PERSONAL INFORMATION PROTECTION POLICY

Updated: April 16, 2020

Shanghai Essilor Vision Foundation (“Essilor”, “we” or “us”) is committed to the responsible collection, use, commissioned processing, sharing, disclosure, assignment, transfer, storage and protection of personal information in accordance with the principles of “legitimacy, justice and necessity” and other personal information protection requirements under applicable laws.
This Personal Information Protection Policy (hereinafter this “Policy”) applies to products and/or services provided by Essilor, including websites, mobile and Internet applications, WeChat public platforms and WeChat applets operated by Essilor that display or prov ide links to this Policy as well as future service forms which may emerge from technical development (collectively, the “Services”).
Please take the time to read this Policy carefully before using our Services. You may start using our Services after confirming your full understanding of and consent to this Policy, especially those terms relating to disclaimer or limitation of liability, which may be bolded or underlined for your attention. If you purchase, use, access and/or browse the Services Essilor offers in the People’s Republic of China (“PRC”), it will be deemed that you fully understand and consent to this Policy.
This Policy will help you understand the following:

How we collect and use your personal information
How we share, transfer, and publicly disclose your personal information
How we protect your personal information
Your rights
How we handle children’s personal information
How your personal information is stored and transferred globally
How this Policy is updated
How to contact us

1. How We Collect and Use Your Personal Information
1.1 Definitions
Personal information refers to various information, which is recorded in electronic or other forms and used alone or in combination with other information to recognize the identity of a particular natural person or reflect the activities of a particular natural person.
Personal sensitive information refers to personal information that once disclosed, illegally provided, or abused, might endanger personal and property security, can easily lead to harms to personal reputation, physical and psychological health, or discriminatory treatment, and so forth.
Please be aware that some of the personal information that we collect from you may be considered personal sensitive information, which may include without limitation your unique identifiers (e.g. identity card numbers, passport numbers, etc.). Any personal sensitive information will be administered in accordance with this Policy and applicable laws.

1.2 Collection of Personal Information
The provision of your personal information is necessary for us to provide you with the Services. We thank you to provide us with complete and accurate information, and also to inform us if your information needs to be updated. If you do not provide us with complete and accurate information, or if you do not inform us that your information needs to be updated, we may not be able to provide you with the relevant Services.
Essilor will collect your personal information for the purposes stated below in this Policy:

Become A Registered Member of Essilor

We may use your personal information to establish, maintain, and administer your member account or membership with Essilor, including sending any updates of this Policy to you.
If you choose to become our registered member, you are required to voluntarily provide us with your mobile phone number. We will verify if the number is valid by sending a verification code to it via text message.

Delivery of the Services

We may use your personal information to develop, produce, sell, and deliver our Services that are ordered by you, including without limitation product information search, anti-counterfeiting search, optometry appointment, eye health test, management of user profile, management of orders and provision of after-sales support.
You understand and agree that based on our adjustment to business strategies, we may change the content of the Services, or discontinue, suspend or terminate a Service.

Participation in Events

If you participate in our promotional events, in order to facilitate our contact with you or confirm your identity, we may collect and record your contact information, including your name, phone number and mailing address. If you refuse to provide the above information, we will not be able to follow up on your needs or send gifts (if any) to you.

1.3 Use of Personal Information
Essilor may process and use your personal information for the following purposes:

Creating an account.
Fulfilling your transaction or service requests, including fulfilling orders; delivering, activating, or verifying the Service.
Providing you with customized user experience and content.
Internal research and development

We may use your personal information for internal research and development purposes, including improving existing Services and developing new Services.

Market Research and Analysis

We may use your personal information to conduct market and business research and analysis with respect to the products and/or services of Essilor and/or our business partners.

Marketing and Promotional Materials

We may use personal information to develop, produce, and deliver to you marketing, promotional, and advertising materials that are tailored for you with respect to the Services of Essilor and/or our business partners. You agree that we and/or Essilor Group Members and/or our partners, and/or the third parties authorized by us and/or Essilor Group Members and/or our partners, may send or inform you of advertising, promotional and other marketing information of the products and services of us or of Essilor Group Members by email, telephone, text message, multimedia message, instant message, and/or other available online and offline communication tool to your account or the mobile phone number and email address, etc. you provide when registering with us, and invite you to participate in release testing, user experience, call back and other commercial events. If you do not agree to receive relevant commercial information, you may unsubscribe by using the corresponding subscription cancellation function or following the relevant tips.

1.4 Exceptions to Acquiring Authorization
You fully understand and agree that our collection and use of your personal information does not require your authorization to in the following circumstances:

Where it is related to the personal information controller’s performance of its obligations under laws and regulations;
Where it is directly related to national security or national defense;
Where it is directly related to public safety, public health, or major public interests;
Where it is directly related to criminal investigations, prosecutions, trials, enforcement of judgments, etc.;
Where the purpose of it is to preserve the life, property, or major legitimate rights and interests of the personal information owners or other persons, and it is very difficult to obtain their authorization;
Where the personal information concerned is made public by the personal information owner on its own;
Where it is required by the personal information owner for the conclusion and performance of contracts;
Where the personal information is collected from legally publicly disclosed information, such as legitimate news reports, government information disclosure and other channels.
Where it is required for the maintenance of the safe and stable operation of the products or services provided, such as the discovery or disposal of product or service breakdown;
Where the personal information controller is a news agency which needs the personal information for legitimate news reporting;
Where the personal information controller is an academic research institution which conducts statistical or academic research for public interests and provides academic research or description results, with the personal information contained in the results being de-identified;

1.5 Personal Information from Third Parties
We may also collect your personal information from third parties, including our business partners and service providers. We require any business partners and service providers that may disclose your personal information to us to obtain your consent for such sharing.
When you use our WeChat applets, your public information (WeChat avatar and nickname) will, upon your authorization, be shared with us. 

1.6 Matching of Personal Information
In order to fulfill or better provide the Services to you, we may, upon your consent and confirmation, match your personal information with the information you voluntarily provide to Essilor Group Members or our partners.

2. How We Commission the Processing of, Share, Transfer and Publicly Disclose Your Personal Information
2.1 Commissioned Processing
Some modules or features of our Services may be provided by external suppliers. For example, we may engage service providers to assist us in providing customer service and data processing support.
For companies, organizations and individuals we commission to process personal information, we will sign relevant agreements with them and require them to process the personal information in accordance with our requirements, this Policy and any other relevant confidentiality and security measures.

2.2 Sharing

Sharing within Essilor Group Members

Essilor Group Members means various legal entities, including wholly-owned subsidiaries and joint ventures directly or indirectly owned by Essilor International.
Any personal information collected by Essilor may be shared globally with Essilor Group Members for the purposes described in this Policy. We may share your personal information within Essilor Group Members, for the purposes of, among others, facilitating the sharing within Essilor Group Members and administration of personal information and monitoring the access, use, and transfer of personal information.

Sharing with Business Partners

We may cooperate with our business partners for various purposes, including without limitation delivery of Essilor or co-branded products and/or services, host of marketing and promotional events, and conduct of market research and analysis. Our business partners are mainly located in the PRC. Our Services may also be provided through third party platforms. In connection with such arrangements, we may share your personal information with our business partners.

Sharing with Service Providers

We use various third party service providers in our business operations. Our service providers are mainly located in the PRC. We may appoint third party service providers to manage and/or operate certain features or services on our behalf, and proper performance of such features or services (including without limitation logistics services, IT services, online or mobile platform services, marketing, promotional, and advertising services, and market research and analysis services) may require sharing the information you submit. Such service providers have limited access to your information in order to perform these tasks on our behalf, and we will also procure that they comply with the terms of this Policy.

SDK or Other Similar Applications of Authorized Partners

To enable your use of our services and features, our WeChat public platforms may embed SDKs or other similar applications of authorized partners. We will perform strict security testing on the application program interfaces (APIs) and software tool development kits (SDKs) used by authorized partners to acquire the relevant information, and agree on strict data protection measures with the authorized partners, to ensure that they process personal information in accordance with our commissioned purposes, service descriptions, this Policy and any other relevant confidentiality and security measures.

2.3 Transfer
We will not transfer your personal information to any company, organization, or individual, except in the following circumstances:

Transfer upon your explicit consent: With your explicit consent, we will transfer your personal information to other parties;
In case of a merger, acquisition or liquidation that involves the transfer of personal information, we will request that the new company or organization that has your personal information continue to be bound by this Policy, otherwise we will require the company or organization to get your authorization again.

2.4 Public Disclosure
We will publicly disclose your personal information only in the following circumstances:

With your explicit consent;
As required by law: We may publicly disclose your personal information if mandatorily required by laws, legal proceedings, lawsuits or government authorities.

2.5 Exceptions to Prior Authorization for Sharing, Transferring, and Public Disclosure of Personal Information
Sharing, transferring, and publicly disclosing your personal information does not require prior authorization from you under the following circumstances:

Where it is related to the performance of our obligations under laws and regulations;
Where it is directly related to national security or national defense;
Where it is directly related to public safety, public health, or major public interests;
Where it is directly related to criminal investigations, prosecutions, trials, or enforcement of judgments;
Where the purpose of it is to preserve the life, property, or major legitimate rights and interests of the personal information owners or other persons, and it is very difficult to obtain their authorization or consent;
Where the personal information is made public by the personal information owner on its own;
Where the personal information is collected from legally publicly disclosed information, such as legitimate news reports, government information disclosure and other channels.

3. How We Protect Your Personal Information
We have measures in place to protect your personal information against unauthorized access, use, or disclosure, including without limitation:

We have a dedicated organizational function within Essilor, which is responsible for maintaining and administering your personal information;
We have adopted industry-standardized security measures to protect the personal information you provide and to protect your data from unauthorized access, public disclosure, use, modification, damage, or loss. We will take all reasonable and practicable steps to protect your personal information. For example, when you exchange data (such as credit card information) between your browser and the “Service”, you are protected by SSL encryption; we also provide https secure browsing for Essilor websites; we will use encryption technology to ensure data confidentiality;
We place appropriate restrictions on access to your personal information, and we monitor the access, use, and transfer of personal information;
All of our employees who have access to your personal information are required to enter into non-disclosure or similar agreements, which impose obligations on them to comply with our personal information protection and confidentiality requirements;
We require any business partners and third party service providers with whom we may share your personal information to comply with any applicable personal information protection and confidentiality requirements;
We provide personal information protection training on a regular basis to our employees and third parties who have access to personal information;
Should there be any personal information security event, we would promptly notify you and take all possible measures to dispose of the event; meanwhile, we would voluntarily report the event and disposition to the supervision department;
We will only retain your personal information within the time limit required to achieve the purposes stated in this Policy, unless there are mandatory legal requirements for retention. After your personal information exceeds the retention period, we will delete or anonymize your personal information according to the applicable law.

4. Your Rights
We guarantee your exercise of the following rights in and to your personal information under relevant PRC laws, regulations, standards, and common practices of other countries or territories. Meanwhile, we are optimizing our features to make it easier for you to access, correct and delete your personal information and exercise your right to withdraw your consent and cancel your account:
4.1 Access to Your Personal Information
You are entitled to access your personal information, unless otherwise provided by laws and regulations. If you intend to exercise your right of data access, you may contact us via the method described in Article 8 “How to Contact Us” of this Policy, and we will respond to your request for access within 30 days after verifying your identity.

4.2 Correction of Your Personal Information
If you find an error in your personal information we process, you are entitled to request us to correct the same. You may submit the request for correction by contacting us via the method described in Article 8 “How to Contact Us” of this Policy, and we will respond to your request for correction within 30 days after verifying your identity.

4.3 Deletion of Your Personal Information
Under the following circumstances, you may request that we delete your personal information by contacting us via the method described in Article 8 “How to Contact Us” of this Policy:

If our processing of your personal information violates laws or regulations:
If we collect and use your personal information without your consent;
If our processing of your personal information violates our agreements with you.
If you no longer use our Services, or you de-register your account:
If we no longer provide Services to you.

4.4 Change of Your Authorization Scope
Some of your personal information is needed before our Services can be fulfilled. You may give or withdraw your authorization for our collection and use of additional information at any time.
You may withdraw your authorization by contacting us via the method described in Article 8 “How to Contact Us” of this Policy.
When you withdraw your consent, we will no longer process the corresponding personal information. However, your decision to withdraw your consent will not affect the processing of your personal information that was previously performed based on your authorization.

4.5 Deregistration of Your Account
You may deregister your account at any time by contacting us via the method described in Article 8 “How to Contact Us” of this Policy.
After your account is deregistered, we will stop providing you with our products or services, and delete your personal information at your request, unless otherwise stipulated by laws and regulations.

4.6 Constraint on Information System Automatic Decision-making
In some business features, we may make decisions based solely on non-manual automatic decision-making mechanisms such as information systems and algorithms. If these decisions significantly harm your legitimate rights and interests, you have the right to ask us for an explanation and we will provide appropriate remedies.

4.7 Respond to Your Requests Above
To ensure security, you may need to provide a written request or otherwise to prove your identity.
We may ask you to verify your identity before processing your request.
We will respond within thirty days. If you are not satisfied, you can also complain by contacting us via the method described in Article 8 “How to Contact Us” of this Policy.
In principle, we do not charge a fee for your reasonable request, but we will charge a certain amount of fee for the repeated requests that exceed the reasonable limit. For those which are unreasonably repetitive, need excessive technical means (for example, need to develop new systems or fundamentally change existing practices), pose risks to the legitimate rights and interests of others, or are very impractical (for example, involving information stored on backup tapes), we may reject them.
Under the following circumstances, we will not be able to respond to your requests:

Where the request is related to the personal information controller’s performance of its obligations under laws and regulations;
Where it is directly related to national security or national defense;
Where it is directly related to public safety, public health, or major public interests;
Where it is directly related to criminal investigations, prosecutions, trials, or enforcement of judgments;
Where the personal information controller has sufficient evidence of your subjective malice or abuse of rights;
Where the purpose of it is to preserve the life, property, or major legitimate rights and interests of the personal information owners or other persons, and it is very difficult to obtain their authorization or consent.
Where a response to the personal information owner’s request will result in serious damages to the legitimate rights and interests of the personal information owners or other individuals or organizations; and
Where trade secrets are involved.

5. How We Handle Children’s Personal Information
Our products, websites and services are primarily offered to adults. Without the consent of their parents or guardians, children must not create their own accounts as personal information owners.
Where parents have consented to the collection of their children’s personal information, we will only use or publicly disclose this information as allowed by law, with the explicit consent of parents or guardians or as necessary to protect the children.
Although local laws and customs define children differently, we consider anyone under 14 to be a child.
If we find that personal information of any child is collected without any verified prior consent of parents or guardians, we will endeavor to delete the relevant data as soon as possible.

6. How Your Personal Information Is Stored and Transferred Globally
In principle, we will store within the territory of the PRC personal information collected and generated during our operation within the territory of the PRC.
We provide products or services through resources and servers located around the world, this means that, with your authorization, your personal information may be transferred to jurisdictions outside of the country/territory where you use our products or services, or be accessed from these jurisdictions.
Such jurisdictions may have different or even no data protection laws. In such cases, we will ensure that your personal information is adequately and equally protected as it is in the PRC. For example, we will require your consent for cross-border data transfer, or take data de-identification and other security measures before making any cross-border data transfer.

7. How This Policy Is Updated
This Policy is subject to changes.
We will not reduce your rights under this Policy without your explicit consent. We will post any changes to this Policy on this page.
Regarding any material changes, we will also provide more noticeable notices (including for certain businesses, we will inform you the same by phone, email, push notification, etc.).
Material changes referred to in this Policy include but are not limited to:

There are major changes to our service model. Such as changes in the purpose of processing your personal information, the types of personal information processed, the methods of using personal information, and so forth;
There are major changes in our ownership structure, organizational structure, or other respects. Such as changes in ownership caused by operation adjustments, bankruptcy, mergers and acquisitions, etc.;
There are changes in the primary targets of personal information sharing, transfer, or public disclosure;
There are major changes in your right to participate in information processing or the means of exercising such right;
There are changes in the department responsible for handling personal information security, its contact information, or complaint channels;
When personal information security impact assessment reports indicate the presence of high risk.

8. How to Contact Us
If you have any questions, comments or suggestions about this Policy, please send an email to evf@essilorchina.com.
Under normal circumstances, we will respond within 30 days.
If you are not satisfied with our response, especially where our processing of your personal information harms your legitimate rights and interests, you may also file a lawsuit to the court with jurisdiction at the defendant’s domicile.