Data Processing Agreement   

This data processing agreement (“Data Processing Agreement”) supplements the (Master) Service Agreement or the Engagement Letter (“Agreement”) and Briddge’s General Terms and Conditions (“General Terms and Conditions”) and is entered into between:

(1) Briddge B.V., a company having its principal place of business at Kabelweg 37, 1014 BA Amsterdam, the Netherlands, registered with the Chamber of Commerce under number 51446030, hereby duly represented by Jurren de Groot, (“Processor”).

and 

(2)                                                                              , a company having its principal place of business in                                                  , registered with the Chamber of Commerce under number                     , hereby duly represented by                                       (“Controller”).

Processor and Controller are also collectively referred to as ‘Parties’.

Unless otherwise defined herein, all capitalised terms shall have the meaning given to them in the Agreement.

1. DEFINITIONS

     1.1. “Controller”, “Processor”, “Sub-processor”, “data subject”, “personal data”, “processing” and “appropriate technical and organisational measures” shall be interpreted in accordance with the GDPR.

     1.2. “Data Protection Legislation” means the GDPR, the Dutch GDPR Implementation Act (Uitvoeringswet AVG - “UAVG”) and any legislation and/or regulation implementing or made pursuant to them, or which amends, replaces, re-enacts or consolidates any of them, and all other applicable laws relating to processing of personal data and privacy that may exist in any relevant jurisdiction, including, where applicable, the guidance and codes of practice issued by supervisory authorities.

     1.3. “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).

     1.4. “Relevant Law” means any legislation of the European Union, or of a Member State of the EU or EEA.

     1.5. “Data Breach” means any accidental, unauthorised or unlawful destruction, loss, alteration, or disclosure of, or access to the personal data that the Processor processes in the course of providing the Services.

     1.6. “Services” mean the Services as defined in the Agreement and further detailed in Schedule 1 to this Data Processing Agreement.

     1.7. “Standard Contractual Clauses” mean the standard contractual clauses for the transfer of personal data to third countries pursuant to the GDPR, adopted by the European Commission under Commission Implementing Decision (EU) 2021/914.

2.  PROCESSING OF PERSONAL DATA

     2.1. The Parties agree that the provisions of this Data Processing Agreement shall apply to the personal data the Processor processes in the course of providing the Services.

     2.2. The objective of this Data Processing Agreement is to ensure that the processing for the purpose of the Services as defined in the Agreement where Briddge acts as Processor is in compliance with the Data Protection Legislation and the instruction of the Controller. The obligations and rights of the Controller are as set out in the Data Processing Agreement. Schedule 1 of the Data Processing Agreement sets out the nature, purpose and duration of the processing, the types of personal data the Processor processes, and the categories of data subjects whose personal data is processed as covered by this Data Processing Agreement. Briddge may also process Personal Data for other Services under the Agreement in the capacity as Controller as further set out in Briddge’s Privacy Statement, as it is amended/updated from time to time.

     2.3. Each Party shall notify to the other the point of contact for any issues related to data protection arising out of or in connection with the Agreement.

     2.4. When the Processor processes personal data in the course of providing the Services the Processor will:

          2.4.1. be responsible for complying with all Data Protection Legislation applicable to its provision of the Services in its role as Processor. However, the Processor is not responsible for compliance with any laws applicable to the Controller;

          2.4.2. process the personal data only in accordance with the documented instructions from the Controller as set out in the Data Processing Agreement or as agreed between the Parties from time to time. If the Processor is required to process the personal data for any other purpose by Relevant Law to which the Processor is subject, the Processor will inform the Controller of this requirement first, unless such law(s) prohibit this on important grounds of public interest; and

          2.4.3. without any obligation to perform a legal examination, notify the Controller immediately if, in the Processor's opinion, an instruction for the processing of personal data given by the Controller violates applicable Data Protection Legislation. The Processor shall be entitled to suspend performance of the Services until the Controller confirms or modifies such instruction.

3. CONFIDENTIALITY

     3.1. The Processor shall ensure that personnel authorised to process the personal data are subject to a binding duty of confidentiality in respect of such personal data.

4. ASSISTANCE TO BE PROVIDED

     4.1. At the Controller’s request and cost, the Processor shall assist the Controller, always taking into account its role as a Processor and the nature of the processing:

          4.1.1. by implementing appropriate technical and organisational measures;

          4.1.2. in so far as is possible, in fulfilling the Controller’s obligation to respond to requests from data subjects exercising their rights, by forwarding such requests to the Controller. The request will then be dealt with by the Controller. The Processor may inform the data subject hereof; and

          4.1.3. in ensuring compliance with its obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the information available to the Processor and provided that this support does not result in any breach of confidentiality obligations towards third-parties.

5. TECHNICAL AND ORGANISATIONAL MEASURES

     5.1. The Processor shall implement and maintain appropriate technical and organisational measures to protect the personal data against unauthorised or unlawful processing and against accidental loss, destruction, damage, theft, alteration or disclosure.

     5.2. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful processing, accidental loss, destruction, damage or theft of the personal data and having regard to the nature of the personal data which is to be protected. As a minimum, these should include the requirements set out in Schedule 2.

     5.3. The Controller is solely responsible for making an independent determination as to whether these technical and organisational measures meet the Controller's requirements, including any of its security obligations under applicable Data Protection Legislation. The Controller acknowledges and agrees that, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the processing of personal data as well as the risks to individuals, the security practices and policies implemented and maintained by the Processor provide a level of security appropriate to the risk with respect to its personal data.

     5.4. The Controller furthermore understands and agrees that these measures are subject to technical progress and development and the Processor is therefore expressly allowed to implement adequate alternative measures.

6. DATA BREACH

     6.1. In the event of a Data Breach, the Processor will:

          6.1.1. take action immediately to investigate the Data Breach and to identify, prevent, and mitigate the effects of the Data Breach and to remedy the Data Breach;

          6.1.2. notify the Controller without undue delay and provide the Controller with a detailed description of the Data Breach including, as far as reasonably possible:

               6.1.2.1. the likely impact of the Data Breach;

               6.1.2.2. the categories and approximate number of data subjects affected and their country of residence and the categories and approximate number of records affected;

               6.1.2.3. the risk posed by the Data Breach to individuals; and

               6.1.2.4. the measures taken or proposed to be taken by the Processor to address the Data Breach and to mitigate its adverse effects.

          6.1.3. provide timely updates and any other information the Controller may reasonably request relating to the Data Breach; and

          6.1.4. not release or publish any filing, communication, notice, press release, or report concerning the Data Breach without the Controller's prior written approval except where required to do so by Relevant Law.

     6.2. The Controller is solely responsible for complying with any Data Breach notification obligations applicable to the Controller and fulfilling any third-party notifications obligations related to any Data Breach.

7. SUB-PROCESSORS    

     7.1. The Processor may use its affiliates or other third-parties to provide certain parts of the Services (“Sub-processors”) on the Controller’s behalf. The Controller authorises the Processor to engage Sub-processors for the purposes of processing personal data under the Data Processing Agreement. A list of Sub-processors approved by the Controller as at the date of the Data Processing Agreement can be found in Schedule 3.

     7.2. The Processor can at any time remove or appoint a Sub-processor at its own discretion provided that the Processor informs Controller with at least 30 days prior notice of the change and the Controller does not object to such change within 14 days of receiving the notification. If the Controller objects to the appointment of a new Sub-processor for legitimate and reasonable reasons within such period, the Processor shall use reasonable efforts to make available to Controller a change in the Services to avoid the processing of Controller’s personal data by the objected-to Sub-processor for Controller’s consideration and approval. In the meantime, the Processor may provide the Services with the assistance of the objected-to Sub-processor if this is needed for the continuity of the Services. If the Processor is unable to make available such change within a reasonable period of time, which shall not exceed 90 days, or the Controller does not approve any such changes proposed by Processor, the Controller may, by providing written notice to the Processor, terminate the Agreement.

     7.3. Any Sub-processors that are engaged by the Processor for the provision of the Services shall be subject to contractual terms which are no less protective than those in the Data Processing Agreement and as required by Data Protection Legislation. For the avoidance of doubt, where Sub-processors fail to fulfil obligations under the sub-processing agreement or any applicable Data Protection Legislation, the Processor will remain fully liable to the Controller for the fulfilment of the Processor's obligations.

8. THIRD COUNTRY TRANSFERS

     8.1. Any transfer of personal data to a third country outside the EU/EEA or an international organisation by Processor shall be done only on the basis of documented instructions from the Controller as set out in the Data Processing Agreement or as agreed between the Parties from time to time and provided that the conditions of Chapter V GDPR have been fulfilled.

     8.2. The Controller understands and agrees that where the Processor engages a Sub-processor outside of the EU/EEA in accordance with Clause 7 for carrying out specific processing activities (on behalf of the Controller), personal data may be transferred to a third country outside of the EU/EEA. In that event the Processor and the Sub-processor shall ensure compliance with Chapter V of the GDPR and, in the absence of an adequacy decision by the European Commission pursuant to Article 45(3) GDPR or another valid data transfer mechanism, shall do so by using the Standard Contractual Clauses.

9. AUDIT

     9.1. The Processor shall keep accurate and up-to-date records relating to the processing of the personal data by the Processor and make these records and other information necessary to demonstrate compliance with the Processor’s obligations under this Data Processing Agreement available to the Controller at its reasonable request and at its own cost.

     9.2. During the term of the Agreement, the Processor will allow the Controller and its respective auditors or authorised agents to conduct audits or inspections provided that no such audit or inspection has been conducted in the preceding 24 months. The Controller always has the right to conduct an audit or inspection in the event of a suspected material breach of the Data Protection Legislation. The Processor shall provide all reasonable assistance in order to facilitate the Controller in exercising its audit rights under this clause.

     9.3. The Controller will provide the Processor with at least 30 business days’ notice prior to such an audit or inspection, which will be conducted at a time mutually agreed between the Parties, with the understanding that it will be conducted during normal business hours and it will not materially disrupt the Processor’s business.

     9.4. The Controller will bear the costs for the audit or inspection, including compensating the Processor for the cost of the internal resources required to conduct the onsite audit (based on time and materials according to the then current fee list), unless the audit shows a material breach of the Data Processing Agreement by the Processor with substantial consequences for the rights and freedoms of the Data Subjects concerned.

     9.5. If the Controller's request for information or access relates to a Sub-processor, or information held by a Sub-processor which the Processor cannot provide to the Controller itself, the Processor will submit a request for additional information in writing to the relevant Sub-processor. The Controller acknowledges that access to the Sub-processor's premises or to the information about the Sub-processor's previous independent audit reports is subject to agreement from the relevant Sub-processor, and that the Processor cannot guarantee access to that Sub-processor’s premises or audit information.

     9.6. The purpose of an audit pursuant to this clause is to verify that the Processor and its Sub-processors are processing personal data in accordance with the obligations under the Data Processing Agreement.

10. DELETION AND RETURN OF DATA

     10.1. At the end of the Services or the termination of the Agreement, upon the Controller's request, the Processor shall securely destroy or return personal data to the Controller, and delete existing copies as soon as reasonably possible, unless Relevant Law requires storage of such personal data.

11. LIABILITY

     11.1. Any liability of the Processor arising out of or in connection with this Data Processing Agreement, shall follow and be exclusively governed by the liability provisions in the General Terms and Conditions.

     11.2. The Controller represents and warrants that it has obtained all required (explicit) consents and/or another legal basis to process the relevant personal data. Furthermore, the Controller represents and warrants that the personal data provided to the Processor is not unlawful and does not infringe any rights of a third-party. In this context, the Controller indemnifies the Processor against all claims and actions of third-parties related to the processing of personal data without (explicit) consent and/or legal basis under this Data Processing Agreement.

12. MISCELLANEOUS

     12.1. This Data Processing Agreement shall automatically terminate upon any termination or expiration of the Agreement.

     12.2. The Data Processing Agreement and the implementation thereof will be governed by Dutch law. Any dispute arising between the Parties in connection with and/or arising from this Data Processing Agreement will be referred to the competent Dutch court in the district where the Processor has its registered office.

     12.3. The Data Processing Agreement may not be terminated in the interim and may only be amended by the Parties subject to mutual agreement.

     12.4. If there is any conflict between any provision of the Data Processing Agreement, the Agreement, and/or the General Terms and Conditions, this Data Processing Agreement shall prevail.


IN WITNESS WHEREOF, the Parties have caused this Data Processing Agreement to be executed by their duly authorised representatives.

                                             (Controller)

Name:

Date:

----------------------------
Signature


Briddge B.V. (Processor)

Name: Jurren de Groot

Date: 20 September 2024

----------------------------
Signature

 

Schedule 1

Data processing information

Processing activity: (International and/or Dutch) payroll services

Nature and purpose of processing operations

The personal data processed will be processed as follows (please specify):

  • The Processor provides the coordination and processing of Dutch and/or international payroll administration and related services as further set out in the Agreement.
  • The Processor stores, uses, transfers and analyses the Controller’s personal data in its internal systems in order to provide the payroll services requested.
  • The Processor (or its Sub-processor) takes care of relevant reporting requirements to the tax authorities and governmental institutions as required by law and takes care of the transfer of funds to the employees’ bank accounts if agreed upon.
  • The personal data may also be used in order to process requests for employment benefits (for example: statutory sick pay, maternity benefit).

Categories of Data Subjects

The personal data processed concern the following categories of Data Subjects (please specify):

The employees of the Controller

 Categories of personal data

The personal data processed concern the following categories of personal data:

  • Name, postal address, and email address;
  • Identification documents (e.g. passport);
  • Social security number and related information;
  • Date and place of birth;
  • Gender;
  • Marital status;
  • Nationality;
  • Bank account details;
  • Pension details;
  • Employment data (dates of employment, FTE, employee benefits);
  • Data relating to absences (vacation, sick leave, forms of (statutory) leave).

 Special categories data

The Processor does not intentionally collect special categories of personal data, but such data could be inferred from payments made (for example, sick pay).

Duration of Processing

The personal data shall be processed for the term of the Agreement or for such longer or shorter period as the Processor provides data processing services under the Agreement.

 

Processing activity: Sick leave management services

Nature and purpose of processing operations

The personal data processed will be processed as follows (please specify):

  • The Processor provides the coordination and processing of sick leave management services.
  • The Processor stores, uses, transfers and analyses the Controller’s personal data in its internal systems in order to provide the services requested.
  • The Processor takes care of relevant reporting requirements to governmental institutions and Occupational Health & Safety Service as required by law.
  • The personal data may also be used in order to process requests for employment benefits (for example: statutory sick pay, maternity benefit).

 

Categories of Data Subjects

The personal data processed concern the following categories of Data Subjects (please specify):

The employees of the Controller

 Categories of personal data

The personal data processed concern the following categories of personal data:

  • Name, postal address, telephone number and email address;
  • Social security number and related information;
  • Date of birth;
  • Gender;
  • Nationality;
  • Employment data (dates of employment, FTE, salary and employee benefits);
  • Data relating to absences (vacation, sick leave, forms of (statutory) leave);
  • Health-related data (reports from company doctor etc.).


Special categories data

The Processor processes health-related personal data for the purpose of providing services related to the re-integration or guidance of employees with regard to sickness or incapacity for work. This exception to the prohibition on processing special categories of data is based on Article 9(2)(h) GDPR in combination with Article 30(1)(b) of the Dutch GDPR Implementation Act (Uitvoeringswet Algemene verordening gegevensbescherming). Please note that health-related personal data is not the same as medical data; the latter category is only processed by the Occupational Health & Safety Service provider.

Duration of Processing

The personal data shall be processed for the term of the Agreement or for such longer or shorter period as the Processor provides data processing services under the Agreement.

 

Schedule 2

Technical and organisational measures

Technical and organisational measures are undertaken in order to ensure the ongoing protection of personal data and to ensure the continued confidentiality, availability and integrity of Briddge’s services. These, amongst others, include the following measures:

Organisational Measures

Policies and Procedures: Briddge has robust policies and procedures in place that ensure our employees are well informed of their obligations, specifically in relation to the handling of data, and of the exact procedures to follow in the event of a breach.

Awareness & Training: Briddge is committed to instilling a culture of awareness regarding data protection and security. A designated employee has been appointed to oversee the implementation of the GDPR in the company and to ensure that the latest legislation and guidance on data protection is well understood and implemented. Furthermore, employees are obliged to complete an annual training that ensures a comprehensive understanding of the GDPR.

Management Information & Reporting: Top management is part of a designated GDPR project group (Privacy Control Board) that meets frequently. In addition to ensuring that management has a complete understanding of the state of data awareness and of any data breaches, this ensures that adequate resources and support are made available so that internal policies and procedures are upheld and the necessary trainings are followed.

Review & Audits: Annual internal audits are conducted by a designated employee who monitors and evaluates whether all departments have a thorough understanding of which data is processed, how it is processed, how consent is obtained, what the legal basis is for the collection and processing of the data, what the retention period is, what the consequences of a data leak are and how to report it. The ongoing review of functions against procedures and regulations ensures that they remain effective and applicable.

Clean Desk Policy and document storage: Our employees are committed to upholding a clean desk policy in order to protect sensitive information and to remain in compliance with data protection laws. Our clean desk policy is aligned with our security-driven work habits. Accordingly, all sensitive documentation is stored in such a way that only authorised individuals are able to access it.

Technical measures

Cyber Security: Our service provider for all IT matters is ISO 27001 certified. ISO 27001 is an information security management standard focused on the availability, integrity and confidentiality of data, people and processes, and its controls support the security requirements of the GDPR.

Passwords: Employees can only log on to the network via the Microsoft Authenticator app, which ensures that only authorised persons are able to access Briddge information.

Email Encryption: Briddge implements email encryption, which means that the content of email messages is encrypted in order to protect potentially sensitive information from being read by anyone other than the intended recipients.

Privacy Management System: Briddge has a privacy management system in place that ensures that all data breaches are captured, correctly processed, and archived. This ensures that we are able to adequately address any security weak points through the creation of realistic risk profiles and an up-to-date documentation register.

Secure Printing: Print jobs can only be collected by using a personal ID card after a user has registered and authenticated this card with a unique ID and password.

IT Policy: All employees are required to review our comprehensive internal IT Policy, which sets out best practices for IT security and data protection.

BYOD (Bring Your Own Device) & Remote Access: Employees are only able to log on to their workstations remotely through an encrypted workplace application on their desktop/laptop, which ensures a uniform level of security.

Building Security: Briddge is housed in a secure multi-level office building with surveillance; outside business hours, only individuals with a personal pass can enter the building. Our office can at all times only be accessed with security badges, and visitors are escorted at all times.

Disposal: The correct and secure disposal of data-sensitive paperwork and devices is embedded in our working processes in order to ensure that GDPR requirements are met in this regard. A knowledgeable employee is appointed in cases where the complete erasure of personal data is requested.

 

Schedule 3

List of approved Sub-processors

Sub-processor                                  | Location            | Processing activity
-----------------------------------------------|---------------------|-----------------------------------------------------
Exact HR & Salaris Gemak                       | Delft, Netherlands  | IT system for payroll processing in the Netherlands
International payroll processing partners      | Various             | Payroll processing outside of the Netherlands*

 

* We have an extensive list of international payroll processing partners that we use in the various countries outside of the Netherlands. These may be based either inside or outside of the EU and EEA. Please ask your client manager if you wish to receive a company-specific overview of which partners we use for the processing of your (employees’) personal data, or send an email to gdpr@briddge.com