Bentley’s Notice of Certification Under the Data Privacy Framework Program
Effective as of July 17, 2023
Bentley Systems, Incorporated (“Bentley”) complies with the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (“Swiss-U.S. DPF”) as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal data transferred from the European Union, the United Kingdom, and Switzerland, as applicable, to the United States in reliance on the Data Privacy Framework. Bentley has certified to the Department of Commerce that it adheres to the Data Privacy Framework Principles with respect to such data. If there is any conflict between the terms in this notice and the Data Privacy Framework Principles, the Data Privacy Framework Principles shall govern. To learn more about the Data Privacy Framework program, and to view our certification, please visit https://www.dataprivacyframework.gov/.
Scope: this notice applies to all personal data relating to data subjects located in the European Economic Area (“EEA”), the United Kingdom, or Switzerland that is received by Bentley in the United States (collectively, the “European Data Subjects”). Bentley will comply with this notice with respect to this personal data.
Data Processed: in providing services to individuals, users, and accounts (collectively, the “Subscriber”), Bentley processes personal data collected when a Subscriber registers with us, conducts a purchase, contracts with us, and uses our products and/or services (collectively, the “Services”). The types of personal data collected, and its uses will depend on the Services, and are described in our Privacy Statement. Further, in providing these Services, Bentley processes data (including personal data) our Subscribers submit to our Services or instruct us to process on their behalf as detailed in the Data Processing Addendum.
Purposes of Data Processing: Bentley processes data submitted by Subscribers for the purpose of providing Services. To fulfill these purposes, Bentley may access the data to provide the Services, to correct and address technical or service problems, to respond to support matters, or to follow instructions of the Subscriber who submitted the data, or in response to contractual requirements.
Third-Party Transfers: Bentley may share personal data with third parties under certain circumstances described in our Privacy Statement. These third parties may access, process, or store personal data while providing their services to Bentley. Bentley maintains contracts with these third parties restricting their access, use, and disclosure of personal data in compliance with our Data Privacy Framework obligations, including the onward transfer provisions. Bentley remains liable if these third parties fail to meet those obligations and we are responsible for the event giving rise to damage.
Rights to Access and Limit Use and Disclosure: European Data Subjects have rights to access personal data about them and to limit use and disclosure of their personal data. With our Data Privacy Framework self-certification, Bentley has committed to respect those rights. If you seek to access, correct, delete, or limit use or disclosure of your personal data, please email DPO@Bentley.com. Where Bentley receives such a request and processes your personal data on behalf of a Bentley Subscriber, Bentley may refer your request to that Subscriber.
U.S. Federal Trade Commission Enforcement: Bentley’s commitments under the Data Privacy Framework are subject to the investigatory and enforcement powers of the United States Federal Trade Commission.
Compelled Disclosure: Bentley may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
Independent Dispute Resolution and Arbitration: If you have an inquiry or complaint related to Bentley’s Data Privacy Framework compliance, please email DPO@Bentley.com. Bentley will respond to your inquiry within forty-five (45) days. If Bentley cannot resolve your complaint, Bentley has designated the American Arbitration Association as an independent dispute resolution body to review your complaint at no cost to you. In the event that your complaint cannot be resolved with Bentley directly, or through the independent dispute resolution mechanism, you may be able to invoke binding arbitration through the Data Privacy Framework Panel. For more information on this option, please see Annex I of the EU-U.S. Data Privacy Framework Principles.