Data protection agreement

Last Updated Date: April, 2026, Version 1.0

Definitions

For the purposes of this DPA:

  • 'Personal Data' means any information relating to an identified or identifiable natural person, as defined under GDPR Article 4(1).

  • 'Processing' has the meaning given in GDPR Article 4(2).

  • 'Data Controller' means the Client, who determines the purposes and means of processing personal data.

  • 'Data Processor' means SSC Global BV, which processes personal data on behalf of the Controller.

  • 'GDPR' means Regulation (EU) 2016/679 (General Data Protection Regulation).

  • 'Sub-processor' means any third party engaged by SSC to process personal data in connection with an engagement.

Scope and Purpose of Processing

SSC processes personal data solely to deliver the agreed coaching or behaviour change services described in the Engagement Confirmation. Processing is limited to what is strictly necessary for that purpose.

Categories of data subjects

  • Client employees, leaders, and participants enrolled in SSC programmes.

  • Client-nominated contacts for administrative and billing purposes.

Categories of personal data typically processed

  • Professional information: name, job title, organisation, work email address.

  • Engagement data: session notes, pre-session questionnaire responses, and coaching observations (where applicable and with participant consent).

  • Diagnostic data: where the Client shares third-party assessment results (e.g. Hogan, LCP, 360° data) with SSC for session preparation purposes.

SSC does not process special category data (as defined in GDPR Article 9) unless explicitly agreed in writing and subject to additional safeguards.

Instructions for Processing

SSC processes personal data only on documented instructions from the Client. The Engagement Confirmation constitutes the primary set of instructions. The Client may issue additional written instructions during the engagement, provided they are consistent with the agreed scope.

If SSC believes that any instruction infringes applicable data protection law, it will inform the Client promptly.

Confidentiality of Processing

SSC ensures that all personnel authorised to process personal data are subject to binding confidentiality obligations. Access to personal data is restricted to those who require it for the performance of the engagement.

Security Measures

SSC implements appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include, but are not limited to:

  • Encrypted storage and transmission of personal data.

  • Access controls limiting data access to authorised personnel only.

  • Regular review of security practices proportionate to the risk and nature of data processed.

SSC will notify the Client without undue delay upon becoming aware of a personal data breach that affects data processed under this DPA.

Sub-processors

SSC may engage third-party sub-processors to support the delivery of services. Where sub-processors handle personal data, SSC ensures they are bound by data protection obligations no less stringent than those set out in this DPA.

Current sub-processors may include providers of: video conferencing platforms, secure document storage, and email communication tools. A list of current sub-processors is available on request.

SSC will provide the Client with reasonable advance notice of any intended change to sub-processors. The Client may object in writing within 10 business days. Where a Client objects and SSC cannot accommodate the objection, either party may terminate the affected engagement on reasonable notice.

Data Subject Rights

SSC will assist the Client, as far as reasonably practicable, in responding to data subject requests exercising rights under GDPR (including access, rectification, erasure, portability, and objection). Where data subjects contact SSC directly, SSC will redirect such requests to the Client without undue delay.

Data Protection Impact Assessments

SSC will provide reasonable assistance to the Client where a Data Protection Impact Assessment (DPIA) is required under GDPR Article 35, insofar as the processing activities of SSC are relevant to such assessment.

Retention and Deletion

SSC retains personal data only for as long as necessary to deliver the agreed services, or as required by applicable law. Unless agreed otherwise:

  • Session materials and notes are retained for a maximum of 24 months following the conclusion of an engagement.

  • Billing and contact information is retained for 7 years in accordance with Dutch accounting requirements.

Upon expiry of the retention period, or upon the Client's written request, SSC will securely delete or anonymise personal data and confirm in writing that this has been completed.

International Transfers

SSC operates primarily from the Netherlands (EU) and processes data within the European Economic Area (EEA) wherever possible. Where personal data is transferred outside the EEA (for example, in the context of APAC client engagements or tools hosted outside the EEA), SSC ensures such transfers are subject to appropriate safeguards, including Standard Contractual Clauses (SCCs) as approved by the European Commission.

Audit Rights

The Client may, upon reasonable written notice of at least 30 days, request an audit of SSC's data processing activities relevant to this DPA. Audits will be conducted at the Client's expense, no more than once per calendar year, and in a manner that does not unreasonably disrupt SSC's operations.

SSC may satisfy audit requests by providing relevant certifications, third-party audit reports, or written attestations where available.

Term and Termination

This DPA is effective from the date of the relevant Engagement Confirmation and remains in force for the duration of the engagement. Upon termination, SSC's obligations under Clauses 4, 9, and 10 survive for as long as SSC retains any personal data.

Governing Law

This DPA is governed by the laws of the Netherlands. The parties submit to the jurisdiction of the competent Dutch courts for any disputes arising from this DPA.

Entire Agreement

This DPA, together with the Terms and Conditions and the Engagement Confirmation, constitutes the entire agreement between the parties with respect to the processing of personal data and supersedes all prior agreements or understandings on this subject.