
Data Protection Declaration


1    Who We Are


HOYA Surgical Optics (“we”, “our”, or “HSO”) is a global manufacturer of ophthalmic medical devices, specialising in intraocular lenses and related surgical products used in cataract and refractive surgery. We are committed to protecting personal information across all of our operations. This Privacy Notice explains how we collect, use, share, and protect personal information during the course of our business activities.

Depending on where you are located and the products or services you engage with, the controller of your personal information will be the relevant local HOYA Surgical Optics legal entity in your country. This means that different HSO entities act as controllers in different jurisdictions. HOYA Surgical Optics GmbH may act as controller for certain activities within Europe, and as a central contact point for certain group-level matters.

This Privacy Policy applies to all personal information we process except employee data, which is covered under a separate internal privacy notice. It applies to personal information collected through our websites, in connection with our products and services, during business interactions, in relation to job applications and recruitment, and across our internal business operations.

We operate globally, and this Privacy Policy is intended to apply consistently across jurisdictions. Where local privacy laws provide additional rights or impose additional requirements, we comply with those local obligations.

This Privacy Notice reflects the requirements of the key data protection laws in the countries where HSO operates, including:

  • Austria, France, Germany, Italy, United Kingdom, European Economic Area: General Data Protection Regulation (GDPR) and, in the UK, the UK GDPR and Data Protection Act 2018

  • China: Personal Information Protection Law (PIPL)

  • India: Digital Personal Data Protection Act 2023

  • Japan: Act on the Protection of Personal Information (APPI)

  • Singapore: Personal Data Protection Act 2012 (PDPA)

  • South Korea: Personal Information Protection Act (PIPA)

  • Thailand: Personal Data Protection Act 2019 (PDPA)

  • United States: Health Insurance Portability and Accountability Act (HIPAA), California Consumer Privacy Act (CCPA), and other applicable state privacy laws currently in force


Where local law provides additional rights or obligations, HSO applies those rules in that jurisdiction.

If you have questions about the controller responsible for your personal information, please refer to the Contact Us section below.
 

2    Information We Collect

We collect personal information in the course of our business activities with customers, vendors, contractors, business partners, prospects, medical professionals, research participants, visitors, and other stakeholders. The categories of personal information we may collect include the following.


2.1    Information you provide to us

  • Contact and identification details (name, email, phone, company, job title, role, professional address, professional identification number)

  • Professional information of healthcare professionals and researchers (specialty, institution, qualifications, training records)

  • Contract and transaction information (agreements, purchase orders, invoices, payments and other transactions)

  • Financial and remuneration information relating to contracts with healthcare professionals (fees, honoraria, consultancy agreements, and related records required for transparency reporting)

  • Login and account credentials where you create an account (e.g. username/email and password)

  • Communications and correspondence (emails, calls, meeting notes, enquiries, feedback, complaints)

  • Recruitment and candidate information (CVs/resumes, cover letters, application forms, qualifications, employment history, references, interview notes, assessment results)

  • Event and marketing data (registrations, preferences, survey responses, participation records, testimonials)

  • Media content (photos, video and audio recordings from events, interviews, testimonials, or training sessions)

  • Images and other media of healthcare professionals, where collected and published with appropriate consent for use on our websites, publications, or promotional materials

  • Consent records and preference management information

  • Product and training data (service requests, feedback forms, training attendance)

  • Information provided during due diligence, onboarding, or compliance checks

  • Information provided in support of audits, litigation, regulatory filings, or dispute resolution
     

2.2    Information we collect automatically


When you use our websites, platforms, or facilities, we may collect certain information automatically, including:
 

  • Digital identity and activity data (IP address, browser type, device information, operating system, log-in events, session logs)

  • Website usage information including pages visited, links clicked, cookie data, heatmaps and surveys

  • Access records for systems, platforms, or facilities including log-in events, visitor Wi-Fi usage, CCTV footage, security badge data, and audit trails

  • Online identifiers for profiling, conversion tracking, advertising networks, or remarketing activities (subject to applicable consent requirements)
     

2.3    Information we may receive from third parties


We may also receive information from third parties where lawful to do so. This may include:

  • Business contact information from distributors, partners, or public sources

  • Compliance or verification information from regulators, industry databases, or screening providers

  • Professional information about healthcare providers or researchers involved in our collaborations

  • Candidate background check results and references from recruitment agencies, educational institutions, or former employers (where permitted by law)

  • Data shared by third parties in the context of collaborations, audits, clinical studies, or regulatory obligations
     

2.4    Special categories of information (only where necessary and permitted by law)


We do not routinely collect patient information. However, health data may be processed incidentally or directly in limited circumstances, such as:

  • When handling complaints, vigilance reporting, recalls, or adverse event notifications

  • In post-market surveillance or clinical research activities involving participants

  • In regulatory submissions where required to demonstrate safety and performance


Such processing is strictly limited to what is necessary to meet our regulatory and legal obligations as a medical device manufacturer.
 

3    How and Why We Use Your Information

The table below explains the purposes for which we use personal information, the categories of data involved, and the legal basis for processing. Where we rely on legitimate interests, these are identified.

Each entry below gives the purpose, what we use, the legal basis, and the legitimate interest (if applicable).

Purpose: Customer and Business Relationship Management
What We Use: Contact details, communication history, contracts, transaction details
Legal Basis: Contract; Legitimate interest
Legitimate Interest: Managing relationships with customers, vendors, contractors, and partners

Purpose: Customer Service and Technical Support
What We Use: Contact details, service history, case data, complaint records
Legal Basis: Contract; Legitimate interest
Legitimate Interest: Providing product support, resolving issues, handling complaints

Purpose: Account Creation and Management
What We Use: Identification data, login credentials, registration information
Legal Basis: Contract; Legitimate interest
Legitimate Interest: Authenticating users, providing secure access, managing accounts

Purpose: Marketing, Events, and Engagement
What We Use: Contact details, preferences, website usage, event registrations, survey responses, testimonials, photos/video/audio recordings
Legal Basis: Consent; Legitimate interest
Legitimate Interest: Promoting products and services, organising events, managing engagement

Purpose: Professional and Clinical Collaboration
What We Use: Professional information of healthcare providers and researchers, training records, collaboration data, feedback
Legal Basis: Contract; Legitimate interest
Legitimate Interest: Engaging with medical professionals, supporting research, improving product use

Purpose: Healthcare Professional Contracting and Remuneration
What We Use: HCP contact details, contract records, financial/payment data
Legal Basis: Contract; Legal obligation; Legitimate interest
Legitimate Interest: Managing contractual arrangements with HCPs, maintaining payment and remuneration records for compliance and transparency reporting

Purpose: Communication and Social Media
What We Use: Contact forms, emails, meeting notes, chats, video calls, correspondence, social media posts, direct messages
Legal Basis: Legitimate interest
Legitimate Interest: Responding to queries, monitoring feedback, maintaining interactions

Purpose: Contract Management, Compliance, and Legal Obligations
What We Use: Contract records, due diligence data, verification checks
Legal Basis: Legal obligation; Legitimate interest
Legitimate Interest: Fulfilling contracts, meeting compliance requirements, onboarding vendors

Purpose: Website, Systems, Network and Facility Management and Security
What We Use: Usage data, cookies, IP addresses, device/browser details, log-in and access logs, visitor Wi-Fi logs, security badge data, CCTV, security alerts, server logs
Legal Basis: Consent (non-essential cookies); Legitimate interest; Legal obligation
Legitimate Interest: Delivering digital services, ensuring IT and facility security, preventing fraud, abuse, and unauthorised access

Purpose: Product Development, Quality, and Regulatory Reporting
What We Use: Customer feedback, training data, complaint metadata
Legal Basis: Legal obligation; Legitimate interest
Legitimate Interest: Improving products, meeting medical device regulations, supporting audits

Purpose: Health Vigilance, Post-Market Surveillance, Recalls and Complaints
What We Use: Patient identifiers (e.g. age, gender, implant date), product identifiers (type, serial number), health data, contact details of complainants and healthcare professionals
Legal Basis: Legal obligation; Consent (where required)
Legitimate Interest: Ensuring compliance with regulatory obligations, conducting vigilance activities, managing adverse events and complaints

Purpose: Clinical Studies and Research
What We Use: Participant data (e.g. age, gender, health data, lifestyle information, reimbursement details), HCP data (name, specialty, institution, qualifications)
Legal Basis: Consent; Legal obligation; Legitimate interest (where applicable)
Legitimate Interest: Conducting research to assess safety, performance, and quality of medical devices

Purpose: Litigation, Dispute Resolution, and Auditing
What We Use: Identification and contact information, relevant case documentation
Legal Basis: Legal obligation; Legitimate interest
Legitimate Interest: Protecting our legal rights, managing disputes, supporting audits and investigations

Purpose: Economic Analysis and Market Research
What We Use: Transactional records, contract data, customer and partner groupings, purchasing behaviour
Legal Basis: Legitimate interest
Legitimate Interest: Evaluating business performance, identifying market trends, understanding customer needs

Purpose: Telephonic Contact and Recordings
What We Use: Telephone numbers, call recordings, notes from customer service
Legal Basis: Consent; Legitimate interest
Legitimate Interest: Responding to support requests, training staff, quality assurance

Purpose: AI and Automation Support
What We Use: Metadata, user-submitted content, relevant business records, business tool outputs
Legal Basis: Legitimate interest
Legitimate Interest: Using AI in business tools to improve efficiency and support product performance, always with human oversight

Purpose: Recruitment and Job Applications
What We Use: Candidate information (CVs, qualifications, references, application data, interview notes, assessment results)
Legal Basis: Consent; Contract (pre-contractual steps); Legal obligation (where applicable)
Legitimate Interest: Managing recruitment processes, assessing suitability for roles, maintaining a candidate pipeline

Purpose: Plugins and Embedded Third-Party Content
What We Use: Online identifiers, device/browser data, interaction data
Legal Basis: Consent; Legitimate interest
Legitimate Interest: Providing third-party functionality (maps, videos, graphics, geolocation), enabling social media integration, and improving user experience

Purpose: Media and Image Use with Consent
What We Use: Photos, video and audio recordings of healthcare professionals and event participants
Legal Basis: Consent
Legitimate Interest: Publishing images or recordings on websites, promotional materials, or training resources with appropriate consent

Note: Where legitimate interest is not available as a legal basis under local law, we will rely on another lawful ground. For example:

  • Japan: processing must remain within the “specified purpose of use” disclosed at the time of collection. See Annex A.

  • Canada, China, India, Singapore, South Korea, Thailand, United States: processing will rely on consent, or another ground permitted under local law (such as contract performance, compliance with a legal obligation, protection of life or health, or other statutory exceptions).
     

4    Sensitive Data Use

Some of the personal information we collect and use is considered sensitive under applicable laws. This may include, for example, health-related information connected to the use of our medical devices.
We only collect and use sensitive personal information where it is strictly necessary, such as:

  • To comply with medical device safety and regulatory reporting obligations (including vigilance reporting, adverse event management, post-market surveillance, or product recalls), or

  • To support clinical studies and research, where HOYA Surgical Optics acts as the controller of participant data. In such cases, data is typically collected and managed on our behalf by authorised clinical research organisations, healthcare professionals, or research partners, and processed in line with ethical and legal requirements.

  • For other specific purposes where you have provided your explicit consent.

You may choose to withhold or withdraw your consent at any time. However, if sensitive personal information is required in order to provide you with a service, meet regulatory obligations, or support research participation, we may not be able to proceed without it.
 

5    Protected Health Information under HIPAA

In the United States, some of the information we process may be classified as Protected Health Information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA). HOYA Surgical Optics is not a HIPAA covered entity; however, when we act as a business associate of healthcare providers or otherwise receive PHI in connection with regulatory reporting, vigilance activities, or clinical research, we handle such information in compliance with HIPAA requirements and applicable contractual obligations.
 

6    Use of AI and Automated Technologies

We use artificial intelligence (AI) tools as follows:

AI in Business Tools
We use AI features in internal applications (e.g. Microsoft Copilot) to support tasks such as document creation, summarization, and communication. These tools may process business contact data or content contextually.

No automated decision-making
We do not use AI systems to make decisions about you that produce legal or similarly significant effects without human oversight.


7    Sharing of Information

We do not sell or rent your personal information. We may share it with:

  • Group companies – for internal administration, business continuity, and to deliver group-level services.

  • Trusted service providers – such as IT hosting and cloud providers, analytics platforms, customer relationship management tools, marketing support partners, event organisers, survey tool providers, payment or accounts payable providers, and contract management platforms. These parties act on our instructions and are bound by strict confidentiality and data protection obligations.

  • Healthcare providers, regulators, and transparency registers – where required to coordinate or manage product safety, recalls, complaints, clinical studies, vigilance reporting, or required transparency disclosures regarding healthcare professional engagements.

  • Professional advisers and specialists – including lawyers, auditors, consultants, insurers, tax advisers, and other external experts engaged to support our business or defend legal claims.

  • Research and collaboration partners – where we work jointly with academic institutions, hospitals, or industry partners in clinical studies or research activities.

  • Corporate transactions – third parties involved in a merger, acquisition, joint venture, divestiture, restructuring, or sale of business or assets.

  • Regulatory bodies, law enforcement, or other public authorities – where required by law, legal process, or to protect the safety, rights, or property of individuals or the business.

  • Third-party platforms and embedded content providers – such as mapping, video, or social media services where you interact with their content on our websites.

  • Others at your request – where you ask us to share your information with another party, such as a healthcare provider or collaborator.
     

All parties receiving data are bound by strict confidentiality and data protection obligations.
 

8    International Data Transfers

Your personal information may be transferred outside of your country of residence. When we do so, we apply safeguards that are consistent with the requirements of applicable law.

Internal transfers
All internal transfers within the HOYA Group are governed by the HOYA Data Sharing Framework. This framework incorporates the European Commission’s Standard Contractual Clauses (SCCs) and equivalent protections to ensure that personal information is safeguarded when shared across countries.

External transfers
When we use external service providers or partners located outside your country, we apply safeguards such as:

  • Standard Contractual Clauses (SCCs) approved by the European Commission or UK authorities

  • Adequacy decisions (where recognised by the European Commission, UK, or other regulators)

  • Supplementary contractual, organisational, or technical safeguards

8.1    Country-specific rules

  • European Union/EEA and United Kingdom: Transfers are made in compliance with the GDPR or UK GDPR, using SCCs, UK Addenda, or adequacy decisions where available.

  • China: Cross-border transfers of personal information are subject to the Personal Information Protection Law (PIPL). Where required, we obtain consent, conduct security assessments or filings, and use standard contracts or other mechanisms approved by the Cyberspace Administration of China (CAC).

  • India: Cross-border transfers are permitted under the Digital Personal Data Protection Act 2023 (DPDPA) unless restricted by the government. We apply contractual and technical safeguards to ensure adequate protection.

  • Singapore: Transfers outside Singapore are carried out in accordance with the Personal Data Protection Act 2012 (PDPA), which requires that transferred information continues to receive comparable protection.

  • South Korea: International transfers are regulated under the Personal Information Protection Act (PIPA). Where required, we obtain consent or apply other legal transfer mechanisms permitted under Korean law.

  • Thailand: Cross-border transfers are governed by the Personal Data Protection Act 2019 (PDPA). Transfers are permitted where the receiving country has adequate protections, consent is obtained, or other legal bases apply.

  • United States: Where US service providers are used, we require contractual safeguards and, where relevant, rely on frameworks such as the EU–US Data Privacy Framework and UK Extension (if applicable).

  • Canada: International transfers are carried out in line with the Personal Information Protection and Electronic Documents Act (PIPEDA). Safeguards include contractual clauses ensuring adequate protection of transferred information.
     

9    How Long We Keep Your Information

We keep your personal information only for as long as necessary to fulfil the purposes described in this Privacy Notice, or as required by law. This means retention periods may vary depending on the type of information and the legal, regulatory, and contractual requirements that apply.

For example:

  • Information collected for regulatory, product safety, or vigilance purposes may be retained for the periods required under medical device regulations.

  • Contractual and financial records may be retained to comply with tax, accounting, and commercial law obligations.

  • Recruitment information may be retained for the duration of the recruitment process and for a period afterwards where required by law or where you have consented to further retention.

  • Marketing information is kept until you withdraw your consent or object to our use of your information.

When personal information is no longer required, we will securely delete it or anonymise it so that it can no longer be linked to you.
 

10    Your Rights

Your privacy rights depend on where you live. For example:

  • If you are in the EEA or UK, you have rights under GDPR (e.g. access, rectification, erasure, objection, restriction, portability, and withdrawal of consent).

  • If you are in Japan, your rights are governed by the Act on the Protection of Personal Information (APPI).

  • If you are in another country, your rights may vary depending on local law.


We will respect and apply the rights available under your local law, wherever you are located. For a full overview of rights by country, visit: www.hoya.com/Privacyrights

To exercise your rights, contact us using the details below.
 

11    Security of Your Information

We apply appropriate technical and organisational measures to protect your personal information. These include:

  • Encryption of data in transit and at rest where appropriate

  • Access controls to limit data to authorised users

  • Multi-layered security architecture, including firewalls and intrusion prevention

  • Regular security audits, risk assessments, and vulnerability testing

  • Monitoring of threats and response procedures for incident handling
     

These measures reflect global information security standards and aim to safeguard your data from loss, misuse, or unauthorised access.

12    Cookies and analytics tools

We use cookies and similar technologies to ensure site functionality, security, and to enhance your experience. Some cookies are strictly necessary; others, such as analytics and marketing cookies, require your consent. Analytics tools we use include Google Analytics, Google Tag Manager, Microsoft Clarity, and LinkedIn Insight Tag. These tools help us understand visitor behaviour, improve our Website, and measure the effectiveness of our marketing. You can manage or withdraw your consent at any time via the Consent Manager or through your browser settings.
 

13    Contact Us

If you have any questions about this Privacy Notice or how your personal information is handled, you can contact us at:

HSO Privacy Office
Email: [email protected]

Your enquiry will be directed to the relevant HOYA Surgical Optics entity in your country, which will act as the controller of your personal information for local activities (such as recruitment, customer or vendor relationships, and product services).

14    Changes to This Policy

We may update this policy to reflect changes in our data practices or legal obligations. When we do, we’ll revise the “Effective Date” at the top of this page and highlight material updates where appropriate.

 

Annex A – Specified Purpose of Use (Japan)


In accordance with the Act on the Protection of Personal Information (APPI), when we collect personal information in Japan we must specify the purpose of use at the time of collection. The purposes of use for HOYA Surgical Optics are set out below. These purposes apply unless otherwise notified or agreed at the time your information is collected.

Each entry below gives the category of data subject and the corresponding utilisation purpose.

Category of data subject: Customers and medical personnel
Utilisation purpose: Provision of information related to the ordering, arrangement, and shipment of products and services; sales of products; repair, maintenance, and inspection of devices; provision of after-sales service and technical support; handling and documentation of enquiries, complaints, and service requests; organisation and notification of seminars, academic conferences, exhibitions, training, campaigns, and events hosted or supported by HSO; planning, research, development, and marketing of products; provision of product demonstrations and training; quality and safety reporting, including complaint handling, vigilance, and recalls; access control and visitor management of HSO facilities; performance of negotiations, meetings, and communications with customers; preparation of documentation and reports to government institutions as required by law.

Category of data subject: Vendors, contractors and business partners
Utilisation purpose: Performance of negotiations, meetings, communications, and other interactions with business partners; management of invoicing, payment, and other business operations; due diligence and compliance checks; administration of contracts and onboarding; performance of business operations commissioned to HSO; access control and visitor management of HSO facilities; history management of training provided by HSO; preparation of documentation and reports to government institutions as required by law.

Category of data subject: Healthcare professionals and research collaborators
Utilisation purpose: Engagement in clinical collaboration, training, and research activities; collection and management of professional information (specialty, institution, qualifications); management of research contracts, reimbursements, and related payments; analysis of product usage and feedback to improve performance and safety; transparency reporting; reporting to regulators and government agencies as required by law.

Category of data subject: Visitors and guests
Utilisation purpose: Security and safety management of facilities, including CCTV, visitor registration, Wi-Fi access, and access badge systems; access control and audit trails; compliance with safety and health regulations.

Category of data subject: Patients (incidental data)
Utilisation purpose: Handling and documentation of information received in connection with vigilance reporting, adverse event notifications, or product complaints; preparation of documentation and reports to government institutions as required by law and other ordinances.

Category of data subject: Job applicants (including interns)
Utilisation purpose: Selection of candidates; provision of recruitment information and interview results; performing operations related to the recruitment process; management of recruitment operations; preparation of documentation and reports to government institutions as required by law.