DATA PROCESSING AGREEMENT (DPA)
The parties agree that this Data Processing Agreement (“DPA”) sets forth their obligations relating to the Processing of Personal Data (as those terms are defined below) when the Customer makes use of a VisuReal system (“VR”), a service provided by Hoya Holdings N.V. (“Hoya”) to you (“Customer”) pursuant to the terms and conditions or agreement between the Parties (“Agreement”). By continuing to use VR, Customer agrees to abide by the terms of this DPA. In the event of a conflict between the terms set out in this DPA and any terms set out in the Agreement, this DPA shall prevail.
1. DEFINITIONS AND QUALIFICATIONS
Except where explicitly stated otherwise in this DPA, the following terms shall have the following meaning:
- “Controller”, “Personal Data Breach”, “Data Subjects”, “Data Supervisory Authority”, “Personal Data”, “Processing” and “Processor” shall have the same meaning as set out in the GDPR.
- “Applicable Data Protection Laws” means all applicable laws that relate to the processing of Personal Data under this DPA including without limitation the GDPR and CCPA.
- “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
- “CCPA” means the California Consumer Privacy Act of 2018 (as amended), Cal. Civ. Code §§ 1798.100-1798.199 as applicable to either party and as amended, repealed, consolidated or replaced from time to time.
- “Controller to Processor Clauses” means, as relevant, the standard contractual clauses for the transfer of Personal Data to data processors established in third countries set out in the Commission Decision of 5 February 2010, as amended, updated, replaced, and in force from time to time.
- “Processor to Processor Clauses” means, as relevant, the standard contractual clauses for the transfer of Personal Data to data processors established in third countries set out in the Commission Decision of 4 June 2021, as amended, updated or replaced from time to time.
- “Third Country” means any country outside of the scope of the data protection laws of the EEA, excluding countries approved as providing adequate protection for Personal Data by the European Commission from time to time.
2. ACCEPTABLE USE POLICY
Neither Customer nor its representatives may use VR:
- in a way prohibited by law, regulation, governmental order or decree;
- to violate the rights of others;
- to try to gain unauthorized access to or disrupt any service, device, data, account or network;
- to spam or distribute malware;
- in a way that could harm Hoya’s or VR’s IT systems or impair anyone else’s use of them;
- in any other objectionable way; or
- to assist or encourage anyone to do any of the above.
3. PROCESSING
Customer and Hoya agree that Customer is the Controller of any Personal Data it provides to VR (“Customer Data”) and Hoya is the Processor of Customer Data. The parties note that in some cases, Customer may be the Processor of Customer Data, in which case, Hoya is the subprocessor. In each case, Hoya will Process Customer Data as described further below:
Subject Matter, Categories of Personal Data and Special Categories of Personal Data. Patient data (such as fitting information for ophthalmic lenses, frames and face imagery) and other personally identifiable information (such as names, company details, user names and employee contact information) that are stored and accessed in VR.
Duration of the Processing. The duration of the Processing shall be in accordance with Customer’s instructions, until the Agreement is terminated or until no other legitimate interest in retaining the Customer Data remains.
Nature and Purpose of the Processing. The nature and purpose of the Processing shall be to provide the products or services (e.g. manufacturing and dispensing contact or ophthalmic lenses) requested by Customer when using VR.
Do Not Sell. Hoya will not sell any Customer Data as that term is understood under Applicable Data Protection Laws.
Data Subjects. Customer’s patients or Customer employees who use the VR.
Data Protection Officer. Hoya has appointed a Data Protection Officer, who may be contacted at DPO@Hoya.com.
4. OBLIGATIONS
a. HOYA’S OBLIGATIONS
i. Instructions
As a Processor, Hoya will Process Customer Data in accordance with Customer’s documented instructions, unless required to Process such Customer Data by applicable law to which Hoya is subject; in such a case, Hoya shall inform Customer of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.
Hoya shall immediately inform Customer if, in its opinion, an instruction of Customer infringes the Applicable Data Protection Laws.
ii. Security, Confidentiality and Regulatory Requests
Hoya will implement and maintain appropriate technical and organizational measures to protect Customer Data. Customer is solely responsible for making an independent determination as to whether Hoya’s technical and organizational measures adequately protect Customer Data.
Hoya shall ensure that its personnel authorised to Process the Customer Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. In case Hoya is ordered by any regulator or other authority to disclose or allow access to Customer Data, Hoya shall notify Customer and allow a reasonable time for Customer to respond, provided that such notification and time to respond is permitted by the applicable law or regulation.
iii. Data Subject Rights Requests
Hoya shall provide reasonable assistance to the Customer to enable the Customer to comply with its obligation to respond to Data Subjects' requests in accordance with Applicable Data Protection Laws. Hoya will redirect any request it receives to the Customer, except where otherwise instructed by the Customer in writing. Customer shall instruct Hoya on how to handle any such request, including whether to respond to the request. Where Customer’s instruction and Applicable Data Protection Laws conflict, Hoya will comply with Applicable Data Protection Laws.
iv. Data Protection Impact Assessments and Prior Consultation
Hoya shall provide Customer with reasonable assistance in conducting data protection impact assessments and, if required, prior consultation with relevant competent Data Supervisory Authorities where relevant to the processing of Customer Data under this DPA.
v. Customer’s information and audit right
Customer may request information relating to Hoya’s Processing activities and its compliance with this DPA. Customer may also request an audit of Hoya’s compliance with this DPA. Hoya will cooperate with such requests and audits pursuant to this Section. Due to the sensitivity and confidentiality of Hoya’s practices (e.g., security practices), Hoya may provide assurances through certificates or affidavits instead of details of certain parts of its program. In addition, Hoya may request that an audit be conducted by a third party service provider rather than by Customer. Customer will be responsible for the costs of that third party auditor. Customer may select the auditor, and Hoya’s consent to such auditor may not be unreasonably withheld. Customer commits to treat any information communicated, accessed or received under this Article as Hoya’s confidential information and to ensure its confidentiality and security.
vi. Data Breaches
Hoya shall, without undue delay, notify Customer in writing of any Personal Data Breach affecting Customer Data. Hoya shall provide Customer with reasonable information to aid Customer to (i) comply with Customer’s Personal Data Breach notification obligations under Applicable Data Protection Laws, and (ii) remedy the Personal Data Breach or limit or neutralize the consequences of the Personal Data Breach on Customer, where this is within the control of Hoya.
vii. Subprocessing
Customer hereby grants Hoya a general written authorization to engage sub-processors, including VisuSolution GmbH (a company based in Germany that hosts, manages and maintains VR) and Amazon Web Services (AWS) (for storing Customer Data) (“Subprocessors”). If Hoya appoints a new Subprocessor or intends to make any changes concerning the addition or replacement of a Subprocessor, it shall provide Customer with ten (10) business days’ prior written notice, during which Customer may object to the appointment or replacement. If Customer does not object, Hoya may proceed with the appointment or replacement. Hoya is responsible for its Subprocessors’ compliance with Hoya’s obligations in this DPA. Hoya will ensure that Subprocessors are bound by written agreements that contain obligations on the Subprocessors which are no less onerous on the relevant Subprocessor than the obligations on Hoya under this DPA.
viii. Data Transfers
Customer acknowledges and agrees that Hoya may appoint a Subprocessor to Process the Customer Data in a Third Country, in which case either:
a. Customer grants Hoya a mandate to execute the Controller to Processor Clauses (with the processing details set out in Article 3 and the technical and organizational security measures set out in Article 4(ii) applying for the purposes of Appendix 1 and Appendix 2, respectively) with any relevant Subprocessor it appoints on behalf of Customer; or
b. to the extent in force from time to time, Hoya shall execute the Processor to Processor Clauses with any relevant Subprocessor it appoints on behalf of Customer, and such Processor to Processor Clauses shall replace any Controller to Processor Clauses executed between the relevant Subprocessor and Customer pursuant to Article 4(viii)(a).
ix. Deletion/return of Customer Data
At the choice of Customer, Hoya shall either delete or return all Customer Data to Customer after the end of the Agreement, and delete existing copies of the Customer Data unless any applicable law to which Hoya is subject requires storage of such data. In case no documented instructions are provided by Customer within ten (10) days following termination of the Agreement, Hoya shall proceed with the deletion of the Customer Data.
b. CUSTOMER’S OBLIGATIONS
Customer retains all control and rights relating to the Customer Data stored and used in, and in connection with, VR. Hoya acquires no rights relating to the Customer Data, other than the rights Customer grants to Hoya.
Customer warrants that (i) the legislation applicable to it does not prevent Hoya from fulfilling the instructions received from the Customer and performing Hoya’s obligations under this DPA and the Agreement; and (ii) it has complied and continues to comply with the Applicable Data Protection Laws, in particular that it has obtained any necessary consents or given any necessary notices, and otherwise has a legitimate ground to disclose the data to Hoya and enable the Processing of the Personal Data (including biometric data) by Hoya as set out in this DPA and the Agreement.
5. INDEMNIFICATION
Customer will indemnify and hold harmless Hoya for any claims, liabilities, costs, expenses, losses, or damages (including consequential losses, loss of profit and loss of reputation and all interest, penalties and legal and other professional costs and expenses) incurred by Hoya arising directly or indirectly from a breach of Article 4(b).
6. CHANGES IN APPLICABLE DATA PROTECTION LAWS
The parties agree to negotiate in good faith modifications to this DPA if changes are required for Hoya to continue to process the Customer Data as contemplated by this DPA in compliance with the Applicable Data Protection Laws or to address the legal interpretation of the Applicable Data Protection Laws, including where (i) changes are required to comply with the GDPR or any national legislation implementing it and any guidance on the interpretation of any of their respective provisions; (ii) the Controller to Processor Clauses or any other transfer mechanisms or findings of adequacy are invalidated or amended; or (iii) changes to the membership status of a country in the European Union or the European Economic Area require such modification.
7. TERM
This DPA is entered into and will remain in force until complete deletion or complete return of all Customer Data to Customer in compliance with this DPA.
8. LAW AND JURISDICTION
This DPA and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation shall be governed by and construed in all respects in accordance with the laws of the Netherlands and shall be deemed to have been made in the Netherlands, and each party hereby submits to the jurisdiction of the courts of the Netherlands.