Standard contractual clauses

( January 2020 – rev Frame June 2021)

pursuant to Article 28(3) of Regulation 2016/679 (GDPR) for the processing of personal data by the processor

between

customers

hereinafter ‘the controller’

and

Frame ApS
CVR 42049581
Bragesgade 8B,  
2200 Copenhagen N
Denmark

hereinafter ‘the processor’

each of which is a ‘Party’ and together constitute the ‘Parties’

HAVE AGREED upon the following standard contractual clauses (the Clauses) in order to comply with the GDPR and to ensure the protection of privacy and the fundamental rights and freedoms of natural persons

1. Content

2. Preamble

3. Rights and obligations of the controller

4. The processor acts on instructions

5. Confidentiality

6. Security of treatment

7. Use of sub-processors

8. Transfer to third countries or international organizations

9. Assistance to the controller

10. Personal data breach notification

11. Deletion and return of data

12. Audit, including inspection

13. Agreement of the parties on other matters

14. Entry into force and termination

15. Contact persons at the controller and the processor

16. Fees for assistance under this agreement

Annex A Information on the processing

Annex B Sub-processors

Annex C Instructions on the processing of personal data

• Personal data
• Profile information
• Uploaded documents and files
• Entry in free text fields
• Special categories of personal data
• Updates to the platform

Annex D Regulation of other matters by the parties

2. Preamble
3. These Clauses set out the rights and obligations of the processor when processing personal data on behalf of the controller.
4. These provisions are designed to ensure the Parties’ compliance with Article 28(3) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR).
5. In the context of the provision of FRAME, the processor processes personal data on behalf of the controller in accordance with these Clauses.
6. These provisions shall prevail over any similar provisions in other agreements between the Parties.
7. There are four annexes to these Regulations and the annexes form an integral part of the Regulations.
8. Annex A provides details on the processing of personal data, including the purpose and nature of the processing, the type of personal data, the categories of data subjects and the duration of the processing.
9. Annex B contains the controller’s conditions for the processor’s use of sub-processors and a list of sub-processors that the controller has authorized the use of.
10. Annex C contains the controller’s instructions regarding the processing of personal data by the processor, a description of the minimum security measures to be implemented by the processor and how the processor and any sub-processors are supervised.
11. Annex D contains provisions for other activities not covered by the Regulations.
12. The provisions and their annexes shall be kept in writing, including electronically, by both parties.
13. These Clauses do not release the Processor from any obligations imposed on the Processor by the GDPR or any other legislation.
14. Rights and obligations of the controller
15. The controller is responsible for ensuring that the processing of personal data is carried out in accordance with the GDPR (see Article 24 of the Regulation), data protection provisions of other Union law or Member State law ^[1] national law and these Clauses.
16. The controller has the right and the obligation to decide for what purpose(s) and by what means personal data may be processed.
17. The controller is responsible for, among other things, ensuring that there is a legal basis for the processing of personal data that the processor is instructed to carry out.
18. The processor acts on instructions
19. The processor shall process personal data only on the documented instructions of the controller, unless required by Union or Member State law to which the processor is subject. This instruction must be specified in Annexes A and C. Subsequent instructions may also be given by the controller while personal data are being processed, but the instruction must always be documented and kept in writing, including electronically, together with these Clauses.
20. The processor shall immediately inform the controller if, in its opinion, an instruction infringes this Regulation or data protection provisions of other Union or Member State law.
21. Confidentiality
22. The processor shall only provide access to personal data processed on behalf of the controller to persons who are subject to the processor’s authority, who are under an obligation of confidentiality or who are subject to an appropriate statutory duty of secrecy, and only to the extent necessary. The list of persons granted access must be reviewed on a regular basis. Based on this review, access to personal data can be closed if access is no longer necessary and the personal data should then no longer be accessible to those individuals.
23. The processor shall be able to demonstrate, at the request of the controller, that the persons concerned who are subject to the processor’s powers of instruction are subject to the abovementioned obligation of professional secrecy.
24. Security of treatment
25. Article 32 of the GDPR states that the controller and the processor, taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, shall implement appropriate technical and organizational measures to ensure a level of protection appropriate to those risks.
    
    The controller must assess the risks to the rights and freedoms of natural persons posed by the processing and implement measures to address those risks. Depending on their relevance, it may include:

• Pseudonymization and encryption of personal data

• ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services

• ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident

• a procedure for regularly testing, assessing and evaluating the effectiveness of the technical and organizational measures for ensuring the security of processing.

2. Article 32 of the Regulation also requires the processor – independently of the controller – to assess the risks to the rights of natural persons posed by the processing and to implement measures to address those risks. For the purposes of that assessment, the controller shall make available to the processor the necessary information to enable the processor to identify and assess such risks.
3. In addition, the processor shall assist the controller in its compliance with the controller’s obligation under Article 32 of the Regulation, including by making available to the controller the necessary information concerning the technical and organizational security measures already implemented by the processor pursuant to Article 32 of the Regulation and any other information necessary for the controller to comply with its obligation under Article 32 of the Regulation.
   
   Where addressing the identified risks requires – in the controller’s assessment – the implementation of additional measures to those already implemented by the processor, the controller shall specify the additional measures to be implemented in Annex C.
4. Use of sub-processors
5. The processor must meet the conditions referred to in Article 28(2) and (4) of the GDPR in order to use another processor (a sub-processor).
6. Thus, the Processor may not use a sub-processor for the fulfillment of these Clauses without the prior general written consent of the Controller.
7. The processor has the general authorization of the controller for the use of sub-processors. The Processor shall notify the Controller in writing of any planned changes regarding the addition or replacement of sub-processors with at least 14 days’ notice, thereby giving the Controller the opportunity to object to such changes prior to the use of the sub-processor(s) in question. Longer notice periods for notification for specific processing operations may be specified in Annex B. The list of sub-processors already authorized by the controller is set out in Annex B.
8. Where the processor uses a sub-processor for the performance of specific processing activities on behalf of the controller, the processor shall impose on the sub-processor, by way of a contract or other legal act under Union or Member State law, the same data protection obligations as those set out in these Clauses, in particular providing appropriate guarantees that the sub-processor will implement the technical and organizational measures in such a way that the processing complies with the requirements of these Clauses and the GDPR.
   
   The Processor is therefore responsible for requiring the sub-processor to at least comply with the Processor’s obligations under these Clauses and the GDPR.
9. A copy of the sub-processor agreement(s) and any subsequent amendments thereto shall – at the request of the controller – be sent to the controller, who thereby has the opportunity to ensure that similar data protection obligations arising from these Clauses are imposed on the sub-processor. Provisions on commercial terms which do not affect the data protection law content of the sub-processor agreement shall not be sent to the controller.
10. Deleted
11. If the sub-processor fails to comply with its data protection obligations, the processor remains fully liable to the controller for the performance of the sub-processor’s obligations. This is without prejudice to the data subjects’ rights under the GDPR, in particular Articles 79 and 82 of the Regulation, vis-à-vis the controller and the processor, including the sub-processor.
12. Transfer to third countries or international organizations
13. Any transfer of personal data to third countries or international organizations may only be carried out by the processor on the basis of documented instructions from the controller and shall always be in accordance with Chapter V of the GDPR.
14. Where the transfer of personal data to third countries or international organizations, which the processor has not been instructed to carry out by the controller, is required by Union or Member State law to which the processor is subject, the processor shall inform the controller of that legal requirement prior to processing, unless that law prohibits such information on important grounds of public interest.
15. Thus, without documented instructions from the controller, the processor cannot within the framework of these Clauses:

• transfer personal data to a controller or processor in a third country or an international organization
• entrust the processing of personal data to a sub-processor in a third country
• process the personal data in a third country

4. The controller’s instructions for the transfer of personal data to a third country, including the possible transfer basis in Chapter V of the GDPR on which the transfer is based, if any, shall be set out in Annex C.6.
5. These Clauses shall not be confused with standard contractual clauses within the meaning of Article 46(2)(c) and (d) of the GDPR and these Clauses cannot constitute a basis for the transfer of personal data within the meaning of Chapter V of the GDPR.
6. Assistance to the controller
7. The processor shall, taking into account the nature of the processing, assist the controller as far as possible, by appropriate technical and organizational measures, in fulfilling the controller’s obligation to respond to requests for the exercise of the rights of data subjects as laid down in Chapter III of the GDPR. This implies that the processor shall, as far as possible, assist the controller in connection with the controller’s obligation to ensure compliance with

• the obligation to provide information when collecting personal data from the data subject
• the obligation to provide information where personal data has not been collected from the data subject
• the right of access
• the right to rectification
• the right to erasure (“right to be forgotten”)
• the right to restriction of processing
• the obligation to notify the rectification or erasure of personal data or restriction of processing
• the right to data portability
• the right to object
• the right not to be subject to a decision based solely on automated processing, including profiling

2. In addition to the processor’s obligation to assist the controller pursuant to Clause 6.3, the processor shall, taking into account the nature of the processing and the information available to the processor, further assist the controller by

• the controller’s obligation to notify the personal data breach to the competent supervisory authority, the Data Protection Authority, without undue delay and, where possible, no later than 72 hours after becoming aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons

• the controller’s obligation to communicate a personal data breach to the data subject without undue delay where the breach is likely to result in a high risk to the rights and freedoms of natural persons

• the obligation for the controller to carry out a pre-processing analysis of the impact of the envisaged processing operations on the protection of personal data (an impact assessment)

4. the obligation of the controller to consult the competent supervisory authority, the Data Protection Authority, prior to processing, where a data protection impact assessment shows that the processing will lead to a high risk in the absence of measures taken by the controller to mitigate the risk.
5. The parties shall specify in Annex C the technical and organizational measures necessary for the processor to assist the controller and the extent and scope of the assistance to be provided by the processor. This applies to the obligations arising from Clause 9.1. and 9.2.
6. Personal data breach notification
7. The processor shall inform the controller without undue delay after becoming aware of a personal data breach.
8. The data processor’s notification to the data controller shall, where possible, be made no later than 24 hours after it has become aware of the breach, so that the data controller can comply with its obligation to notify the personal data breach to the competent supervisory authority, cf. Article 33 of the GDPR.
9. In accordance with Clause 9.2.a, the Processor shall assist the Controller in notifying the breach to the competent supervisory authority. This means that the processor must assist in providing the following information, which according to Article 33(3) must be included in the controller’s notification of the breach to the competent supervisory authority:

• the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects affected and the categories and approximate number of personal data records affected

• the likely consequences of the personal data breach

• the measures taken or proposed to be taken by the controller to address the personal data breach, including, where applicable, measures to mitigate its possible adverse effects.

4. The parties shall specify in Annex C the information to be provided by the processor in relation to its assistance to the controller in its obligation to notify personal data breaches to the competent supervisory authority.
5. Deletion and return of data
6. Upon termination of the personal data processing services, the processor shall be obliged to erase all personal data that have been processed on behalf of the controller and to confirm to the controller that the data have been erased, unless Union or Member State law provides for the retention of the personal data.
7. Audit, including inspection
8. The processor shall make available to the controller all information necessary to demonstrate compliance with Article 28 of the GDPR and these Clauses and shall allow for and contribute to audits, including inspections, carried out by the controller or another auditor authorized by the controller.
9. The procedures for the controller’s audits, including inspections, with the processor and sub-processors are detailed in Annex C.7. and C.8.
10. The Processor shall be obliged to grant access to the physical facilities of the Processor to supervisory authorities that have access to the facilities of the Controller or Processor under applicable law, or to representatives acting on behalf of the supervisory authority, against proper identification.
11. Agreement of the parties on other matters
12. The parties may agree on other provisions concerning the service relating to the processing of personal data, such as liability, as long as these other provisions do not directly or indirectly conflict with the Clauses or impair the fundamental rights and freedoms of the data subject arising from the GDPR.
13. Entry into force and termination
14. The provisions shall enter into force on the date on which the Controller puts the platform into use
15. Both parties may request renegotiation of the Provisions if changes in legislation or inappropriateness of the Provisions give rise to this.
16. The provisions apply for the duration of the personal data processing service. During this period, the Clauses cannot be terminated unless other provisions governing the provision of the service relating to the processing of personal data are agreed between the parties.
17. If the provision of the services relating to the processing of personal data ceases and the personal data has been erased or returned to the controller in accordance with Clause 11.1 and Annex C.4, the Clauses may be terminated with written notice by either party.
18. Contact persons at the controller and the processor
19. The Data Controller (Customer) must provide the contact person at the start of the project.
20. The parties are obliged to keep each other informed of changes concerning contact persons.
21. Contact with the Data Processor can be made to the following:

Name: Jesper Ring Jesper Ring

Position: CEO

Telephone number: +45 5077 8840

E-mail: jr@openframe.org

16. Fees for assistance under this agreement
17. Frame is entitled to separate remuneration according to consumption for assistance/assistance in relation to the data controller’s obligations and requirements covered by the data processing agreement §6.3, §7.5, §9, §10, §11 and §12 including associated appendices.

 

Annex A – Information on the processing

A.1. Purpose of the processing of personal data by the processor on behalf of the controller

The purpose of the processing of personal data is to make the collection and storage of documentation in the controller’s construction processes easy, fast and efficient.

A.2. The processing of personal data by the processor on behalf of the controller relates primarily to (nature of the processing)

The main objective is to provide an IT system that makes the collection, storage and dissemination of information on construction processes to and from relevant stakeholders efficient.

A.3. The processing includes the following types of personal data of the data subjects

Contact details, including name, email, telephone number of the registered users.

Project information, including information on buildings, construction conditions, construction plans, as well as text and comments that users can enter in free text fields.

Documentary information, including specific information on construction projects.

A.4. The processing includes the following categories of data subjects

• Employees of the controller
• Stakeholders in the construction project including employees of authorities, advisors, consultants, clients, contractors and others involved in the construction process

A.5. The processing of personal data by the processor on behalf of the controller may begin after the entry into force of these Provisions. The duration of the treatment is as follows

Until the Agreement is terminated

Annex B – Sub-processors

B.1. Authorized sub-processors

Upon entry into force of the Provisions, the Controller has authorized the use of the following sub-processors

NAME	CVR	ADDRESS	DESCRIPTION OF TREATMENT
Amazon Web Services, Danish branch of Amazon Web Services EMEA SARL, Luxembourg	39009323	Lyskær 3 C 1 tv, 2730 Herlev	Storage of information, data storage. Including storage of files and database, development and operation of web application and running background processes
Google LLC, Google Ireland Limited.DK branch:	28866984	Sankt Petri Passage 5, 2.1165 København K	Google Workspace is used for document management, presentations, communication, etc.
Upodi ApS	38558862	Åbogade 25, st., 8200 Aarhus N	Subscription management system for managing and invoicing licenses
Pipedrive OÜ	–	Mustamäe tee 3a Tallinn 10615, Estonia	CRM system
Visma e-conomic a/s	29403473	Langebrogade 11411 Copenhagen K	E-conomic is used as an accounting system for postings, invoicing, etc.
The Rocket Science Group LLC d/b/a Mailchimp	–	675 Ponce de Leon Ave NE, Suite 5000 Atlanta, GA 30308 USA	Mailchimp is used for newsletters and the recipient can unsubscribe from newsletters at any time.
AgileLeanHouse A/S	30279751	Niels Finsensvej 20 – DK-7100 Vejle, Denmark	Technical development of the Frame platform.

Upon entry into force of the Provisions, the Controller has authorized the use of the above-mentioned sub-processors for the processing activity described. The processor shall not – without the written authorization of the controller – use a sub-processor for a processing activity other than that described and agreed or use another sub-processor for that processing activity.

B.2. Notification for the approval of sub-processors

When using new sub-processors, this is notified within 14 days before the start of use.

Annex C – Instructions on the processing of personal data

C.1. Subject matter/instruction of the treatment

The data processor’s processing of personal data on behalf of the data controller is carried out by the data processor performing the following:

The Data Processor provides a digital platform “Frame” for handling data related to the Data Controller’s construction projects. The platform is designed to efficiently manage processes, communication, assessments, calculations, documentation, etc. based on the data uploaded and entered by the users in each project.

Data controllers themselves invite users from their own and other organizations to each project and encourage each user to work with the agreed data. In this context, the controller is responsible for instructing all users on how to process data, what data may be uploaded and processed and with whom it may be shared.

The data controller’s users access the platform themselves via a browser and their own usernames and passwords, which is why the data processor does not independently access project data unless the data controller or the data controller’s invited users request this via Frame ApS’ support function.

Personal data

Data can be in the form of profile information for each user, uploaded documents and files, and

entries in free text fields.

Profile information

For each user, at least the e-mail address used as username is registered. This username must not be changed, as it is the controller’s wish to be able to identify a user’s actions in each project. In addition, a user can voluntarily provide their name, telephone number, address, title and organization/company.

It is the controller who instructs users on the correct handling of these

personal data. In reports and log files, the user must be identifiable by email address (or by name if entered), so that it is recorded who has made the specific entry or action.

Other profile information must be accessible to other users in a specific project or to

The controller’s employees have the right to do so, but must be able to delete or modify the data if the user so wishes.

A user’s data must be deleted together with other data when a project is terminated by the controller. A project must be automatically deleted when the controller has not paid for the platform/service for 3 consecutive months.

Uploaded documents and files

Users are free to upload documents and files and it is the data controller who instructs users on the correct handling of personal data in this context. Users must not be able to delete uploaded documents and files themselves, as these must be available in the project for documentation purposes, but the data controller may instruct the data processor to delete specific documents and files.

Uploaded documents and files must be deleted together with other data when a project is closed by the data controller. A project must be automatically deleted when the controller has not paid for the platform/service for 3 consecutive months.

Entry in free text fields

Users are free to enter personal data in free text fields in the platform. It is the controller who instructs users on the correct handling of personal data in this context. Users must be able to delete and change text in free text fields via the project’s designated Sustainability Manager, so that the new/corrected text appears in the reports going forward from the time of correction. Entries should continue to be visible in log files.

Inputs in free text fields must be deleted together with other data when a project is closed by the data controller. A project shall be automatically deleted when the Customer has not paid for the platform/service for 3 consecutive months.

Special categories of personal data

Frame ApS is not required to handle special categories of personal data for the controller. The controller is responsible for instructing invited users on the correct handling of personal data.

Updates to the platform

The data processor is instructed to inform the data controller and users about new features/updates of the platform that may have an impact on what data is processed and how data is processed. This information should be provided through, for example, e-mails to users. All users must be informed of this fact via a user agreement when they create their profile on the platform.

The processor must have formal procedures in place to ensure that updates are assessed and implemented in a timely manner.

For critical security updates, the processor must have procedures in place to ensure that these can – as far as possible – be completed within 48 hours.

C.2. Security of treatment

The level of security must reflect:

That the service processes personal data. The service must be provided with a level of security that minimizes the risks that personal data can be misused or that data subjects’ rights are otherwise violated. However, the processing concerns only a few personal data of the data subjects and the total amount of personal data is limited. No information is collected in special categories, information on criminal convictions or information such as CPR numbers. Furthermore, it is assessed that the information collected could only be misused to a very limited extent. It is important that personal data is not freely accessible and that access to the platform is protected against unauthorized access and that data transmitted is protected as far as possible.

The data processor is then entitled and obliged to make decisions about the technical and organizational security measures to be implemented to establish the necessary (and agreed) level of security.

However, the processor shall – in any event and as a minimum – implement the following measures agreed with the controller

• Users of the Frame platform have access only to their own data and data necessary for the performance of their tasks.
• All passwords registered in the platform are stored and transmitted in either encrypted form or by replacing them with a hash code.
• All communication between users and Frame’s system is encrypted via https protocols.
• Frame’s platform uses a verified certificate.
• Access to personal data shall be restricted to necessary staff of the processor.
• The Processor’s own staff may only access personal data via personal passwords or keys.
• Data is stored on Amazon Web Services (AWS) secured cloud platforms in the EU.

C.3 Assistance to the controller

The Processor shall, to the extent possible and within the scope and extent set out below, assist the Controller in accordance with Clause 9.1 and 9.2 by implementing the following technical and organizational measures

In the context of the controller’s duty of information, the system will have the possibility to display a text to new users. This text is prepared by the controller and it is the controller’s responsibility to ensure that it is accurate.

If the processor receives requests from the data subjects, such as access, rectification, erasure or other requests, these are forwarded to the controller. In many cases, the controller will then be able to process the request itself. If necessary, the processor will, on instruction, assist the controller with the processing of requests if the controller requests this in writing.

C.4 Retention period/deletion routine

Personal data are kept until the controller requests the erasure of individual data or until the contract for the provision of the service is terminated.

Upon termination of the personal data processing service, the processor shall delete the personal data in accordance with clause 11.1, unless the controller – after signing these provisions – has changed the controller’s initial choice. Such changes shall be documented and kept in writing, including electronically, in relation to the provisions.

Personal data in CRM, subscription management and accounting systems shall be deleted on request if the contractual relationship is terminated.

C.5 Location of treatment

The processing of personal data covered by the Clauses may not, without the prior written authorization of the controller, be carried out in locations other than the following

• Within the EU

C.6 Instructions on the transfer of personal data to third countries

C.7 Procedures for audits, including inspections, by the controller of the processing of personal data entrusted to the processor

The parties agree that there is no need for external audit opinions. However, the controller may, once a year, ask the processor for a statement on the processor’s compliance with the GDPR, data protection provisions of other Union or Member State law and these Clauses.

In addition, the controller or a representative of the controller shall have the right to carry out inspections, including physical inspections, of the premises from which the processor carries out the processing of personal data, including physical locations and systems used for or in connection with the processing. Such inspections may be carried out whenever the controller deems it necessary.

Any costs incurred by the controller in relation to a physical inspection shall be borne by the controller. However, the processor is obliged to allocate the resources (mainly time) necessary for the controller to carry out its inspection.

C.8 Procedures for audits, including inspections, of the processing of personal data entrusted to sub-processors

The Data Processor shall once a year, at its own expense, obtain evidence of the Sub-Processor’s compliance with the GDPR, data protection provisions in other Union or Member State law and these Clauses.

The Parties agree that the following types of documentation, statements or reports may be used in accordance with these provisions:

• Sub-processor’s own declarations regarding compliance with the GDPR and information security.
• Audit reports or audit opinion on GDPR compliance and information security carried out by an independent third party.

Annex D – Regulation of other matters by the parties

Other matters are regulated in the parties’ agreement for the provision of the service.

---

[1] References to “Member State” in these provisions shall be understood as referring to “EEA Member States”.