BuildSafe Data Processing Agreement
Download latest version
- The Customer according to the Agreement (”Customer” or “Data Controller)
- BuildSafe Sweden AB, reg.no. 559001-9179 (”BuildSafe” or “Data Processor”)
The Customer and BuildSafe are hereinafter jointly referred to as “Parties” and individually as a “Party”.
- This Data Processing Agreement (“Data Processing Agreement“) includes provisions regarding the Processing of Personal Data carried out by BuildSafe on behalf of the Customer in accordance with the agreement entered into by BuildSafe and the Customer relating to services provided by BuildSafe to the Customer (the “Agreement“).
- By signing the Agreement, the Customer and BuildSafe will be bound by this Data Processing Agreement, which forms an integrated part of the Agreement.
- The Customer determines the purposes and means of Processing the Personal Data. Therefore, in accordance with Applicable Data Protection Regulations (as defined below), the Customer is the Data Controller responsible for the Processing.
- When providing services under the Agreement, BuildSafe will Process Personal Data on behalf of the Customer. In accordance with the Applicable Data Protection Regulations BuildSafe therefore acts as Data Processor for the Processing.
- Applicable Data Protection Regulations require that the Data Processor and Data Controller enter into a written agreement regarding the Data Processor’s Processing of Personal Data on behalf of the Data Controller. For the purposes of complying with this obligation, the Parties have entered into this Data Processing Agreement in accordance with Applicable Data Protection Regulations.
- In the event that the Customer purchases other services provided by BuildSafe which results in BuildSafe Processing Personal Data on behalf of the Customer, the additional Processing shall be described in an Appendix to this Data Processing Agreement. The terms of this Data Processing Agreement shall then also apply in relation to such further Processing of Personal Data in connection with such additional services.
3. General Data Protection Regulation
On 27 April 2016, the European Parliament and the Council adopted the Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (” GDPR”). The provisions of this Data Processing Agreement are intended to reflect the provisions of the GDPR and satisfy the requirements following GDPR regarding data processing agreements.
In this Data Processing Agreement, the following terms shall have the following meanings:
“Agreement Date” means the date when the Agreement has been approved by the Customer
“Processing” means any operation or set of operations which is performed on Personal data, whether by automatic means or not. Examples of Processing are collection, storage, modification, disclosure by transmission or otherwise making available, alignment or combination, blocking and deletion.
“Personal Data” refers to personal data as defined in the Applicable data protection regulations and which the Data Processor, or the Data Processor’s subcontractors, processes on behalf of the Data controller.
”Data Subject” mean the natural person to whom the Personal Data relates.
”Applicable Data Protection Regulations” refers to the GDPR including laws, ordinances and regulations that from time to time supplements the GDPR.
Other terms in this Data Processing Agreement shall, unless otherwise stated, have the same meaning as in the Agreement or, if applicable, be interpreted in accordance with Applicable Data Protection Regulations.
5. The responsibility of the Data Processor for the Processing under the Data Processing Agreement
- The Data Processor undertakes to only Process Personal Data in accordance with Data Controller’s instructions under this Data Processing Agreement, the Data Processor’s from time to time applicable policies relating to the Processing of Personal Data and written instructions given by the Data Controller, unless such Processing is required by applicable law, whereby the Data Processor shall inform the Data Controller of the legal requirement before the Processing (provided that such information is not prohibited by applicable law).
- The Data Processor undertakes to process Personal Data in accordance with the from time to time Applicable Data Protection Regulations, and to promptly comply with decisions and judgments issued by the Swedish Data Protection Authority, other competent authority or court of law as soon as possible.
- The Data Processor also undertakes to:
- not without prior written consent from the Data Controller, transfer or make available Personal Data to a third party (who is not a sub-processor);
- keep all Personal Data strictly confidential and ensure that persons authorized to Process Personal Data have undertaken to observe confidentiality; and
- upon request of the Data Controller provide relevant information and documentation describing what measures the Data Processor have taken in order to fulfil the requirements under the Data Processing Agreement.
- Should the Data Processor be of the view that an instruction provided by the Data Controller infringes Applicable Data Protection Regulations; the Data Processor shall immediately cease the Processing of Personal Data based on the instructions and notify the Data Controller, and thereafter await further instructions.
- The Data Processor shall, without undue delay, notify the Data Controller when the Data Processor is made aware of a security incident involving unauthorized, unintentional or unlawful access, destruction or alteration of Personal Data at the Data Processor, and inform the Data Controller of other circumstances in connection with the Data Processor’s Processing of the Personal Data which can be considered to be of significant importance to the Data Controller.
- The Data Processor may engage sub-processors to Process Personal Data on behalf of the Data Controller.
- Should the Data Processor engage a sub-processor, the Data Processor shall enter into a written agreement with the sub-processor that imposes obligations on the sub-processor correspondent to, and no less restrictive than, the Data Processors undertakings according to this Data Processing Agreement and from time to time applicable instructions regarding the Processing of Personal Data from the Data Controller.
- The Data Processor shall notify the Data Controller at least two (2) weeks before a sub-processor starts to process Personal Data. The Data Controller is entitled to object to the Personal Data being Processed by the sub-processor in cases where it is justified with regard to Applicable Data Protection Regulations. Should the Data Controller object to Personal Data being Processed by a sub-processor, the Data Processor shall not provide the parts of the Service concerning the Processing performed by the sub-processor, but shall otherwise provide the other parts of the Service under the Agreement.
7. The responsibilities of the Data Processor towards the Data Controller
- The Data Processor shall to the extent possible assist the Data Controller to meet requests from Data Subjects pursuant to Applicable Data Protection Regulations, such as rectification, deletion and restriction of the Processing of Personal Data and access to Personal Data.
- Data Processor shall assist the Data Controller to the extent possible with regard to the information available to the Data Processor in order for the Data Controller to be able to fulfil its obligations to, inter alia, report personal data breaches to the supervisory authority and the Data Subject, carry out data impact assessments regarding data protection and consult with the supervisory authority, in accordance with Applicable Data Protection Regulations.
8. Transfer of Personal Data outside of the EU and EEA
The Data Processor may transfer Personal Data outside the EU / EEA provided that the transfer is carried out in accordance with Applicable Data Protection Regulations and that the Data Processor takes all necessary measures to ensure that such transfer is permitted under Applicable Data Protection Regulations, e.g. by entering into the Commission’s standard contractual clauses (SCC). The Data Processor shall have the right to enter into such standard contract clauses on behalf of the Data Controller.
9. Disclosure of Personal Data
- Should the Data Subject request access to or information about the Data Processor’s Processing of the Data Subject’s Personal Data, the Data Processor shall forward such a request to the Data Controller.
- The Data Processor does not have the right to disclose or provide access to the Data Subject’s Personal Data to third parties. Should a request for such disclosure be directed at the Data Processor, the Data Processor shall forward the request to the Data Controller. Should the request originate from an authority, court or similar third party to whom the Data Processor has an obligation to disclose the Personal Data, the Data Processor shall not be obliged to inform the Data Controller of such request, disclosure or access.
10. Right to audits and inspections
- The Data Controller has the right, upon request and at no extra cost, to receive a written report from the Data Processor, which specifies what measures the Data Processor has taken to fulfil the obligations set out in the Data Processing Agreement.
- The Data Controller is entitled, through an independent third party, to perform an audit and inspect the Data Processor’s Processing of Personal Data and to verify that the Data Processor’s Processing of Personal Data is carried out in accordance with the Data Processing Agreement and in accordance with Applicable Data Protection Regulations. For the avoidance of doubts, an inspection under this Section 10 shall only comprise such information that is strictly necessary in order to determine the Data Processor’s compliance with Applicable Data Protection Regulations and this Data Processing Agreement. The inspection shall under no circumstances comprise any other information, e.g. regarding Data Processor’s business operations. The Data Controller shall, however, submit a written notification of the inspection to the Data Processor no later than seven (7) days before the inspection. Inspections shall take place during normal working hours.
- The Data Controller shall ensure that the independent third party performing the audit is bound by confidentiality in relation to any and all information that the third party receives in the context of an audit.
- Each Party shall bear its own costs for the inspections in accordance with Section 2.
11. Technical and organizational measures
- The Data Processor shall implement appropriate technical and organizational measures in order to protect and safeguard the Personal Data that is Processed against Personal Data Breaches. Such measures shall be taken with consideration to (i) the technical possibilities available, (ii) the costs of implementing the measures, (iii) the particular risks associated with the Processing, and (iv) the degree of sensitivity of the Personal Data Processed. Such measures include, but are not limited to, keeping logs of the data, having adopted a security policy, a secure IT environment, and physical security measures and security procedures.
- The Data Processor shall only grant access to Personal Data to such employees or other persons where a disclosure is necessary in order for the Data Processor to be able to fulfil the obligations under the Agreement. The Data Processor further undertakes to ensure that all of the Data Processor’s employees and other persons who gain access to Personal Data undertake to comply with the provisions of this Data Processing Agreement. The Data Processor shall furthermore ensure that information on any access to the Personal Data is documented in logs to such extent and in such a way that it can be controlled without delay if any unauthorized person, and in such case who, received or gained access to the Personal Data.
- The above-mentioned technical and organizational measures shall include, but not be limited to:
- implementation of a company-wide security policy and instructions for Processing of Personal Data within the Data Processor’s organization.
- recurrent training of employees and other personnel involved in the Processing of the Personal Data, regarding the security policy as well as instructions and other Applicable Data Protection Regulations.
- establishment of a secure IT environment, including, inter alia, the required security procedures, encryption systems, user authorization and back-up routines, including storage of back-up copies.
- implementation of the necessary physical safety measures, such as entry control systems, fire, water and burglar alarms, etc.
12. Limitation of liability
- The Parties are liable jointly and severally in relation to claims from Data Subjects related to the Processing of the Data Subject’s Personal data. The Party that compensates a Data Subject shall be entitled to a right to recourse in accordance with the provisions of Article 82 of the GDPR.
- The Parties agree that neither Party shall be obliged to compensate the other Party for administrative fines imposed by a supervisory authority or court under Applicable Data Protection Regulations.
- The Parties shall, to a reasonable extent, provide information to the other Party which may be useful in the context of a supervisory matter or court proceedings initiated against the other Party.
- The Data Processor’s aggregate liability under this Data Processing Agreement shall be limited in accordance with the Agreement.
- The Parties agree that the fee or fees paid by the Data Controller to the Data Processor in accordance with the Agreement includes compensation for the Data Processor’s obligations under the Data Processing Agreement. Should the Data Controller request measures which go beyond this Data Processing Agreement and what is required according to Applicable Data Protection Regulations, the Data Processor shall be entitled to compensation for such measures.
14. Term and termination
- This Data Processing Agreement shall be effective as of the Agreement Date and shall remain effective for the duration of the Agreement. Premature termination of the Agreement means that this Data Processing Agreement shall be terminated automatically.
- Upon termination of the Agreement, and in accordance with the Data Controller’s instructions, the Data Processor shall, without undue delay, return or upon the Data Controller’s request delete all Personal Data (including any copies) that are covered by the Agreement. The return, or destruction, if applicable, shall be made in such a way that the Data Processor subsequently does not have access to such Personal Data. The Data Processor shall thereafter certify in writing to the Data Controller that Personal Data has been returned or destroyed. If the Data Controller has not provided instructions in accordance with this Section 14.2 within thirty (30) days of the termination of the Agreement, the Data Processor is entitled to irrevocably delete the Personal Data.
15. Agreement documents and amendments
- Additions and amendments to this Data Processing Agreement shall be made in writing and duly signed by both Parties to be valid.
- In the event of non-conformity between other documents within the Agreement and the Data Processing Agreement concerning the Processing of Personal Data, the provisions of this Data Processing Agreement shall take precedence to the extent that this Data Processing Agreement provides a stronger protection for the Personal Data Processed.
- This Data Processing Agreement constitutes the entire agreement between the Parties regarding the matters covered by the Data Processing Agreement and replaces all previous written or oral commitments.
16. Governing law and dispute resolution
Any dispute, controversy or claim arising out of or in connection with this Data Processing Agreement shall be finally settled by arbitration in accordance with the Rules for Expedited Arbitration of the Arbitration Institute of the Stockholm Chamber of Commerce. The seat of arbitration shall be Stockholm and the language to be used in the proceedings shall be Swedish, unless the Parties have agreed otherwise. The dispute and this Data Processing Agreement shall be governed by Swedish law.
1. Categories of Data Subjects
On behalf of the Data Controller, the Data Processor shall Process Personal Data on the following categories of Data Subjects:
- Users of the Service,
- Contact persons at the Customer, and
- People working or present at the Customers office.
2. Categories of Personal Data
On behalf of the Data Controller, the Data Processor shall Process the following categories of Personal Data:
- personal identification number,
- copy of identity card or similar proof of identification,
- copy of occupational permits, licenses or certificates,
- e-mail address,
- function in the project,
- phone number,
- period of assignment,
- copy of signature,
- contact information to the closest relative
- phone number
- e-mail address
- any potential discrepancies/observations/accidents/incidents the person experiences or is involved in (may include health data),
- different types of responsibility for actions and performance measures at the work place,
- technical data, which may include the URL through which you gain access to the web site, your IP-address, unique device ID, language, and
- location data.
3. Purposes with the Processing
On behalf of the Data Controller, the Data Processor shall Process Personal Data for the following purposes:
- name, in order to identify areas of responsibility and compile contract information,
- e-mail address, in order for us to send an invite to the Service, to send messages and notifications and to information about updates,
- function in the project, in order to inform other users about official areas of responsibilities and competences in the Service,
- username, in order to ensure that un-authorised persons do not gain access to the Service,
- phone number, in order to fulfil requirements for complete contact information when documenting inspections, and to be able to communicate with persons officially authorised for emergency preparedness,
- employer to identify a person to contact for all active companies at the work place, sort the respective organization’s areas of responsibilities and follow up on each supplier’s work,
- photo to identify a specific person at the work place, in the position of a formal role or in connection with emergency preparedness,
- photos of people who are at construction site for the purpose of managing notifications and reports related to the workplace,
- technical data to improve and develop the Service, and new services and products, and to analyze your use of the Service, in order to ensure the technical functions of the Service and to prevent the use of the Services in violation of the Agreement, and
- location data for language settings, time zone, being able to identify location for reported risks, and identifying related projects.
As of the date the Data Processing Agreement comes into effect the Data Processor engages the following sub-processors to Process Personal Data on behalf of the Data Controller:
- BuildSafe Tech
- Amazon Web Services
- Branch Metrics