Back to Feed
PolicyJul 7, 2026

AKI (Estonia) - No. 2.1-1/24/397-890-38

Estonian DPA orders dental clinic to clarify GDPR roles with Align Technology.

Summary

The Estonian Data Protection Authority (AKI) has ordered OÜ Dr Mõttus Hambaravi, a dental clinic, to clarify its data processing relationship with Align Technology, Inc. concerning Invisalign patient data. The clinic failed to provide adequate transparency and consent information to patients, and the roles of the clinic and Align Technology as either joint controllers or processors were not clearly established. While no fine was imposed, the clinic was directed to remedy these GDPR violations.

Full text

Help AKI (Estonia) - No. 2.1-1/24/397-890-38: Difference between revisions From GDPRhub Jump to:navigation, search Newer edit →VisualWikitext Revision as of 10:43, 7 July 2026 view source Bms (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators141 edits Tag: submission [1.0]Newer edit → (No difference) Revision as of 10:43, 7 July 2026 AKI - No. 2.1-1/24/397-890-38 Authority: AKI (Estonia) Jurisdiction: Estonia Relevant Law: Article 4(7) GDPR Article 4(11) GDPR Article 5(1)(a) GDPR Article 5(2) GDPR Article 6(1)(a) GDPR Article 6(1)(b) GDPR Article 9(2)(a) GDPR Article 12 GDPR Article 13 GDPR Article 14 GDPR Article 25 GDPR Article 26 GDPR Article 28 GDPR Article 58(2)(b) GDPR Type: Complaint Outcome: Upheld Started: Decided: 16.04.2026 Published: Fine: n/a Parties: OÜ Dr Mõttus Hambaravi Align Technology, Inc. National Case Number/Name: No. 2.1-1/24/397-890-38 European Case Law Identifier: n/a Appeal: Unknown Original Language(s): Estonian Original Source: AKI (in ET) Initial Contributor: bms The DPA ordered a dental clinic to clarify its GDPR relationship with Align Technology and remedy transparency and consent failures in the processing of Invisalign patients’ health data. No fine was imposed. Contents 1 English Summary 1.1 Facts 1.2 Holding 2 Comment 3 Further Resources 4 English Machine Translation of the Decision English Summary Facts OÜ Dr Mõttus Hambaravi, the controller, is a Dental Clinic. On March 2024, the DPA received a complaint from a data subject regarding the fact that the controller had failed to provide all personal data requested. The controller only partially complied after several requests from the DPA. Although the DPA closed the part of the case concerning the access request, it continued investigating the controller’s processing of patients’ personal data when providing Invisalign treatment. The service required the controller to collect and transfer patients’ health data to Align Technology, Inc. However, the contractual documents did not clearly establish whether Align Technology acted as a processor, an independent controller or a joint controller. The controller stated that Align Technology largely determined the conditions of the service, including the consent form and the processing arrangements, and that individual clinics could not unilaterally amend these conditions. The DPA also found that the information provided to patients was incomplete and fragmented. The consent form and privacy information did not clearly explain the legal basis and purposes of processing, the parties involved, data recipients, retention periods, transfers outside the European Union or the safeguards applied to such transfers. Parts of the information were only available in English on external websites. Holding The DPA held that the controller had failed to demonstrate that the processing carried out in connection with the Invisalign service was lawful and transparent under Articles 5(1)(a) and 5(2) GDPR. First, the DPA found that the parties’ roles had not been properly determined. Under Article 4(7) GDPR, the assessment had to be based on which party actually determined the purposes and means of processing, rather than solely on the contractual description of the relationship. The controller decided whether Invisalign treatment was suitable for a patient and collected the relevant health data. It therefore acted as a controller in relation to the treatment. However, Align Technology exercised significant control over the subsequent processing, including the data collected, the recipients, retention arrangements, the use of other service providers and transfers outside the European Union. The DPA therefore considered that Align Technology could not simply be regarded as a processor acting only on documented instructions under Article 28(3)(a) GDPR. On the available evidence, it was at least a joint controller under Article 26 GDPR. The DPA ordered the controller to review the contractual relationship. If Align Technology acted as a processor, the agreement had to comply with Article 28 GDPR, including the requirements concerning subprocessors under Article 28(2). If the parties were joint controllers, they had to allocate their respective responsibilities under Article 26 GDPR. Second, the DPA found that the consent obtained from patients was invalid. The consent form did not provide sufficient information for patients to understand the processing and therefore did not meet Articles 4(11), 6(1)(a), 7 and 9(2)(a) GDPR. The DPA also noted that healthcare processing may, depending on the operation concerned, rely on Article 6(1)(b) GDPR together with Article 9(2)(h) GDPR. However, the controller had not clearly identified the applicable legal bases for the different processing activities. The privacy information also failed to comply with Articles 12, 13 and 14 GDPR. Patients were required to consult several documents and external websites, some of which contained incomplete or inconsistent information. The controller had therefore not ensured that the information was easily accessible, understandable and available in Estonian. The DPA further referred to Article 25 GDPR when emphasising that the controller had to ensure that the processing arrangements and safeguards complied with the GDPR. Under Article 58(2)(d) GDPR and § 56(1) of the Estonian Personal Data Protection Act, the DPA ordered the controller to clarify the parties’ roles, conclude an Article 26 arrangement or Article 28 agreement, amend the consent form and privacy policy, and publish the required information in Estonian. No administrative fine was imposed. However, failure to comply could result in a penalty payment of €1,000 for each unfulfilled point or subpoint of the order, imposed repeatedly until compliance. Comment Share your comments here! Further Resources Share blogs or news articles here! English Machine Translation of the Decision The decision below is a machine translation of the Estonian original. Please refer to the Estonian original for more details. PROTECTION OF PRIVACY AND STATE TRANSPARENCY Information holder: Data Protection Inspectorate Note made: 01.04.2026 Access restriction valid until: 01.04.2101, Basis: AvTS § 35 (1) (2) PRECAUTION-WARNING in personal data protection case no. 2.1-1/24/397-890-38 Precept maker: Kirsika Kuutma, lawyer of the Data Protection Inspectorate Precept making date: 16.04.2026 in Tallinn time and place Recipient of the precept – Fullgevity OÜ (former business name OÜ Dr Mõttus Hambaravi) personal data processor registry code: 12166527 address: Harju County, Tallinn, Nõmme district, Jaama tn 1a, 11615 e-mail address: info@citymed.ee Member of the Management Board responsible person RESOLUTION Based on § 56 (1) of the Personal Data Protection Act and Art. 58 (2) (d) of the General Data Protection Regulation the Data Protection Inspectorate issues a mandatory precept for compliance 1. To review the agreement(s) concluded between Fullgevity OÜ and Align Technology, Inc. within the framework of the provision of the Invisalign service, in the course of which: 1.1. to define the roles arising from the GDPR (controller, processor, joint processors) in accordance with the processing operations performed with personal data; 1.2. in the case of the controller and processor relationship, to ensure that the agreement covers the requirements arising from Art. 28 of the GDPR; 1.3. in the case of the joint processors relationship, to agree on the areas of responsibility for fulfilling the obligations arising from the GDPR (Art. 26 of the GDPR). 2. Ensure that the provision of Invisalign services to clients and the transfer of data within the framework of this is transparent for data subjects and in accordance with Article 5(1)(a) of the GDPR: 2.1. bring the consent form into line with the requirements for consent set out in Article 4(11), Article 6(1)(a), Article 7 and Article 9(2)(a) of the GDPR (see i

Entities

Align Technology, Inc. (vendor)Invisalign (product)