
Data Protection Agreement

This Data Protection Agreement (“DPA”) forms an integral part of the agreement entered into between Sonova AG, including any of its subsidiaries and affiliates that provide services under the Agreement (collectively, “Sonova”) and the Customer.

For the purposes of this DPA, references to “Sonova” or “Group” shall apply to any entity

Article 1 – Definitions

1.1. “Applicable Data Protection Laws” means all applicable laws and regulations related to privacy, security, protection and the handling of Personal Data, including without limitation, as applicable: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (the “GDPR”); Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector; the UK General Data Protection Regulation (the “UK GDPR”) and the Data Protection Act 2018; the Swiss Federal Act on Data Protection (SR 235.1) of 25 September 2020; the California Consumer Privacy Act of 2018 (“CCPA”), as amended by the California Privacy Rights Act of 2020 (“CPRA”); the US Health Insurance Portability and Accountability Act (“HIPAA”); the Personal Information Protection Law of the People's Republic of China (“PIPL”); and all other relevant data protection regulations where the Parties operate.

1.2. “Customer” means the appropriately licensed hearing care professional or facility which dispenses hearing device(s) to the End-Users.

1.3. “End-Users” refers to individuals who use a Sonova hearing device directly.

1.4. “Personal Data” shall have the meaning set forth in the Applicable Data Protection Laws (e.g., any data that relates to an identified or identifiable natural person) or as otherwise referenced therein (e.g., personal information, personally identifiable information). For the sake of clarity, Personal Data does not include information that has been de-identified or aggregated such that the individual is no longer identifiable.

1.5. For the purposes of this DPA, the terms “Supervisory Authority”, “Data Protection Officer”, “Personal Data”, “Data Subjects”, “Pseudonymisation”, “Controller”, “Processing”, “Transfer”, “Processor”, “Sale”, “Share” and “Sharing”, and “Personal Data Breach” shall have the same meanings given to them in the Applicable Data Protection Laws.

Article 2 – Compliance with Applicable Data Protection Laws

2.1. Sonova and the Customer (together, the “Parties”) each commit to comply with all Applicable Data Protection Laws and to act in accordance with the relevant terms and conditions of the Agreement.

2.2. Each Party shall be solely responsible for ensuring that its Processing of Personal Data under the Agreement is carried out in compliance with the Applicable Data Protection Laws applicable to it and in accordance with this DPA.

2.3. Each Party warrants that any disclosure by it of the Personal Data to the other Party in relation to the performance of the Agreement shall be lawful, fair, and transparent, and that it has provided all required privacy notices and obtained all necessary consents or other lawful bases prior to disclosure.

2.4. Where references are made in this DPA to specific provisions of Regulation (EU) 2016/679 (the "GDPR"), including to legal bases under Article 6 GDPR, such references shall apply solely to the extent that the GDPR is applicable to the relevant processing activity. Where a different Applicable Data Protection Law governs the processing in question, the corresponding provisions of that law shall apply in lieu thereof.

Article 3 – Roles of the Parties

3.1. Depending on the nature of the product and/or service provided, Sonova and the Customer may act either as independent Controllers or as joint Controllers, as those terms are defined under Applicable Data Protection Laws. The applicable role shall be determined by the specific processing activity and the purposes and means of processing defined in connection with the relevant product or service.

3.2. Where the Parties act as joint Controllers, such processing shall be governed by Section A of this DPA (Articles 4 to 12).

3.3. Where the Parties act as independent Controllers, such processing shall be governed by Section B of this DPA (Article 13).

3.4. To the extent that, in the course of their relationship, one Party processes Personal Data on behalf of the other Party and thereby qualifies as a Processor acting on behalf of a Controller within the meaning of Applicable Data Protection Laws, the Parties agree that a separate Data Processing Agreement shall be entered into between the Parties.

Section A – Joint Controller Agreement

Article 4 - Joint Controllers

4.1. The Parties acknowledge that, in the context of the use of Sonova’s products and services, they may act as joint Controllers in respect of Personal Data relating to the End-Users, where both Parties jointly determine the purposes and means of Processing.

4.2. The Parties acknowledge and agree that, as a general rule, the following activities do not require the disclosure or sharing of the Personal Data of End-Users with Sonova. Notwithstanding the foregoing, where Personal Data is in fact shared, the Parties shall act as joint Controllers for the Processing of Personal Data for the following purposes:

a) Post-sales service of the products, including repair, replacement, or maintenance, where such processing is necessary for the performance of the contract with the End-User. Depending on the circumstances, post-sales service of products may require additional consent or another applicable lawful ground.
b) Use of tools and software incidental to the product, including software updates, remote monitoring, or device configuration, where necessary for the performance of the contract with the End-User or subject to another lawful ground.
c) Product manufacturing, including personalization or adaptation of the product to the End-User, where necessary for the performance of the contract with the End-User and subject to a valid legal basis under Applicable Data Protection Laws.

4.3. Where, for the Customer’s own operational convenience, the Customer elects to disclose or otherwise make available Personal Data of End-Users to Sonova beyond what is strictly necessary for the purposes set out in Article 4.2, the Customer shall:

a) ensure compliance with the principle of data minimisation under Applicable Data Protection Laws;
b) identify and document an appropriate legal basis, including obtaining valid consent where required;
c) provide the required information to Data Subjects pursuant to Applicable Data Protection Laws, including clear information regarding the disclosure of their Personal Data to Sonova, the purposes of such disclosure, and the respective roles of the Parties.

4.4. The Customer represents and warrants that any Personal Data shared with Sonova in the context of joint processing has been lawfully collected and may be lawfully processed for the purposes set out in this DPA, any additional privacy documentation, and in accordance with Applicable Data Protection Laws.

4.5. Upon first request, the Customer shall provide evidence of the relevant legal basis for the transfer of Personal Data of End-Users to Sonova. If no such legal basis exists, the Customer shall indemnify Sonova against any resulting claims by third parties, including those by competent authorities.

4.6. The Customer shall not Sell or Share End-Users' Personal Data, nor use, retain, disclose, or otherwise process Sonova’s confidential or proprietary information outside of its business relationship with Sonova or for any other business or commercial purpose except as required by law.

Article 5 – Characteristics of Personal Data Processing

5.1 The Parties agree that the processing of Personal Data, the purposes and means of which they define together, shall have the characteristics set forth in the applicable privacy notice, which is incorporated by reference into this DPA.

5.2 Sonova may aggregate or de-identify Personal Data such that the resultant data no longer constitutes Personal Data under the Applicable Data Protection Laws, provided such data is incapable of being identified to or associated with a Data Subject by Sonova (collectively, “Aggregated Data”), and may use such Aggregated Data for its own internal purposes (e.g., research and service improvement, generative artificial intelligence) to the extent permitted in the Professional User Agreement and Applicable Data Protection Laws.

Article 6 – General obligations of the Parties

6.1 The Parties undertake to:

a) Ensure that the personnel having access to or being involved in the processing of Personal Data, by virtue of the Agreement, are bound by an obligation of confidentiality and receive the necessary training in the protection of Personal Data;
b) Take all steps necessary to comply with Applicable Data Protection Laws, including keeping a register of processing activities and cooperating in the conduct of data protection impact assessments regarding Personal Data processing, as applicable;
c) In the event of subcontracting the processing activities, ensure that all vendors, subcontractors, or other third parties comply with the obligations arising from this DPA; and
d) Securely delete or destroy all Personal Data processed under this DPA, including all copies and reproductions thereof, except to the extent that applicable law requires retention of such data.

Article 7 – Rights of the Data Subjects

7.1 The Customer shall be responsible for providing information on the processing of Personal Data to the End-Users concerned by such processing, in accordance with Applicable Data Protection Laws, and for obtaining and documenting any required consent or other legal basis from the End-User before sharing Personal Data with Sonova.

7.2 Data Subjects may exercise their rights with either Party. The Parties shall cooperate in good faith to ensure timely and compliant responses.

Article 8 – Security of Personal Data

8.1 Each Party shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk associated with the Processing of Personal Data, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of the Processing.

8.2 Without limitation, such measures shall include, as appropriate or required by law:

a) Pseudonymisation and encryption of Personal Data to protect against unauthorized access or disclosure;
b) Measures to ensure the ongoing confidentiality, integrity, availability, and resilience of Processing systems and services, including administrative, technical, and physical safeguards;
c) Procedures to restore the availability of and access to Personal Data in a timely manner in the event of a physical or technical incident;
d) Regular testing, assessment, and evaluation of the effectiveness of the technical and organisational measures, to ensure the security of the Processing, including vulnerability testing and penetration testing where appropriate;
e) Access control measures, ensuring that only authorized personnel with a legitimate need may access Personal Data;
f) Logging and monitoring of Processing activities, to detect, prevent, and respond to unauthorized access or security incidents; and
g) Employee training and awareness programs, ensuring personnel involved in Processing understand their obligations under Applicable Data Protection Laws and this DPA.

8.3 Each Party shall be responsible for implementing the security measures in its respective area of responsibility and shall promptly notify the other Party of any security incidents that could reasonably affect Personal Data shared or jointly processed.

Article 9 – Processors

9.1 The Parties may use Processors subject to compliance with the provisions of this Article 9.

9.2. All Processing by Processors shall be subject to a written agreement between the relevant Party and the Processors that requires the Processors to comply with the same obligations and restrictions as provided for in this DPA, including express guarantees by the Processors to implement technical and organizational measures to ensure that Processing satisfies all requirements of Applicable Data Protection Laws.

9.3 Each Party shall maintain an up-to-date list of its Processors involved in the processing of Personal Data under this DPA. Upon reasonable written request by the other Party, such list shall be made available, provided that the disclosing Party may redact or limit information to the extent necessary to protect confidential information or security.

9.4. Each Party shall remain responsible for the Processing of Personal Data and for any acts and omissions of its Processors to the same extent as if such acts or omissions were performed by the relevant Party.

Article 10 – Personal Data Breach 

10.1 Each Party shall inform the other without undue delay after becoming aware of a Personal Data Breach affecting Personal Data processed under this DPA, and the Parties undertake to cooperate in handling it. Such notification shall include all information reasonably necessary to allow the other Party to comply with its obligations under Applicable Data Protection Laws.

10.2 The Parties shall cooperate in good faith to assess the scope, nature, and likely consequences of the Personal Data Breach, and to determine whether the breach is likely to result in a risk or a high risk to the rights and freedoms of natural persons.

10.3 The Party concerned by the Personal Data Breach will carry out an investigation and an analysis in order to determine the consequences of the Personal Data Breach and in particular whether it is likely to create a risk for the rights and freedoms of the Data Subjects. In this regard:

a) The concerned Party shall be responsible for notifying the competent supervisory authority and, where necessary, the Data Subjects impacted, unless otherwise required by Applicable Data Protection Laws. The other Party shall provide all necessary assistance and information to enable such notification to be made within the applicable timeframes.
b) The concerned Party shall implement as soon as possible the measures necessary to remediate the Personal Data Breach;
c) The concerned Party shall document the Personal Data Breach in order to ensure its traceability, whether or not the analysis shows that there is a risk to the rights and freedoms of the Data Subjects.

Article 11 – Cross-border data transfers

11.1 In the event of a Transfer of Personal Data outside of the country where the Personal Data is collected, where the importing country is not considered to have an adequate level of data protection under the Applicable Data Protection Laws, the Parties undertake to cooperate to ensure:

a) The implementation of adequate procedures to comply with the Applicable Data Protection Laws, in particular where a request for authorization from the competent Supervisory Authority is necessary;
b) The implementation of appropriate organizational, technical and legal safeguards to govern the said transfer and to ensure the necessary and adequate level of protection under the Applicable Data Protection Laws;
c) If necessary, the implementation of legitimate mechanisms for cross-border transfers, such as the standard contractual clauses adopted by the European Commission (Decision 2010/87/EU of 5 February 2010 or more recent versions, including the SCCs set forth in European Commission Implementing Decision (EU) 2021/914 of 4 June 2021), the International Data Transfer Agreement or International Data Transfer Addendum issued by the UK Information Commissioner’s Office, the standard contractual clauses or other transfer mechanisms recognized under Swiss data protection law, or the transfer mechanisms provided for in the regulations of the Brazilian Autoridade Nacional de Proteção de Dados (ANPD), including, where necessary, between the relevant subsidiaries.

11.2 Depending on the importing third country, the Parties undertake to take supplementary measures, such as completing a transfer impact assessment, where, after evaluating the circumstances of the transfer and the legislation of the third country, such measures are necessary for the protection of the transferred Personal Data.

Article 12 – Data Protection Officer

12.1 The Parties shall provide each other with the contact details of their Data Protection Officer upon request.

Section B – Independent Controller Processing

Article 13 – Characteristics of Processing Activities and General Obligations of the Parties

13.1 Sonova acts as an independent Controller for the processing of Personal Data relating to the Customer and/or its representatives, employees, or contact persons for the following purposes. Where the GDPR is applicable, the legal bases indicated below shall apply:

a) execution of orders and performance of the contract (Article 6(1)(b) GDPR);
b) monitoring of the Customer relationship and follow-up on requests (Article 6(1)(b) GDPR);
c) administrative management of the Customer file (Article 6(1)(b) and Article 6(1)(f) GDPR);
d) Customer relationship and account management (Article 6(1)(b) and Article 6(1)(f) GDPR);
e) accounting and financial management (Article 6(1)(b) and Article 6(1)(f) GDPR);
f) after-sales service operations (Article 6(1)(b) and Article 6(1)(f) GDPR);
g) sales and marketing activities (Article 6(1)(f) GDPR);
h) competitions and promotional initiatives (Article 6(1)(a) GDPR);
i) organisation of professional events (Article 6(1)(a) GDPR).

13.2 Sonova acts as an independent Controller for the processing of Personal Data relating to the End-Users (including patients) of the Customer for the following purposes. Where the GDPR is applicable, the legal bases indicated below shall apply:

a) compliance with applicable legal and regulatory obligations, including those arising under Regulation (EU) 2017/745 on medical devices ("MDR") (Article 6(1)(c) GDPR);
b) use of tools and software ancillary to products developed by Sonova, as further described in the applicable privacy notice or policy.

13.3 The Customer acts as an independent Controller for the processing of Personal Data relating to its End-Users (including patients) for its own purposes, including the management of its commercial relationship and the provision of care, in compliance with its legal and regulatory obligations.