Privacy Policy

Privacy Policy – PENTAX Medical
Effective Date: 10 December 2025

1 Who We Are

PENTAX Europe GmbH (“we”, “our”, or “PENTAX Medical”) is committed to protecting personal information across all of our operations. This Privacy Policy explains how we collect, use, share, and protect personal information during the course of our business activities.

Depending on where you are located and the products or services you engage with, the controller of your personal information will be the relevant local PENTAX Medical legal entity in your country. This means that different PENTAX entities act as controllers in different jurisdictions. PENTAX Europe GmbH may act as controller for certain activities within Europe, and as a central contact point for certain group‑level matters.

This Privacy Policy applies to all personal information we process except employee data, which is covered under a separate internal privacy notice. It applies to personal information collected through our websites, in connection with our products and services, during business interactions, in relation to job applications and recruitment, and across our internal business operations.

We operate globally, and this Privacy Policy is intended to apply consistently across jurisdictions. Where local privacy laws provide additional rights or impose additional requirements, we comply with those local obligations.

We follow the requirements of the following key data protection laws, among others:

  • Brazil: Lei Geral de Proteção de Dados Pessoais (LGPD)

  • Canada: Personal Information Protection and Electronic Documents Act (PIPEDA)

  • China: Personal Information Protection Law (PIPL)

  • European Economic Area (EEA): General Data Protection Regulation (GDPR)

  • India: Digital Personal Data Protection Act 2023

  • Japan: Act on the Protection of Personal Information (APPI)

  • Malaysia: Personal Data Protection Act 2010 (PDPA)

  • Russian Federation: Federal Law on Personal Data (No. 152-FZ)

  • Singapore: Personal Data Protection Act 2012 (PDPA)

  • United Kingdom: UK GDPR and Data Protection Act 2018

  • United States: Health Insurance Portability and Accountability Act (HIPAA), the California Consumer Privacy Act (CCPA), and all other applicable state‑level privacy laws currently enacted

Where required, we supplement this policy with additional local privacy notices or consent mechanisms.

2 Information We Collect

We collect personal information in the course of our business activities with customers, vendors, contractors, business partners, prospects, medical professionals, research participants, visitors, and other stakeholders. The categories of personal information we may collect include:

2.1 Information you provide to us

  • Contact and identification details (name, email, phone, company, job title, role, professional address)

  • Professional information of healthcare professionals and researchers (specialty, institution, qualifications, training records)

  • Contract and transaction information (agreements, purchase orders, invoices, payments and other transactions)

  • Login and account credentials (where you create an account, e.g. username/email and password). This includes credentials created for the eIFU Download System.

  • Communications and correspondence (emails, calls, meeting notes, enquiries, feedback, complaints)

  • Recruitment and candidate information (CVs/resumes, cover letters, application forms, qualifications, employment history, references, interview notes, assessment results)

  • Event and marketing data (registrations, preferences, survey responses, participation records, testimonials)

  • Media content (photos, video and audio recordings from events, interviews, or testimonials)

  • Consent records and preference management information

  • Product and training data (service requests, feedback forms, training attendance)

  • Information provided during due diligence, onboarding, or compliance checks

2.2 Information we collect automatically

  • Digital identity and activity data (IP address, browser type, device information, operating system, log‑in events, session logs)

  • Website usage information (pages visited, links clicked, cookie data)

  • Access records for systems, platforms, or facilities (log-in events, visitor Wi‑Fi usage, CCTV footage, security badge data, audit trails)

2.3 Information we may receive from third parties

  • Business contact information from distributors, partners, or public sources

  • Compliance or verification information from regulators, industry databases, or screening providers

  • Professional information about healthcare providers or researchers involved in our collaborations

  • Candidate background check results and references from recruitment agencies, educational institutions, or former employers (where permitted by law)

2.4 Special categories of information (only where necessary and permitted by law)

  • Health information – We do not routinely collect patient information. However, patient data may be processed incidentally in limited circumstances, for example when handling complaints, vigilance reporting, product recalls, or adverse event notifications. Such processing is strictly limited to what is required under applicable medical device regulations.


3 How and Why We Use Your Information

For each purpose, the entry below lists the information we use, the legal basis we rely on and, where legitimate interest is one of those bases, the interest pursued.

Purpose: Customer and Business Relationship Management
What we use: Contact details, communication history, contracts, transaction details
Legal basis: Contract, legitimate interest
Legitimate interest (if applicable): Managing relationships with customers, vendors, contractors, and partners

Purpose: Customer Service and Technical Support
What we use: Contact details, service history, case data, complaint records
Legal basis: Contract, legitimate interest
Legitimate interest (if applicable): Providing product support, resolving issues, handling complaints

Purpose: Account Creation and Management
What we use: Identification data, login credentials, device/registration info. For eIFU Download System accounts, we only create and process your login credentials where you have provided your consent during the registration process.
Legal basis: Consent, contract, legitimate interest
Legitimate interest (if applicable): Authenticating users, providing secure access, managing accounts

Purpose: Marketing, Events, and Engagement
What we use: Contact details, preferences, website usage, event registrations, survey responses, testimonials, photos/video/audio recordings
Legal basis: Consent, legitimate interest
Legitimate interest (if applicable): Promoting products and services, organising events, managing engagement

Purpose: Professional and Clinical Collaboration
What we use: Professional information of healthcare providers and researchers, training records, collaboration data, feedback
Legal basis: Contract, legitimate interest
Legitimate interest (if applicable): Engaging with medical professionals, supporting research, improving product use

Purpose: Communication and Social Media
What we use: Contact forms, emails, meeting notes, chats, video calls, correspondence, social media posts, direct messages
Legal basis: Legitimate interest
Legitimate interest (if applicable): Responding to queries, monitoring feedback, maintaining interactions

Purpose: Contract Management, Compliance, and Legal Obligations
What we use: Contract records, due diligence data, verification checks
Legal basis: Legal obligation, legitimate interest
Legitimate interest (if applicable): Fulfilling contracts, meeting compliance requirements, onboarding vendors

Purpose: Website, Systems, Network and Facility Management and Security
What we use: Usage data, cookies, IP addresses, device/browser details, log‑in and access logs, visitor Wi‑Fi logs, security badge data, CCTV, security alerts
Legal basis: Consent (for non-essential cookies), legitimate interest, legal obligation
Legitimate interest (if applicable): Delivering digital services, ensuring IT and facility security, preventing fraud, abuse and unauthorised access

Purpose: Access to the eIFU Download System
What we use: Email address, password, unique user ID, system access logs (such as timestamp and IFU downloaded)
Legal basis: Consent

Purpose: Product Development, Quality, and Regulatory Reporting
What we use: Customer feedback, training data, complaint metadata
Legal basis: Legal obligation, legitimate interest
Legitimate interest (if applicable): Improving products, meeting medical device regulations, supporting audits

Purpose: Health Vigilance, Post-Market Surveillance, Recalls and Complaints
What we use: Patient identifiers (e.g. age, DOB, gender, weight, height, ID number), product identifiers (type, serial number, implant date), health data, contact details of complainants and healthcare professionals
Legal basis: Consent, legal obligation
Legitimate interest (if applicable): Ensuring compliance with regulatory obligations, conducting vigilance activities, managing adverse events and complaints

Purpose: Clinical Studies and Research
What we use: Participant data (e.g. age, gender, health data, lifestyle information, reimbursement details), HCP professional data (name, specialty, institution, training, qualifications)
Legal basis: Consent, legal obligation, legitimate interest (where applicable)
Legitimate interest (if applicable): Conducting research to assess safety, performance, and quality of medical devices

Purpose: Litigation, Dispute Resolution, and Auditing
What we use: Identification and contact information, relevant case documentation
Legal basis: Legal obligation, legitimate interest
Legitimate interest (if applicable): Protecting our legal rights, managing disputes, supporting audits and investigations

Purpose: Telephonic Contact and Recordings
What we use: Telephone numbers, call recordings, notes from customer service
Legal basis: Consent, legitimate interest
Legitimate interest (if applicable): Responding to support requests, training staff, quality assurance

Purpose: AI and Automation Support
What we use: Metadata, user-submitted content, relevant business records, business tool outputs, device data
Legal basis: Legitimate interest
Legitimate interest (if applicable): Use of AI in medical devices and business tools to improve efficiency and support product performance, always with human oversight

Purpose: Recruitment and Job Applications
What we use: Candidate information (CVs, qualifications, references, application data, interview notes, assessment results)
Legal basis: Consent, contract (pre-contractual steps), legal obligation (where applicable)
Legitimate interest (if applicable): Managing recruitment processes, assessing suitability for roles, maintaining a candidate pipeline


Note: Where legitimate interest is not available as a legal basis under local law, we will rely on another lawful ground. For example:

  • Japan: processing must remain within the “specified purpose of use” disclosed at the time of collection. See Annex A.

  • Canada, China, India, Malaysia, Russia, United States: processing will rely on consent, or another ground permitted under local law (such as contract performance, compliance with a legal obligation, protection of life or health, or other statutory exceptions).

4 Sensitive Data Use

Some of the personal information we collect and use is considered sensitive under applicable laws. This may include, for example, health-related information. For clinical studies and research, PENTAX Medical acts as the controller of participant data, although the information is typically collected and managed on our behalf by authorised clinical research organisations.

We only collect and use sensitive personal information where it is strictly necessary:

  • To provide you with the services or products you request (for example, in connection with medical device safety or regulatory reporting), or

  • For additional purposes such as research where you have given your explicit consent.

You may choose to withhold or withdraw your consent at any time. However, if your sensitive personal information is required in order to provide you with a service, we will not be able to deliver that service without it.

5 Protected Health Information under HIPAA

This Privacy Policy does not apply to our processing of Protected Health Information (PHI) that is subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA). In those cases, the use and disclosure of PHI is governed by:

  • the Notice of Privacy Practices provided by your healthcare provider, or

  • where applicable, the terms of a Business Associate Agreement between PENTAX Medical and the provider.

PHI handled under HIPAA may be de-identified in accordance with either the Safe Harbor method or the Expert Determination method. Once de-identified, such information will not be re-identified by PENTAX Medical, except as required by law or with the individual’s consent.

6 Use of AI and Automated Technologies

We use artificial intelligence (AI) tools in two ways:

AI in Business Tools

We use AI features in internal applications (e.g. Microsoft Copilot) to support tasks such as document creation, summarisation, and communication. These tools may process business contact data or content contextually.
Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) – operational efficiency and productivity

AI in Medical Devices
Some PENTAX Medical endoscopic products use AI functionality to assist clinicians with visual cues during procedures. These tools support, not replace, human clinical judgement.
Legal basis: Contract performance (Art. 6(1)(b) GDPR) or legitimate interest (Art. 6(1)(f) GDPR) – product enhancement and clinical support

No automated decision-making
We do not use AI systems to make decisions about you that produce legal or similarly significant effects without human oversight.

7 Sharing of Information

We do not sell or rent your personal information. We may share it with:

  • Group companies – for internal administration, business continuity, and to deliver group‑level services.

  • Trusted service providers – such as IT developers, hosting and cloud providers, analytics platforms, customer relationship management tools, marketing support partners, event organisers, survey tool providers, payment or accounts payable providers, and contract management platforms. These parties act on our instructions and are bound by strict confidentiality and data protection obligations.

  • Healthcare providers and regulators – where required to coordinate or manage product safety, recalls, complaints, clinical studies, or vigilance reporting. This may include disclosure to government health authorities, regulators, or oversight bodies.

  • Professional advisers and specialists – including lawyers, auditors, consultants, insurers, tax advisers, and other external experts engaged to support our business or defend legal claims.

  • Research and collaboration partners – where we work jointly with academic institutions, hospitals, or industry partners in clinical studies or research activities.

  • Corporate transactions – third parties involved in a merger, acquisition, joint venture, divestiture, restructuring, or sale of business or assets.

  • Regulatory bodies, law enforcement, or other public authorities – where required by law, legal process, or to protect the safety, rights, or property of individuals or the business.

  • Others at your request – where you ask us to share your information with another party, such as a healthcare provider or collaborator.

All parties receiving data are bound by strict confidentiality and data protection obligations.

8 International Data Transfers

Your personal information may be transferred outside of your country of residence. When we do so, we apply safeguards that are consistent with the requirements of applicable law.

eIFU Download System: If you register for or access the eIFU Download System, your account information (including email address, password, and unique user ID) and related usage logs are hosted on secure servers located in Japan. Japan is recognised by the European Commission as providing an adequate level of data protection, which means your personal information receives protection essentially equivalent to that in the EEA.

Internal transfers
All internal transfers within the HOYA Group are governed by the HOYA Data Sharing Framework. This framework incorporates the European Commission’s Standard Contractual Clauses (SCCs) and equivalent protections to ensure that personal information is safeguarded when shared across countries.

External transfers
When we use external service providers or partners located outside your country, we apply safeguards such as:

  • Standard Contractual Clauses (SCCs) approved by the European Commission or UK authorities

  • Adequacy decisions (where recognised by the European Commission, UK, or other regulators)

  • Supplementary contractual, organisational, or technical safeguards

Country-specific rules

  • Japan: We assess the data protection framework of the receiving country and apply measures in line with the Act on the Protection of Personal Information (APPI).

  • China: Cross-border transfers of personal information are subject to the Personal Information Protection Law (PIPL). Where required, we obtain consent, conduct security assessments or filings, and use standard contracts or other mechanisms approved by the Cyberspace Administration of China (CAC).

  • Brazil: International transfers are carried out in line with the Brazilian LGPD, which may include contractual clauses or reliance on adequacy decisions issued by the ANPD.

  • United States: Where US service providers are used, we require contractual safeguards and, where relevant, rely on frameworks such as the EU‑US Data Privacy Framework or UK Extension (if applicable).

  • Other countries: Where other local rules apply (such as in Canada, Singapore, or Australia), we comply with those requirements and ensure adequate protection for personal information.

9 How Long We Keep Your Information

We keep your personal information only for as long as necessary to fulfil the purposes listed above, or as required by law. This includes:

  • Website and analytics data – for up to 26 months

  • Contact enquiries – up to 12 months after closure

  • Event registration and marketing – until you withdraw consent, or for up to 2 years, whichever is earlier

  • Contractual or legal records – as required under commercial or regulatory obligations

  • Candidate and recruitment data – generally up to 12 months after the recruitment process ends, unless a longer period is required by local law or you provide consent to retain your information for future opportunities

When no longer needed, we securely delete or anonymise your data.

10 Your Rights

Your privacy rights depend on where you live. For example:

  • If you are in the EEA or UK, you have rights under the GDPR or UK GDPR (e.g. access, rectification, erasure, objection, restriction, portability, and withdrawal of consent).

  • If you are in Japan, your rights are governed by the Act on the Protection of Personal Information (APPI).

  • If you are in another country, your rights may vary depending on local law.

We will respect and apply the rights available under your local law, wherever you are located.
For a full overview of rights by country, visit:
www.hoya.com/Privacyrights

To exercise your rights, contact us using the details below.

11 Security of Your Information

We apply appropriate technical and organisational measures to protect your personal information. These include:

  • Encryption of data in transit and at rest where appropriate

  • Access controls to limit data to authorised users

  • Multi-layered security architecture, including firewalls and intrusion prevention

  • Regular security audits, risk assessments, and vulnerability testing

  • Monitoring of threats and response procedures for incident handling

These measures reflect global information security standards and aim to safeguard your data from loss, misuse, or unauthorised access.

12 Cookies and analytics tools

We use cookies and similar technologies to ensure site functionality, security, and to enhance your experience. Some cookies are strictly necessary; others, such as analytics and marketing cookies, require your consent. Analytics tools we use include Google Analytics, Google Tag Manager, Microsoft Clarity, and LinkedIn Insight Tag. These tools help us understand visitor behaviour, improve our Website, and measure the effectiveness of our marketing. You can manage or withdraw your consent at any time via the Consent Manager or through your browser settings.

13 Contact Us

If you have any questions about this policy or wish to exercise your rights, please contact:

privacy@pentaxmedical.com


PENTAX Europe GmbH
Julius-Vosseler-Str. 104
22527 Hamburg, Germany

14 Changes to This Policy

We may update this policy to reflect changes in our data practices or legal obligations. When we do, we’ll revise the “Effective Date” at the top of this page and highlight material updates where appropriate.


Annex A – Specified Purpose of Use (Japan)

In accordance with the Act on the Protection of Personal Information (APPI), when we collect personal information in Japan we must specify the purpose of use at the time of collection. The purposes of use for PENTAX Medical are set out below. These purposes apply unless otherwise notified or agreed at the time your information is collected.

Category of data subject: Customers and medical personnel
Utilisation purpose: Provision of information related to the arrangement and shipment of products and services; sales of products, repair, maintenance, and inspection; provision of after‑sales service and technical support; handling and documentation of inquiries and service requests; organisation and notification of seminars, academic conferences, exhibitions, training, campaigns, and events hosted or supported by PENTAX; planning, research, development and marketing of products; provision of product demonstrations and training; quality and safety reporting, including complaint handling, vigilance and recalls; access control and history management of facilities managed by PENTAX; performance of negotiations, meetings and communications with customers; performance of investigations and documentation, as well as reports to government institutions as required by law.

Category of data subject: Vendors, contractors and business partners
Utilisation purpose: Performance of negotiations, meetings, communications and other interactions with business partners; management of invoicing, payment and other business operations; due diligence and compliance checks; administration of contracts and onboarding; performance of business operations commissioned to PENTAX; access control and access history management of facilities managed by PENTAX; history management of training provided by PENTAX; performance of investigations and documentation, as well as reports to government institutions as required by law.

Category of data subject: Healthcare professionals and research collaborators
Utilisation purpose: Engagement in clinical collaboration, training, and research activities; collection of professional information (specialty, institution, qualifications); management of research contracts, reimbursements, and related payments; analysis of product usage and feedback to improve performance and safety; reporting to regulators as required by law.

Category of data subject: Visitors and guests
Utilisation purpose: Security and safety management of facilities, including CCTV, visitor registration, Wi‑Fi access, and access badge systems; access control and audit trails; compliance with safety regulations.

Category of data subject: Patients (incidental data)
Utilisation purpose: Handling and documentation of information received in connection with vigilance reporting, adverse event notifications, or product complaints; performance of investigations and documentation, as well as reports to government institutions as required by law and other ordinances.

Category of data subject: Job applicants (including interns)
Utilisation purpose: Selection of candidates, provision of information and interview results; performing operations related to the recruitment process; management of recruitment operations; performance of investigations and documentation, as well as reports to government institutions as required by law.