Privacy Policy

DSD is committed to protecting the privacy of users of this website (the “Website”) and will do everything in its power to ensure that users’ Personal Data is treated with respect to their fundamental rights and freedoms as well as personal dignity, with particular reference to confidentiality.

We at DSD have thus prepared this Privacy Policy in order to briefly explain to you how we will collect, use, share and secure your Personal Data. It also describes your choices regarding the use, access, and correction of your Personal Data.

We may require users to provide certain personal information and details in order to provide our services, and we would therefore like to explain the procedures and ways in which we handle data supplied to us.

This Privacy Policy will also provide you with full information so that you are able to consent to the processing of your Personal Data in an explicit and informed manner, where appropriate.

In general, any information and data which you provide, or which is otherwise gathered by us in the context of the Website, will be used by DSD in compliance with Regulation (EU) 2016/679 (“GDPR”) of the European Parliament and the Council of 27 April 2016 on the protection of natural persons, or General Data Protection Regulation (RGPD).

This means, in particular, that any Personal Data processing carried out by DSD will respect the principles of lawfulness, fairness, transparency, purpose limitation, storage limitation, data minimization, accuracy, integrity, and confidentiality.

Direct contact SMS will be used to contact you related to website and website lead capture form for Digital Smile Design and the services advertised herein. Message and data rates may apply. Check with your carrier for more information.

Message frequency varies but you may opt out of SMS communication at any time by sending "STOP" in reply to any SMS communications.

You may contact customer support here or calling us at +34 916 64 66 03.

1. WHO IS THE DATA CONTROLLER?

DSD Planning Center S.L. (Hereinafter “DSD”)

Street C/ Ochandiano, 10, Planta 1, 28023, Madrid

NIF (TAX ID): ESB86563285

DPO: dpo@digitalsmiledesign.com

2. THE PURPOSE OF PROCESSING, LAWFULNESS AND RETENTION PERIOD

As you use the Website and, in particular, as you provide information and upload files to the Website in order to access the Website’s services, DSD may collect and process information related to you as an individual and which allows you to be identified, either directly or together with additional information (“Personal Data”).

Such information may include your name, address, telephone number, email address, date of birth or age, gender, credit card, and other financial information related to payments for services, dental records, photographs, and other information you choose to provide.

We will notify you of such purposes at the time that we request to collect Personal Information from you and will endeavor to only collect the information that is strictly necessary to fulfill those purposes. We will ask for your explicit consent to the collection of sensitive data and acceptance of the terms of this Privacy Policy.

We will also collect information about your use of our Website as described in the section "Cookies and Advertisements" below.

DSD intends to use your Personal Data, collected through the Website, for the following purposes:

• To set up and manage your member account on our Sites.

• To allow you to use and purchase products and services.

• To provide you with information about our products, services, news, and events we believe may be of interest to you.

• To gather demographic information about user trends.

• To analyze the use of our services and products, develop new services and products, and customize our products, services, and other information we make available.

Depending on the Data Subject category, DSD might process the information you provide us with the following purposes:

DATA SUBJECTS	PURPOSE OF PROCESSING	LAWFULNESS OF PROCESSING	RETENTION PERIOD
POTENTIAL CLIENTS	To manage the potential commercial and/or professional relationship	Art 6.1. a) GDPR: Consent to the processing	Data will be deleted once it has fulfilled the purpose for which it was collected and the conservation periods have been met due to legal obligation
	To manage the sending of the requested information and/or to resolve the queries raised	Art 6.1. a) GDPR: Consent to the processing
	To facilitate offers of our services and/or products of your interest	Art 6.1. a) GDPR: Consent to the processing
CLIENTS	Register on our platform as a user or healthcare professional.	Art 6.1. a) GDPR: Consent to the processing	Data will be deleted once it has fulfilled the purpose for which it was collected and the conservation periods have been met due to legal obligation If you delete your Client Account, your data will be destroyed after 5 years maximum, keeping your data during this period blocked.
	Manage the orders you request from us.	Art 6.1. b) GDPR: Performance of a contract to which the data subject is party
	Management of the invoicing of services. Depending on the service requested, invoicing may be carried out from any of the companies in the DSD group.	Art 6.1. b) GDPR: Performance of a contract to which the data subject is a party
	Send the order to your center or to your client's address.	Art 6.1. b) GDPR: Performance of a contract to which the data subject is a party
	Provide offers for our services and/or products that may be of interest	Art 6.1. b) GDPR: Performance of a contract to which the data subject is party Art 22.1 LSSICE: Performance of a contract to which the data subject is party
SUPPLIERS	To manage the commercial and/or professional relationship.	Art 6.1. b) GDPR: Performance of a contract to which the data subject is party	Data will be deleted once it has fulfilled the purpose for which it was collected and the conservation periods have been met due to legal obligation
SUPPLIERS	Management of the invoicing of services
APPLICANTS	Manage the selection process.	Art 6.1. b) GDPR: Execution of a contract in which the interested party is a party or adoption of pre-contractual measures.	Personal data will be deleted or anonymized once the recruitment process is completed. Thereafter, personal data will only be available as metadata without direct personal reference for statistical purposes (e.g. percentage of women and men in applications received, number of applications per period, etc.). DSD will retain personal data in order to identify any other position that is of interest to the applicant for a maximum period of 2 years, as long as the said applicant has given his/her express consent accordingly. This also applies to applications for training and internship positions.
APPLICANTS	To keep the CV for new job opportunities in the future.	Art 6.1. a) GDPR: Consent to the processing.
WEB USERS	Analyze navigation data	Art 6.1. a) GDPR: Consent to the processing	The retention period will be determined by the cookie policy, with each cookie setting the retention period or until the user deletes them.
COURSE USERS	Processing of data required to manage course attendance.	Art 6.1. a) GDPR: Consent to the processing. Art 6.1. b) GDPR: Performance of a contract to which the data subject is a party.	Data will be deleted once it has fulfilled the purpose for which it was collected and the conservation periods have been met due to legal obligation. The maximum retention period for course users will be five years.
COURSES DEMONSTRATION PATIENTs	To manage the selection process of those volunteer candidates who wish to participate/are nominators to participate in a Live demonstration case usind DSD soclutions. * For this purpose it will be necessary to use images, videos in which the candidate appears, and participation implies acceptance of this condition.	Art 6.1. a) and 9.2. a) GDPR: Consent to the processing.	Data will be deleted once the have fulfilled the purpose for which they were collected and the conservation periods have been met due to legal obligation

3. PATIENT DATA

3.1 Data Processing Agreement (DPA)

DSD PLANNING will act as the Processor of patient data communicated to us by HEALTHCARE PROFESSIONALS.( “Clients” or ·Potential Clients” or “ HEALTHCARE PROFESSIONALS”).

All health professionals who register on our platform accept the conditions of data processing and are responsible for obtaining the informed consent, and the image authorization form from patients.

DSD PLANNING, along with all employees, is obliged to the following:

Use the personal data subject to processing, or those collected for processing, exclusively for the purpose object of their responsibility. Under no circumstance may the data be used for personal or different purposes than those determined by the HEALTHCARE PROFESSIONALS.
Process data according to the guidelines drafted by the HEALTHCARE PROFESSIONALS. DSD may communicate the data to other companies for the performance of its services, acting as sub-processors, including outside the EEA.
Likewise, those registered HEALTHCARE PROFESSIONALS who are granted the provision or performance of service will act as sub-processors and are obliged to comply with the minimum measures established in this section.
Guarantee that those authorized to process personal data agree, expressly to keep confidentiality, and professional secrecy and comply with the corresponding security measures. The duty of secrecy and confidentiality relative to personal data which may have been accessed by virtue of this processing shall prevail indefinitely over time.
Provide, in writing, a record of all the categories of processing activities.
Support the HEALTHCARE PROFESSIONALS, when possible, taking into account the nature of such processing and with the appropriate technical and organizational means, in order for the HEALTHCARE PROFESSIONALS to comply with the rights to access, rectification, erasure, right to object, restriction of processing, right to data portability and the right not to be subject to a decision based solely on automated processing (including profiling ).

When the data subjects execute the rights of access, rectification, erasure, right to object, restriction of processing, right to data portability, and the right not to be subject to a decision based solely:

If the notification has been done to the HEALTHCARE PROFESSIONAL, DSD must be notified in an e-mail to the account dpo@digitalsmiledesign.com . Such notification must be done immediately and no later than 5 working days after the receipt of the request, attached to, in the given case, additional information relevant to the request.
If the notification has been done to DSD directly, DSD will notify the HEALTHCARE PROFFESIONALno later than 5 working days after the receipt of the request, attached to, in the given case, additional information relevant to the request.

Provide support to the CONTROLLER in the development of impact assessments related to data protection and in previous consulting activities to the Control Authority, if applicable and when deemed appropriate, following the data protection regulations that may be applicable and/or following the guidelines provided by the local Control Authority.

3.2 Security Measures

DSD will implement the necessary technical and organizational security measures to guarantee the permanent confidentiality, integrity, availability, and resilience of the treatment systems and services. As minimum guarantees, DSD has implemented the following measures:

Access control. DSD has implemented access controls and user management processes to ensure that only authorized individuals gain access to business applications, systems, and computing devices, that individual accountability is assured, and to provide authorized users with access privileges that are sufficient to enable them to perform their duties but do not permit them to exceed their authority.
1. Password policy. DSD has implemented a password policy that guarantees the following minimum levels of security:
2. Minimum of 8 characters in length
3. Password complexity including upper case, lower case, number & special characters must be enforced
4. Passwords are changed no more than every 6 months
5. Account lockout after no more than a total of 10 failed login attempts must be enforced
Antivirus and similar systems.
Firewall, Intrusion, and detection prevention systems or similar systems.
Physical access control system to the facilities where the information is housed.
Audit logs recording user activities and information security events on systems supporting the Service shall be produced, and shall be kept for a minimum period of 90 days.
Daily backup systems. Documented process of backing up and recovering data.
All software will be updated to ensure they have the latest security patches.
If employees are going to connect to remote systems, security systems such as VPN or other encrypted connection systems will be implemented.
Encryption of patient health-related information.

Upon completion of services, DSD will remove the Personal Data. Nonetheless, the PROCESSOR may keep a copy with the data properly blocked if there are liabilities resulting from the provision of the service or if there is a legal obligation to do so.

3.3 Security Breaches

DSD PLANNING shall notify the HEALTHCARE PROFESSIONALS, without delay and, in any case, within no more than 72 hours after the event is notified through an e-mail, of security breaches for the Personal data under their responsibility, that they may be aware of, as well as any information relevant to the issue’s documentation and communication.

The minimal following information, if available, must be provided:

Description of the nature of the security breach of personal data, including, when possible, the categories and an approximate number of affected parties and the categories and an approximate number of registries of affected personal data.
Name and contact information of the delegate for data protection or another contact that may provide further information.
Description of possible consequences of a security breach in personal data.
Description of the implemented or proposed measures to correct the security breach in personal data, including, if applicable, measures established to relieve possible negative effects.

If the aforementioned information cannot be provided at once, it shall be provided, within the possibilities, gradually, as may be made available, without further delay.

The HEALTHCARE PROFESSIONALS do not need to be notified when it is unlikely that said security breach implies a risk to the rights and liberties of natural persons.

4. RECIPIENTS DATA AND INTERNATIONAL TRANSFERS.

In the framework of its activity and for the purposes specified above, your Personal Data may be shared with the following entities (“Recipients”):

Other companies within the DSD Group* for internal administrative purposes and/or as a complementary service to any DSD Product Purchased:

DSD USA LLC
DSD Planning Center Brasil Ltda.
Digital Smile Design Consultoria Odontologica Ltda

Our partners for purposes of performing services on our behalf, such as business, administrative, accounting, tailored advertising, measuring and improving our services and products, and enabling other enhancements. This may include our partners contacting you via email, mobile phone, text, or other means to which you consent.

DSD's third party, dental and/or training service partners, including those outside the EU, for the purpose of receiving information, products, or benefits from them, pursuant to the various commercial agreements reached by DSD. ("Co-branding Activities"). The third party's use of your information will be governed by the third party's privacy policy, the General Data Protection Regulation (EU) 2016/679 (GDPR).

Network of collaborating laboratories or healthcare professionals for the manufacturing and/or performance of molds, studies, and other related services.

Selected individuals authorized by DSD to process Personal Data needed to carry out activities strictly related to the provision of the services through the Website, who have undertaken an obligation of confidentiality or are subject to an appropriate legal obligation of confidentiality.

Public entities, bodies, or authorities, in accordance with the applicable law or binding orders of those entities, bodies, or authorities.

Depending on the service requested, invoicing may be carried out from any of the companies in the DSD group.

IMPORTANT*

For the Service performance, it might be necessary that the Personal Data is transferred to other companies, which are not always going to be in a territorial scope considered safe by the GDPR.

DSD looks for the best health professionals and service providers to deliver the service worldwide, often according to the geographical area from which orders are placed.

Therefore, such transfers will only be made with your consent and knowing that it will not always be possible to guarantee that the companies using our services come from a territory with an adequate scope of protection.

The consequence of not accepting that both your data as a user of the application or web app, as well as the health data of patients are communicated to an unsafe territory, will make our service not accessible.

All professionals using DSD's services shall ensure that they have requested their patients' consent that their data may eventually be communicated to non-secure territories in accordance with the GDPR, in a clear manner, and that they have understood the information.

5. DATA RIGHTS

As a data subject, you are entitled to exercise the following rights, at any time:

Right to be informed. To be informed about how your Personal Data is collected and processed and, its purposes.
Right of Access. To obtain confirmation as to the existence of your Personal Data being processed by DSD, access and obtain a copy of such data.
Right of rectification. To request to update, modify and/or rectify your Personal Data where it may be inaccurate or incomplete.
Right of Erasure. To obtain the erasure of your Personal Data where you feel that the processing is unnecessary or otherwise unlawful, render Personal Data anonymous, block data whose processing is unlawful, or set limits to the processing.Provided DSD’s legitimate interest to hold such information.
Right to object.

Object to the processing of your Personal Data, based on relevant grounds related to your particular situation, which you believe must prevent DSD from processing your Personal Data for a given purpose.
Object to processing of Personal Data that is made for the purposes of sending advertising material, carrying out direct sales, market research, or commercial communication.

Right to restriction of the processing. Where you feel that the Personal Data processed is inaccurate, or that the processing is unnecessary or unlawful, as well as where you have objected to the processing.

Right to Withdraw your consent to processing (for Marketing and Profiling), where your consent serves as the legal basis for processing – this will not affect the lawfulness of the processing carried out prior to your withdrawal.

Right of Portability – you have the right to obtain a copy of the Personal Data you provided to DSD.

Please note that most of the Personal Data you provide to DSD can be changed at any time, by accessing, where applicable, your user profile created on the Website.

You can also withdraw consent for Marketing (for communications received via e-mail) by selecting the appropriate link included at the bottom of every marketing message. Consent for Profiling carried out by cookies may be withdrawn at any time.

When you request the deletion of your Personal Data, we not only delete the data from our system, but also notify all identified third parties that have access to the personal data to completely remove the data from their systems and confirm erasure.

At any time, you shall be entitled to exercise the rights established by the law in force, by addressing the relevant request to our Privacy Department by sending a written notification to the email: dpo@digitalsmiledesign.com, attaching, in either case, a photocopy of your ID DOCUMENT or other similar identification documents to prove identity as Data Subject.

Models, application forms, and other information regarding rights are available on the website www.aepd.es of the Control Authority, the Spanish Data Protection Agency, hereinafter, AEPD for its abbreviation in Spanish.

6. SECURITY MEASURES

DSD has implemented the necessary technical and organizational security measures to guarantee the confidentiality, integrity, availability, and permanent resistance of treatment systems and services, establishing encryption systems for sensitive information.

In order to determine the security measures to be implemented, DSD has taken into account the risk analysis of our company, through which the most appropriate measures have been determined to guarantee the security of the treatment, which must be adopted, and everything that has been done. In any case, we continue to work to improve the security of our systems and ensure that information is properly protected.

DSD has implemented duly documented and regularly updated personal data protection policies.
DSD´s personal data protection procedures are formally documented, when required, periodically reviewed, and substantiated with objective documents (e.g., minutes of meetings, lists, IT logs), which may demonstrate constant diligence and vigilance regarding the protection of personal data in the processing activities carried out.
DSD has appointed both a security officer and a data protection officer (DPO) responsible for coordinating and monitoring the security rules and procedures as well as data protection compliance.
DSD’s employees are aware of the procedures for data subjects to exercise their right of access, and for communicating requests to exercise data subjects’ rights to the data controller.
DSD maintains a general register where these requests, e.g., to exercise the right of access, are recorded.
DSD has appointed a person/function (the DPO) in charge of providing written explanations to the data controller regarding requests from data subjects.
DSD has set a deadline for communicating requests to the data controller.
DSD has a procedure to document, in writing, any refusals given to data subject's requests to exercise their rights to erasure, restriction of processing, or data portability, and to share this documentation with the data controller.
DSD Client´s Data will be deleted once they have fulfilled the purpose for which they were collected and the conservation periods have been met due to legal obligation.
DSD acts as the Processor of patient data communicated to us by healthcare professionals. For this reason, all health professionals who register on our platform accept the conditions of data processing and are responsible for obtaining the informed consent of patients. Likewise, those registered health professionals who are granted the provision or performance of service will act as sub-charger and are obliged to comply with the minimum measures established in the "data patients" section.
DSD will use the personal data subject to processing exclusively for the purpose object of their responsibility.
DSD will process data according to the guidelines drafted by the healthcare professionals.

DSD may communicate the data to other companies for the performance of its services, acting as sub-processors, including outside the EEA.

7. COMMUNICATION CLAUSE WITH CLIENTS IN RELATION TO DATA PROTECTION

With the aim that DSD Planning Center S.L. provides its services correctly:

The Client/User), agrees to establish communications through SKYPE, WHATSAPP, EMAIL, and other systems in order to maintain and upkeep an adequate legal and/or contractual relationship between the Planning Center DSD S.L. and the Client/User.

If you do not wish to use any of the following means, let us know and we will look for an alternative means

8. CONFIDENTIALITY

All staff members of DSD participating in any of the processing stages shall process and handle your data under strict care and confidentiality. Your data shall not be disclosed or communicated to a third party unless required by legal provisions or the data subject has authorized otherwise.

Last Version 08.06.22