Standard contractual clauses

(January 2020 – rev Frame July 2023)

pursuant to Article 28(3) of Regulation 2016/679 (GDPR) for the processing of personal data by the processor

between

The customer

hereinafter ‘the controller’

and

Frame ApS
CVR 42049581
Bragesgade 8B,
2200 København N
Danmark

hereinafter ‘the processor’

each of which is a ‘Party’ and together constitute the ‘Parties’

HAVE AGREED upon the following standard contractual clauses (the Clauses) in order to comply with the GDPR and to ensure the protection of privacy and the fundamental rights and freedoms of natural persons

2. Preamble

  1. These Clauses set out the rights and obligations of the data processor when it
    carries out processing of personal data on behalf of the controller.

  2. These provisions are designed to ensure compliance by the Parties with Article 28(3) of
    Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons
    with regard to the processing of personal data and on the free movement of such data, and
    repealing Directive 95/46/EC (the General Data Protection Regulation).

  3. In connection with the delivery of FRAME, the data processor processes personal data on behalf of the
    data controller in accordance with these Clauses.

  4. The provisions take precedence over any similar provisions in other agreements between
    the parties.

  5. There are four annexes to these Clauses and the annexes form an integral part of the Clauses.

  6. Annex A contains details on the processing of personal data, including the purpose and nature
    of the processing, the type of personal data, the categories of data subjects and the duration of the processing.

  7. Annex B contains the data controller’s conditions for the data processor’s use of sub-processors and a
    list of sub-processors that the controller has authorized the use of.

  8. Appendix C contains the data controller’s instructions regarding the data processor’s processing of
    personal data, a description of the security measures that the processor shall as a minimum
    implement, and how the data processor and any sub-processors are supervised.

  9. Annex D contains provisions for other activities not covered by the Clauses.

  10. The provisions and their annexes shall be kept in writing, including electronically, by both parties.

  11. These Clauses do not release the data processor from any obligations imposed on the data processor under
    GDPR or any other legislation.

3. Rights and obligations of the data controller

  1. The controller is responsible for ensuring that the processing of personal data is carried out in accordance
    with the General Data Protection Regulation (see Article 24 of the Regulation), data protection provisions in other EU
    law or the national law of the Member States [1] and these Provisions.

  2. The controller has the right and obligation to decide for which purpose(s) and by which
    means personal data may be processed.

  3. The data controller is responsible for, among other things, ensuring that there is a legal basis for the processing
    of personal data that the data processor is instructed to perform.

4. The data processor acts on instructions

  1. The data processor may only process personal data according to documented instructions from the data controller,
    unless required to do so by EU law or the national law of the Member States to which the processor
    is subject. These instructions must be specified in Annexes A and C. Subsequent instructions may also be given by the
    controller while personal data is being processed, but the instructions must always be
    documented and kept in writing, including electronically, together with these Provisions.

  2. The Processor shall immediately inform the Controller if, in its opinion, an instruction
    is in breach of the General Data Protection Regulation or data protection provisions of other Union law or
    Member State national law.

5. Confidentiality

  1. The data processor may only provide access to personal data processed on behalf of the data controller to
    persons who are subject to the data processor’s instructional powers, who have committed themselves to confidentiality
    or are subject to an appropriate statutory duty of confidentiality, and only to the extent necessary. The list of people,
    who have been granted access must be reviewed on an ongoing basis. Based on this review, access to
    personal data shall be closed if access is no longer necessary, and the personal data shall then
    no longer be available to these individuals.

  2. The data processor shall, at the request of the data controller, be able to demonstrate that the persons concerned,
    who are subject to the data processor’s powers of instruction are subject to the aforementioned duty of confidentiality.

6. Security of processing

  1. Article 32 of the GDPR states that the controller and the processor shall,
    taking into account the current state of the art, the implementation costs and
    the nature, scope, context and purpose of the processing and the risks of varying likelihood and severity
    for the rights and freedoms of natural persons, implement appropriate technical and organizational
    measures to ensure a level of protection appropriate to those risks.

    The controller must assess the risks to the rights and freedoms of natural persons that
    the processing poses and implement measures to address these risks. Depending on their relevance,
    the measures can include:

    a. Pseudonymization and encryption of personal data

    b. Ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services

    c. Ability to timely restore the availability of and access to personal data in the event of a physical or technical incident

    d. A procedure for regularly testing, assessing and evaluating the effectiveness of the technical and organizational measures for ensuring the security of processing.

  2. According to Article 32 of the Regulation, the processor – independently of the controller – must also assess
    the risks to the rights of natural persons posed by the processing and implement measures to
    address these risks. For the purposes of this assessment, the controller shall make available
    to the processor the necessary information that enables the processor to identify and assess
    such risks.

  3. In addition, the data processor must assist the data controller with its compliance with
    the data controller’s obligation under Article 32 of the Regulation by, among other things, making
    available to the controller the necessary information regarding the technical and organizational security measures that
    the processor has already implemented in accordance with Article 32 of the Regulation, and any other information that
    is necessary for the controller to comply with its obligation under Article 32 of the Regulation.

    If addressing the identified risks – in the opinion of the controller – requires the implementation of
    measures in addition to those already implemented by the processor,
    the controller shall specify the additional measures to be implemented in Annex C.

7. Use of sub-processors

  1. The data processor must meet the conditions referred to in Article 28(2) and (4) of the GDPR
    to make use of another data processor (a sub-processor).

  2. Thus, the Data Processor may not make use of a sub-processor for the fulfillment of these Clauses
    without the prior general written consent of the controller.

  3. The processor has the general authorization of the controller for the use of sub-processors.
    The Processor shall inform the Controller in writing of any planned changes regarding
    addition or replacement of sub-processors with at least 14 days’ notice, thereby giving the
    data controller the opportunity to object to such changes prior to the use of the
    sub-processor(s) in question. A longer notice period for specific processing activities
    may be specified in Annex B. The list of sub-processors that the controller has already authorized
    is shown in Appendix B.

  4. When the data processor makes use of a sub-processor in connection with the performance of specific
    processing activities on behalf of the data controller, the data processor shall, through a contract or other
    legal act under Union or Member State law, impose on
    the sub-processor the same data protection obligations as those set out in these
    Provisions, providing, in particular, the necessary guarantees that the sub-processor will
    implement the technical and organizational measures in such a way that the processing complies with
    the requirements of these Clauses and the GDPR.

    The data processor is therefore responsible for requiring the sub-processor to, as a minimum, comply with
    the data processor’s obligations under these Clauses and the GDPR.

  5. Sub-processor agreement(s) and any subsequent amendments thereto shall be sent – upon the data controller’s
    request – in copy to the data controller, who thereby has the opportunity to ensure that similar
    data protection obligations arising from these Clauses are imposed on the sub-processor.
    Provisions on commercial terms that do not affect the data protection law content of
    the sub-processor agreement shall not be sent to the controller.

  6. Deleted

  7. If the sub-processor does not fulfill its data protection obligations, the processor remains fully
    responsible to the controller for the fulfillment of the sub-processor’s obligations. This does not
    affect the rights of data subjects arising from the General Data Protection Regulation, in particular
    Articles 79 and 82, against the controller and the processor, including the sub-processor.

8. Transfer to third countries or international organizations

  1. Any transfer of personal data to third countries or international organizations may only be carried out by
    the data processor on the basis of documented instructions from the data controller and must always take place
    in accordance with Chapter V of the GDPR.

  2. If a transfer of personal data to third countries or international organizations, which the data processor
    has not been instructed to carry out by the controller, is required by EU law or
    the national law of the Member State to which the processor is subject, the processor shall inform the
    controller of this legal requirement prior to processing, unless the law in question prohibits such
    notification for reasons of important public interest.

  3. Without documented instructions from the data controller, the data processor may not, within the framework of
    these Provisions:

    a. Transfer personal data to a controller or processor in a third country or an international organization

    b. Entrust the processing of personal data to a sub-processor in a third country

    c. Process the personal data in a third country

  4. The controller’s instructions regarding the transfer of personal data to a third country, including
    any transfer basis in Chapter V of the GDPR on which the transfer is based, must
    be listed in Appendix C.6.

  5. These Clauses are not to be confused with standard contractual clauses as referred to in
    Article 46(2)(c) and (d) of the GDPR, and these Clauses cannot constitute a
    basis for the transfer of personal data as referred to in Chapter V of the GDPR.

9. Assistance to the controller

  1. The data processor shall, taking into account the nature of the processing, assist the data controller as far as possible,
    by appropriate technical and organizational measures, in fulfilling the data controller’s
    obligation to respond to requests for the exercise of data subjects’ rights as laid down in
    Chapter III of the General Data Protection Regulation.

    This means that the data processor must, as far as possible, assist the data controller in connection with
    the controller’s duty to ensure compliance with:

    a. the obligation to provide information when collecting personal data from the data subject
    b. the obligation to provide information where personal data has not been collected from the data subject
    c. the right of access
    d. the right to rectification
    e. the right to erasure (“right to be forgotten”)
    f. the right to restriction of processing
    g. the obligation to notify regarding rectification or erasure of personal data or
    restriction of processing
    h. the right to data portability
    i. the right to object
    j. the right not to be subject to a decision based solely on automated processing,
    including profiling

  2. In addition to the Processor’s obligation to assist the Controller pursuant to Clause 6.3,
    the processor shall, taking into account the nature of the processing and the information
    available to the processor, assist the controller with:

    a. the data controller’s obligation to, without undue delay and, if possible, no later than 72 hours after
    having become aware of it, report a personal data breach to the competent
    supervisory authority, Datatilsynet, unless it is unlikely that the
    personal data breach poses a risk to the rights or freedoms of natural persons

    b. the controller’s obligation to inform the data subject without undue delay of a
    personal data breach when the breach is likely to result in a high risk to the
    rights and freedoms of natural persons

    c. the controller’s obligation to carry out, prior to processing, an analysis of
    the impact of the intended processing operations on the protection of personal data (an impact assessment)

    d. the controller’s obligation to consult the competent supervisory authority, the Data Protection Authority, before
    processing where a data protection impact assessment shows that the processing will lead to
    a high risk in the absence of measures taken by the controller to mitigate the risk.

  3. The Parties shall specify in Annex C the necessary technical and organizational measures by which
    the data processor must assist the data controller and to what extent and scope. This applies to the
    obligations arising from Clause 9.1. and 9.2.

10. Personal data breach notification

  1. The data processor shall inform the data controller without undue delay after becoming aware
    that a personal data breach has occurred.

  2. The data processor’s notification to the data controller must, if possible, take place no later than 24 hours after the data controller has
    become aware of the breach so that the controller can comply with its obligation to notify
    the personal data breach to the competent supervisory authority in accordance with
    Article 33 of the GDPR.

  3. In accordance with Clause 9.2.a, the Processor shall assist the Controller in making
    notification of the breach to the competent supervisory authority. This means that the data processor must assist
    in providing the following information, which according to Article 33(3) shall be included in the controller’s
    notification of the breach to the competent supervisory authority:

    a. the nature of the personal data breach, including, if possible, the categories and the
    approximate number of affected data subjects, as well as the categories and approximate number of affected
    personal data records

    b. the likely consequences of the personal data breach

    c. the measures taken or proposed to be taken by the controller to address the
    personal data breach, including, where appropriate, measures to limit its possible
    harmful effects.

  4. The parties shall specify in Annex C the information that the data processor must provide in connection with its
    assisting the data controller in its obligation to notify personal data breaches to the
    competent supervisory authority.

11. Deletion and return of data

  1. Upon termination of the services relating to the processing of personal data, the data processor is obliged to
    erase all personal data that has been processed on behalf of the controller and confirm to
    the controller that the data has been erased unless EU or Member State law
    prescribes the retention of the personal data.

12. Auditing, including inspection

  1. The data processor shall make available to the controller all information necessary to demonstrate compliance with
    Article 28 of the General Data Protection Regulation and these Clauses, and shall
    enable and contribute to audits, including inspections, carried out by the controller or
    another auditor authorized by the controller.

  2. The procedures for the controller’s audits, including inspections, of the processor and
    sub-processors are specified in Appendix C.7. and C.8.

  3. The data processor is obliged to provide supervisory authorities, which according to applicable law have access to
    the facilities of the controller or processor, or representatives acting
    on behalf of the supervisory authority, access to the physical facilities of the processor against proper identification.

13. Agreement of the parties on other matters

  1. The parties may agree on other provisions concerning the service relating to the processing of personal data,
    such as liability, as long as these other provisions do not directly or indirectly conflict with
    the Clauses or impair the fundamental rights and freedoms of the data subject that
    follow from the General Data Protection Regulation.

14. Entry into force and termination

  1. The provisions shall enter into force on the date on which the Controller puts the platform into use.

  2. Both parties may demand renegotiation of the Clauses if changes in the law or inappropriateness of
    the provisions give rise to this.

  3. The provisions apply for the duration of the personal data processing service. In
    this period, the Clauses may not be terminated unless other provisions governing the provision of
    the service regarding the processing of personal data are agreed between the parties.

  4. If the provision of the services relating to the processing of personal data ceases and the personal data is
    deleted or returned to the controller in accordance with Clause 11.1 and Annex C.4,
    the provisions may be terminated with written notice by either party.

15. Contact persons at the controller and the processor

  1. The Data Controller (Customer) must provide the contact person at the start of the project.

  2. The parties are obliged to keep each other informed of changes concerning contact persons.

  3. Contact with the Data Processor can be made to the following:
    Name: Jesper Ring
    Position: CEO
    Telephone number: +45 5077 8840
    E-mail: jr@openframe.org

16. Remuneration for assistance under this agreement

  1. Frame is entitled to a separate fee according to consumption for assistance in relation to
    the data controller’s obligations and claims covered by the data processing agreement §6.3, §7.5, §9, §10, §11 and §12
    incl. associated appendices.



Appendix A – Information about the processing

A.1. Purpose of the processing of personal data by the processor on behalf of the controller

The purpose of the processing of personal data is to make the collection and storage of documentation in the controller’s construction processes easy, fast and efficient.

A.2. The processing of personal data by the processor on behalf of the controller relates primarily to (nature of the processing)

The main objective is to provide an IT system that makes the collection, storage and dissemination of information on construction processes to and from relevant stakeholders efficient.

A.3. The processing includes the following types of personal data of the data subjects

Contact details, including name, email, telephone number of the registered users.

Project information, including information on buildings, construction conditions, construction plans, as well as text and comments that users can enter in free text fields.

Documentary information, including specific information on construction projects.

A.4. The processing includes the following categories of data subjects

    • Employees of the controller

    • Stakeholders in the construction project including employees of authorities, advisors, consultants, clients, contractors and others involved in the construction process

A.5. The processing of personal data by the processor on behalf of the controller may begin after the entry into force of these Provisions. The duration of the processing is as follows

Until the Agreement is terminated

Appendix B – Sub-processors

B.1. Authorized sub-processors

Upon entry into force of the Provisions, the Controller has authorized the use of the following sub-processors

NAME | CVR | ADDRESS | DESCRIPTION OF PROCESSING
VNTRS consulting AB | | Göransgatan 63, 112 38 Stockholm, Sweden | Technical development of Frame In Use and Frame Build
Amazon Web Services, Danish branch of Amazon Web Services EMEA SARL, Luxembourg | 39009323 | Lyskær 3 C 1 tv, 2730 Herlev | Storage of information, data storage. Including storage of files and database, development and operation of web application and running background processes
Google Workspace (Google LLC, Google Ireland Limited; DK branch) | 28866984 | Sankt Petri Passage 5, 2nd, 1165 Copenhagen K | Used for document management, presentations, email communication, etc.
Visma e-conomic a/s | 29403473 | Langebrogade 1, 1411 Copenhagen K, Denmark | E-conomic is used as an accounting system for postings, invoicing, etc.
Hubspot | | 2 Canal Park, Cambridge, MA 02141, United States | CRM system – marketing email management, sales leads, support management and more.
Teamtailor | | Östgötagatan 16, 116 21 Stockholm, Sweden | Used to manage the recruitment process and career site
Microsoft Clarity, Microsoft Azure Cloud Services | 13612870 | Kanalvej 7, 2800 Kongens Lyngby, Denmark | Used to analyze the use of the platform through recordings and heatmaps
TwentyThree | 30070860 | Sortedam Dossering 7E, 2200 Copenhagen, Denmark | Used for hosting a webinar
ScaleUp Finance | 43196308 | Nyropsgade 41, 1602 Copenhagen, Denmark | Used for external accounting

B.2. Notification for the approval of sub-processors

The use of new sub-processors is notified within 14 days before the start of use.

Appendix C – Instructions for processing personal data

C.1. Subject matter/instruction of the processing

The data processor’s processing of personal data on behalf of the data controller is carried out by the data processor performing the following:

The Data Processor provides a digital platform “Frame” for handling data related to the Data Controller’s construction projects. The platform is designed to efficiently manage processes, communication, assessments, calculations, documentation, etc. based on the data uploaded and entered by the users in each project.

Data controllers themselves invite users from their own and other organizations to each project and encourage each user to work with the agreed data. In this context, the controller is responsible for instructing all users on how to process data, what data may be uploaded and processed and with whom it may be shared.

The data controller’s users access the platform themselves via a browser and their own usernames and passwords, which is why the data processor does not independently access project data unless the data controller or the data controller’s invited users request this via Frame ApS’ support function.

Personal data

Data can be in the form of profile information for each user, uploaded documents and files, and entries in free text fields.

Profile information

For each user, at least the e-mail address used as username is registered. This username must not be changed, as it is the controller’s wish to be able to identify a user’s actions in each project. In addition, a user can voluntarily provide their name, telephone number, address, title and organization/company.

It is the controller who instructs users on the correct handling of these personal data. In reports and log files, the user must be identifiable by email address (or by name if entered), so that it is recorded who has made the specific entry or action.

Other profile information must be accessible to other users in a specific project or to the controller’s employees who have the right to it, but it must be possible to delete or modify the data if the user so wishes.

A user’s data must be deleted together with other data when a project is terminated by the controller. A project must be automatically deleted when the controller has not paid for the platform/service for 3 consecutive months.

Uploaded documents and files

Users are free to upload documents and files and it is the data controller who instructs users on the correct handling of personal data in this context. Users must not be able to delete uploaded documents and files themselves, as these must be available in the project for documentation purposes, but the data controller may instruct the data processor to delete specific documents and files.

Uploaded documents and files must be deleted together with other data when a project is closed by the data controller. A project must be automatically deleted when the controller has not paid for the platform/service for 3 consecutive months.

Entry in free text fields

Users are free to enter personal data in free text fields in the platform. It is the controller who instructs users on the correct handling of personal data in this context. Users must be able to delete and change text in free text fields via the project’s designated Sustainability Manager, so that the new/corrected text appears in the reports going forward from the time of correction. Entries should continue to be visible in log files.

Inputs in free text fields must be deleted together with other data when a project is closed by the data controller. A project shall be automatically deleted when the Customer has not paid for the platform/service for 3 consecutive months.

Special categories of personal data

Frame ApS is not required to handle special categories of personal data for the controller. The controller is responsible for instructing invited users on the correct handling of personal data.

Updates to the platform

The data processor is instructed to inform the data controller and users about new features/updates of the platform that may have an impact on what data is processed and how data is processed. This information should be provided through, for example, e-mails to users. All users must be informed of this fact via a user agreement when they create their profile on the platform.

The processor must have formal procedures in place to ensure that updates are assessed and implemented in a timely manner.

For critical security updates, the processor must have procedures in place to ensure that these can – as far as possible – be completed within 48 hours.

C.2. Security of processing

The level of security must reflect:

That the service processes personal data. The service must be provided with a level of security that minimizes the risks that personal data can be misused or that data subjects’ rights are otherwise violated. However, the processing concerns only a few personal data of the data subjects and the total amount of personal data is limited. No information is collected in special categories, information on criminal convictions or information such as CPR numbers. Furthermore, it is assessed that the information collected could only be misused to a very limited extent. It is important that personal data is not freely accessible and that access to the platform is protected against unauthorized access and that data transmitted is protected as far as possible.

The data processor is then entitled and obliged to make decisions about the technical and organizational security measures to be implemented to establish the necessary (and agreed) level of security.

However, the processor shall – in any event and as a minimum – implement the following measures agreed with the controller

    • Users of the Frame platform have access only to their own data and data necessary for the performance of their tasks.
    • All passwords registered in the platform are stored and transmitted in either encrypted form or by replacing them with a hash code.
    • All communication between users and Frame’s system is encrypted via HTTPS protocols.
    • Frame’s platform uses a verified certificate.
    • Access to personal data shall be restricted to necessary staff of the processor.
    • The Processor’s own staff may only access personal data via personal passwords or keys.
    • Data is stored on Amazon Web Services (AWS) secured cloud platforms in the EU.

C.3 Assistance to the controller

The Processor shall, to the extent possible and within the scope and extent set out below, assist the Controller in accordance with Clause 9.1 and 9.2 by implementing the following technical and organizational measures

In the context of the controller’s duty of information, the system will have the possibility to display a text to new users. This text is prepared by the controller and it is the controller’s responsibility to ensure that it is accurate.

If the processor receives requests from the data subjects, such as access, rectification, erasure or other requests, these are forwarded to the controller. In many cases, the controller will then be able to process the request itself. If necessary, the processor will, on instruction, assist the controller with the processing of requests if the controller requests this in writing.

C.4 Retention period/deletion routine

Personal data are kept until the controller requests the erasure of individual data or until the contract for the provision of the service is terminated.

Upon termination of the personal data processing service, the processor shall delete the personal data in accordance with clause 11.1, unless the controller – after signing these provisions – has changed the controller’s initial choice. Such changes shall be documented and kept in writing, including electronically, in relation to the provisions.

Personal data in CRM, subscription management and accounting systems shall be deleted on request if the contractual relationship is terminated.

C.5 Location of processing

The processing of personal data covered by the Clauses may not, without the prior written authorization of the controller, be carried out in locations other than the following

    • Within the EU

C.6 Instructions on the transfer of personal data to third countries

C.7 Procedures for audits, including inspections, by the controller of the processing of personal data entrusted to the processor

The parties agree that there is no need for external audit opinions. However, the controller may, once a year, ask the processor for a statement on the processor’s compliance with the GDPR, data protection provisions of other Union or Member State law and these Clauses.

In addition, the controller or a representative of the controller shall have the right to carry out inspections, including physical inspections, of the premises from which the processor carries out the processing of personal data, including physical locations and systems used for or in connection with the processing. Such inspections may be carried out whenever the controller deems it necessary.

Any costs incurred by the controller in relation to a physical inspection shall be borne by the controller. However, the processor is obliged to allocate the resources (mainly time) necessary for the controller to carry out its inspection.

C.8 Procedures for audits, including inspections, of the processing of personal data entrusted to sub-processors

The Data Processor shall once a year, at its own expense, obtain evidence of the Sub-Processor’s compliance with the GDPR, data protection provisions in other Union or Member State law and these Clauses.

The Parties agree that the following types of documentation, statements or reports may be used in accordance with these provisions:

    • Sub-processor’s own declarations regarding compliance with the GDPR and information security.
    • Audit reports or audit opinion on GDPR compliance and information security carried out by an independent third party.

Appendix D – The parties’ regulation of other matters

Other matters are regulated in the parties’ agreement for the provision of the service.


[1] References to “Member State” in these provisions shall be understood as referring to “EEA Member States”.
