AGREEMENT ON THE PROCESSING OF PERSONAL DATA AND
APPOINTMENT AS DATA CONTROLLER
This agreement on the processing of personal data (hereinafter “DPA”) applies to patients’ personal data which, within the framework of the activities covered by the contract, even occasionally, are provided to the Sweden & Martina Group, unless otherwise agreed in writing.
In accordance with Article 28 of EU Regulation 679/2016 (known as GDPR), in order to process such personal data, the Sweden & Martina Group (as defined under “group of undertakings” in Article 4.19 of EU Regulation 679/2016, represented by the parent company Sweden & Martina S.p.A., VAT No. 00401550280) must be appointed as Data Processor.
By means of this agreement, the user, acting on behalf of the Data Controller, appoints the Sweden & Martina Group as Data Processor pursuant to Article 28 of the GDPR, for the processing operations described in the table below, whose duration is functionally linked thereto, and grants general authorization to appoint other sub-processors.
Hereinafter, and for simplicity, the Data Controller will be referred to as the “Contracting Party” and the Sweden & Martina Group as the “Processor.”
Processing
Management of requested services, including:
- aligners *
- CAD CAM products
- guided implantology *
- subperiosteal implants
- management of First-Fit orders
- Bone Iuxta
Duration: Duration of the contractual relationship with Sweden & Martina
Nature: Activities necessary for the purpose, in particular: consultation, processing and use
Purpose:
Design and manufacture of dental aligners*
Design and manufacture of products using CAD CAM technology
Design and manufacture of veneers, GUIDE and models
Manufacture iuxta ossei
* Processing activity carried out by Sweden & Martina S.p.A. solely on behalf of Clients authorized to practice dentistry
Type of personal data: General personal data; Data concerning health
Categories of data subjects: Patients
Transfers of personal data outside the EU/EEA: the processing of personal data (for example, storage and retention on its own servers or in the cloud) is limited to the territories of the countries that are part of the European Union, with an express prohibition on transferring such data to countries outside the EU that do not provide (or in the absence of) an adequate level of protection, or in the absence of the safeguards provided under EU Regulation 2016/679 (such as a third country deemed adequate by the European Commission, binding corporate rules, standard contractual clauses, consent of the data subjects, etc.).
Technical and organizational security measures: The security measures provided for in Article 32 of the GDPR are implemented, which are considered appropriate taking into account the state of the art and the costs of implementation, as well as the nature, purpose, context, and objectives of the processing, and the varying likelihood and severity of the risk to the rights and freedoms of the data subjects.
Within the framework of the processing activities described, Sweden & Martina S.p.A. undertakes to:
- process personal data solely in accordance with the documented instructions of the Contracting Party, including in the event of a transfer of personal data to a third country or an international organization, unless required otherwise by European Union or national law to which the Data Controller is subject; in such case, the Processor shall inform the Contracting Party without undue delay of such legal obligation prior to processing, unless the law prohibits it for important reasons of public interest;
- ensure that persons authorized to process personal data have committed themselves to confidentiality or are subject to an appropriate legal obligation of confidentiality;
- assist the Contracting Party, to the extent possible, with appropriate technical and organizational measures, taking into account the nature of the processing, in order to establish and maintain an adequate security system;
- make available to the Contracting Party all necessary information to demonstrate compliance with the obligations set out in this agreement, following economic, technical, and organizational coordination;
- assist data subjects who submit requests relating to the exercise of their rights, informing the Contracting Party promptly of such requests. In particular, when the Processor processes data subject to a request for portability, it undertakes to assist the Contracting Party with appropriate technical and organizational measures to respond to such request;
- assist the Contracting Party in fulfilling the obligation to notify a personal data breach to the supervisory authority as provided in Articles 33 and 34 of EU Regulation 679/2016. In the event of a personal data breach, the Processor shall inform the Contracting Party without undue delay and, in any case, within 36 hours from becoming aware of the breach;
- assist the Contracting Party in activities related to data protection impact assessments and prior consultations (Articles 35 and 36 of EU Regulation 2016/679), taking into account the nature of the processing and the information available to the Processor;
- ensure that any sub-processor appointed signs an agreement that respects the technical and organizational measures established in this agreement;
- limit the scope of circulation and processing of personal data (for example, storage, archiving, and retention on its own servers or in the cloud) to countries that are part of the European Union, with an express prohibition on transferring them to countries outside the EU that do not provide (or in the absence of) an adequate level of protection, or in the absence of the safeguards provided under EU Regulation 2016/679 (such as a third country deemed adequate by the European Commission, binding corporate rules, standard contractual clauses, consent of the data subjects, etc.);
- delete or return, at the choice of the Data Controller, all personal data processed and remove any existing copies (unless European Union or Member State law requires their retention) upon termination or revocation of this agreement.
The Contracting Party is obliged to:
- not share personal data that are not necessary in connection with the activities requested from the Processor;
- immediately and fully inform the Processor as soon as any errors and/or irregularities in the processing of data carried out by the Processor are detected;
- support, to the extent possible, the defense of the Processor in the event that a data subject takes action against it to obtain compensation in accordance with Article 82 of the GDPR;
- provide the Processor with a contact point to address any questions related to data protection arising from or in any way related to this appointment;
- indemnify the Processor against any harm, including indirect harm (including potential reputational damage), that may result from the adoption of specific measures imposed by the Contracting Party for the processing of personal data;
- provide data subjects with information regarding the processing of their personal data in accordance with Articles 13 and 14 of the GDPR, at the time of data collection.
Any modification to this agreement shall be valid and binding only if formalized in writing or via written communication, including electronic communication. If any provision of this agreement is found to be invalid or unenforceable, the validity and enforceability of the remaining provisions shall not be affected.
Last update: M.222-EN rev 9 - 2026/02/20
