EU Data Processing Addendum

KaVo Dental GmbH ("Company") carries out a remote maintenance operation on your systems and devices on your behalf ("Customer"). Should KaVo have access to or insight into the personal data of patients during the course of the remote maintenance operation, you agree with the granting of the remote maintenance order with the provisions of this Data Processing Addendum.

  1. This Addendum shall apply to all Processing of Personal Data in the context of the remote maintenance operation.
  2. For the purpose of this Addendum, Data Processor, Data Subject, Personal Data Breach, and Processing have the meanings ascribed to them in the European Union (“EU”) General Data Protection Regulation 2016/679 (“GDPR”). Applicable Law means all applicable EU or EU Member State laws and regulations relating to the privacy, confidentiality, security or protection of Personal Data, including, without limitation, (i) the GDPR and EU Member State laws supplementing the GDPR, and (ii) the EU Directive 2002/58/EC (e-Privacy Directive), as replaced from time to time, and EU Member State laws implementing the e-Privacy Directive, including laws regulating the use of cookies and other tracking technologies. Personal Data means any information relating to an identified or identifiable natural person that is obtained or accessed by Company as contemplated by the Agreement.
  3. In circumstances in which Company Processes Personal Data as a Data Processor in the context of the remote maintenance operation, Company shall:
    1. Process the Personal Data only in accordance with the documented instructions of Customer, unless Company is required to do otherwise by Applicable Law, in which case Company shall inform Customer of the relevant legal requirement before Processing the Personal Data unless informing Customer is prohibited by law on important grounds of public interest;
    2. Ensure that Company’s employees or subcontractors authorized to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
    3. Take security measures required pursuant to Article 32 of the GDPR;
    4. Taking into account the nature of the Processing, assist Customer, by appropriate technical and organizational measures, insofar as this is possible, in fulfilling Customer’s obligation to respond to Data Subjects’ requests for exercising their rights under the GDPR with respect to their Personal Data;
    5. Assist Customer in complying with its obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of the Processing and the information available to Company;
    6. At Customer’s choice, delete or return all Personal Data to Customer after the end of the term of the Agreement, and delete existing copies, unless Applicable Law requires storage of the Personal Data;
    7. Make available to Customer, for inspection on Company’s premises only, the information necessary to demonstrate compliance with the obligations set out in this Addendum and allow for and contribute to audits conducted by Customer or another auditor mandated by Customer and approved by Company, provided that Customer gives Company at least 30 (thirty) days’ prior written notice of its intention to carry out an audit. This notice shall include a detailed work plan for the audit. Any third party involved in the audit must agree to Company’s confidentiality undertakings and Customer will bear all costs and expenses incurred by Company in connection with the audit; and
    8. Company shall immediately inform Customer if, in Company’s opinion, an instruction provided by Customer infringes Applicable Law.
  4. Customer confirms that:
    1. He/she has full rights to provide the Personal Data to Company to allow Company to fulfill the objectives of the remote maintenance operation;
    2. He/she has notified Company of all limitations on Customer’s uses or disclosures of the Personal Data that result from: (i) notices provided to the Data Subject by the third party or any downstream third party from which the data originated, or (ii) any objection by the Data Subject to his or her Personal Data being used for particular purposes;
    3. He/she has complied with all laws and legal requirements in its collection of the Personal Data and transfer of the Personal Data to Customer.
    4. If the Personal Data includes Sensitive Personal Data (e.g., health data), Customer has obtained the written consent of the Data Subject to disclose the Personal Data to Company to allow Company to fulfill the objectives of the remote maintenance operation.
  5. Customer agrees that Company may subcontract its Processing operations performed on behalf of Customer in the context of the remote maintenance operation. Prior to providing any subcontractor access to Personal Data, Company shall require such subcontractor to enter into a written agreement that imposes the same data protection obligations as set out in this Addendum. Upon Customer’s request, Company shall provide Customer with the list of subcontractors authorized to access Personal Data in the context of the remote maintenance operation.
  6. Customer agrees that Company may transfer Personal Data outside of the EU for the purpose of fulfilling its obligations to Customer under the Agreement and on the condition that Company has implemented appropriate safeguards for the transfer of the Personal Data in accordance with Applicable Law.