Home / Data Processing Addendum

Data Processing Addendum

Data Processing Addendum

Version effective as of September 2021

By accepting the terms of the Agreement referring to this Data Processing Addendum (“DPA”), you (“Subscriber”) agree to the terms set forth herein, which are incorporated into the Agreement by reference.

RECITALS

Bentley and Subscriber, on behalf of itself and its Affiliates, have entered into one or more order forms, contracts and/or agreements (“Agreement”) pursuant to which Bentley has agreed to license software, products and/or provide services to the Subscriber as described in the Agreement (collectively, the Services”). Capitalized terms used but not otherwise defined in this DPA shall have the meaning ascribed to them in the Agreement. In the event of a conflict between the terms of this DPA and the terms of the Agreement, the terms of this DPA shall control with respect to such conflict. The Agreement includes any exhibits, schedules, appendices, statements of work, or other attachments made part of or incorporated into the Agreement, including this DPA.

By executing the Agreement, Subscriber enters into this DPA on behalf of itself and, to the extent required under applicable Data Protection Laws and Regulations, in the name and on behalf of its Affiliates, if and to the extent Bentley processes Personal Data for which such Affiliates qualify as the Controller. For the purposes of this DPA only, and except where indicated otherwise, the term Subscribershall include Subscriber and Affiliates.

In the course of providing the Services to Subscriber pursuant to the Agreement, Bentley may Process Personal Data on behalf of Subscriber and the Parties agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith.

1. DEFINITIONS

 Affiliatemeans any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. Control, for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.

CCPAmeans the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., and its implementing regulations.

Controllermeans the entity which determines the purposes and means of the Processing of Personal Data.

Data Breachmeans a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed by Bentley pursuant to the Agreement.

Data Protection Laws and Regulationsmeans all laws and regulations, including laws and regulations applicable to the Processing of Personal Data under the Agreement as amended from time to time. For the avoidance of doubt, if Bentley’s processing activities involving Personal Data are not within the scope of a given data protection law, such law is not applicable for purposes of this DPA.

Data Subject means the identified or identifiable person to whom Personal Data relates.

GDPRmeans the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), including as implemented or adopted under the laws of the United Kingdom.

 Personal Datameans any information relating to (i) an identified or identifiable natural person and, (ii) an identified or identifiable legal entity (where such information is protected similarly as personal data or personally identifiable information under applicable Data Protection Laws and Regulations).

Processingmeans any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Processormeans the entity which Processes Personal Data on behalf of the Controller, including as applicable any “service provider” as that term is defined by the CCPA.

Subscribermeans the entity that executed the Agreement together with its Affiliates (for so long as they remain Affiliates).

EU Standard Contractual Clauses” means the standard contractual clauses set forth in Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, available here.

Subprocessormeans any Processor engaged by Bentley or Bentley’s Affiliates on behalf of Bentley.

Supervisory Authoritymeans an independent public authority which is established by an EU Member State pursuant to the GDPR or, for the United Kingdom, the Information Commissioner’s Office (“ICO”).

 

2. PROCESSING OF PERSONAL DATA

2.1. Roles of the Parties. The parties acknowledge and agree that with regard to the Processing of Personal Data, Subscriber is the Controller, Bentley is the Processor, and that Bentley will engage Subprocessors pursuant to the requirements set forth in Section 5 “Subprocessors” below.

2.2. Subscriber’s Processing of Personal Data. Subscriber shall, in its use of the Services, Process Personal Data in accordance with the requirements of Data Protection Laws and Regulations, including any applicable requirement to provide notice to Data Subjects of the use of Bentley as Processor. For the avoidance of doubt, Subscriber’s instructions for the Processing of Personal Data shall comply with Data Protection Laws and Regulations. Subscriber is solely responsible for the accuracy, quality, and legality of (i) the Personal Data provided to Bentley by or on behalf of Subscriber, (ii) the means by which the Subscriber acquired the Personal Data, and (iii) the Instructions it provides to Bentley. Subscriber shall not provide or make available to Bentley any Personal Data in violation of the Agreement, or which is otherwise inappropriate for the nature of the Services and shall indemnify Bentley from all claims and losses in connection with Subscriber’s breach of applicable Data Protection Laws and Regulations.

 2.3. Bentley’s Processing of Personal Data. Bentley shall treat Personal Data as confidential information and shall Process Personal Data on behalf of and only in accordance with Subscriber’s documented instructions, unless required otherwise by a legal requirement Bentley is subject to, for the following purposes: (i) Processing in accordance with the Agreement and order form(s); (ii) Processing initiated by users in their use of the Services; (iii) Processing to comply with other documented reasonable instructions provided by Subscriber (e.g., via email) where such instructions are consistent with the terms of the Agreement, and (iv) Processing in compliance with the Data Protection Laws and Regulations. In case Bentley is subject to a legal requirement, Bentley shall inform Subscriber of that legal requirement, unless such law prohibits the same.

Subscriber hereby instructs Bentley to Process Personal Data in accordance with the foregoing and as part of Subscriber’s use of the Services.

 2.4. Bentley’s Role as a Service Provider under the CCPA. The parties acknowledge and agree that Bentley is a service provider for the purposes of the CCPA and is receiving Personal Data from Subscriber pursuant to the Agreement for a business purpose. Bentley shall not sell any such Personal Data nor retain, use or disclose any Personal Data provided by Subscriber pursuant to the Agreement except as necessary for performing the Services or otherwise as set forth in the Agreement or as permitted by the CCPA. The terms “service provider,” and “sell” are as defined in Section 1798.140 of the CCPA. Bentley certifies that it understands the restrictions of this section.

 2.5. Details of the Processing. The subject-matter of Processing of Personal Data by Bentley is the performance of the Services pursuant to the Agreement. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA as well as information on the transfer of Personal Data as required by Annexes I and II of the EU Standard Contractual Clauses (if applicable) are further specified in Schedule 2 to this DPA.

3. RIGHTS OF DATA SUBJECTS

 Data Subject Request. Bentley shall, to the extent legally permitted, promptly notify Subscriber if Bentley receives a request from a Data Subject to exercise the Data Subject’s right of access, right to rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, object to the Processing, or its right not to be subject to an automated individual decision making, each such request being a “Data Subject Request”. Considering the nature of the Processing, Bentley shall assist Subscriber by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Subscriber’s obligation to respond to a Data Subject Request under Data Protection Laws and Regulations.

4. BENTLEY PERSONNEL

 4.1. Confidentiality. Bentley shall ensure that its personnel engaged in the Processing of Personal Data are in- formed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements. Bentley shall ensure that such confidentiality obligations survive the termination of the personnel engagement.

4.2. Limitation of Access. Bentley shall ensure that Bentley’s access to Personal Data is limited to those personnel performing Services in accordance with the Agreement.

4.3. Data Protection Officer. Bentley has appointed a data protection officer. The appointed person may be reached at [email protected].

5.  SUBPROCESSORS

 5.1. Appointment of Subprocessors. Subscriber acknowledges and agrees that (a) Bentley’s Affiliates may be retained as Subprocessors; and (b) Bentley and Bentley’s Affiliates respectively may engage third-party Subprocessors in connection with the provision of the Services. Bentley or an Bentley Affiliate has entered into a written agreement with each Subprocessor containing data protection obligations not less protective than those in this DPA with respect to the protection of Subscriber Personal Data to the extent applicable to the nature of the Services provided by such Subprocessor.

5.2. List of Current Subprocessors, Notification of New Subprocessors, and Consent Mechanism. Bentley shall make available to Subscriber the current list of Subprocessors for the Services. Subscriber may find a maintained list of Subprocessors online here. Subscriber hereby generally authorizes Bentley and Bentley’s Affiliates to remove or add new subprocessors in accordance with this Section 5. New Subprocessors that access Subscriber’s Personal Data shall be approved by Subscriber via the following consent mechanism:

  1. Bentley shall notify Subscriber at least thirty (30) days before authorizing any new subprocessor to access Personal Data by updating the subprocessor to the list online at Bentley’s Trust Center.
  2. If Subscriber raises no reasonable objections with Bentley in writing within this thirty (30) days period, then this shall be taken as an approval of the new subprocessor by Subscriber.
  3. If Subscriber raises reasonable objections, then Bentley shall have the right to terminate the affected Service to Subscriber with fourteen (14) days’ notice unless Bentley decides to (a) continue the Service without the engagement of the Subprocessor which Subscriber objected to, (b) take sufficient steps to address the concerns raised in Subscriber’s objection or (c) in agreement with Subscriber, cease to provide (temporarily or permanently), the particular aspect of the Service that would involve use of the subprocessor. Each Subprocessor shall be bound by data protection obligations consistent with those in this Agreement.

5.3. Liability. Bentley shall be liable for the acts and omissions of its Subprocessors to the same extent Bentley would be liable if performing the services of each Subprocessor directly under the terms of this DPA, except as otherwise set forth in the Agreement.

6. SECURITY

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural per- sons, Bentley shall maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk of Processing Personal Data. Bentley shall, at a minimum:

  • Adopt policies and standards related to information security.
  • Assign responsibility for information security management.
  • Devote adequate personnel resources to information security.
  • Perform reference or background checks on permanent employees that shall have access to personal data and as necessary for compliance requirements (where practicable and lawful in each relevant jurisdiction).
  • Require all Bentley employees to comply with a written Information Security policy.
  • Have procedures in place to prevent unauthorized access to Personal Data through the use, as appropriate, of physical and logical entry controls, secure areas for processing, and data loss prevention tools.
  • Ensure compliance with policies and standards related to data protection on an ongoing basis.

Bentley is entitled to change the technical and organizational measures at its sole discretion, provided that the overall level of security of the Services is not degraded. Additional information concerning Bentley’s technical and organizational measures are available at Bentley’s Trust Center, as updated from time to time.

7. SUBSCRIBER RIGHT TO AUDIT

 For the duration of this DPA, upon Subscriber’s request, not more than once per calendar year, and subject to non-disclosure agreement, Bentley shall provide to Subscriber the most recent audit report performed by an independent auditor so that Subscriber can reasonably verify Bentley’s compliance with its data protection obligations. Subscriber agrees to exercise any audit and inspection rights it may have solely by requesting and reviewing such audit report. After Subscriber has reviewed the foregoing, in the event that additional information is required to demonstrate compliance with Bentley’s data protection obligations, Subscriber must notify Bentley in writing, identifying specifically what obligation the report fails to demonstrate compliance with, the deficiency in the audit report, and areas for which additional information is requested. After review, Bentley may notify its independent auditor of the identified deficiencies for inclusion in the its auditing procedures. At Bentley’s discretion, Bentley shall use reasonable efforts to comply and provide Subscriber (either itself or a registered accredited auditor acting on Subscriber’s behalf, subject to non- disclosure obligations) with access to additional policies, procedures, processes, and/or supporting evidence demonstrating the operation of controls. Subscriber shall give Bentley no fewer than 30 days’ prior notice, shall not be permitted to keep any copies of additional documentation or make copies, and shall not unreasonably disrupt Bentley’s business operations. Subscriber shall be responsible for all costs of such audit, and additional charges to offset costs incurred by Bentley may apply.

8. DATA BREACH MANAGEMENT AND NOTIFICATION

Bentley agrees to notify Subscriber without undue delay upon discovery of a Data Breach. In the course of notification to Subscriber, Bentley will provide to Subscriber, as feasible, sufficient information for Subscriber to make any required notifications within the timeline required by Data Protection Laws and Regulations. Such information may include, but is not necessarily limited to: (i) the nature of the Data Breach, and the categories and approximate number of Data Subjects and Personal Data records affected; (ii) the likely consequences of the Data Breach, to the extent consequences are able to be determined; and (iii) any measures taken to ad- dress or mitigate the Data Breach.

9. RETURN AND DELETION OF PERSONAL DATA

Bentley shall retain Personal Data received from Subscriber or created on behalf of Subscriber for only so long as necessary to perform the services under the Agreement or as may otherwise be required under applicable law. Upon request from Subscriber, Bentley agrees to return or destroy the Personal Data received or created pursuant to the Agreement, to the extent permitted by applicable law.

10. LIMITATION OF LIABILITY

 The total liability of each of Subscriber and Bentley (and their respective employees, directors, officers, affiliates, successors, and assigns), arising out of or related to this DPA, whether in contract, tort, or other theory of liability is subject to the ‘Limitation of Liability’ section of the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and all DPAs together.

11. EUROPEAN SPECIFIC PROVISIONS

 11.1. GDPR. Bentley will Process Personal Data in accordance with the GDPR requirements directly applicable to Bentley’s provision of its Services.

11.2. Data Protection Impact Assessment. Bentley shall provide reasonable assistance to Subscriber in respect to any data protection impact assessments and/or prior consultations that may be required in respect of processing carried out under the Agreement, to the extent required under the GDPR.

11.3. Notification of Inspection. Bentley agrees to notify Subscriber of any inspection or audit by a Supervisory Authority concerning compliance with Data Protection Laws and Regulations to the extent related to the Services provided under the Agreement. Bentley shall cooperate with relevant Supervisory Authorities upon request by Subscriber to a reasonable extent.

11.4. Transfer mechanisms for data transfers. Bentley makes available the transfer mechanism listed in Schedule 1 which shall apply, to any transfers of Personal Data under this DPA from the European Union, the European Economic Area and/or their member states, Switzerland and the United Kingdom to countries which do not ensure an adequate level of data protection within the meaning of Data Protection Laws and Regulations of the foregoing territories, to the extent such transfers are subject to such Data Protection Laws and Regulations. Furthermore, Schedule 1 contains additional terms on the application of the transfer mechanisms set forth therein.

12. MISCELLANEOUS

12.1. Legal Effect. This DPA may be executed in counterparts, each of which shall be deemed an original, but all of which together shall be deemed to be one and the same agreement. A signed copy of this DPA delivered by facsimile, e-mail, or other means of electronic transmission (to which a signed PDF copy is attached) shall be deemed to have the same legal effect as delivery of an original signed copy of this DPA.

12.2. Jurisdiction Specific Term. To the extent Bentley Processes Personal Data originating from and protected by Data Protection Laws and Regulations in one of the jurisdictions listed in Schedule 5 (Jurisdiction Specific Terms) of this DPA, the terms specified in Schedule 5 with respect to the applicable jurisdiction(s) apply in addition to the terms of this DPA.

 12.3. Conflict. In the event of any conflict or inconsistency between the body of this DPA (including any of its Schedules and Appendencies other than those of the EU Standard Contractual Clauses) and the EU Standard Contractual Clauses, the EU Standard Contractual Clauses shall prevail.

List of Schedules

Schedule 1: Transfer Mechanisms and Additional Terms for European Data Transfers  Schedule 2: Details of the Processing and Transfer of Personal Data

Schedule 3: SCC-Matrix

Schedule 4: Parties’ Contact Details and Identification of the Competent Supervisory Authority  Schedule 5: Jurisdiction Specific Terms

SCHEDULE 1 – TRANSFER MECHANISMS AND ADDITIONAL TERMS FOR EUROPEAN DATA TRANSFERS

This Schedule 1 sets forth the transfer mechanisms for the transfer of Subscriber’s Personal Data subject to the applicable data protection laws in the European Union, the European Economic Area and/or their member states, Switzerland and the United Kingdom to Bentley Systems, Incorporated contact (“European Data Transfers”) as well as additional terms on the scope and application of such transfer mechanism when using the Services provided by Bentley.

European Data Transfers

This section applies to the transfer of Subscriber’s Personal Data to Bentley Systems, Incorporated when using Bentley’s Services, provided that transfer of such Personal Data is subject to the GDPR.

1.1. Application of the EU Standard Contractual Clauses

In case Subscriber’s Personal Data subject to the GDPR are transferred to Bentley Systems, Incorporated, such transfer is subject to the EU Standard Contractual Clauses. The EU Standard Contractual Clauses provide several modules which apply depending on which entity is exporting and importing Subscriber’s Personal Data.

  • Where the contractual party to this DPA is Bentley Systems International Limited, Module 3 of the EU Standard Contractual Clauses (processor to processor) applies to and between Bentley Systems International Limited as the “Data Exporter” and Bentley Systems, Incorporated as the “Data Importer” with respect to the transfer of Subscriber’s Personal Data to Bentley Systems, Incorporated. Bentley will provide Subscriber with a copy of the EU Standard Contractual Clauses concluded between Bentley Systems International Limited and Bentley Systems, Incorporated upon request.
  • Where the contractual party to this DPA is Bentley Systems, Incorporated, Module 2 of the EU Standard Contractual Clauses (controller to processor) applies to and between Subscriber as the “Data Exporter” and Bentley Systems, Incorporated as the “Data Importer” with respect to the transfer of Subscriber’s Personal Data to Bentley Systems, Incorporated. In this case, Subscriber must comply with the execution process defined in Section 1.2. of this Schedule 1.

1.2. Execution Process for Module 2 of the EU Standard Contractual Clauses

In case Module 2 of the EU Standard Contractual Clauses applies as defined in Section 1.1 of this Schedule 1, Subscriber must comply with the following execution process:

Schedule 3 contains a matrix (“SCC-Matrix”) which specifies which options provided in Module 2 of the EU Standard Contractual Clauses are applicable and where the information regarding the transfer of personal data required in the Annexes of the EU Standard Contractual Clauses are defined in the DPA.

1.3. Supplementary Measures

Bentley provides the following supplementary measures to ensure an adequate level of protection pursuant to Article 44 et seq. GDPR for Subscriber’s Personal Data transferred to Bentley Systems, Incorporated provided that Bentley is not barred under applicable law to comply with these supplementary measures:

  • Bentley shall notify the Subscriber without undue delay should any public authority request access to Subscriber’s Personal Data. Should Bentley be barred from notifying the Subscriber in a situation due to applicable law, Bentley shall without undue delay ensure that transfer of Personal Data to the country that requested the access is ceased and notify the Subscriber that it had to do so. The Parties shall enter into discussions how to mitigate the situation.
  • Bentley shall take without undue delay any available legal recourse against any data access requests by public authorities and not disclose any Personal Data until ordered so by final and binding court decision.
  • Bentley shall assist the Subscriber by providing any information to the extent reasonable if the Subscriber decides to inform the Data Subjects if their Personal Data are affected by a request on data access by a public authority.
  • Bentley will provide Subscriber on a regular basis with a transparency report about requests for access to Personal Data received from public authorities in an aggregated form, including at least information on the amount of data requests, the type of data requested, the requesting public authority and to what extent Bentley has disclosed personal data to such public authorities.
  • Bentley shall constantly monitor any legal or policy developments that might lead to its inability to comply with the obligations under the EU Standard Contractual Clauses and without undue delay inform the Subscriber of any such changes and developments.
  • Bentley hereby confirms that it has not purposefully created backdoors or similar programming that could be used to access Bentley’s systems and/or Subscriber’s personal data stored therein.

Further information relating to supplementary safeguards is available upon request.

SCHEDULE 2 – DETAILS OF THE PROCESSING AND TRANSFER OF PERSONAL DATA

This Schedule 2 specifies the information on the Processing and the transfer of Personal data in accordance with Section 2.5 of the DPA.

Description of the Processing activities and roles of the Parties

Subscriber’s use of the Bentley’s Services involves Processing of Personal Data by Bentley on behalf of the Subscriber. Any Processing of Personal Data belonging to the Subscriber is carried out by Bentley acting as Processor, whereby Subscriber is acting as Controller.

Bentley’s Processing of Subscriber’s Personal Data involves collection, transfer, storage, and other processing activities necessary to provide, maintain and update the Services provided by Bentley to Subscriber via Bentley’s systems. Any Personal Data Processed in Bentley’s systems when using the Services provided by Bentley are transferred to and stored on servers located in the USA and operated by Bentley Systems, Incorporated.

Nature and Purpose of Processing

Bentley will Process Personal Data as necessary to perform the Services pursuant to the Agreement, as further specified in the documentation, and as further instructed by Subscriber in its use of the Services.

Duration of Processing

Subject to Section 9 of the DPA, Bentley will Process Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing.

 Categories of Data Subjects 

Subscriber may submit Personal Data to the Services, the extent of which is determined and controlled by Subscriber in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects:

  • Business partners and vendors of Subscriber (who are natural persons)
  • Employees, agents, advisors, freelancers of Subscriber (who are natural persons)
  • Subscriber’s users authorized by Subscriber to use the Services (who are natural persons)

Categories of Personal Data

Subscriber may submit Personal Data to the Services, the extent of which is determined and controlled by Subscriber in its sole discretion, and which may include, but is not limited to the following categories of Personal Data:

  • Localization data Subscriber ID data
  • First and last name
  • Contact information (company, email, phone, physical business address)
  • Any Personal Data stored by the Subscriber in Bentley’s cloud environment
  • Subscriber’s Personal Data uploaded to the services in connection with the Agreement

Special categories of data (if appropriate)

Not applicable.

Frequency of the Transfer

Subscriber’s use of Bentley’s Services during the subscription term involves transfer of Personal Data on a continuous basis.

Retention Periods

Bentley retains Subscriber’s Personal Data during Subscriber’s subscription term. In case Subscriber’s subscription terms ends, Bentley ceases to transfer and Process Subscriber’s Personal Data and returns or deletes such Personal Data in accordance with the provisions set forth in this DPA.

Transfers to (sub-) processors 

Bentley is using certain (sub-) Processors when providing its Services to Subscriber. For this purpose, such (sub-) Processor may also Process Subscriber’s Personal Data. Further information on the function of these (sub-) Processors as well as the subject matter, nature and duration of the Processing carried out by these (sub-) Processors can be found in Bentley’s Trust Center.

Technical and Organizational Measures

Bentley will maintain administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Personal Data Processed in the context of providing the Services as detailed in Bentley’s Trust Center or otherwise made reasonably available by Bentley.

SCHEDULE 3 – SCC-MATRIX

This Schedule 3 only applies if Bentley Systems, Incorporated is the contractual party to this DPA and Module 2 of the EU Standard Contractual Clauses applies to and between Subscriber and Bentley Systems, Incorporated as defined in Section 1.1 of Schedule 1. Schedule 3 does not apply if Bentley Systems International Limited is the contractual party to this DPA.

This Schedule 3 specifies the selectable options as well as the necessary information on the third country transfer required under the EU Standard Contractual Clauses.

Module 2 of the EU Standard Contractual Clauses

(Controller to Processor)

Specification 
Clause 7 (Docking clause): Selection of available optionsData Exporter and Data Importer hereby agree that any entity that is not party to the EU Standard Contractual Clauses shall accede thereto as either Data Exporter or Data Importer in accordance with Section I, Clause 7 of the EU Standard Contractual Clause (“Docking Clause”) only upon Data Exporter’s and Data Importer’s explicit confirmation; such confirmation must be in writing.
Clause 9 (a) (Use of sub-processors): Selection of available optionsData Exporter and Data Importer hereby agree that Option 2 of Section II, Clause 9.a of the EU Standard Contractual Clauses applies (general authorisation for the engagement of sub-processors). For this purpose, Section 5 of the DPA applies accordingly.
Clause 11 (Redress): Selection of available optionsData Exporter and Data Importer hereby agree that the redress option set forth in Section II, Clause 11 of the SCC does not apply.
Clause 13 (Supervision), Annex I.C.: Determination of the competent supervisory authoritySee the information in Schedule 4.
Clause 17 (Governing law): Selection of available optionsData Exporter and Data Importer hereby agree that the provisions in Option 1 of Section III, Clause 17 of the EU Standard Contractual Clauses shall apply and the EU Standard Contractual Clauses shall be governed by the laws of Ireland.

Clause 18 (Choice of forum and jurisdiction):

Selection of available options

Data Exporter and Data Importer hereby agree in accordance with Section III, Clause 18 of the EU Standard Contractual Clauses that any disputes arising from the EU Standard Contractual Clauses shall be submitted to the courts of Dublin, Ireland.
Annex I.A.: Information on Data Exporter’s name, address, role and activities relevant to the data transferred, contact person’s name, position and contact detailsSee the information in Schedule 2 and Schedule 4.
Annex I.A.: Data Exporter’s signature and dateSigning the Agreement shall be deemed as signing EU Standard Contractual Clauses and its Appendix as described in Section 1.2. of Schedule 1.
Annex I.A.: Information on Data Importer’s name, address, role and activities relevant to the data transferred, contact person’s name, position and contact detailsSee the information in Schedule 2 and Schedule 4.
Annex I.A.: Data Importer’s signature and dateSigning the Agreement shall be deemed as signing the EU Standard Contractual Clauses and its Appendix as described in Section 1.2. of Schedule 1.
Annex I.B.: Categories of data subjects whose personal data is transferredSee the information in Schedule 2.
Annex I.B.: Categories of personal data transferredSee the information in Schedule 2.
Annex I.B.: Sensitive data transferred (if applicable) and applied restrictions or safeguardsSee the information in Schedule 2.
Annex I.B.: Frequency of the transferSee the information in Schedule 2.
Annex I.B.: Nature of the processingSee the information in Schedule 2.
Annex I.B.: Purpose of the data transfer and further processingSee the information in Schedule 2.
Annex I.B.: Period for which personal data will be retained, or if that is not possible, the criteria used to determine that periodSee the information in Schedule 3.
Annex I.B.: For transfer to (sub-) processor: subject matter, nature and duration of the processingSee the information in Schedule 2.
Annex I.C.: Identity of the competent supervisory authority/ies in accordance with Clause 13See the information in Schedule 4.
Annex II: Technical and organisational measuresSee the information in Schedule 2.
Annex III: Information on Sub-processors, including name, address, contact person’s name, position and contact details, description of processingNot required as Option 2 in Clause 9.a of the EU Standard Contractual Clause shall apply as specified in this Schedule 3.

SCHEDULE 4 – PARTIES‘ CONTACT DETAILS AND IDENTIFICATION OF THE COMPETENT SUPERVISORY AUTHORITY

This Schedule 4 only applies if Bentley Systems, Incorporated is the contractual party to this DPA, and Module 2 of the EU Standard Contractual Clauses applies to and between Subscriber and Bentley Systems, Incorporated as defined in Section 1.1 of Schedule 1. Schedule 4 does not apply if Bentley Systems International Limited is the contractual party to this DPA.

This Schedule 4 sets forth the contact details of the Data Exporter and the Data Importer as required by Annex I of the EU Standard Contractual Clauses to the extent these information are not already specified in this DPA and the other Schedules 1 to 3 as well as the identity of the competent supervisory authority in accordance with Article 13 of the EU Standard Contractual Clauses.

Bentley Systems, Incorporated’s contact  

Data Protection Officer: [email protected]

Subscriber’s contact person(s) and/or data protection officer (if applicable)

Name: as specified in the Agreement

Position, Title: as specified in the Agreement

Contact Details: as specified in the Agreement

Subscriber’s representative in the EU (if applicable)

Name: as specified in the Agreement

Contact Details: as specified in the Agreement

Identification of the competent supervisory authority/ies in accordance with Clause 13

Name: competent supervisory authority in the jurisdiction where the data export is established as further defined in the Agreement.

SCHEDULE 5 – JURISDICTION SPECIFIC TERMS

Australia:

  • The definition of “Data Protection Laws and Regulations” includes the Australian Privacy Principles and the Australian Privacy Act (1988).
  • The definition of “Personal Data” includes “Personal Information” as defined under Data Protection Laws and Regulations.

Brazil:

  • The definition of “Data Protection Laws and Regulations” includes the Lei Geral de Proteção de Dados (“LGPD”).
  • The definition of “Processor” includes “operator” as defined under LGPD.

Canada:

  • The definition of “Data Protection Laws and Regulations” includes the Federal Personal Information Protection and Electronic Documents Act (“PIPEDA”).
  • Bentley’s Subprocessors, as described in Section 5 (Subprocessors) of this DPA, are third parties under PIPEDA, with whom Bentley has entered into a written contract that includes terms substantially similar to this DPA. Bentley has conducted appropriate due diligence on its Subprocessors.

Israel:

  • The definition of “Data Protection Laws and Regulations” includes the Protection of Privacy Law (“PPL”).
  • The definition of “Controller” includes “Database Owner” as defined under PPL.
  • The definition of “Processor” includes “Holder” as defined under PPL.

Japan:

  • The definition of “Data Protection Laws and Regulations” includes the Act on the Protection of Personal Information (“APPI”).
  • The definition of “Personal Data” includes “Personal Information” as defined under APPI.
  • The definition of “Controller” includes “Business Operator” as defined under APPI. As a Business Operator, Bentley is responsible for the handling of personal data in its possession.
  • The definition of “Processor” includes a business operator entrusted by the Business Operator with the handling of personal data in whole or in part (also a “trustee”), as described under APPI. As a trustee, Bentley will ensure that the use of the entrusted personal data is securely controlled.

Mexico:

  • The definition of “Data Protection Laws and Regulations” includes the Federal Law for the Protection of Personal Data Held by Private Parties and its Regulations (“FLPPIPPE”).

Singapore:

  • The definition of “Data Protection Laws and Regulations” includes the Personal Data Protection Act 2012 (“PDPA”). Bentley will Process Personal Data to a standard of protection in accordance with the PDPA by implementing adequate technical and organizational measures as set forth in Section 6 (Security) of this DPA and complying with the terms of the Agreement.

Switzerland:

  • The definition of “Data Protection Laws and Regulations” includes the Swiss Federal Act on Data Protection.
  • When Bentley engages a Subprocessor under Section 5 (Subprocessor) of this DPA, it will: (a) require any appointed Subprocessor to protect Subscriber Data to the standard required by Data Protection Laws and Regulations, such as including the same data protection obligations referred to in Article 28(3) of the GDPR, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR, and (b) require any appointed Subprocessor to (i) agree in writing to only process personal data in a country that the European Union has declared to have an “adequate” level of protection or (ii) only process personal data on terms equivalent to the EU Standard Contractual Clauses or pursuant to a Binding Corporate Rules approval granted by competent European Union data protection authorities.

United Kingdom (UK):

  • References in this DPA to GDPR will to that extent be deemed to be references to the corresponding laws of the United Kingdom (including the UK GDPR and Data Protection Act 2018).
  • When Bentley engages a Subprocessor under Section 5 (Subprocessor) of this DPA, it will: (a) require any appointed Subprocessor to protect Subscriber Data to the standard required by Data Protection Laws and Regulations, such as including the same data protection obligations referred to in Article 28(3) of the GDPR, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR; and (b) require any appointed Subprocessor to (i) agree in writing to only process personal data in a country that the United Kingdom has declared to have an “adequate” level of protection or (ii) only process personal data on terms equivalent to the EU Standard Contractual Clauses or pursuant to a Binding Corporate Rules approval granted by competent United Kingdom data protection authorities.
  • Notwithstanding anything to the contrary in this DPA or in the Agreement (including, without limitation, either party’s indemnification obligations), neither party will be responsible for any UK GDPR fines issued or levied under Article 83 of the UK GDPR against the other party by a regulatory authority or governmental body in connection with such other party’s violation of the UK GDPR.