AKI (Estonia) - No. 2.1-1/24/397-890-38
Estonian DPA finds Align Technology's Invisalign data processing non-compliant with GDPR.
Summary
The Estonian Data Protection Inspectorate (DPA) ruled that the controller failed to demonstrate lawful and transparent processing of data related to the Invisalign service under GDPR. The DPA found that Align Technology exercised significant control, suggesting it should be considered a joint controller rather than a processor. Additionally, patient consent was deemed invalid due to insufficient information and unclear legal bases for processing. The DPA ordered a review of contractual relationships and amendments to consent forms and privacy policies.
Full text
Help AKI (Estonia) - No. 2.1-1/24/397-890-38: Difference between revisions From GDPRhub Jump to:navigation, search VisualWikitext Revision as of 10:43, 7 July 2026 view sourceBms (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators141 edits Tag: submission [1.0] Latest revision as of 10:53, 7 July 2026 view source Bms (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators141 editsTag: Visual edit Line 105: Line 105: === Holding ====== Holding === The DPA held that the controller had failed to demonstrate that the processing carried out in connection with the Invisalign service was lawful and transparent under Articles 5(1)(a) and 5(2) GDPR.The DPA held that the controller had failed to demonstrate that the processing carried out in connection with the Invisalign service was lawful and transparent under [[Article 5 GDPR|Articles 5(1)(a)]] and [[Article 5 GDPR|5(2) GDPR]]. First, the DPA found that the parties’ roles had not been properly determined. Under [[Article 4 GDPR#7|Article 4(7) GDPR]], the assessment had to be based on which party actually determined the purposes and means of processing, rather than solely on the contractual description of the relationship. The controller decided whether Invisalign treatment was suitable for a patient and collected the relevant health data. It therefore acted as a controller in relation to the treatment. However, Align Technology exercised significant control over the subsequent processing, including the data collected, the recipients, retention arrangements, the use of other service providers and transfers outside the European Union. The DPA therefore considered that Align Technology could not simply be regarded as a processor acting only on documented instructions under [[Article 28 GDPR#3a|Article 28(3)(a) GDPR]]. On the available evidence, it was at least a joint controller under [[Article 26 GDPR]]. First, the DPA found that the parties’ roles had not been properly determined. Under [[Article 4 GDPR#7|Article 4(7) GDPR]], the assessment had to be based on which party actually determined the purposes and means of processing, rather than solely on the contractual description of the relationship. The controller decided whether Invisalign treatment was suitable for a patient and collected the relevant health data. It therefore acted as a controller in relation to the treatment. However, Align Technology exercised significant control over the subsequent processing, including the data collected, the recipients, retention arrangements, the use of other service providers and transfers outside the European Union. The DPA therefore considered that Align Technology could not simply be regarded as a processor acting only on documented instructions under [[Article 28 GDPR#3a|Article 28(3)(a) GDPR]]. On the available evidence, it was at least a joint controller under [[Article 26 GDPR|Article 26 GDPR]]. The DPA ordered the controller to review the contractual relationship. If Align Technology acted as a processor, the agreement had to comply with [[Article 28 GDPR|Article 28 GDPR]], including the requirements concerning subprocessors under Article 28(2). If the parties were joint controllers, they had to allocate their respective responsibilities under [[Article 26 GDPR|Article 26 GDPR]].The DPA ordered the controller to review the contractual relationship. If Align Technology acted as a processor, the agreement had to comply with [[Article 28 GDPR]], including the requirements concerning subprocessors under [[Article 28 GDPR|Article 28(2)]]. If the parties were joint controllers, they had to allocate their respective responsibilities under [[Article 26 GDPR]]. Second, the DPA found that the consent obtained from patients was invalid. The consent form did not provide sufficient information for patients to understand the processing and therefore did not meet Articles 4(11), 6(1)(a), 7 and 9(2)(a) GDPR.Second, the DPA found that the consent obtained from patients was invalid. The consent form did not provide sufficient information for patients to understand the processing and therefore did not meet [[Article 4 GDPR|Articles 4(11)]], [[Article 6 GDPR|6(1)(a)]], [[Article 7 GDPR|7]] and [[Article 9 GDPR|9(2)(a) GDPR]]. The DPA also noted that healthcare processing may, depending on the operation concerned, rely on [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]] together with [[Article 9 GDPR#2h|Article 9(2)(h) GDPR]]. However, the controller had not clearly identified the applicable legal bases for the different processing activities.The DPA also noted that healthcare processing may, depending on the operation concerned, rely on [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]] together with [[Article 9 GDPR#2h|Article 9(2)(h) GDPR]]. However, the controller had not clearly identified the applicable legal bases for the different processing activities. The privacy information also failed to comply with Articles 12, 13 and 14 GDPR. Patients were required to consult several documents and external websites, some of which contained incomplete or inconsistent information. The controller had therefore not ensured that the information was easily accessible, understandable and available in Estonian.The privacy information also failed to comply with [[Article 12 GDPR|Articles 12]], [[Article 13 GDPR|13]] and [[Article 14 GDPR|14 GDPR]]. Patients were required to consult several documents and external websites, some of which contained incomplete or inconsistent information. The controller had therefore not ensured that the information was easily accessible, understandable and available in Estonian. The DPA further referred to [[Article 25 GDPR|Article 25 GDPR]] when emphasising that the controller had to ensure that the processing arrangements and safeguards complied with the GDPR.The DPA further referred to [[Article 25 GDPR]] when emphasising that the controller had to ensure that the processing arrangements and safeguards complied with the GDPR. Under [[Article 58 GDPR#2d|Article 58(2)(d) GDPR]] and § 56(1) of the Estonian Personal Data Protection Act, the DPA ordered the controller to clarify the parties’ roles, conclude an Article 26 arrangement or Article 28 agreement, amend the consent form and privacy policy, and publish the required information in Estonian.Under [[Article 58 GDPR#2d|Article 58(2)(d) GDPR]] and § [https://www.riigiteataja.ee/en/akt/523012019001?leiaKehtiv 56(1) of the Estonian Personal Data Protection Act], the DPA ordered the controller to clarify the parties’ roles, conclude an [[Article 26 GDPR|Article 26]] arrangement or [[Article 28 GDPR|Article 28]] agreement, amend the consent form and privacy policy, and publish the required information in Estonian. No administrative fine was imposed. However, failure to comply could result in a penalty payment of €1,000 for each unfulfilled point or subpoint of the order, imposed repeatedly until compliance.No administrative fine was imposed. However, failure to comply could result in a penalty payment of €1,000 for each unfulfilled point or subpoint of the order, imposed repeatedly until compliance. Latest revision as of 10:53, 7 July 2026 AKI - No. 2.1-1/24/397-890-38 Authority: AKI (Estonia) Jurisdiction: Estonia Relevant Law: Article 4(7) GDPR Article 4(11) GDPR Article 5(1)(a) GDPR Article 5(2) GDPR Article 6(1)(a) GDPR Article 6(1)(b) GDPR Article 9(2)(a) GDPR Article 12 GDPR Article 13 GDPR Article 14 GDPR Article 25 GDPR Article 26 GDPR Article 28 GDPR Article 58(2)(b) GDPR Type: Complaint Outcome: Upheld Started: Decided: 16.04.2026 Published: Fine: n/a Parties: OÜ Dr Mõttus Hambaravi Align Technology, Inc. National Case Number/Name: No. 2.1-1/24/397-890-38 European Case Law Identifier: n/a Appeal: Unknown Original Language(s): Estonian Original Source: AKI (in ET) Initial Contributor: bms The DPA ordered a dental clinic to clarify its GDPR relationship with Align Technology and remedy tran