Fieldwire GDPR Overview

Fieldwire and the General Data Protection Regulation (GDPR)

What is the GDPR?

As of May 25, 2018, the General Data Protection Regulation (“GDPR”) replaced the Data Protection Directive 95/46/EC (“Directive”) and applied directly in all countries of the European Union (“EU”). The GDPR is the most important EU data protection legislation to be enacted in decades. It significantly restricts the abilities of companies to process personal data and generally provides for stricter rules as compared to existing law.

The EU data protection law applies to the processing of personal data, which is a concept that is interpreted very broadly. Other important concepts include pseudonymized data and anonymous data.

Personal data is any information relating to an identified or identifiable natural person. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity. The GDPR specifically cites online identifiers (e.g., IP address, device unique IDs, cookie identifiers) and location data as examples of personal data.

Pseudonymized data is data that cannot be attributed to an individual without the use of additional information. It is still personal data under EU data protection law, but processing pseudonymized data allows for some (limited) flexibility.

Anonymous data is information that does not relate to an identifiable person, or personal data that is de-identified in such a manner that the individual is not or no longer identifiable.

The Roles of the Data Controller and Processor

Under EU data protection law, companies can either be a data controller or a data processor.

  • Data Controller is the entity that determines the purposes (i.e., why) and means (i.e., how) of the data processing and which is mainly responsible for complying with applicable data protection rules.

  • Data Processor is the entity that acts on behalf of and under the instructions of the controller. Under the Directive, the processor’s obligations were limited to complying with the controller’s instructions and implementing appropriate data security measures. The GDPR imposes additional obligations on processors (e.g., record keeping obligations, assisting the controller with fulfilling individuals’ requests with regard to their personal data).

Fieldwire and GDPR

Fieldwire has worked diligently to enact the security measures required pursuant to European data protection laws. Fieldwire offers a Data Processing Addendum (DPA) as a means of meeting the adequacy and security requirements of the European Union’s General Data Protection Regulation (the “GDPR”). Instructions to opt into the DPA are available at https://www.fieldwire.com/GDPRaddendum.pdf.

GDPR compliance consists of many elements. We are continually updating our documentation and agreements to align with GDPR requirements. We are continually revising our internal policies and procedures to ensure that they adhere to the GDPR standard.

All Fieldwire employees are required to complete mandatory confidentiality and privacy trainings and to sign a confidentiality agreement. Fieldwire has made sure to include specific provisions in agreements with third parties and regulates in detail the relationship between data controllers, processors and sub-processors. Fieldwire implements appropriate technical and organizational measures to ensure a level of security that is appropriate to the risk the personal data is exposed to.

Standards and Certifications

To ensure the resiliency of our systems and processes, Fieldwire undergoes several annual third-party audits.

ISO/IEC 27001

ISO/IEC 27001 is one of the most widely recognized, internationally accepted independent security standards. Fieldwire has earned ISO/IEC 27001 certification.

SOC2/3

The American Institute of Certified Public Accountants (AICPA) SOC 2 (Service Organization Controls) and SOC 3 audit framework defines Trust Principles and criteria for security, availability, processing integrity, and confidentiality. Fieldwire has both SOC 2 and SOC 3 reports.

We no longer rely on the Privacy Shield as a data transfer mechanism, because the EU-U.S. Privacy Shield and the Swiss-U.S. Privacy Shield are no longer valid as a result of the Schrems II decision issued by the European Court of Justice on July 16, 2020. We remain committed to the principles of the Privacy Shield framework, since they can still provide privacy protections to users. For this reason, we continue to reference the Privacy Shield in our policies and agreements.

Enterprise customers can elect to review the audit reports under an NDA.

Read More

Direct information can be found in our Privacy Policy and Terms of Service.

Further security information can be found below:
