Instructions on how to create a privacy statement for CAD software

The General Data Protection Regulation's (GDPR) entry into force and its application mean that the processing of personal data should be performed particularly carefully. The regulation was created to protect private individuals and grant them rights. The regulation provides different organizations with an opportunity to perform an inventory of their current data repositories and develop a long-term strategy concerning the methods of storing important, accurate and up-to-date information relevant to their business. The accuracy of data is particularly significant as the capacities for storing data are increasing and multiplying. Different systems that store data can also overlap, resulting in conflicting data entries.

Depending on the product, Vertex CAD software enables the storage of GDPR-required data in projects. Such data can include, for example, customer data stored on project cards.

The data stored in the projects will accumulate into a GDPR-compliant register.

More detailed information about the descriptions of files and privacy statements can be found on the Data Protection Ombudsman website: http://www.tietosuoja.fi/fi/index/materiaalia/lomakkeet/rekisteri-jatietosuojaselosteet.html


Controller

The controller of the design software suite is the organization that holds its user permissions (company or community). Vertex Systems Oy is the technical supplier of the software suite according to a separate maintenance contract, but it is not the controller.

Company name, business ID

Address details


Contact person in matters concerning the register

The contact person in matters concerning the register is:

Designated person

Contact information (including email, telephone number)

The contact person is responsible for replying to inquiries related to the register, for instance.


Name of the register

Give the personal register a name that can be used to identify the register and that indicates its purpose. You can use the name of the Vertex CAD software product you are using as the name of the register, e.g., Vertex BD, Vertex G4 or Vertex InD design software.


The purpose of the processing of personal data

The purpose of the processing of personal data in the design software is the management of the data in the projects designed with the software. Such data includes the system's customer data and other personal data.

The purpose of the processing of personal data indicates the function of the personal register in the controller's organization. Personal data can be processed, for example, to maintain customer, service or employment relationships.


Data content of the register

The data content regarding Vertex BD and InD systems may include the following:

  • Customer data: Customer name, email address, street address, telephone number(s) and possible additional information.
  • Other data: The name, address, telephone numbers and email address of the Architect, Constructor, Designer, Lead Designer, Representative, Salesperson, Price Estimator, Construction Manager in Charge, Electrical Engineer, Site Manager or HVAC Designer.

The data content regarding Vertex G4 and G4 Plant systems and Vertex ED and HD systems may include the following, for example:

  • Customer data: Customer name and contact information (address, telephone number(s), email addresses) and the customer's contact persons (name, position, telephone number and email address) and possible additional data.
  • System user data: Name, telephone numbers, email addresses and street address.

If it is possible that these data are stored in your database, please take this into account when creating the privacy statement.

The data content of the register depends on how you use the different possibilities enabled by the CAD software suite, so the actual data content must be confirmed on a case-by-case basis.

The data content regarding other personal data can vary. Typically, there is a designated contact person in the project or customer data and their contact details such as email address, telephone number and street address. For example, the processed personal data can be the buyer's or designer's details entered into the project's details. It serves the controller's interest to store in the system only necessary data that cannot be acquired in any other manner. This minimizes the occurrence of overlapping or even conflicting data entries.

The design software does not perform automatic profiling or further processing of the data content.

The statement indicates the data or categories of data on the data subject that can be stored. The person's identification data must be categorized (e.g., name and contact information). Concerning other data, a description of the category of data or group is sufficient (e.g., data concerning the services ordered by the customer and data related to their provision and invoicing). The data can be grouped together with headings.


Regular sources of data

The data collected in the Vertex design software are generated by the controller's activities upon forming employment or customer relationships, for instance. The data can be retrieved directly from the data subject or from other systems such as Vertex Flow and DS. If such integrations have been implemented, the details of this integration must be included in this section.


Regular disclosure of data

Disclosure of data to partners

The data will be disclosed if your company's design projects are handed over to partners or subcontractors. Typical cases include part manufacturing by subcontractors or structural or HVAC design performed by subcontractors. Before transferring data to your partners, we recommend that you enter into an agreement about the terms of service, or in the case of existing partnerships, update the existing terms of service to clarify possible issues regarding responsibility. The personal data in the project are stored as part of the project and its transfer file. Such data include, for example, the designer and customer data transferred to the project card.

System integrations

If your company's CAD software is integrated with the Vertex Flow or DS data management systems, this connection is considered to be a regular disclosure of data. If such integrations have been implemented, the details of this integration must be included in this section. Remember also to provide a description of the disclosure of data to CAD in the corresponding Flow or DS privacy statement.


Transfer of data outside the EU or EEA

Are the personal data transferred outside the European Union or the European Economic Area? If Vertex CAD projects are transferred outside the EU or EEA, the disclosure of data outside the European Union or the European Economic Area is considered to apply as defined in this section.


The principles of register protection

The CAD software is installed either locally on the user's device or on a server to be used over a network connection.

Local installation: In the case of a local installation, data privacy is based on the restricted access rights set at the level of the operating system (Windows). Organizations should set up a personal Windows user ID for each user on workstations equipped with CAD. Generic Windows user IDs should be avoided. Access to personal data via CAD can thus be restricted and managed.

Server installation: The same principles apply as for a local installation. Workstations should require logging in with a personal user ID.

The protection of manual materials such as print-outs can be described by stating that the materials are stored in locked premises. Regarding data processed by means of IT, the methods of protecting the data from parties outside the organization and how the rights to access the data have been restricted within the organization must be indicated. Describe the general principles of protection. Do not reveal any details that might compromise data security. It is also advisable to indicate in this section whether the personal data stored in the register are under a statutory obligation of confidentiality.


Right of inspection and the right to request the rectification or erasure of data

With certain exceptions, the General Data Protection Regulation ensures that data subjects have the right to request the rectification or erasure of their personal data or the right to be forgotten. Provide a description of how the request must be submitted and where it must be addressed. For example, the request may be required to be submitted to the controller in writing.

In principle, all data subjects have the right to inspect their personal data or request the rectification of the data.

Other rights concerning the processing of personal data

According to the General Data Protection Regulation, storing personal data in a register is subject to the data subject's explicit consent. If customer data are stored in the system, the consent of the persons stored in the system must be acquired. This consent must be documented and demonstrable: when and how the consent has been given or acquired.


Children's privacy

Children under 16 are in a special position regarding data privacy that needs to be considered in the description of the file. Such a situation might arise, for example, if your organization decides to hire employees for the summer and/or trainees through the work practice program who have access to the system.