details - If you pay by debit or with credit card in one of our Pharmacies, we process your payment card details complete the payment transaction we do not store these details. Payments are processed by a Third-Party company who securely hold your payment card details and provide us with a unique token that represents that particular card; this token is only valid for payment to us.
To deliver additional healthcare services - Our pharmacists may need to understand wider information about your health, including any family history or medical conditions. If someone books such an appointment on your behalf for example your GP, GP practice nurse or NHS, then we will collect this information from them and verify it with you during the appointment. If you receive an NHS service, we may also need to share information with them as required and to receive payment for the service.
Accessing NHS records - If it is clinically necessary, and you have provided your consent to do so, we will collect your data from NHS organisations, for example your GP/surgery or hospital and view your care records to provide the service you have requested. For example, we may seek your consent to view your care records to ensure medication or services we are providing is appropriate for you.
- SMS notifications - If you sign-up in one of our pharmacies, we will send you SMS messages as part of our prescription collection service to let you know when your medication is ready to collect. We may use your mobile phone number for carefully considered and specific purposes which are in our Legitimate Interests, and help us to enhance our products and services, but which we believe also beneﬁt our customers. For example, to send you an SMS message about our in-pharmacy services like flu vaccinations. Legitimate Interests means the interests of our company in conducting and managing our business. When we process your personal information for our Legitimate Interests, we thoroughly consider and balance any potential impacts on you, both positive and negative, and your rights under data protection laws. Our legitimate business interests do not automatically override your interests.
- Buying a pharmacy - If you are a customer of a pharmacy business that has been bought by us, we receive your personal information as part of the business handover process. Where this happens, we will ensure a notice is placed in the pharmacy to tell you that your personal information is being transferred to us.
- Selling one of our pharmacies - If we sell one of our pharmacies, then we will need to share your personal data with the new owner. We will place a notice in pharmacy, or notify you directly, to tell you that your personal information is being shared.
Telephoning customer services - If you call our customer services centre, we may record or monitor the call. We do this for regulatory purposes, for training, to ensure and improve quality of service delivery, to ensure safety of our staff and customers, and to resolve queries or issues. Doing so is a legal obligation.
Where we analyse calls to improve our service, we do so as a legitimate business interest.
- NHS contracted services - To fulfil our contractual requirements with the NHS, we are required to share your personal information with your GP and other NHS organisations, and sometimes Local Authorities to provide you with NHS or Local Authority funded services. We also have to provide your personal information to NHS organisations to negotiate and check the accuracy of our prescription and service payments, and to ensure that we maintain appropriate professional and service standards and that your declarations and ours are accurate, for example where you are not required to pay for your NHS prescription (you have an exemption). This is necessary to perform the service and is a legal requirement.
- CCTV monitoring - When in one of our LloydsPharmacies, we may capture you on CCTV. We use CCTV to ensure the safety and security of our staff and customers. The images captured by CCTV may be used to prevent and detect crime, and therefore may be shared with law enforcement agencies.
- If you become ill in one of our pharmacies, we will share your personal information, if we have it, with relevant medical professionals to allow them to deliver appropriate treatment to you. This will be done in your vital interests.
Disclosure of your personal information
There are a number of instances where we may need to share your data with third parties: This may include with; law enforcement to support investigations or for detection and prevention of crime including for public safety; to safeguard the vulnerable such as children. We thoroughly consider and balance any potential impacts on you, both positive and negative, and your rights under data protection laws.
International processing of personal information?
We may need to transfer your personal data outside the UK to service providers and subcontractors in countries where data protection laws may not provide the same level of protection as those in the European Economic Area, such as the USA. These data transfers are covered by an adequacy decision of the European Commission (Article 45 GDPR). Where this is not the case e.g., when it comes to transfers to the USA, the data transfers are especially based on standard data protection clauses/standard contractual clauses in line with the templates adopted by the European Commission (Article 46 Para. 2.lit. c, Para. 5 S. 2 GDPR) or by an exemption according to Article 49 GDPR.
The same applies to external service providers who work on behalf of us (for example IT service providers or data centres) or third parties, insofar as they come into contact with your personal data and are based in third countries.
Otherwise, we do not transfer your personal data to countries outside the EU or the EEA or to international organisations.
Retention of your personal information?
We will retain your personal information for as long as we are legally or contractually required to do so, or for a period which is justifiable to meet our business needs. The exact retention period varies depending on the type of information and purpose for use, set out in this Privacy Notice. The retention of your personal data will be subject to periodic review. If you require any further information on retention periods, please contact us at firstname.lastname@example.org
Marketing and profiling
If you have given your consent, we will contact you about the products and services we offer.
Legitimate Interests means the interests of our company in conducting and managing our business. When we process your personal information for our Legitimate Interests, we thoroughly consider and balance any potential impacts on you, both positive and negative, and your rights under data protection laws. Our legitimate business interests do not automatically override your interests.
How to exercise your rights?
Data protection law provides data subjects with numerous rights, including the right to: access, rectify, erase, restrict, transport, and object to the processing of, their personal data. Data subjects also have the right to lodge a complaint with the relevant data protection authority if they believe that their personal data is not being processed in accordance with applicable data protection law.
Right to make subject access request (SAR). Data subjects may, where permitted by applicable law, request copies of their personal data. If you would like to make a SAR, i.e., a request for copies of the personal data we hold about you, you may do so by writing to Data Protection Officer, Legal & Compliance, LloydsPharmacy Limited, Sapphire Court, Walsgrave Triangle, Coventry, CV2 2TX or emailing Data Protection Officer email@example.com The request should make clear that a SAR is being made. You may also be required to submit a proof of your identity.
Right to rectification. You may request that we rectify any inaccurate and/or complete any incomplete personal data.
Right to withdraw consent. You may, as permitted by applicable law, withdraw your consent to the processing of your personal data at any time. Such withdrawal will not affect the lawfulness of processing based on your previous consent. Please note that if you withdraw your consent, you may not be able to benefit certain service features for which the processing of your personal data is essential.
Right to object to processing. Including automated processing and profiling. You may, as permitted by applicable law, request that we stop processing your personal data. In relation to automated processing and profiling, you may object to the processing, and you will have the right to obtain human intervention.
Right to erasure. You may request that we erase your personal data, and we will comply, unless there is a lawful reason for not doing so. For example, there may be an overriding legitimate ground for keeping your personal data, such as, a legal obligation that we have to comply with, or if retention is necessary for us to comply with our legal obligations.
Right to data portability. In certain circumstances, you may request that we provide your personal data to you in a structured, commonly used, and machine-readable format and have it transferred to another provider of the same or similar services. We will comply with such transfer as far as it is technically feasible. Please note that a transfer to another provider does not imply erasure of your personal data which may still be required for legitimate and lawful purposes.
Your right to lodge a complaint with the supervisory authority. We suggest that you contact us about any questions or if you have a complaint in relation to how we process your personal data. However, you do have the right to contact the relevant supervisory authority directly. To contact the Information Commissioner’s Office, the supervisory authority in the United Kingdom, please visit the ICO website for instructions. https://ico.org.uk
For more information on how to exercise your rights, you can email our Data Protection Officer at firstname.lastname@example.org or by post to:
Data Protection Officer
Exercising your rights is free and we will respond to any request as quickly as we can. Under current law, we have up to a calendar month to respond to any request. If we are not able to meet this, we’ll contact you to explain why and confirm when your request will be processed.
If you have any questions or concerns about how we have used your personal information you can contact us for more information
By email at email@example.com
By post to: