bwod as a data processor

Blomberg Web og Design AS (bwod) delivers development, operation and support of websites and online stores on behalf of our customers.
This document explains our role as data processor according to GDPR art. 28. 28. It is a summary of practice and does not replace the individual data processing agreement (DPA) we enter into with customers.

Short version: We only process personal data when it is necessary to deliver agreed services, and always on the instruction of the customer (data controller). We prioritize security, minimal data access and clean processes.

Last updated: 16.09.2025

Roles and responsibilities

  • Data controller: Our customer (website owner). Determines the purposes and means of the processing.
  • Data processor: bwod. Performs technical processing only as instructed by the customer.
  • Sub-processors: Third parties we use to provide the Service (e.g. web hosting, email/SMTP, backup).

What we can process

Depending on the site’s features, we may technically be able to access:

  • Technical data: IP addresses in server logs, user agent, timestamps (operational/security/troubleshooting).
  • Form data: Information sent via contact form/registration form (if the customer has this).
  • Online store data: Order data, customer profiles, transaction log (if WooCommerce or similar is installed).
  • Integrations: Data flowing to/from third parties (e.g. newsletters, booking systems, tracking data) to the extent we provide technical assistance.

If the customer only has a simple info page, this is typically limited to technical logs at the web host.

Purpose and basis for processing

  • Purpose: Delivery of agreed services (development, operation, maintenance, troubleshooting, security).
  • Basis: The data processing agreement (DPA) with the customer and the customer’s lawful basis vis-à-vis the data subjects.

Our security measures (overall)

  • Minimization of access (only when needed, time-limited where possible, separate admin users).
  • Strong passwords, secure sharing of keys/access.
  • Updated software (WordPress, themes, extensions).
  • Controlled backups (via customer/host), recovery tests when needed.
  • Procedures for incident management and notification of deviations.

Sub-processors

Typical sub-processors we or the customer use to operate a WordPress installation:

  • Web hosting/hosting: Storage of files, database and logs.
  • E-mail/SMTP: Sending system mail from the website.
  • Backup/backup: Storage of backups (often provided by hosting or the customer themselves).
  • Plugin suppliers: If support access/troubleshooting is required.

Specific suppliers may vary per customer. The individual customer’s DPA and/or supplier agreements regulate this in more detail.

Data processing outside the EU/EEA

bwod does not transfer data outside the EU/EEA unless the customer requests or uses third-party services that involve this (e.g. Mailchimp, certain cloud providers or marketing tools). The customer is the data controller and must ensure legal transfer (standard contracts, risk assessment, etc.). We provide technical assistance when needed.

Storage and deletion

  • We do not store data longer than necessary to perform the assignment.
  • Upon termination of customer relationship: Data is deleted or returned according to agreement, unless further retention is required by law.
  • Server logs are normally handled by the web host according to their routines (retention).

Incidents and deviations

In case of suspected unauthorized access, loss or exposure of personal data, we will notify the customer without undue delay and assist with deviation and damage control measures.

Rights for data subjects

Access, correction, deletion, data portability, etc. are handled by the customer (data controller). We provide technical assistance at the customer’s request.

Customer’s responsibility (data controller)

  • Establish a valid basis for processing and inform the data subjects (privacy statement/cookie policy).
  • Enter into a data processing agreement (DPA) with bwod and relevant sub-processors.
  • Conduct necessary assessments (risk, DPIA if needed, transfer to third countries).

Wording customers can use in their privacy policy

Customers who wish to refer to this page in their privacy policy can use a sentence like:

We use Blomberg Web og Design AS (bwod) as data processor for operation and maintenance.

Contact us

Blomberg Web og Design AS (bwod)
Org.nr: 928 469 802
E-mail: [email protected]

Notice: This document is informative. The legally binding regulation takes place in the individual data processing agreement (DPA) between bwod and each customer.