Bentley GDPR Compliance Statement
Bentley’s GDPR Commitment
GDPR is an opportunity to build a stronger data protection foundation for the benefit of all. Bentley is committed to ensuring that our products and services are GDPR compliant.
GDPR Compliance Statement
Bentley has prepared this statement to provide our customers with information regarding the impact of the GDPR, the steps taken by Bentley to ensure our compliance with the GDPR, and the ways in which we can assist and support our accounts and users (as data controllers) with their respective obligations under the GDPR.
Overview of GDPR
The General Data Protection Regulation (“GDPR”) is a comprehensive data protection law that regulates the use of personal data of EU residents and provides individuals rights to exercise control over their data. The GDPR does not apply only to European companies; it extends to any organization worldwide that targets or offers services or products to EU residents.
The GDPR requires companies to be transparent and accountable for their use of personal data, and to be able to demonstrate this to both regulators and the individuals concerned. There is no requirement for personal data to stay in the EU, but transfers outside of the European Economic Area are restricted, meaning that unless the European Commission has assessed the country’s privacy regime and declared it to be “adequate”, the data must be further protected by contract, or other EU-approved means. For any transfers to non-adequate countries, Bentley’s Data Processing Addendum incorporates such EU-approved means, namely the European Commission’s standard contractual clauses. Customers can rely on these protections to transfer EU personal data using our services.
Continue reading below to learn more about Bentley’s GDPR compliance.
Compliance, Account & User Support
Bentley complies with the GDPR in the delivery of our products and services to our users. We are also dedicated to helping our users comply with their respective GDPR obligations. In support of these commitments, we have established and resourced a specialized team including a dedicated Data Protection Officer. Further, we have made enhancements to our services, agreements, policies, and internal processes as necessary to satisfy our obligations under the GDPR.
Compliance With Customer Instructions
As a data processor, Bentley is committed to processing personal data only as instructed by applicable accounts and users. We have updated our internal policies to ensure that all Bentley colleagues who have access to personal data shall only process such personal data on behalf of and in accordance with the documented instructions of the relevant accounts and users. In addition, we have incorporated our Data Processing Addendum into our agreements to ensure that our accounts and users comply with GDPR requirements.
Bentley fulfills different roles in respect of different data but is committed to meeting and exceeding its obligations under the GDPR.
Bentley only collects and processes the minimum personal data necessary to provide the relevant services on behalf of our users. In addition, we do not knowingly collect and/or process sensitive or special categories of personal data.
Data Protection Impact Assessment
As a data processor, Bentley is committed to supporting our customers in respect of data protection impact assessments including data transfer impact assessments and/or prior consultations that may be required. As a data controller, Bentley complies with its obligations under the GDPR and our data protection team regularly complete privacy impact assessments where personal data is used or collected.
Data Protection Training And Awareness
Bentley ensures that all of our colleagues are aware of their obligations under the GDPR and complete annual training on their role-specific responsibilities. Our commitment to data protection training and awareness supports Bentley’s commitment to meeting and exceeding our obligations under the GDPR.
Bentley has updated its IT systems and internal policies to assist with our obligation to respond to requests by data subjects to exercise their rights under the GDPR.
Bentley has implemented and maintains appropriate technical and organizational measures to ensure the processing of personal data meets the requirements of the GDPR, including technical and organizational measures to protect the security, confidentiality, availability and integrity of personal data (including protection against unauthorized or unlawful processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, personal data). Such technical and organizational measures may include (as appropriate based on the risk to data subjects): (a) the pseudonymisation and encryption of personal data; (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and (d) a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing of personal data.
Bentley treats all personal data processed on behalf of our users as confidential information and ensures that all Bentley colleagues, agents and contractors engaged in the processing of personal data are informed of the confidential nature of such personal data. Bentley ensures that (a) access to personal data is limited to those performing services in accordance with the relevant account and user agreement; and (b) all such colleagues, agents and contractors are committed to confidentiality (or are under an appropriate statutory obligation of confidentiality) and receive appropriate training on their responsibilities.
Bentley will assist our accounts and users in ensuring compliance with their respective security obligations under the GDPR.
Bentley has obtained a number of security certifications, which provide third-party assurance that Bentley has implemented security best practices.
Learn more about Bentley’s Security.
Right To Audit
Bentley regularly completes internal and external audits for a variety of reasons including to support our industry standard attestations and certifications. Our Data Processing Addendum details our approach to audit rights which allow customers to verify Bentley’s compliance with its data protection obligations including our obligations under the GDPR.
Responding To Personal Data Breaches
Bentley has updated its policies as necessary to ensure that it provides notice to accounts and users of a personal data breach without undue delay following the discovery of such personal data breach. Bentley shall also reasonably assist and cooperate as instructed by accounts and users with any internal investigation or external investigation by third parties, such as law enforcement.
Use of Sub-Processors
Bentley engages with carefully selected subprocessors. The provision of certain accounts may require us to commission additional subprocessors. In such a case, we will post additional subprocessors here. At Bentley, security and privacy are paramount. Accordingly, we impose data protection terms on each subprocessor with which we work to maintain compliance.
Cross Border Data Transfers
Bentley has maintained its Privacy Shield Certification but has long offered our accounts the opportunity to avail of the European Commission’s latest standard contractual clauses, which have now been incorporated into our Data Processing Addendum. Bentley has issued a statement regarding Privacy Shield & Cross Border Data Transfers.
Law Enforcement Requests
Bentley is legally required to disclose data that it hosts when it receives valid legal process from a law enforcement authority with jurisdiction. Our Data Processing Addendum details our policies and practices regarding government requests for data about our accounts and users.
Please contact Bentley’s Data Protection Officer (DPO) with any questions or concerns.
Data Protection Officer
Bentley Systems International
Charlemont Exchange, 05 – 101
Charlemont Exchange, 42 Charlemont Street,
Dublin 2, D02VN88