Bentley GDPR Compliance Statement

January 2020

Bentley’s GDPR Compliance Statement provides information regarding the impact of the GDPR on Bentley and our customers, the steps taken by Bentley to ensure our compliance with the GDPR, and the ways in which we can assist and support our accounts and users (as data controllers) with their respective obligations under the GDPR. 

Overview of GDPR

The GDPR is the EU’s most important change in data privacy regulation in 20 years, replacing the 1995 Data Protection Directive. The GDPR has had a significant impact for all organizations doing business in the EU, as well as organizations outside the EU who offer products or services to individuals in the EU.

Compliance Efforts and Account and User Support

Bentley will comply with the GDPR in the delivery of our products and services to our users when required. We are also dedicated to helping our users comply with their respective GDPR obligations. In support of these commitments, we have made enhancements to our services, agreements, policies, and internal processes as necessary to satisfy our obligations under the GDPR.

Compliance with Customer Instructions

As a data processor, Bentley is committed to processing personal data only as instructed by applicable accounts and users. We have updated our internal policies to ensure that all Bentley colleagues who have access to personal data shall only process such personal data on behalf of and in accordance with the documented instructions of the relevant accounts and users. In addition, we have developed a standard Data Processing Agreement for use with our accounts that complies with GDPR requirements.

Data Minimization

Bentley only collects and processes the minimum personal data necessary to provide the relevant services on behalf of our users. In addition, we don’t collect or process sensitive data.

Individuals' Rights

Bentley has updated its IT systems and internal policies to assist with our obligation to respond to requests by data subjects to exercise their rights under the GDPR.


Bentley has implemented and maintains appropriate technical and organizational measures to ensure the processing of personal data meets the requirements of the GDPR, including technical and organizational measures to protect the security, confidentiality, availability and integrity of personal data (including protection against unauthorized or unlawful processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, personal data). Such technical and organizational measures may include (as appropriate based on the risk to data subjects): (a) the pseudonymisation and encryption of personal data; (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and (d) a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing of personal data.
Bentley treats all personal data processed on behalf of our users as confidential information and ensures that all Bentley colleagues, agents and contractors engaged in the processing of personal data are informed of the confidential nature of such personal data. Bentley ensures that (a) access to personal data is limited to those performing services in accordance with the relevant account and user agreement; and (b) all such colleagues, agents and contractors are committed to confidentiality (or are under an appropriate statutory obligation of confidentiality) and receive appropriate training on their responsibilities.
Bentley will assist our accounts and users in ensuring compliance with their respective security obligations under the GDPR.

Responding to Personal Data Breaches

Bentley has updated its policies as necessary to ensure that it provides notice to accounts and users of a personal data breach without undue delay following the discovery of such personal data breach.  Bentley shall also reasonably assist and cooperate as instructed by accounts and users with any internal investigation or external investigation by third parties, such as law enforcement.

Use of Sub-Processors and Transfers Outside the EU

Bentley engages with carefully selected subprocessors. The provision of certain accounts may require us to commission additional subprocessors. In such a case, we will post additional subprocessors here.  At Bentley, security and privacy is paramount. Accordingly, we impose data protection terms on each subprocessor with which we work to maintain compliance.

EU-US Privacy Shield Framework

Bentley complies with the EU-US Privacy Shield Framework regarding the transfer and use of personal data from the EU to the US.  To view our certification, please visit

Contact Us

Please contact Bentley’s Data Protection Officer (DPO) with any questions are concerns.
Julian Waagensen
Bentley Systems International
Charlemont Exchange, 05 – 101
Charlemont Exchange, 42 Charlemont Street,
Dublin 2, D02VN88