Skip to main content

1. Who we are

Nebius (“we”, “us”) operates data centres. This notice explains how we process personal data of individuals who enter our data centre premises (employees, contractors, visitors).

2. What personal data we collect

We may collect and process:
  • Identification and contact details
  • Access control data (badge details, entry/exit logs)
  • CCTV footage
  • Biometric data (where used for access control)
  • Vehicle information (if applicable)
  • Administrative and audit data
We process personal data to:
  • protect health and safety;
  • ensure physical security of our data centres;
  • prevent and investigate security incidents.
The legal basis is our legitimate interests. Biometric data is processed based on your explicit consent and applicable Article 9 GDPR exceptions.

4. CCTV and access control

CCTV and access control systems are used only for security purposes. They are not used for continuous or indiscriminate monitoring of personnel.

5. How long we keep your data

  • CCTV footage: up to 30 days in the EEA (or 72 hours in certain countries); up to 90 days outside the EEA.
  • Access control and biometric data: up to 3 years, unless a shorter period applies.
Data may be retained longer if required for legal claims or law enforcement purposes.

6. Who we share data with and international transfers

We may share data with:
  • security and access control service providers;
  • data centre owners or landlords;
  • public authorities where legally required.
Data may be transferred outside the EEA with appropriate GDPR safeguards (e.g. Standard Contractual Clauses).

7. Your rights

You have rights under the GDPR, including the right to access, rectification, erasure, restriction of processing, objection, data portability, and the right to withdraw consent (where applicable). How to exercise your rights To exercise your rights or ask questions about how we process your personal data, contact us at: privacy@nebius.com. We will respond without undue delay and generally within 30 days. You also have the right to lodge a complaint with a data protection authority, including your local authority or Nebius’s lead authority, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).

8. Contact details and full Privacy Notice

For more details, including how to exercise your rights, please see our full Privacy Notice for data centers. Contact us: privacy@nebius.com or Schiphol Boulevard 165, 1118 BG Schiphol, the Netherlands (Attn: Privacy Office).