Standard contractual clauses

(January 2020 – rev Openframe July 2023)

pursuant to Article 28(3) of Regulation 2016/679 (GDPR) for the processing of personal data by the processor

between

The Customer

hereinafter ‘the controller’

and

Openframe ApS
CVR 42049581
Bragesgade 8B,
2200 København N
Danmark

hereinafter ‘the processor’

each of which is a ‘Party’ and together constitute the ‘Parties’

HAVE AGREED upon the following standard contractual clauses (the Clauses) in order to comply with the GDPR and to ensure the protection of privacy and the fundamental rights and freedoms of natural persons

2. Preamble

  1. These Terms and Conditions set out the rights and obligations of the data processor when
    processing personal data on behalf of the data controller.
  2. These provisions are designed to ensure the parties’ compliance with Article 28(3) of Regulation (EU) 2016/679 of the European
    Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the
    processing of personal data and on the free movement of such data, and
    repealing Directive 95/46/EC (General Data Protection Regulation).
  3. In connection with the provision of Openframe, the data processor processes personal data on behalf of the
    data controller in accordance with these Terms and Conditions.
  4. The provisions take precedence over any similar provisions in other agreements between
    the parties.
  5. There are four annexes to these Regulations and the annexes form an integral part of the Regulations.
  6. Annex A contains details of the processing of personal data, including the purpose and nature of the processing, the type of personal data, the categories of data subjects and the duration of the processing.
  7. Appendix B contains the controller’s conditions for the processor’s use of sub-processors and a
    list of sub-processors that the controller has approved the use of.
  8. Appendix C contains the data controller’s instructions regarding the data processor’s processing of
    personal data, a description of the minimum security measures that the data processor must
    implement, and how the data processor and any sub-processors are supervised.
  9. Annex D contains provisions for other activities not covered by the Regulations.
  10. The provisions and their annexes shall be kept in writing, including electronically, by both parties.
  11. These Clauses do not release the Data Processor from obligations imposed on the Data Processor under the
    General Data Protection Regulation or any other legislation.

3. Rights and obligations of the data controller

  1. The controller is responsible for ensuring that the processing of personal data complies
    with the GDPR (see Article 24 of the Regulation), data protection provisions of other EU law
    or Member State[1] national law and these Regulations.

  2. The controller has the right and obligation to decide for which purpose(s) and with which
    means personal data may be processed.

  3. The data controller is responsible for, among other things, ensuring that there is a processing basis for the processing
    of personal data that the data processor is instructed to perform.

4. The data processor acts on instructions

  1. The data processor may only process personal data following documented instructions from the data controller,
    unless required by EU or Member State law to which the data processor is
    subject. These instructions shall be specified in Annexes A and C. Subsequent instructions may also be given by the
    controller while personal data is being processed, but the instructions must always be
    documented and stored in writing, including electronically, together with these Clauses.

  2. The processor shall inform the controller without delay if, in its opinion,
    an instruction infringes this Regulation or data protection provisions of other Union or Member State
    law.

5. Confidentiality

  1. The data processor may only grant access to personal data processed on behalf of the data controller to
    persons who are subject to the data processor’s powers of instruction, who have committed themselves to confidentiality
    or are subject to an appropriate statutory duty of confidentiality, and only to the extent necessary. The list of persons
    who have been granted access shall be reviewed on an ongoing basis. Based on this review, access to
    personal data may be closed if the access is no longer necessary, and the personal data shall then
    no longer be accessible to these persons.

  2. At the request of the controller, the data processor must be able to demonstrate that the persons concerned,
    who are subject to the data processor’s instructional powers, are subject to the aforementioned duty of confidentiality.

6. Security of processing

  1. Article 32 GDPR states that the controller and processor, taking
    into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the
    processing as well as the risks of varying likelihood and severity
    for the rights and freedoms of natural persons, shall implement appropriate technical and organizational
    measures to ensure a level of protection appropriate to the risks.

    The controller must assess the risks to the rights and freedoms of natural
    persons posed by the processing and implement measures to address those risks. Depending on their relevance,
    the measures may include:

    a. Pseudonymization and encryption of personal data

    b. Ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services

    c. Ability to timely restore the availability of and access to personal data in the event of a physical or technical incident

    d. A procedure for regularly testing, assessing and evaluating the effectiveness of the technical and organizational measures for ensuring the security of processing.

  2. Pursuant to Article 32 of the Regulation, the processor shall – independently of the controller – also assess
    the risks to the rights of natural persons posed by the processing and implement measures to
    mitigate those risks. For the purposes of this assessment, the controller shall provide the necessary
    information to the processor to enable it to identify and assess
    such risks.

  3. In addition, the processor shall assist the controller in its compliance with the
    controller’s obligation under Article 32 of the Regulation by, inter alia, making the necessary information
    available to the controller regarding the technical and organizational security measures that
    the processor has already implemented pursuant to Article 32 of the Regulation and any other information that
    is necessary for the controller to comply with its obligation under Article 32 of the Regulation.

    If addressing the identified risks – in the controller’s assessment – requires the implementation of
    additional measures to those already implemented by the processor, the
    controller shall specify the additional measures to be implemented in Annex C.

7. Use of sub-processors

  1. The data processor must fulfill the conditions referred to in Article 28(2) and (4)
    of the Data Protection Regulation to use another data processor (a sub-processor).

  2. Thus, the Data Processor may not use a Sub-Processor for the fulfillment of these Clauses
    without prior general written approval from the Data Controller.

  3. The Processor has the Controller’s general approval for the use of sub-processors.
    The Processor shall notify the Controller in writing of any planned changes regarding
    the addition or replacement of sub-processors with at least 14 days’ notice, thereby giving the
    Controller the opportunity to object to such changes prior to the use of the
    sub-processor(s) concerned. Longer notice periods for notification in relation to specific processing activities
    may be specified in Annex B. The list of sub-processors already authorized by the controller
    can be found in Appendix B.

  4. Where the processor uses a sub-processor to carry out specific
    processing activities on behalf of the controller, the processor shall, by contract or other
    legal act under Union or Member State law, impose on the
    sub-processor the same data protection obligations as those set out in these
    Clauses, in particular providing the necessary guarantees that the sub-processor will
    implement the technical and organizational measures in such a way that the processing complies
    with the requirements of these Clauses and the GDPR.

    The data processor is therefore responsible for demanding that the sub-processor at least complies
    with the data processor’s obligations under these Clauses and the GDPR.
  5. The sub-processor agreement(s) and any subsequent amendments thereto shall – at the data controller’s
    request – be sent in copy to the data controller, who thereby has the opportunity to ensure that similar
    data protection obligations arising from these Clauses are imposed on the sub-processor.
    Provisions on commercial terms that do not affect the data protection law content of the
    sub-processor agreement shall not be sent to the data controller.

  6. Deleted

  7. If the sub-processor does not fulfill its data protection obligations, the processor remains fully
    liable to the controller for the fulfillment of the sub-processor’s obligations. This does
    not affect the rights of the data subjects resulting from the GDPR, in particular Articles 79 and 82
    of the Regulation, vis-à-vis the controller and the processor, including the sub-processor.

8. Transfer to third countries or international organizations

  1. Any transfer of personal data to third countries or international organizations may only be made by
    the data processor on the basis of documented instructions from the data controller and must always be made in
    accordance with Chapter V of the General Data Protection Regulation.

  2. Where the transfer of personal data to third countries or international organizations, which the processor
    has not been instructed to carry out by the controller, is required by Union or
    Member State law to which the processor is subject, the processor shall inform the
    controller of that legal requirement prior to processing, unless that law prohibits such
    notification for reasons of important public interest.

  3. Without documented instructions from the controller, the data processor may not, within the framework of
    these Terms and Conditions:

    a. Transfer personal data to a controller or processor in a third country or an international
    organization

    b. Entrust the processing of personal data to a sub-processor in a third country

    c. Process the personal data in a third country

  4. The controller’s instructions regarding the transfer of personal data to a third country, including the
    possible transfer basis in Chapter V of the GDPR on which the transfer is based, must
    be indicated in Annex C.6.

  5. These Clauses shall not be confused with standard contractual clauses within the meaning of
    Article 46(2)(c) and (d) of the GDPR and these Clauses cannot constitute a
    basis for the transfer of personal data within the meaning of Chapter V of the GDPR.

9. Assistance to the controller

  1. The data processor shall, taking into account the nature of the processing, assist the controller as far as possible by
    using appropriate technical and organizational measures to fulfill the controller’s
    obligation to respond to requests for the exercise of the data subject’s rights as laid down in Chapter III of the
    GDPR.

    This means that the data processor must, as far as possible, assist the data controller in connection with the
    data controller ensuring compliance with:

    a. the obligation to provide information when personal data is collected from the data subject
    b. the obligation to provide information if personal data has not been collected from the data subject
    c. the right of access
    d. the right to rectification
    e. the right to erasure (“right to be forgotten”)
    f. the right to restriction of processing
    g. the duty to inform in connection with rectification or erasure of personal data or
    restriction of processing
    h. the right to data portability
    i. the right to object
    j. the right not to be subject to a decision based solely on automated processing
    including profiling

  2. In addition to the data processor’s obligation to assist the data controller in accordance with Clause 6.3,
    the data processor shall, taking into account the nature of the processing and the information
    available to the data processor, further assist the data controller in ensuring compliance with:

    a. the obligation of the controller to report the personal data breach to the competent
    supervisory authority, the Danish Data Protection Agency, without undue delay and, where feasible, no later than 72 hours after becoming
    aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons


    b. the controller’s obligation to notify the data subject without undue delay of a personal data
    breach when the breach is likely to result in a high risk to the rights and freedoms of natural
    persons

    c. the obligation for the controller to carry out a pre-processing analysis of the personal data protection impact of the intended
    processing operations (a data protection impact assessment)

    d. the controller’s obligation to consult the competent supervisory authority, the Danish Data Protection Agency, prior to
    processing if a data protection impact assessment shows that the processing would result in
    high risk in the absence of measures taken by the controller to mitigate the risk.

  3. The parties shall specify in Annex C the necessary technical and organizational measures with
    which the data processor shall assist the data controller and to what extent and scope. This applies to the
    obligations arising from Clause 9.1. and 9.2.

10. Personal data breach notification

  1. The data processor shall notify the data controller without undue delay after becoming aware
    that a personal data breach has occurred.

  2. The data processor’s notification to the data controller shall, if possible, take place no later than 24 hours after the data
    controller has become aware of the breach, so that the data controller can comply with its obligation to report
    the personal data breach to the competent supervisory authority, cf. the General Data Protection Regulation
    Article 33.

  3. In accordance with Clause 9.2.a, the processor shall assist the controller in making
    the notification of the breach to the competent supervisory authority. This means that the processor shall assist in
    providing the following information, which, according to Article 33(3), shall be included in the controller’s
    notification of the breach to the competent supervisory authority:

    a. the nature of the personal data breach, including, where possible, the categories and
    approximate number of data subjects affected and the categories and approximate number of personal data
    records affected

    b. the likely consequences of the personal data breach

    c. the measures that the controller has taken or proposes to take to address the
    personal data breach, including, where applicable, measures to mitigate its possible
    adverse effects.

  4. The Parties shall specify in Annex C the information that the Processor shall provide in connection with its
    assistance to the Controller in its obligation to notify personal data breaches to the
    competent supervisory authority.

11. Deletion and return of data

  1. Upon termination of the personal data processing services, the data processor is obliged to
    delete all personal data that has been processed on behalf of the controller and confirm to
    the controller that the data has been deleted, unless EU or Member State law
    prescribes the storage of the personal data.

12. Auditing, including inspection

  1. The Data Processor shall provide the Controller with all information necessary to demonstrate compliance with
    Article 28 of the GDPR and these Clauses and shall
    enable and contribute to audits, including inspections, conducted by the Controller or another auditor
    authorized by the Controller.

  2. The procedures for the controller’s audits, including inspections, with the processor and
    sub-processors are detailed in Appendix C.7. and C.8.

  3. The data processor is obliged to grant supervisory authorities that, according to applicable legislation, have access to
    the data controller’s or data processor’s facilities, or representatives acting on behalf of
    the supervisory authority, access to the data processor’s physical facilities against proper identification.

13. Agreement of the parties on other matters

  1. The parties may agree on other provisions relating to the service concerning the processing of personal data,
    such as liability for damages, as long as these other provisions do not directly or indirectly conflict with the
    provisions or impair the fundamental rights and freedoms of the data subject
    arising from the General Data Protection Regulation.

14. Entry into force and termination

  1. The provisions shall enter into force on the date on which the Controller puts the platform into use.

  2. Either party may demand renegotiation of the Terms if changes in legislation or inappropriateness in
    the Terms give rise to this.

  3. The provisions apply for the duration of the personal data processing service. During
    this period, the Terms cannot be terminated unless other provisions regulating the provision of the
    service regarding the processing of personal data are agreed between the parties.

  4. If the provision of the services relating to the processing of personal data ceases and the personal data is
    deleted or returned to the controller in accordance with Clause 11.1 and Appendix C.4, the
    Clauses may be terminated with written notice by either party.

15. Contact persons at the controller and the processor

  1. The Data Controller (Customer) must provide the contact person at the start of the project.

  2. The parties are obliged to keep each other informed of changes concerning contact persons.

  3. Contact to the Data Processor can be made to the following:
    Name: Jesper Ring
    Position: CEO
    Phone number: +45 5077 8840
    E-mail: jr@openframe.org

16. Remuneration for assistance under this agreement

  1. Openframe is entitled to separate remuneration according to consumption for assistance in relation to the
    data controller’s obligations and claims covered by §6.3, §7.5, §9, §10, §11 and §12 of the Data Processing Agreement
    including associated appendices.

Appendix A – Information about the processing

A.1. Purpose of the processing of personal data by the processor on behalf of the controller

The purpose of the processing of personal data is to make the collection and storage of documentation in the controller’s construction processes easy, fast and efficient.

A.2. The processing of personal data by the processor on behalf of the controller relates primarily to (nature of the processing)

The main objective is to provide an IT system that makes the collection, storage and dissemination of information on construction processes to and from relevant stakeholders efficient.

A.3. The processing includes the following types of personal data of the data subjects

Contact details, including name, email, telephone number of the registered users.

Project information, including information on buildings, construction conditions, construction plans, as well as text and comments that users can enter in free text fields.

Documentary information, including specific information on construction projects.

A.4. The processing includes the following categories of data subjects

    • Employees of the controller

    • Stakeholders in the construction project including employees of authorities, advisors, consultants, clients, contractors and others involved in the construction process

A.5. The processing of personal data by the processor on behalf of the controller may begin after the entry into force of these Provisions. The duration of the processing is as follows

Until the Agreement is terminated

Appendix B – Sub-processors

B.1. Authorized sub-processors

Upon entry into force of the Provisions, the Controller has authorized the use of the following sub-processors

| NAME | CVR | ADDRESS | DESCRIPTION OF PROCESSING |
|---|---|---|---|
| VNTRS consulting AB | | Göransgatan 63, 112 38 Stockholm, Sweden | Technical development of Openframe In Use and Openframe Build |
| Amazon Web Services, Danish branch of Amazon Web Services EMEA SARL, Luxembourg | 39009323 | Lyskær 3 C 1 tv, 2730 Herlev | Storage of information, data storage. Including storage of files and database, development and operation of web application and running background processes |
| Google Workspace (Google LLC, Google Ireland Limited; DK branch) | 28866984 | Sankt Petri Passage 5, 2., 1165 Copenhagen K | Used for document management, presentations, email communication, etc. |
| Visma e-conomic a/s | 29403473 | Langebrogade 1, 1411 Copenhagen K, Denmark | E-conomic is used as an accounting system for postings, invoicing, etc. |
| Hubspot | | 2 Canal Park, Cambridge, MA 02141, United States | CRM system – marketing email management, sales leads, support management and more. |
| Teamtailor | | Östgötagatan 16, 116 21 Stockholm, Sweden | Used to manage the recruitment process and career site |
| Microsoft Clarity (Microsoft Azure Cloud Services) | 13612870 | Kanalvej 7, 2800 Kongens Lyngby, Denmark | Used to analyze the use of the platform through recordings and heatmaps |
| TwentyThree | 30070860 | Sortedam Dossering 7E, 2200 Copenhagen, Denmark | Used for hosting a webinar |
| ScaleUp Finance | 43196308 | Nyropsgade 41, 1602 Copenhagen, Denmark | Used for external accounting |

B.2. Notification for the approval of sub-processors

When using new sub-processors, this is notified within 14 days before the start of use.

Appendix C – Instructions for processing personal data

C.1. Subject matter/instruction of the processing

The data processor’s processing of personal data on behalf of the data controller is carried out by the data processor performing the following:

The Data Processor provides a digital platform “Frame” for handling data related to the Data Controller’s construction projects. The platform is designed to efficiently manage processes, communication, assessments, calculations, documentation, etc. based on the data uploaded and entered by the users in each project.

Data controllers themselves invite users from their own and other organizations to each project and encourage each user to work with the agreed data. In this context, the controller is responsible for instructing all users on how to process data, what data may be uploaded and processed and with whom it may be shared.

The data controller’s users access the platform themselves via a browser and their own usernames and passwords, which is why the data processor does not independently access project data unless the data controller or the data controller’s invited users request this via Openframe ApS’ support function.

Personal data

Data can be in the form of profile information for each user, uploaded documents and files, and entries in free text fields.

Profile information

For each user, at least the e-mail address used as username is registered. This username must not be changed, as it is the controller’s wish to be able to identify a user’s actions in each project. In addition, a user can voluntarily provide their name, telephone number, address, title and organization/company.

It is the controller who instructs users on the correct handling of these personal data. In reports and log files, the user must be identifiable by email address (or by name if entered), so that it is recorded who has made the specific entry or action.

Other profile information must be accessible to other users in a specific project or to the controller’s employees who have the right to do so, but it must be possible to delete or modify the data if the user so wishes.

A user’s data must be deleted together with other data when a project is terminated by the controller. A project must be automatically deleted when the controller has not paid for the platform/service for 3 consecutive months.

Uploaded documents and files

Users are free to upload documents and files and it is the data controller who instructs users on the correct handling of personal data in this context. Users must not be able to delete uploaded documents and files themselves, as these must be available in the project for documentation purposes, but the data controller may instruct the data processor to delete specific documents and files.

Uploaded documents and files must be deleted together with other data when a project is closed by the data controller. A project must be automatically deleted when the controller has not paid for the platform/service for 3 consecutive months.

Entry in free text fields

Users are free to enter personal data in free text fields in the platform. It is the controller who instructs users on the correct handling of personal data in this context. Users must be able to delete and change text in free text fields via the project’s designated Sustainability Manager, so that the new/corrected text appears in the reports going forward from the time of correction. Entries should continue to be visible in log files.

Inputs in free text fields must be deleted together with other data when a project is closed by the data controller. A project shall be automatically deleted when the Customer has not paid for the platform/service for 3 consecutive months.

Special categories of personal data

Openframe ApS shall not handle special categories of personal data for the data controller. The controller is responsible for instructing invited users on the correct handling of personal data.

Updates to the platform

The data processor is instructed to inform the data controller and users about new features/updates of the platform that may have an impact on what data is processed and how data is processed. This information should be provided through, for example, e-mails to users. All users must be informed of this fact via a user agreement when they create their profile on the platform.

The processor must have formal procedures in place to ensure that updates are assessed and implemented in a timely manner.

For critical security updates, the processor must have procedures in place to ensure that these can – as far as possible – be completed within 48 hours.

C.2. Security of processing

The level of security must reflect:

That the service processes personal data. The service must be provided with a level of security that minimizes the risks that personal data can be misused or that data subjects’ rights are otherwise violated. However, the processing concerns only a few personal data of the data subjects and the total amount of personal data is limited. No information is collected in special categories, information on criminal convictions or information such as CPR numbers. Furthermore, it is assessed that the information collected could only be misused to a very limited extent. It is important that personal data is not freely accessible and that access to the platform is protected against unauthorized access and that data transmitted is protected as far as possible.

The data processor is then entitled and obliged to make decisions about the technical and organizational security measures to be implemented to establish the necessary (and agreed) level of security.

However, the processor shall – in any event and as a minimum – implement the following measures agreed with the controller

    • Users of the Openframe platform only have access to their own data and data necessary for the performance of their tasks.
    • All passwords registered in the platform are stored and transmitted in either encrypted form or by replacing them with a hash code.
    • All communication between users and Openframe’s system is encrypted via HTTPS protocols.
    • Openframe’s platform uses a verified certificate.
    • Access to personal data shall be restricted to necessary staff of the processor.
    • The Processor’s own staff may only access personal data via personal passwords or keys.
    • Data is stored on Amazon Web Services (AWS) secured cloud platforms in the EU.

C.3 Assistance to the controller

The Processor shall, to the extent possible and within the scope and extent set out below, assist the Controller in accordance with Clause 9.1 and 9.2 by implementing the following technical and organizational measures

In the context of the controller’s duty of information, the system will have the possibility to display a text to new users. This text is prepared by the controller and it is the controller’s responsibility to ensure that it is accurate.

If the processor receives requests from the data subjects, such as access, rectification, erasure or other requests, these are forwarded to the controller. In many cases, the controller will then be able to process the request itself. If necessary, the processor will, on instruction, assist the controller with the processing of requests if the controller requests this in writing.

C.4 Retention period/deletion routine

Personal data are kept until the controller requests the erasure of individual data or until the contract for the provision of the service is terminated.

Upon termination of the personal data processing service, the processor shall delete the personal data in accordance with clause 11.1, unless the controller – after signing these provisions – has changed the controller’s initial choice. Such changes shall be documented and kept in writing, including electronically, in relation to the provisions.

Personal data in CRM, subscription management and accounting systems shall be deleted on request if the contractual relationship is terminated.

C.5 Location of processing

The processing of personal data covered by the Clauses may not, without the prior written authorization of the controller, be carried out in locations other than the following

    • Within the EU

C.6 Instructions on the transfer of personal data to third countries

C.7 Procedures for audits, including inspections, by the controller of the processing of personal data entrusted to the processor

The parties agree that there is no need for external audit opinions. However, the controller may, once a year, ask the processor for a statement on the processor’s compliance with the GDPR, data protection provisions of other Union or Member State law and these Clauses.

In addition, the controller or a representative of the controller shall have the right to carry out inspections, including physical inspections, of the premises from which the processor carries out the processing of personal data, including physical locations and systems used for or in connection with the processing. Such inspections may be carried out whenever the controller deems it necessary.

Any costs incurred by the controller in relation to a physical inspection shall be borne by the controller. However, the processor is obliged to allocate the resources (mainly time) necessary for the controller to carry out its inspection.

C.8 Procedures for audits, including inspections, of the processing of personal data entrusted to sub-processors

The Data Processor shall once a year, at its own expense, obtain evidence of the Sub-Processor’s compliance with the GDPR, data protection provisions in other Union or Member State law and these Clauses.

The Parties agree that the following types of documentation, statements or reports may be used in accordance with these provisions:

    • Sub-processor’s own declarations regarding compliance with the GDPR and information security.
    • Audit reports or audit opinion on GDPR compliance and information security carried out by an independent third party.

Appendix D – The parties’ regulation of other matters

Other matters are regulated in the parties’ agreement for the provision of the service.


[1] References to “Member State” in these provisions shall be understood as referring to “EEA Member States”.