Privacy Policy – 29 July 2024
This "Privacy Policy" regulates the processing of your personal data by co-controllers: COMPLI B.V., Chamber of Commerce number 88171833, located at John M. Keynepleis 10, 1060 EP in Amsterdam, hereinafter referred to as: "Compli".
Please read this Privacy Policy carefully, as it contains essential information about how your personal data is processed. This privacy policy is inextricably linked to the Joint Controllers Regulations in the appendix.
General provisions
Compli is offered to your employer, client, contractor and/or manager (hereinafter: "Client") to ensure that persons working on a project comply with the applicable laws and regulations as well as to provide access and attendance registration.
The Client will then make the use of Compli available to you before the start of the work. This means that the Client is a 'Controller' within the meaning of the General Data Protection Regulation (hereinafter: "GDPR") with regard to the Personal Data processed by Compli ('the means').
GDPR Concepts
• "Personal Data" means any information relating to an identified or identifiable natural person;
• "Processing": any operation or set of operations concerning personal data, including collection, transmission, recording, dissemination, organisation, making available, storage, alignment, adaptation, combination, alteration, restriction, retrieval, erasure, consultation, use and destruction;
• 'Data subjects': the person to whom personal data relates.
Scope
This Privacy Policy applies to all processing, fully or partially automated, of personal data. It also applies to the non-automatic processing of personal data contained in a filing system or intended for that purpose. The Privacy Policy applies to anyone who carries out work on a project where COMPLI is applied.
Purpose and processing of personal data
The purpose of this policy is to:
1. protect the privacy of data subjects whose personal data is processed against misuse and against incorrect processing of personal data; and
2. prevent personal data from being processed for a purpose other than the purpose for which it was collected; and
3. guarantee the rights of data subjects.
Only those personal data that have been lawfully obtained are processed. Processing of the personal data will only take place for the following categories of processing:
a) correct administration of third parties in accordance with the applicable laws and regulations;
b) access and attendance administration to a location/project.
Compli processes Personal Data as soon as a Compli profile is created by a 'Client', and the Personal Data of the person who will be working on a project on behalf of the 'Client'.
Security
Compli shall take all appropriate technical and organisational measures to protect Personal Data against loss or any form of unlawful processing.
Compli takes appropriate technical and organisational measures to prevent the loss or unlawful processing of personal data. These measures guarantee an appropriate level of security, taking into account the risks involved in the processing and the nature of the data to be protected. The measures are also aimed at preventing unnecessary collection and further processing of personal data.
Confidentiality
Anyone who obtains Personal Data of which he knows or can reasonably suspect the confidential nature and who is not already subject to a duty of confidentiality with regard to the personal data by virtue of profession, position or statutory regulation, is obliged to maintain confidentiality. This does not apply if any statutory provision obliges him to publish or if the need for publication arises from his task in the implementation of these regulations.
Anyone who is notified of a (possible) data breach is obliged to report this to Compli without delay. COMPLI will immediately notify the data subject of a data breach if the breach is likely to have adverse consequences for his or her privacy and will report it to the Dutch Data Protection Authority via the following link: https://datalekken.autoriteitpersoonsgegevens.nl
Data Subject Rights
1. The data subject has the right to access processed data relating to his or her person (right of access).
2. The data subject shall have the right to rectification of inaccurate Personal Data concerning him or her or the right to provide a supplementary statement where the processing is carried out on the basis of incomplete data. The Data Controller is obliged to inform any recipient to whom Personal Data has been disclosed of any rectification, unless this is impossible or requires a disproportionate effort.
3. In certain cases, the controller is obliged to erase Personal Data of the data subject without undue delay (right to erasure) at the request of the data subject. This is the case, among other things, if:
a) the personal data are no longer necessary for the purposes of the data processing;
b) the data subject withdraws his or her consent and there is no other legal basis for processing;
c) the data subject objects to the processing;
d) the Personal Data has been unlawfully processed.
4. The data subject has the right to data portability of his or her Personal Data.
5. The data subject has the right to restriction of processing (i.e. that the Personal Data may not be processed (temporarily)), if:
a) the Personal Data may be inaccurate;
b) the processing is unlawful but the data subject does not yet want it erased;
c) the Personal Data is no longer necessary for the purpose for which it was collected, but the data subject still needs it for a legal claim;
d) the data subject objects to the processing of the Personal Data.
Within one month of receipt of the request from the data subject, the controller will inform him in writing of the execution of the request. This also happens if the request will not be carried out. A refusal to comply with the request will be motivated and the data subject will be informed of the possibility of submitting a complaint to the Dutch Data Protection Authority. If more time is needed to respond to the request, the data subject will be informed within one month. The additional time required will be a maximum of two months.
If a data subject is of the opinion that the provisions of the GDPR as elaborated in this Privacy Policy are not being complied with, the data subject can lodge an objection with Compli, via privacy@compli.nl. Compli will analyse the objection together with the other controllers as described in the Joint Controllers Regulations.
If the complaint submitted does not lead to a result acceptable to the data subject, he can turn to the Dutch Data Protection Authority or to the competent court.
Duration of the processing
The personal data are stored and processed by the controller for a period that is necessary in function of the purposes of the processing.
Applicable law and disputes
Dutch law applies exclusively to this Privacy Policy and any agreement between you and Compli and any dispute in connection with this Privacy Policy or the use of Compli will be submitted to the competent court of Amsterdam.
Entry into force
This Privacy Policy came into effect on 08 October 2025.
ANNEX: JOINT CONTROLLERS REGULATION
General
The Joint Controllers [hereinafter referred to as "Joint Controllers"] use the SaaS platform "Compli". During the mutual cooperation, they will share and process Personal Data within the Compli platform.
There are Joint Controllers within the meaning of Article 26 of the GDPR, because one or more Controllers jointly determine the purpose and means of the Processing(s).
The Regulation has been drawn up because the Joint Controllers wish, in the context of the careful Processing of Personal Data, to make agreements about the division of roles and the associated obligations under the GDPR, in particular the facilitation of the rights of the data subjects and the fulfilment of the information obligations to data subjects.
GDPR definitions
GDPR: the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
Party: any Company in the chain that, on the basis of an agreement, has work carried out for the intended purpose (the Project)
Customer: The Party that has entered into a user agreement with Compli
Company in the chain: The Party that has entered the Customer and invites it to use Compli to register its Employees, or other Companies in the chain, in the context of complying with the applicable legal obligations.
Employee(s): the employees engaged by the Parties and other persons whose work falls under the responsibility of the Party in question and who are engaged by that Party for the implementation of the Agreement.
Data subject/Data subject: A natural person whose personal data is processed in Compli.
Project: A specific assignment for which the Client uses Companies in the chain.
Regulation: the present Regulation on Joint Controllers, as referred to in Article 26 of the GDPR.
Division of roles
1. Compli
• Developing, hosting, maintaining and improving the Compli platform.
• Assessing the accuracy and authenticity of the data entered.
• Providing support to the users of the platform.
• Storing the personal data for archiving.
• Have the right to share Personal Data in Compli with the Parties after explicit and digitally obtained permission from the employer, via the holder of the company account.
• Compli also takes care of the technical and organizational security of the Compli platform.
2. Compli's Customer
• Adding and managing Projects.
• Registering a Company in the chain.
• Entering Personal Data of own Employees into Compli.
• Updating the Personal Data of the relevant
• Processing the Personal Data of the Companies in the chain for the intended purpose (the Project).
3. The Company in the chain
• Registering a Company in the chain.
• Entering Personal Data of own Employees into Compli.
• Updating the Personal Data of the relevant
• Processing the Personal Data of the Companies in the chain for the intended purpose (the Project).
Obligations and responsibilities of each Party
The following describes the way in which the Parties enter into their obligations and responsibilities among themselves.
A) Technical and organizational security measures
Compli is responsible for implementing appropriate technical and organizational security measures with regard to the SAAS platform.
The Client and the Companies in the chain are responsible for implementing appropriate technical and organisational security measures with regard to the activities within their organisation.
B) Point of contact for a Data subject/Data Subject
The employer is the first point of contact for the Data subject/Data Subject if he/she wishes to invoke his/her privacy rights (pursuant to Articles 12-23 of the GDPR). In addition, the person concerned can also turn to Compli.
C) Transfer of responsibility to Compli
When a Company in the chain ceases to exist for any reason, Compli becomes the Data Controller for the Personal Data of the relevant Company in the chain. In this case, Compli will retain the Personal Data in accordance with the statutory retention period at the latest.
D) Obligation to report a data breach (art. 33 and art. 34 GDPR)
In the event of (a suspicion of) a Personal Data breach, the Party with whom the (suspected) breach has occurred is responsible for reporting this to the other Joint Controllers, as soon as possible after the (suspected) breach has been detected.
After the discovery of a Data Breach, everyone undertakes to keep the others informed of the mitigating measures that are being taken or have been taken in order to limit the scope of the Data Breach or to be able to avoid it in the future.
Everyone has the right to report a data breach to the Dutch Data Protection Authority.
E) Data Protection Impact Assessment
If, by reason of its nature, scope, context and purposes, data processing may pose a significant risk to the rights and freedoms of natural persons, the Parties shall carry out a data protection impact assessment for the data processing operation in question.
F) Register of processing activities
Each Party is individually responsible for recording the processing activities in an appropriate register.
Liability
Each Joint Controller remains responsible for (the processing of) the Personal Data that it has entered. Each Joint Controller is only liable for damage arising from or related to an attributable failure to comply with this Arrangement. Each Joint Controller must at all times comply with applicable laws and regulations regarding the Processing of Personal Data, failing which they may be held liable.
Duty of confidentiality
The Joint Controllers impose a duty of confidentiality on each other and the commitment that they will use all Personal Data and related information only for the intended purpose and by virtue of their role, as stated above.
The Joint Controllers also impose this duty of confidentiality on all (legal) persons to be engaged by them, including but not limited to Employees, Processors, Third Parties and other Recipients of Personal Data.
Prohibited Acts
The Joint Controllers are not permitted to:
– Take and share screenshots of screens/pages in Compli
– Share logins and passwords
– Share personal data with unauthorized persons
Duration
This Joint Controller Rule will remain in force as long as the personal data entered for the purpose of a Project is present in the Compli platform.
Privacy Policy
Each Data Subject/Data Subject will have the opportunity to read the Compli Privacy Policy at every check-in. Compli will provide all the necessary information as required by the GDPR.
Final provision
This Joint Controller Scheme is inextricably linked to the Privacy Policy that can be found on Compli's web page, and is therefore accessible to all data subjects. With this privacy policy, Compli aims to comply with its obligation to transparently Process Personal Data as well as the manner in which and for the benefit of which this Processing(s) takes place.
ANNEX: Description of the data processing
Description of data processing
Compli offers a SAAS solution for the administration of external workers for the purpose of complying with applicable laws and regulations.
Legal basis for the processing
Legal obligation in the context of:
– Sequential liability
– Hirer's liability
– Foreign Nationals Employment Act
– Posting Workers (Employment Conditions in the European Union) Act
– The Placement of Workers by Intermediaries Act
Legitimate interest in the context of:
– Attendance registration on a Project
– Increasing security awareness by examining or uploading certificates of a Data Subject
Categories of
– Customer's Workforce
– Enterprise's Workforce in the Chain
Type of data that is processed from Data subject/Data Subject
– Name
– Company name
– Language for communication
– Telephone number
– Email
– Home address
– Residence address if it differs from the home address
– Citizen service number
– Data from identity document (type, document number,
– Copy of identity document
– Copy of residence permit
– Copy of work permit
– Copy of proof of work permit exception
– Copy of reported certificate Posted Workers
– Copy of A1 certificate (Certificate of Coverage)
– Copy of Certificate of Coverage foreign social security institution
– Copy of certificates
– Date and time check-in
– Date and time check-out
– GPS coordinates of smartphone
Data retention period
The data is stored in accordance with the tax retention periods.
Sub-processors
– Klippa: Intelligent Document Processing API
Compli processes Personal Data as soon as a Compli profile is created by a 'Client', and the Personal Data of the person who will be working on a project on behalf of the 'Client'.
Security
Compli shall take all appropriate technical and organisational measures to protect Personal Data against loss or any form of unlawful processing.
Compli takes appropriate technical and organisational measures to prevent the loss or unlawful processing of personal data. These measures guarantee an appropriate level of security, taking into account the risks involved in the processing and the nature of the data to be protected. The measures are also aimed at preventing unnecessary collection and further processing of personal data.
Confidentiality
Anyone who obtains Personal Data of which he knows or can reasonably suspect the confidential nature and who is not already subject to a duty of confidentiality with regard to the personal data by virtue of profession, position or statutory regulation, is obliged to maintain confidentiality. This does not apply if any statutory provision obliges him to publish or if the need for publication arises from his task in the implementation of these regulations.
Anyone who is notified of a (possible) data breach is obliged to report this to Compli without delay. COMPLI will immediately notify the data subject of a data breach if the breach is likely to have adverse consequences for his or her privacy and will report it to the Dutch Data Protection Authority via the following link: https://datalekken.autoriteitpersoonsgegevens.nl
Data Subject Rights
1. The data subject has the right to access processed data relating to his or her person (right of access).
2. The data subject shall have the right to rectification of inaccurate Personal Data concerning him or her or the right to provide a supplementary statement where the processing is carried out on the basis of incomplete data. The Data Controller is obliged to inform any recipient to whom Personal Data has been disclosed of any rectification, unless this is impossible or requires a disproportionate effort.
3. In certain cases, the controller is obliged to erase Personal Data of the data subject without undue delay (right to erasure) at the request of the data subject. This is the case, among other things, if:
a) the personal data are no longer necessary for the purposes of the data processing;
b) the data subject withdraws his or her consent and there is no other legal basis for processing;
c) the data subject objects to the processing;
d) the Personal Data has been unlawfully processed.
4. The data subject has the right to data portability of his or her Personal Data.
5. The data subject has the right to restriction of processing (i.e. that the Personal Data may not be processed (temporarily), if:
a) the Personal Data may be inaccurate;
b) the processing is unlawful but the data subject does not yet want it erased;
c) the Personal Data is no longer necessary for the purpose for which it was collected, but the data subject still needs it for a legal claim;
d) object to the processing of the Personal Data.
Within one month of receipt of the request from the data subject, the controller will inform him in writing of the execution of the request. This also happens if the request will not be carried out. A refusal to comply with the request will be motivated and the data subject will be informed of the possibility of submitting a complaint to the Dutch Data Protection Authority. If more time is needed to respond to the request, the data subject will be informed within one month. The additional time required will be a maximum of two months.
If a data subject is of the opinion that the provisions of the GDPR as elaborated in this Privacy Policy are not being complied with, the data subject can lodge an objection with Compli, via privacy@compli.nl. Compli will analyse the objection together with the other controllers as described in the Joint Controllers Regulations.
If the complaint submitted does not lead to a result acceptable to the data subject, he can turn to the Dutch Data Protection Authority or to the competent court.
Duration of the processing
The personal data are stored and processed by the controller for a period that is necessary in function of the purposes of the processing.
Applicable law and disputes
Dutch law applies exclusively to this Privacy Policy and any agreement between you and Compli and any dispute in connection with this Privacy Policy or the use of Compli will be submitted to the competent court of Amsterdam.
Entry into force
This Privacy Policy came into effect on 08 October 2025.
ANNEX: JOINT CONTROLLERS REGULATION
General
The Joint Controllers [hereinafter referred to as "Joint Controllers"] use the SaaS platform "Compli". During the mutual cooperation, they will share and process Personal Data within the Compli platform.
There are Joint Controllers within the meaning of Article 26 of the GDPR, because one or more Controllers jointly determine the purpose and means of the Processing(s).
The Regulation has been drawn up because the Joint Controllers wish, in the context of the careful Processing of Personal Data, to make agreements about the division of roles and the associated obligations under the GDPR, in particular the facilitation of the rights of the data subjects and the fulfilment of the information obligations to data subjects.
GDPR definitions
: the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
Party: any Company in the chain that, on the basis of an agreement, has work carried out for the intended purpose (the Project)
Customer: The Party that has entered into a user agreement with Compli
Company in the chain: The Party that has entered the Customer and invites it to use Compli to register its Employees, or other Companies in the chain, in the context of complying with the applicable legal obligations.
Employee(s): the employees engaged by the Parties and other persons whose work falls under the responsibility of the Party in question and who are engaged by that Party for the implementation of the Agreement.
Data subject/Data subject: A natural person whose personal data is processed in Compli.
Project: A specific assignment for which the Client uses Companies in the chain.
Regulation: the present Regulation on Joint Controllers, as referred to in Article 26 of the GDPR.
Division of roles
1. Compli• Developing, hosting, maintaining and improving the Compli platform.
• Assessing the accuracy and authenticity of the data entered.
• Providing support to the users of the platform.
• Storing the personal data for archiving.
• Have the right to share Personal Data in Compli with the Parties after explicit and digitally obtained permission from the employer, via the holder of the company account.
• Compli also takes care of the technical and organizational security of the Compli platform.
2. Compli's
Customer• Adding and managing Projects.
• Registering a Company in the chain.
• Entering Personal Data of own Employees into Compli.
• Updating the Personal Data of the relevant
• Processing the Personal Data of the Companies in the chain for the intended purpose (the Project).
3. The Company in the chain
• Registering a Company in the chain.
• Entering Personal Data of own Employees into Compli.
• Updating the Personal Data of the relevant
• Processing the Personal Data of the Companies in the chain for the intended purpose (the Project).
Obligations and responsibilities of each Party
The following describes the way in which the Parties enter into their obligations and responsibilities among themselves.
A) Technical and organizational security measures
Compli is responsible for implementing appropriate technical and organizational security measures with regard to the SAAS platform.
The Client and the Companies in the chain are responsible for implementing appropriate technical and organisational security measures with regard to the activities within their organisation.
B) Point of contact for a Data subject/Data Subject
:The employer is the first point of contact for the Data subject/Data Subject if he/she wishes to invoke his/her privacy rights (pursuant to Articles 12-23 of the GDPR). In addition, the person concerned can also turn to Compli.
C) Transfer of responsibility to Compli
When a Company in the chain ceases to exist for any reason, Compli becomes the Data Controller for the Personal Data of the relevant Company in the chain. In this case, Compli will retain the Personal Data in accordance with the statutory retention period at the latest.
D) Obligation to report a data breach (art. 33 and art. 34 GDPR)
In the event of (a suspicion of) a Personal Data breach, the Party with whom the (suspected) breach has occurred is responsible for reporting this to the other Joint Controllers, as soon as possible after the (suspected) breach has been detected.
After the discovery of a Data Breach, everyone undertakes to keep the others informed of the mitigating measures that are being taken or have been taken in order to limit the scope of the Data Breach or to be able to avoid it in the future.
Everyone has the right to report a data breach to the Dutch Data Protection Authority.
E) Data Protection Impact Assessment
If, by reason of its nature, scope, context and purposes, data processing may pose a significant risk to the rights and freedoms of natural persons, the Parties shall carry out a data protection impact assessment for the data processing operation in question.
F) Register of processing activities
Each Party is individually responsible for recording the processing activities in an appropriate register.
Liability
Each Joint Controller remains responsible for (the processing of) the Personal Data that it has entered. Each Joint Controller is only liable for damage arising from or related to an attributable failure to comply with this Arrangement. Each Joint Controller must at all times comply with applicable laws and regulations regarding the Processing of Personal Data, failing which they may be held liable.
Duty
of confidentialityThe Joint Controllers impose a duty of confidentiality on each other and the commitment that they will use all Personal Data and related information only for the intended purpose and by virtue of their role, as stated above.
The Joint Controllers also impose this duty of confidentiality on all (legal) persons to be engaged by them, including but not limited to Employees, Processors, Third Parties and other Recipients of Personal Data.
Prohibited Acts
The Joint Controllers are not permitted to:
– Take and share screenshots of screens/pages in Compl
– Share
logins and passwords– Share personal data with unauthorized persons
Duration
This Joint Controller Rule will remain in force as long as the personal data entered for the purpose of a Project is present in the Compli platform.
Privacy Policy
Each Data Subject/Data Subject will have the opportunity to read the Compli Privacy Policy at every check-in. Compli will provide all the necessary information as required by the GDPR.
Final provision
This Joint Controller Scheme is inextricably linked to the Privacy Policy that can be found on Compli's web page, and is therefore accessible to all data subjects. With this privacy policy, Compli aims to comply with its obligation to transparently Process Personal Data as well as the manner in which and for the benefit of which this Processing(s) takes place.
ANNEX: Description of the data processing
Description of data processing
Compli offers a SAAS solution for the administration of external workers for the purpose of complying with applicable laws and regulations.
Legal basis for the processing
Legal obligation in the context of:
– Sequential liability
– Hirer's liability
– Foreign Nationals
Employment Act – Posting Workers (Employment Conditions in the European Union
) Act – The Placement of Workers by Intermediaries Act
Legitimate interest in the context of:
– Attendance registration on a Project
– Increasing security awareness by examining or uploading certificates of a Data Subject
Categories of
– Customer's
Workforce– Enterprise's Workforce in the Chain
Type of data that is processed from Data subject/Data Subject
– Name
– Company name
– Language for communication
– Telephone number– Email
– Home address
– Residence address if it differs from the home address
– Citizen service number
– Data from identity document (type, document number,
Copy of identity document
– Copy of residence permit
– Copy of work permit
– Copy of proof of work permit
exception– Copy of reported certificate Posted Workers
– Copy of A1 certificate (Certificate of Coverage)
– Copy of Certificate of Coverage foreign social security institution
– Copy of certificates
– Date and time check-in
– Date and time check-out
– GPS coordinates of smartphone
Data retention period
The data is stored in accordance with the tax retention periods.
Sub-processors
– Klippa: Intelligent Document Processing API


