Standard contractual clauses
(January 2020 – rev Openframe July 2023)
pursuant to Article 28(3) of Regulation 2016/679 (GDPR) for the processing of personal data by the processor
between
The Customer
hereinafter ‘the controller’
and
Openframe ApS
CVR 42049581
Bragesgade 8B,
2200 København N
Danmark
hereinafter ‘the processor’
each of which is a ‘Party’ and together constitute the ‘Parties’
HAVE AGREED upon the following standard contractual clauses (the Clauses) in order to comply with the GDPR and to ensure the protection of privacy and the fundamental rights and freedoms of natural persons
1. Contents
- Preamble
- Rights and obligations of the controller
- The processor acts on instructions
- Confidentiality
- Security of processing
- Use of sub-processors
- Transfer to third countries or international organizations
- Assistance to the controller
- Personal data breach notification
- Deletion and return of data
- Audit, including inspection
- Agreement of the parties on other matters
- Entry into force and termination
- Contact persons at the controller and the processor
- Remuneration for assistance under this agreement
Appendix A Information about the processing
Appendix B Sub-processors
Appendix C Instructions for processing personal data
Appendix D The parties' regulation of other matters
2. Preamble
2.1. These Clauses set out the rights and obligations of the data processor when processing personal data on behalf of the data controller.
2.2. These Clauses are designed to ensure the parties' compliance with Article 28(3) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
2.3. In connection with the provision of Openframe, the data processor processes personal data on behalf of the data controller in accordance with these Clauses.
2.4. These Clauses take precedence over any similar provisions in other agreements between the parties.
2.5. There are four appendices to these Clauses, and the appendices form an integral part of the Clauses.
2.6. Appendix A contains details of the processing of personal data, including the purpose and nature of the processing, the type of personal data, the categories of data subjects and the duration of the processing.
2.7. Appendix B contains the controller's conditions for the processor's use of sub-processors and a list of sub-processors that the controller has approved.
2.8. Appendix C contains the data controller's instructions regarding the data processor's processing of personal data, a description of the minimum security measures that the data processor must implement, and how the data processor and any sub-processors are audited.
2.9. Appendix D contains provisions for other activities not covered by these Clauses.
2.10. These Clauses and their appendices shall be kept in writing, including electronically, by both parties.
2.11. These Clauses do not release the data processor from obligations imposed on the data processor under the General Data Protection Regulation or any other legislation.
3. Rights and obligations of the data controller
3.1. The controller is responsible for ensuring that the processing of personal data complies with the GDPR (see Article 24 of the Regulation), data protection provisions of other EU law or Member State law[1] and these Clauses.
3.2. The controller has the right and obligation to decide for which purpose(s) and with which means personal data may be processed.
3.3. The data controller is responsible for, among other things, ensuring that there is a legal basis for the processing of personal data that the data processor is instructed to perform.
4. The data processor acts on instructions
4.1. The data processor may only process personal data on documented instructions from the data controller, unless required to do so by EU or Member State law to which the data processor is subject. These instructions shall be specified in Appendices A and C. Subsequent instructions may also be given by the controller while personal data is being processed, but such instructions must always be documented and stored in writing, including electronically, together with these Clauses.
4.2. The processor shall inform the controller without delay if, in its opinion, an instruction infringes the GDPR or data protection provisions of other Union or Member State law.
5. Confidentiality
5.1. The data processor may only grant access to personal data processed on behalf of the data controller to persons who are subject to the data processor's authority to instruct, who have committed themselves to confidentiality or are subject to an appropriate statutory duty of confidentiality, and only to the extent necessary. The list of persons who have been granted access shall be reviewed on an ongoing basis. Based on this review, access to personal data may be revoked where the access is no longer necessary, and the personal data shall then no longer be accessible to these persons.
5.2. At the request of the controller, the data processor must be able to demonstrate that the persons concerned, who are subject to the data processor's authority to instruct, are subject to the aforementioned duty of confidentiality.
6. Security of processing
6.1. Article 32 of the GDPR states that, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller and processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
The controller must assess the risks to the rights and freedoms of natural persons posed by the processing and implement measures to address those risks. Depending on their relevance, such measures may include:
a. pseudonymization and encryption of personal data
b. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
c. the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident
d. a procedure for regularly testing, assessing and evaluating the effectiveness of the technical and organizational measures for ensuring the security of the processing.
6.2. Pursuant to Article 32 of the Regulation, the processor shall, independently of the controller, also assess the risks to the rights of natural persons posed by the processing and implement measures to mitigate those risks. For the purposes of this assessment, the controller shall provide the processor with the information necessary to identify and assess such risks.
6.3. In addition, the processor shall assist the controller in complying with the controller's obligation under Article 32 of the Regulation by, inter alia, making available to the controller the necessary information regarding the technical and organizational security measures that the processor has already implemented pursuant to Article 32 of the Regulation, and any other information necessary for the controller to comply with its obligation under Article 32 of the Regulation.
If addressing the identified risks, in the controller's assessment, requires the implementation of measures in addition to those already implemented by the processor, the controller shall specify the additional measures to be implemented in Appendix C.
7. Use of sub-processors
7.1. The data processor must fulfil the conditions referred to in Article 28(2) and (4) of the GDPR in order to engage another processor (a sub-processor).
7.2. The data processor may therefore not engage a sub-processor for the fulfilment of these Clauses without prior general written approval from the data controller.
7.3. The processor has the controller's general approval for the use of sub-processors. The processor shall notify the controller in writing of any intended changes concerning the addition or replacement of sub-processors with at least 14 days' notice, thereby giving the controller the opportunity to object to such changes before the sub-processor(s) concerned are used. Longer notice periods for specific processing activities may be specified in Appendix B. The list of sub-processors already approved by the controller can be found in Appendix B.
7.4. Where the processor engages a sub-processor to carry out specific processing activities on behalf of the controller, the processor shall, by contract or other legal act under Union or Member State law, impose on the sub-processor the same data protection obligations as those set out in these Clauses, in particular providing sufficient guarantees that the sub-processor will implement the technical and organizational measures in such a way that the processing complies with the requirements of these Clauses and the GDPR.
The data processor is therefore responsible for requiring that the sub-processor at least complies with the data processor's obligations under these Clauses and the GDPR.
7.5. The sub-processor agreement(s) and any subsequent amendments thereto shall, at the data controller's request, be sent in copy to the data controller, who thereby has the opportunity to ensure that the same data protection obligations as those arising from these Clauses are imposed on the sub-processor. Provisions on commercial terms that do not affect the data protection content of the sub-processor agreement shall not be sent to the data controller.
7.6. Deleted.
7.7. If the sub-processor does not fulfil its data protection obligations, the processor remains fully liable to the controller for the fulfilment of the sub-processor's obligations. This does not affect the rights of the data subjects under the GDPR, in particular Articles 79 and 82 of the Regulation, vis-à-vis the controller and the processor, including the sub-processor.
8. Transfer to third countries or international organizations
8.1. Any transfer of personal data to third countries or international organizations may only be made by the data processor on the basis of documented instructions from the data controller and must always be made in accordance with Chapter V of the GDPR.
8.2. Where a transfer of personal data to third countries or international organizations that the processor has not been instructed to carry out by the controller is required by Union or Member State law to which the processor is subject, the processor shall inform the controller of that legal requirement prior to processing, unless that law prohibits such notification on important grounds of public interest.
8.3. Without documented instructions from the controller, the data processor may not, within the framework of these Clauses:
a. transfer personal data to a controller or processor in a third country or to an international organization
b. entrust the processing of personal data to a sub-processor in a third country
c. process the personal data in a third country
8.4. The controller's instructions regarding the transfer of personal data to a third country, including the possible transfer basis in Chapter V of the GDPR on which the transfer is based, must be set out in Appendix C.6.
8.5. These Clauses shall not be confused with standard contractual clauses within the meaning of Article 46(2)(c) and (d) of the GDPR, and these Clauses cannot constitute a basis for the transfer of personal data within the meaning of Chapter V of the GDPR.
9. Assistance to the controller
9.1. Taking into account the nature of the processing, the data processor shall assist the data controller by appropriate technical and organizational measures, insofar as this is possible, in the fulfilment of the data controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III of the GDPR.
This means that the data processor shall, insofar as this is possible, assist the data controller in ensuring compliance with:
a. the obligation to provide information when personal data is collected from the data subject
b. the obligation to provide information when personal data has not been obtained from the data subject
c. the right of access
d. the right to rectification
e. the right to erasure ("right to be forgotten")
f. the right to restriction of processing
g. the notification obligation in connection with rectification or erasure of personal data or restriction of processing
h. the right to data portability
i. the right to object
j. the right not to be subject to a decision based solely on automated processing, including profiling
9.2. In addition to the data processor's obligation to assist the data controller pursuant to Clause 6.3, the data processor shall, taking into account the nature of the processing and the information available to the data processor, further assist the data controller in ensuring compliance with:
a. the controller's obligation to notify the personal data breach to the competent supervisory authority, the Danish Data Protection Agency, without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons
b. the controller's obligation to communicate the personal data breach to the data subject without undue delay when the breach is likely to result in a high risk to the rights and freedoms of natural persons
c. the controller's obligation to carry out, prior to the processing, an assessment of the impact of the envisaged processing operations on the protection of personal data (a data protection impact assessment)
d. the controller's obligation to consult the competent supervisory authority, the Danish Data Protection Agency, prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk.
9.3. The parties shall specify in Appendix C the appropriate technical and organizational measures by which the data processor shall assist the data controller, as well as the scope and extent of the assistance required. This applies to the obligations set out in Clauses 9.1 and 9.2.
10. Personal data breach notification
10.1. The data processor shall notify the data controller without undue delay after becoming aware that a personal data breach has occurred.
10.2. The data processor's notification to the data controller shall, if possible, take place no later than 24 hours after the data processor has become aware of the breach, so that the data controller can comply with its obligation to notify the personal data breach to the competent supervisory authority, cf. Article 33 of the GDPR.
10.3. In accordance with Clause 9.2.a, the processor shall assist the controller in notifying the breach to the competent supervisory authority. This means that the processor shall assist in providing the following information, which, pursuant to Article 33(3) of the GDPR, shall be included in the controller's notification of the breach to the competent supervisory authority:
a. the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned
b. the likely consequences of the personal data breach
c. the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
10.4. The parties shall specify in Appendix C the information that the processor shall provide in connection with its assistance to the controller in its obligation to notify personal data breaches to the competent supervisory authority.
11. Deletion and return of data
11.1. Upon termination of the personal data processing services, the data processor is obliged to delete all personal data processed on behalf of the controller and to confirm to the controller that the data has been deleted, unless Union or Member State law requires storage of the personal data.
12. Audit, including inspection
12.1. The data processor shall make available to the controller all information necessary to demonstrate compliance with Article 28 of the GDPR and these Clauses, and shall allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.
12.2. The procedures for the controller's audits, including inspections, of the processor and of sub-processors are set out in Appendix C.7 and C.8.
12.3. The data processor is obliged to give supervisory authorities that, under applicable legislation, have access to the data controller's or data processor's facilities, or representatives acting on behalf of the supervisory authority, access to the data processor's physical facilities against proper identification.
13. Agreement of the parties on other matters
13.1. The parties may agree on other provisions relating to the provision of the personal data processing service, such as liability for damages, as long as these other provisions do not directly or indirectly conflict with these Clauses or impair the fundamental rights and freedoms of the data subject arising from the GDPR.
14. Entry into force and termination
14.1. These Clauses shall enter into force on the date on which the controller puts the platform into use.
14.2. Either party may demand renegotiation of these Clauses if changes in legislation or inexpediencies in the Clauses give rise to this.
14.3. These Clauses apply for the duration of the personal data processing service. During this period, the Clauses cannot be terminated unless other provisions governing the provision of the personal data processing service are agreed between the parties.
14.4. If the provision of the personal data processing service ceases and the personal data has been deleted or returned to the controller in accordance with Clause 11.1 and Appendix C.4, the Clauses may be terminated with written notice by either party.
15. Contact persons at the controller and the processor
15.1. The data controller (the Customer) must provide its contact person at the start of the project.
15.2. The parties are obliged to keep each other informed of changes concerning contact persons.
15.3. The data processor can be contacted as follows:
Name: Jesper Ring
Position: CEO
Phone number: +45 5077 8840
E-mail: jr@openframe.org
16. Remuneration for assistance under this agreement
16.1. Openframe is entitled to separate remuneration, according to consumption, for assistance in relation to the data controller's obligations and requests covered by Clauses 6.3, 7.5, 9, 10, 11 and 12 of the Data Processing Agreement, including associated appendices.
Appendix A – Information about the processing
A.1. Purpose of the processing of personal data by the processor on behalf of the controller
The purpose of the processing of personal data is to make the collection and storage of documentation in the controller’s construction processes easy, fast and efficient.
A.2. The processing of personal data by the processor on behalf of the controller relates primarily to (nature of the processing)
The main objective is to provide an IT system that makes the collection, storage and dissemination of information on construction processes to and from relevant stakeholders efficient.
A.3. The processing includes the following types of personal data of the data subjects
Contact details, including name, e-mail address and telephone number of registered users.
Project information, including information on buildings, construction conditions and construction plans, as well as text and comments that users can enter in free text fields.
Documentary information, including specific information on construction projects.
A.4. The processing includes the following categories of data subjects
- Employees of the controller
- Stakeholders in the construction project, including employees of authorities, advisors, consultants, clients, contractors and others involved in the construction process
A.5. The processing of personal data by the processor on behalf of the controller may begin after the entry into force of these Clauses. The duration of the processing is as follows:
Until the Agreement is terminated
Appendix B – Sub-processors
B.1. Authorized sub-processors
Upon entry into force of these Clauses, the controller has authorized the use of the following sub-processors:

| NAME | CVR | ADDRESS | DESCRIPTION OF PROCESSING |
| --- | --- | --- | --- |
| VNTRS consulting AB | – | Göransgatan 63, 112 38 Stockholm, Sweden | Technical development of Openframe In Use and Openframe Build |
| Amazon Web Services, Danish branch of Amazon Web Services EMEA SARL, Luxembourg | 39009323 | Lyskær 3 C 1 tv, 2730 Herlev, Denmark | Storage of information and data, including storage of files and database; development and operation of the web application and running of background processes |
| Google Workspace (Google LLC, Google Ireland Limited; DK branch) | 28866984 | Sankt Petri Passage 5, 2., 1165 Copenhagen K, Denmark | Used for document management, presentations, e-mail communication, etc. |
| Visma e-conomic a/s | 29403473 | Langebrogade 1, 1411 Copenhagen K, Denmark | e-conomic is used as an accounting system for postings, invoicing, etc. |
| Hubspot | – | 2 Canal Park, Cambridge, MA 02141, United States | CRM system: marketing e-mail management, sales leads, support management and more |
| Teamtailor | – | Östgötagatan 16, 116 21 Stockholm, Sweden | Used to manage the recruitment process and career site |
| Microsoft Clarity / Microsoft Azure Cloud Services | 13612870 | Kanalvej 7, 2800 Kongens Lyngby, Denmark | Used to analyze the use of the platform through session recordings and heatmaps |
| TwentyThree | 30070860 | Sortedam Dossering 7E, 2200 Copenhagen, Denmark | Used for hosting webinars |
| ScaleUp Finance | 43196308 | Nyropsgade 41, 1602 Copenhagen, Denmark | Used for external accounting |
B.2. Notification for the approval of sub-processors
The controller is notified of any new sub-processor at least 14 days before it is taken into use.
Appendix C – Instructions for processing personal data
C.1. Subject matter of and instructions for the processing
The data processor’s processing of personal data on behalf of the data controller is carried out by the data processor performing the following:
The Data Processor provides a digital platform “Frame” for handling data related to the Data Controller’s construction projects. The platform is designed to efficiently manage processes, communication, assessments, calculations, documentation, etc. based on the data uploaded and entered by the users in each project.
The data controller itself invites users from its own and other organizations to each project and directs each user to work with the agreed data. In this context, the controller is responsible for instructing all users on how to process data, what data may be uploaded and processed, and with whom it may be shared.
The data controller's users access the platform themselves via a browser using their own usernames and passwords, which is why the data processor does not independently access project data unless the data controller or the data controller's invited users request this via Openframe ApS' support function.
Personal data
Data can be in the form of profile information for each user, uploaded documents and files, and entries in free text fields.
Profile information
For each user, at least the e-mail address used as username is registered. This username must not be changed, as the controller wishes to be able to identify a user's actions in each project. In addition, a user can voluntarily provide their name, telephone number, address, title and organization/company.
It is the controller who instructs users on the correct handling of these personal data. In reports and log files, the user must be identifiable by e-mail address (or by name, if entered), so that it is recorded who made a specific entry or performed a specific action.
Other profile information may be accessible to other users in a specific project or to those of the controller's employees who have a right to it, but it must be possible to delete or modify the data if the user so wishes.
A user's data must be deleted together with other data when a project is terminated by the controller. A project must be automatically deleted when the controller has not paid for the platform/service for 3 consecutive months.
Uploaded documents and files
Users are free to upload documents and files, and it is the data controller who instructs users on the correct handling of personal data in this context. Users must not be able to delete uploaded documents and files themselves, as these must remain available in the project for documentation purposes, but the data controller may instruct the data processor to delete specific documents and files.
Uploaded documents and files must be deleted together with other data when a project is closed by the data controller. A project must be automatically deleted when the controller has not paid for the platform/service for 3 consecutive months.
Entry in free text fields
Users are free to enter personal data in free text fields in the platform, and it is the controller who instructs users on the correct handling of personal data in this context. Users must be able to have text in free text fields deleted or changed via the project's designated Sustainability Manager, so that the new/corrected text appears in the reports from the time of correction onwards. The original entries shall remain visible in the log files.
Entries in free text fields must be deleted together with other data when a project is closed by the data controller. A project must be automatically deleted when the Customer has not paid for the platform/service for 3 consecutive months.
Special categories of personal data
Openframe ApS shall not handle special categories of personal data for the data controller. The controller is responsible for instructing invited users on the correct handling of personal data.
Updates to the platform
The data processor is instructed to inform the data controller and users about new features/updates of the platform that may affect what data is processed and how it is processed. This information may be provided through, for example, e-mails to users. All users must be informed of this via a user agreement when they create their profile on the platform.
The processor must have formal procedures in place to ensure that updates are assessed and implemented in a timely manner.
For critical security updates, the processor must have procedures in place to ensure that these can – as far as possible – be completed within 48 hours.
C.2. Security of processing
The level of security must reflect the following:
The service processes personal data. The service must be provided with a level of security that minimizes the risk that personal data is misused or that data subjects' rights are otherwise violated. However, the processing concerns only a limited set of personal data about each data subject, and the total amount of personal data is limited. No special categories of personal data, data relating to criminal convictions, or data such as CPR numbers (Danish civil registration numbers) are collected. Furthermore, it is assessed that the information collected could only be misused to a very limited extent. It is important that personal data is not freely accessible, that access to the platform is protected against unauthorized access, and that data in transit is protected as far as possible.
The data processor is then entitled and obliged to make decisions about the technical and organizational security measures to be implemented in order to establish the necessary (and agreed) level of security.
However, the processor shall, in any event and as a minimum, implement the following measures agreed with the controller:
- Users of the Openframe platform only have access to their own data and to the data necessary for the performance of their tasks.
- All passwords registered in the platform are stored and transmitted either in encrypted form or replaced by a hash.
- All communication between users and Openframe's system is encrypted using HTTPS.
- Openframe's platform uses a verified certificate.
- Access to personal data shall be restricted to the processor's necessary staff.
- The processor's own staff may only access personal data via personal passwords or keys.
- Data is stored on Amazon Web Services (AWS) secured cloud platforms in the EU.
C.3. Assistance to the controller
The processor shall, to the extent possible and within the scope and extent set out below, assist the controller in accordance with Clauses 9.1 and 9.2 by implementing the following technical and organizational measures:
In the context of the controller's duty to provide information, the system will have the possibility to display a text to new users. This text is prepared by the controller, and it is the controller's responsibility to ensure that it is accurate.
If the processor receives requests from data subjects, such as requests for access, rectification, erasure or other requests, these are forwarded to the controller. In many cases, the controller will then be able to handle the request itself. If necessary, the processor will, on instruction, assist the controller with the handling of requests if the controller requests this in writing.
C.4. Retention period/deletion routine
Personal data are kept until the controller requests the erasure of individual data or until the contract for the provision of the service is terminated.
Upon termination of the personal data processing service, the processor shall delete the personal data in accordance with Clause 11.1, unless the controller, after signing these Clauses, has changed its initial choice. Such changes shall be documented and kept in writing, including electronically, together with these Clauses.
Personal data in CRM, subscription management and accounting systems shall be deleted on request if the contractual relationship is terminated.
C.5. Location of processing
The processing of personal data covered by these Clauses may not, without the prior written authorization of the controller, be carried out in locations other than the following:
- Within the EU
C.6 Instructions on the transfer of personal data to third countries
C.7. Procedures for audits, including inspections, by the controller of the processing of personal data entrusted to the processor
The parties agree that there is no need for external audit opinions. However, the controller may, once a year, ask the processor for a statement on the processor's compliance with the GDPR, data protection provisions of other Union or Member State law and these Clauses.
In addition, the controller or a representative of the controller shall have the right to carry out inspections, including physical inspections, of the premises from which the processor carries out the processing of personal data, including physical locations and systems used for or in connection with the processing. Such inspections may be carried out whenever the controller deems it necessary.
Any costs incurred by the controller in relation to a physical inspection shall be borne by the controller. However, the processor is obliged to allocate the resources (mainly time) necessary for the controller to carry out its inspection.
C.8. Procedures for audits, including inspections, of the processing of personal data entrusted to sub-processors
The data processor shall, once a year and at its own expense, obtain evidence of each sub-processor's compliance with the GDPR, data protection provisions of other Union or Member State law and these Clauses.
The parties agree that the following types of documentation, statements or reports may be used for this purpose:
- The sub-processor's own declarations regarding compliance with the GDPR and information security.
- Audit reports or audit opinions on GDPR compliance and information security issued by an independent third party.
Appendix D – The parties’ regulation of other matters
Other matters are regulated in the parties’ agreement for the provision of the service.
[1] References to “Member State” in these provisions shall be understood as referring to “EEA Member States”.