Agreement on the Processing of Personal Data and Appointment as Data Controller
This Data Processing Agreement (hereinafter “DPA”) applies to the personal data of patients that is provided to the Sweden & Martina Group, even incidentally, in connection with the activities covered by the contract, unless otherwise agreed in writing.
As provided for in Article 28 of EU Regulation 679/2016 (the so-called GDPR), in order to process such personal data, the Sweden & Martina Group (defined as a “business group” under Article 4.19 of EU Regulation 679/2016, in the person of the parent company Sweden & Martina S.p.A., VAT No. 00401550280) must be designated as the Data Processor.
By this agreement, the user, acting on behalf of the Data Controller, appoints the Sweden & Martina Group as a Data Processor pursuant to Article 28 of the GDPR for the processing activities described in the table below, to which the term of this agreement is functionally linked, and generally authorizes it to appoint additional data processors.
For simplicity’s sake, the Data Controller will hereinafter be referred to as the “Client,” and the Sweden & Martina Group as the “Data Processor.”
| Treatment | Management of services requested between: · aligners* · CAD/CAM-manufactured parts · guided implantology* · occlusal splints · First-Fit order management · adjacent to the bone |
| Duration | Duration of the contractual relationship with Sweden & Martina |
| Nature | Activities necessary to achieve the purpose, specifically: consultation, processing, and use |
| Purpose | Design and manufacture of dental aligners*; Design and manufacturing of products using CAD/CAM technology; Design and manufacture of veneers, surgical guides, and models; Design and manufacture of occlusal splints; Intraosseous production |
| Type of personal data | General data; Health-related data |
| Categories of data subjects | Patients |
| Transfers of personal data outside the EU/EEA | The processing of personal data (e.g., storage, archiving, and retention of data on our servers or in the cloud) is limited to the territory of the European Union member states, with an express prohibition on transferring such data to non-EU countries that do not guarantee (or lack) an adequate level of protection, or in the absence of the safeguards provided for by EU Regulation 2016/679 (third countries deemed adequate by the European Commission, group BCRs, standard contractual clauses, consent of the data subjects, etc.) |
| Technical and organizational security measures | The security measures provided for in Article 32 of the GDPR have been implemented; these are considered appropriate given the state of the art and the costs of implementation, as well as the nature, scope, context, and purposes of the processing, and the risk of varying likelihood and severity to the rights and freedoms of data subjects |

*Data processing activities carried out by Sweden & Martina S.p.A. solely on behalf of clients licensed to practice dentistry
In connection with the processing activities described above, Sweden & Martina S.p.A. undertakes to:
- process personal data only on the basis of documented instructions from the Client, including in the event of a transfer of personal data to a third country or an international organization, unless required by Union or national law to which the data processor is subject; in such a case, the data processor shall promptly inform the Client of this legal obligation prior to processing, unless the law prohibits such information for compelling reasons of public interest;
- ensure that persons authorized to process personal data have agreed to maintain confidentiality or are subject to an appropriate legal obligation of confidentiality;
- assist the Client, to the extent possible, with appropriate technical and organizational measures, taking into account the nature of the processing, in order to establish and maintain an adequate security system;
- provide the Client with all the information necessary to demonstrate compliance with the obligations set forth in this agreement, subject to financial, technical, and organizational agreement;
- assist data subjects who submit requests regarding the exercise of their rights, promptly informing the Client of such requests. In particular, if the Data Processor handles data that is the subject of a portability request, it undertakes to assist the Client with appropriate technical and organizational measures in order to respond to said request;
- assist the Client in ensuring compliance with the obligation to notify a personal data breach to the supervisory authority pursuant to Articles 33 and 34 of EU Regulation 679/2016. In the event of a personal data breach, the Data Processor shall inform the Client without undue delay and, in any event, within 36 hours of becoming aware of the breach;
- assist the Client with activities related to data protection impact assessments and prior consultation (Articles 35 and 36 of EU Regulation 2016/679), taking into account the nature of the processing and the information available to the Data Processor;
- have any additional data processor that may be appointed sign an agreement that complies with the technical and organizational measures set forth in this agreement;
- limit the scope of the circulation and processing of personal data (e.g., storage, archiving, and retention of data on its own servers or in the cloud) to countries within the European Union, with an express prohibition on transferring such data to non-EU countries that do not guarantee (or lack) an adequate level of protection, or in the absence of the safeguards provided for by EU Regulation 2016/679 (third country deemed adequate by the European Commission, group BCRs, standard contractual clauses, consent of the data subjects, etc.);
- delete or return, at the data controller’s discretion, all personal data related to the processing and delete any existing copies (unless Union or Member State law requires the retention of such data), upon the termination or revocation of this agreement.
The Client is required to:
- not share personal data that is not necessary for the activities required of the Data Processor;
- immediately and fully inform the Data Controller as soon as it discovers any errors and/or irregularities in the processing of data carried out by the Data Controller;
- support, to the extent possible, the Data Processor’s defense in the event that a data subject brings a claim against the Data Processor for compensation for damages pursuant to Article 82 of the GDPR;
- provide the Data Protection Officer with a point of contact to whom they may turn for any matter relating to data protection that arises from or is in any way connected to this designation;
- hold the Data Controller harmless from any and all harm, including indirect harm (such as damage to reputation), that may arise from the implementation of specific measures imposed by the Client for the processing of personal data;
- provide data subjects with information regarding the processing of personal data, in accordance with Articles 13 and 14 of the GDPR, at the time the data is collected.
Any amendment to this agreement shall be valid and binding only if made in writing or communicated in writing, including by electronic means. Should any provision of this agreement be found to be invalid or unenforceable, the validity and enforceability of the remaining provisions shall remain unaffected.
Last updated: M222 rev. 9 – February 20, 2026