This Privacy Policy explains how personal data is collected and used by The Norfolk and Norwich Association for the Blind (referred to as the “NNAB”, “we”, “us”, “our” throughout this Privacy Policy).

The NNAB is a registered charity under number 207060, and registered with the Information Commissioner’s Office as a data controller under registration number Z6295944.

At the NNAB, we respect your privacy and are committed to protecting your personal data. We recognise that, as a charitable organisation, and in light of the wide-ranging work that we carry out, we will collect and use personal data about various categories of individuals. We take data protection very seriously and will ensure that we uphold the trust that our service users, donors, supporters and customers place in us when they provide us with their personal information.

This Privacy Policy will inform you as to how we collect, use, handle and disclose your personal data, as well as telling you about your privacy rights and how the law protects you. If you need any more information about our data protection practices, please contact us using the details below.

This Privacy Policy covers the specific areas set out below. Please also use the Glossary to understand the meaning of some of the terms used in this Privacy Policy, including “personal data” and “personal information”.

1 – Important information
2 – Data protection principles
3 – How we collect information about you
4 – What information we collect and how we use it
5 – Disclosures of your personal data
6 – International transfers
7 – Data security
8 – Data retention
9 – Your legal rights
10 – Glossary

1 – Important information

Purpose of this Privacy Policy

This Privacy Policy aims to give you information on how the NNAB collects and processes your personal data, including any data you may provide when you purchase equipment from us, attend one of our equipment or information centres (including the MEIC), attend an appointment with one of our Eye Clinic Liaison Officers at a Hospital Eye Clinic as part of our Eye Clinic Service, participate in an activity run by us (including in the Bradbury Activity Centre or in the community), participate in a youth activity or event, we provide support services to you, you make a donation, become a corporate sponsor or attend a fundraising event, sign-up to Gift Aid, you are recorded on CCTV on our premises or any data that you provide through this website when you submit an enquiry or sign up to our newsletter.

Unless expressly stated otherwise (for example, in relation to youth events), this website is not intended for children and we do not knowingly collect data relating to children.

It is important that you read this Privacy Policy together with any other privacy notice or fair processing notice we may provide on specific occasions when we are collecting or processing personal data about you, so that you are fully aware of how and why we are using your data. This Privacy Policy supplements the other notices and is not intended to override them.


The NNAB is the “controller” for the purposes of data protection legislation, and is therefore responsible for your personal data.

As part of our commitment to you, we have appointed a data compliance manager who is responsible for overseeing questions in relation to this Privacy Policy and NNAB’s data protection compliance in general. If you have any questions about this Privacy Policy, including any requests to exercise your legal rights (see section 9 below), please contact the data compliance manager using the following details:

Contact details

E-mail address:

Postal address: The Norfolk and Norwich Association for the Blind, 106 Magpie Road, Norwich NR3 1JH (FAO: Data Compliance Manager)

You have the right to make a complaint at any time to the Information Commissioner’s Office (“ICO”), the UK supervisory authority for data protection issues ( We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.

Changes to the Privacy Policy and your duty to inform us of changes

This version was last updated on 25 May 2018.

We keep this Privacy Policy under regular review and may amend it from time to time. Please check back regularly to view the latest version. Hard copies and braille copies of this Privacy Policy are available from us on request. We will soon be adding an audio version to the web site.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

Third-party links

This website may include links to third-party websites, plug-ins and applications, such as links to other charities and Virgin Money Giving. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy notice of every website you visit.

2 – Data Protection Principles

The NNAB adheres to the principles set out in data protection legislation when handling personal data. These principles require personal data to be:

(a) Processed lawfully, fairly and in a transparent manner.

(b) Collected only for specified, explicit and legitimate purposes.

(c) Adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.

(d) Accurate and where necessary kept up to date.

(e) Not kept in a form which permits identification of data subjects for longer than is necessary for the purposes for which the data is processed.

(f) Processed in a manner that ensures its security using appropriate technical and organisational measures to protect against unauthorised or unlawful processing and against accidental loss, destruction or damage.

(g) Not transferred to another country without appropriate safeguards being in place.

(h) Made available to data subjects and allow data subjects to exercise certain rights in relation to their personal data.

We are also responsible and accountable for ensuring that we can demonstrate compliance with the data protection principles listed above.

3 – How we collect information about you

We may collect, use, store and transfer different kinds of personal data about you. We collect and process personal data about you when:

  • you purchase equipment from us;
  • you attend one of our equipment or information centres (including the MEIC);
  • you attend an appointment with one of our Eye Clinic Liaison Officers at a Hospital Eye Clinic as part of our Eye Clinic Service;
  • you participate in an activity run by us (including in the Bradbury Activity Centre or in the community);
  • you participate in a youth activity or event;
  • we provide support services to you;
  • you make a donation, become a corporate sponsor or attend a fundraising event;
  • you sign up to Gift Aid;
  • you are recorded on CCTV on our premises;
  • you submit an enquiry to us; and
  • you sign up to our newsletter.

Personal data is collected from you through direct interaction with us (either in person, by phone, by e-mail, by post or through this website). For example, you will provide your personal information when you sign up for an activity or event, purchase equipment, submit an enquiry or make a donation.

We also collect personal data from our partners or third parties, such as Social Services, eye clinics or Norfolk County Council Sensory Support who make referrals to the NNAB, our booking agents, local authorities, safeguarding agents or other businesses or sub-contractors that collect personal data about you, who have provided your personal information to us, either with your consent or on some other lawful basis.

We will collect personal data from visual recording equipment, such as CCTV cameras, when you visit our premises. We have CCTV cameras at Thomas Tawell House, the Bradbury Activity Centre and Hammond Court. We operate CCTV cameras on our premises for health and safety purposes and in order to ensure security at the site.

We may also collect personal data when you use this website, through automated technologies, analytics providers or search engine providers. We use cookies to assist the site running as effectively as possible. For further details, please see the Cookies Policy on our website.

If you fail to provide personal data

Where we need to collect personal data by law, or under the terms of our contract with you, and you fail to provide that data when requested, we may not be able to provide our services to you. If so, we may have to terminate our contract with you but we will notify you if this is the case at the time.

4 – What information we collect and how we use it

The personal data that we collect will include:

  • Contact details, including your name, address, telephone number and e-mail address;
  • Information about your identity such as your date of birth and your gender;
  • Emergency contact details, including the name, address, telephone number and e-mail address of your next of kin;
  • Payment information, including credit/debit card details and bank account details (for example, if you purchase equipment from us);
  • Contact history, such as any communications with us by telephone, e-mail, post, through our website or via social media (including personal data collected as a result of security incident or accident);
  • Transaction history, including information about the events and activities that you have attended and equipment that you have purchased;
  • CCTV recording when you visit our premises;
  • Responses to surveys, competitions and promotions;
  • Marketing preferences; and
  • Technical data such as internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, session replay data and other technology on the devices you use to access the website.

We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data may be derived from your personal data but is not considered personal data under data protection law, as this data does not directly or indirectly reveal your identity. For example, we may aggregate data about your use of the website to calculate the percentage of users accessing a specific feature. Likewise, we may aggregate data that we collect through providing our services in order to produce funding reports or applications. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this Privacy Policy.

Given the nature of our organisation, we will collect and process Sensitive Personal Data (as defined in the Glossary) about you from time to time. For example, we will collect your medical information when providing our services to you, or if we need it to assess the correct equipment for you to use. You may also decide to provide us with Sensitive Personal Data during your participation in our support programmes or community work. If we collect Sensitive Personal Data from you, we will use it as permitted under data protection legislation and will treat that information with extra care and confidentiality.

We will generally use your personal data to:

  • Provide you with the information, equipment and services that you request from us;
  • Provide our support programmes and community work;
  • Contact you by post, e-mail and telephone regarding our activities, events, products and services that you have requested from us;
  • Process financial transactions (including collection of payments for equipment, management of any additional charges and fees and administration of any refunds);
  • Generally administer our relationship with you and assess your support and other relevant needs;
  • Respond to any enquiries that you submit to us;
  • Send you information by post or e-mail about new events, offers, updates and news (see the “Marketing” section below for further details);
  • Process your donation or claim Gift Aid on your donations and verify any financial transactions;
  • Comply with our legal and regulatory obligations, including the recommendations of the Charity Commission;
  • Keep a record of your relationship with us;
  • Prevent and detect fraud;
  • Provide customer service and support (including investigating complaints);
  • Train our staff and carry out quality control;
  • Verify your identity and, where applicable, any Disclosure and Barring Services check;
  • Review and improve our service;
  • Use CCTV recording to comply with our health and safety duties and ensure the security of our premises;
  • Use data analytics to improve this website, marketing, customer relationships, user experience and our organisation in general;
  • Administer and protect the website and our organisation (including troubleshooting, data analysis, testing and system maintenance and network security); and
  • Allow you to participate in any interactive features on the website.

Lawful basis for using your information

In some cases, we will only use your personal information where we have your consent or because we need to use it in order to fulfil a contract with you (for example, because you have signed-up for an activity with us).

However, there are other lawful reasons that allow us to process your personal information, including where we have a “legitimate interest”. This means that the reason that we are processing information is because there is a legitimate interest for the NNAB to process your information to help us to achieve our charitable objectives in providing support to visually impaired and blind people (for example, seeking funding from charitable trusts).

Whenever we process your personal data on the basis of a “legitimate interest”, we make sure that we take into account your rights and interests and will not process your personal information if we feel that there is a disproportionate privacy impact on you.


If you are a consumer, we will only contact you by e-mail for marketing purposes if you have given us your opt-in consent to do so. Please note that we will continue contacting you about information that is connected to the contract that you have with us, including an event that you have signed-up to or our other services. We will also continue to contact you to provide you with our newsletter if you have previously requested to receive it.

We will not share your information for marketing purposes with any company or other entity outside of the NNAB group, unless we have your opt-in consent to do so.

You can ask us or third parties to stop sending you marketing messages by contacting us at any time or by clicking the “unsubscribe” button in the relevant e-mail.

Change of purpose

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.

If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

5 – Disclosures of your personal data

We may have to share your personal data with the parties set out below for the purposes set out in paragraph 4 above.

  • Third party activity and course providers, for the purposes for providing the activity or course that you have booked with us.
  • Hospitals, eye clinics and Norfolk County Council Sensory Support, for the purposes of obtaining information about you to assess the most suitable services or equipment to provide.
  • Any other suppliers and sub-contractors we work with to provide you with the products or services that you have requested from us.
  • Fundraising platform providers, such as Virgin Money Giving, for the purposes of collecting donations and claiming Gift Aid.
  • Local authorities, the police and other social care organisations for safeguarding purposes (for example, where required by law).
  • Service providers who provide IT, security, software, marketing, advertising and system administration services.
  • Third party agencies, such as credit reference agencies, for identification verification purposes.
  • Professional advisers acting as processors or joint controllers including lawyers, bankers, experts, accountants, insurers and other third parties who provide legal, banking, consultancy, accounting, insurance and other related services.
  • HM Revenue & Customs, regulators and other authorities acting as processors or joint controllers based in the United Kingdom who require reporting of processing activities in certain circumstances.
  • Third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this Privacy Policy.

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

We do not and will not sell your personal data to any third party.

6 – International transfers

Some of our external third party service providers or partners may be based outside the European Economic Area (EEA), in which case, their processing of your personal data may involve a transfer outside the EEA.

Whenever we transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring that at least one of the following safeguards is implemented:

  • We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission (such as New Zealand or Switzerland).
  • Where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection as it has under EU data protection law.
  • Where we use service providers based in the US, we may transfer personal data to them if they are part of the Privacy Shield which requires the service provider to apply a similar standard of protection to personal data shared between the EU and the US.

Alternatively, we may transfer your personal data outside the EEA where data protection law allows or requires us to do so.

Please contact us if you would like further information on the specific mechanism used by us when transferring your personal data outside the EEA.

7 – Data security

We are putting, and have put, in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

8 – Data retention

How long will you use my personal data for?

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

Details of retention periods for different aspects of your personal data are available on request by contacting

9 – Your legal rights

Under certain circumstances, you have rights under data protection laws in relation to your personal data. Please click on the links below to find out more about these rights:

  • Request access to your personal data.
  • Request correction of your personal data.
  • Request erasure of your personal data.
  • Object to processing of your personal data.
  • Request restriction of processing your personal data.
  • Request transfer of your personal data.
  • Right to withdraw consent.

If you wish to exercise any of the rights set out above, please email fee usually required

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

What we may need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

Time limit to respond

We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.


“Personal data”, or “personal information”, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

“Sensitive Personal Data” means information revealing racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health conditions, sexual life, sexual orientation, biometric or genetic data, and personal data relating to criminal offences and convictions.LAWFUL BASIS

Legitimate interest” means the interest of our business in conducting and managing our business to enable us to give you the best service and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the privacy impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us.

Performance of contract” means processing your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract.

Comply with a legal or regulatory obligation” means processing your personal data where it is necessary for compliance with a legal or regulatory obligation that we are subject to.YOUR LEGAL RIGHTS

You have the right to:

Request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.

Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.

Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.

Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.

Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data’s accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.

Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.

Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.

Privacy Policy

This policy explains how personal data we collect from you, or that you provide to us, will be processed.

Please read the following carefully to understand how we will treat your personal data.

What information we collect

  • Any personal information that you provide to us by filling in forms on our website. This includes information provided at the time of registering an account, purchasing services from us or requesting further services. We may also ask you for information when you report a problem with our site or the services you have purchased.
  • If you contact us by letter or email, records of the correspondence may be kept.
  • Telephone conversations may be recorded for training purposes.
  • Details of transactions you carry out through our site and of the fulfilment and administration of your orders.
  • We also record technical data such as your operating system, browser type, referring / exit pages and URLs, number of clicks, domain names and pages viewed in our server logs. This information is used for marketing and security purposes.

How we use personal data

  • To register a customer account.
  • To handle customer service enquiries.
  • To process orders that you have placed with us.
  • To ensure that content from our site is presented in the most effective manner.
  • To provide you with information, products or services that you request from us or which we feel may interest you, where you have consented to be contacted for such purposes.
  • To carry out our obligations arising from any contracts entered-into between you and us.
  • To notify you about changes to our service.
  • To carry out marketing and statistical analysis.

We will never sell your personal data to third parties.

Data retention

We only retain your personal data for as long as we need it to fulfil the purposes for which we have initially collected it, unless otherwise required by law. We will retain and use information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements as follows:

  • Invoice data is kept for a minimum of 6 years as required under UK Law

Your rights

Unless subject to an exemption under the GDPR, you have the following rights with respect to your personal data:

  • The right to request a copy of your personal data which we hold about you.
  • The right to request that we correct any personal data if it is found to be inaccurate or out of date.
  • The right to object to our use of your personal data and request your personal data is erased where it is no longer necessary for us to retain such data. This is known as your right to be forgotten. Please note that there may be legal reasons as to why we will need to keep your data, but please do inform us if you think we are retaining or using your personal data incorrectly.
  • You have the right to ask us not to process your personal data for marketing purposes. We will usually inform you (before collecting your data) if we intend to use your data for such purposes or if we intend to disclose your information to any third party for such purposes.
  • The right to lodge a complaint with the Information Commissioners Office. Please see for further information.

Data breaches

In the event of a data breach, the affected individuals will be contacted within the timescales specified in the GDPR, and a full report - highlighting any risks - will be provided.

How we use cookies

We may obtain information about your general Internet usage by using a cookie file which is stored on the hard drive of your computer. Cookies contain information that is transferred to your computer’s hard drive. They help us to improve our site and to deliver a better and more personalised service. They enable us:

  • To estimate our audience size and usage pattern;
  • To store information about your preferences, and so allow us to customise our site according to your individual interests;
  • To speed up your searches;
  • To recognise you when you return to our site.
  • Remarketing - For example, once you have visited our website you may see adverts to remind you of our services or products. We also use cookies to exclude existing customers from seeing our adverts.

You may refuse to accept cookies by activating the setting on your browser which allows you to refuse the setting of cookies. However, if you select this setting you may be unable to access certain parts of our site. Unless you have adjusted your browser setting so that it will refuse cookies, our system will issue cookies when you log on to our site.

Third party links

Our site may, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.

Changes to this policy

We keep our privacy policy under regular review and we will place any updates on this web page.

This website uses cookies to improve your experience. By continuing to use this website, you agree to our use of cookies as described in our Privacy Policy.