1. Introduction
HOYA Corporation (“HOYA,” “we,” “us,” or “our”) is committed to protecting the privacy of individuals. This Privacy Notice explains how we collect, use, share, and protect Personal Information obtained through our corporate activities (including our websites and the other interactions described in this Notice) in compliance with applicable data protection laws. This includes, where applicable, the Act on the Protection of Personal Information (APPI) in Japan, the General Data Protection Regulation (GDPR) in the European Economic Area (EEA), the Personal Information Protection Law (PIPL) in China, and Singapore’s Personal Information Protection Act (PDPA). We also comply with other applicable data protection laws in the countries where we do business, even if they are not named here.
For individuals in Japan, HOYA Corporation is the business operator handling personal information under APPI. For individuals in the EEA and UK, HOYA Corporation acts as the data controller responsible for processing Personal Information under this Notice.
This Privacy Notice applies to Personal Information processed by HOYA Corporation in connection with the activities described in this Notice. Other HOYA Group Companies may provide their own privacy notices tailored to their products or operations. Where applicable, please refer to those notices and any country or product specific supplements. If there is any conflict between this Notice and a local supplement, the supplement will control to the extent required by local law.
2. What Personal Information We Collect
Personal Information You Provide to Us
- Communications & enquiries: name, business contact details, message content (web forms, email, phone, postal, social).
- Marketing & events: subscriptions and preferences, registrations and attendance, survey responses, testimonials; photos/video/audio where you consent.
- Shareholder & governance: shareholder identifiers and contact details; AGM participation; executive/board names and roles for corporate publications.
- Contracting & due diligence: counterparty/partner contact details, onboarding forms and verification information.
- Finance activities with customers and vendors: business contact details; invoicing and payment information; identity/authority details for directors or authorised signatories; transaction, approval and filing metadata.
- Recruitment: CV/resume, cover letter, qualifications, employment history, references, interview notes, assessment results.
- Visitor management: visitor name/company, time of entry/exit, escort/badge details.
Personal Information We Collect Automatically
- Technical & usage data: IP address, device/OS and browser details, pages viewed and interactions, session duration, referrers.
- Cookies & similar technologies: see our Cookie Notice for how to manage preferences.
- Security & performance logs: server/application logs, fraud/spam signals.
- Closed Circuit Television (CCTV) at HOYA sites (public areas): video images and timestamps for facility security.
Personal Information We Receive from Others
- Event/webinar platform: attendance and participation data.
- Distributors/partners: business contact information.
- Banks and professional advisers: information shared in connection with treasury and corporate transactions.
- Referees, former employers, and educational institutions: reference and qualification checks.
- Background-screening providers: identity and right-to-work verification, sanctions/watchlist checks, and, where permitted by law and with your authorisation, criminal record or credit checks for certain roles.
- Regulators and public sources: due-diligence information.
3. How We Use Your Personal Information (Legal Basis)
| Purpose | Description | Legal Basis |
| --- | --- | --- |
| Communications & Enquiries (web forms, email, phone, postal, social) | Process and respond to queries; route to relevant teams; maintain follow-up records. | Legitimate interest: Contract (where you ask us to take steps or provide information) |
| Contracting, Vendor/Partner Due Diligence & Compliance Screening | Onboard and contract with partners/suppliers; perform verification/sanctions/export-control checks; manage orders, invoicing and payments. | Legal obligation; Legitimate interest |
| Finance & Corporate Reporting | Prepare statutory/group reports; maintain accounting and audit records that may reference external signatories and business contacts. | Legal obligation; Legitimate interest |
| Governance, Internal Audit & Compliance | Conduct internal reviews and audits; examine evidence that may include counterparty contact and signatory details; report to leadership and the Audit Committee. | Legitimate interest |
| Legal Advice, Dispute Management & Regulator Liaison | Obtain legal advice; manage or defend claims, investigations and disputes; comply with court orders and lawful requests. | Legal obligation; Legitimate interest |
| Marketing, Events & Engagement | Manage subscriptions and preferences; register and host events/webinars; conduct surveys; use testimonials/media with consent. | Consent; Legitimate interest |
| Physical Security & Visitor Management | Operate CCTV in public areas; maintain visitor/access logs to protect people, premises and assets; support incident investigations. | Legitimate interest; Legal obligation |
| Records Management | Archive business records to meet legal/operational needs; apply retention schedules and secure destruction when no longer required. | Legal obligation |
| Recruitment & Job Applications | Administer applications; assess suitability; conduct reference/background checks where permitted by law and with your authorisation; manage interviews, assessments and references; maintain a candidate pipeline where permitted. | Consent; Contract: Legal obligation |
| Shareholder Management, AGM & Corporate Publications | Communicate on shareholder matters; organise the AGM; maintain shareholder registers; publish required corporate governance information. | Legal obligation |
| Tax & Regulatory Compliance | Manage tax filings and audits; coordinate with authorities and advisers; maintain supporting records and correspondence. | Legal obligation; Legitimate interest |
| Treasury & Liquidity Management | Operate cash pooling and intercompany funding; maintain transaction/approval records and related audit trails. | Legal obligation; Legitimate interest (record keeping) |
| Website Operation, Analytics & Advertising | Deliver and secure the site; improve performance and user experience; measure reach; fraud/spam prevention. | Legitimate interest (essential operation & security); Consent (analytics/ads & other non-essential cookies) |
Jurisdiction note: Where legitimate interest is not available as a legal basis under local law, another lawful ground will be used. Japan (APPI): processing remains within the “specified purpose of use” disclosed at collection (see Annex A). In some countries (e.g., Canada, China, India, Singapore, South Korea, Thailand, United States) consent or other local grounds may apply depending on activity and context.
4. How We Share Your Personal Information
We do not sell or rent Personal Information. We may share data with:
- HOYA group companies (internal administration and group-level services).
- Service providers (IT hosting/cloud, consent/tag managers, analytics/advertising platforms, CRM/collaboration tools, event platforms, survey tools, banks/treasury platforms, contract/document systems, background-screening providers) acting on our instructions under appropriate safeguards.
- Professional advisers (lawyers, auditors, consultants, insurers, tax advisers).
- Regulators and public authorities where required by law.
- Corporate transaction participants (merger, acquisition, restructuring).
- Others at your request (e.g., where you ask us to share information).
5. Joint Use of Personal Information
HOYA Corporation jointly uses certain personal information of healthcare professionals with Nihon Ultmarc Inc. and other authorised member companies. For details, please see our Joint Use of Personal Information with Nihon Ultmarc Inc.
6. Data Retention
We keep your personal information only for as long as necessary to fulfil the purposes described in this Privacy Notice, or as required by law. This means retention periods vary by information type and applicable legal, regulatory and contractual requirements. For example:
- Contractual and financial records: retained to comply with tax, accounting and corporate-law obligations.
- Recruitment information: retained for the recruitment process and, where allowed, for a period afterwards as required by law or with your consent.
- Marketing information: kept until you withdraw consent or object to our use of your information.
- CCTV footage: typically retained for a limited period and then automatically overwritten unless needed for an investigation.
When personal information is no longer required, we securely delete it or anonymise it.
7. Your Rights
Your privacy rights depend on where you live. We will respect and apply the rights available under your local law. For example:
- Japan (APPI): right to be informed of purposes, access, correction, deletion, stop-use; right to complain to the PPC.
- EEA/UK (GDPR/UK GDPR): access, rectification, erasure, restriction, portability, objection (including to direct marketing/legitimate interests), and withdraw consent where relied upon.
- Other jurisdictions: rights may vary; contact dpo@hoya.com.
8. Security Measures
We implement technical and organisational measures designed to protect Personal Information, including (where appropriate) encryption in transit and at rest, access controls and role-based permissions, a multi-layered security architecture, periodic risk assessments and audits (internal and/or external), and ongoing monitoring coupled with incident response capabilities.
9. International Data Transfers
Your personal information may be transferred outside of your country of residence. When we do so, we apply safeguards consistent with applicable law.
Internal transfers. All internal transfers within the HOYA Group are governed by the HOYA Data Sharing Framework.
External transfers. When we use external service providers or partners located outside your country, we apply safeguards such as:
- Japan: assessment of the recipient country’s framework and contractual/equivalent safeguards under APPI.
- EEA/UK: Standard Contractual Clauses (SCCs), UK addenda/IDTA, adequacy decisions, or other lawful mechanisms.
- Other jurisdictions: adequacy decisions (where available), standard contractual terms, and supplementary contractual, organisational or technical measures.
Where relevant, we may also rely on recognised frameworks (e.g., EU-US Data Privacy Framework participation by a vendor).
10. Changes to This Privacy Notice
We may update this Privacy Notice from time to time to reflect changes in our practices or legal requirements. We will post updates here with an updated effective date.
11. Contact Information
HOYA Corporation
20F Nittochi Nishishinjuku Building, 6-10-1 Nishi-Shinjuku
Shinjuku-ku, Tokyo 160-8347 Japan
Email: dpo@hoya.com
Annex A – Specified Purposes of Use (Japan – APPI)
| Information subject | Purposes of use |
| --- | --- |
| Website users and visitors who contact HOYA or register for HOYA events (including those who leave details at exhibitions or complete questionnaires) | To provide website functionality and security (including essential cookies), respond to enquiries, introduce HOYA’s activities and provide information, manage subscriptions and event/webinar registrations and follow-up, and conduct permissible marketing activities. |
| Job applicants (including those not hired) | To screen applicants, conduct reference and background checks where permitted by law and with your authorisation, manage interviews and assessments, and complete hiring procedures for successful applicants. |
| Individual shareholders and registered pledgees listed in HOYA’s shareholder registry | 1) To exercise rights and perform obligations under the Companies Act; 2) To provide benefits to shareholders; 3) To take measures that promote a smooth relationship between HOYA and its shareholders (including AGM organisation and communications); 4) To manage shareholders in accordance with laws and regulations (e.g., preparation and maintenance of shareholder data). |
| Directors, officers and employees of customers, business partners and suppliers (including financial institutions and professional advisers) | To contact for business purposes, negotiate and execute contracts, manage orders, invoicing and payments, introduce HOYA’s activities and provide information, conduct permissible marketing, and perform necessary due-diligence and compliance screening (e.g., sanctions/export-control checks). |
| Authorised signatories and counterparties involved in corporate administration (e.g., entity or bank-account setup; treasury and intercompany funding) | To verify identity and authority of signatories, establish and administer entities and bank accounts, operate intercompany funding and liquidity, and maintain related approvals and records for governance, audit and legal compliance. |
| Visitors to HOYA offices and facilities | To manage facility security and safety, including visitor registration, access badges/escort records, access logs and CCTV in public areas, and to investigate incidents and comply with health and safety requirements. |
| Public authorities, courts and regulators; and counterparties/counsel in legal matters | To prepare and submit filings, handle inspections and correspondence, respond to lawful requests, obtain legal advice, and manage or defend claims, investigations and disputes. |
Note (records management): For the categories above, HOYA archives business records to meet legal and operational needs and applies retention schedules with secure deletion or anonymisation when no longer required.