Skip to main content

1. General information

This Privacy Notice sets out the basis on which Nebius (“Nebius”, “we”, “us”, or “our”) processes personal data in relation to individuals (including employees, contractors, service providers, and other visitors, collectively referred to as “Data Subjects”) who enter its data centre premises. Nebius is committed to protecting and respecting the privacy of Data Subjects in accordance with applicable data protection laws, including Regulation (EU) 2016/679 of the European Parliament and of the Council (the “General Data Protection Regulation” or “GDPR”) (together, the “Applicable Data Protection Laws”). This Privacy Notice uses key terms as defined by the GDPR. Unless we explicitly state otherwise, these terms carry the same meanings and must be interpreted in accordance with the GDPR.

2. Personal data we collect

For the purposes of identity verification, access control, and security management, Nebius may collect and process the following categories of personal data:

2.1 Identification data

  • Full name
  • National ID number, passport number, or other government-issued identification details, incl. month and year of birth
  • Photograph or ID card image (if required for access badges)
  • Company name and position/title

2.2 Contact details

  • Business email address
  • Business or mobile phone number

2.3 Access control data

  • Access badge or card number
  • Date, time, and location of entry and exit
  • Records of areas accessed within the data centre
  • Visitor registration logs and escort information

2.4 Biometric data (special category data under Article 9 GDPR, where applicable)

  • Fingerprint, facial image, or other biometric template used for secure authentication

2.5 Video surveillance data

  • Video recordings and still images captured by CCTV cameras covering entrances, corridors, and security zones
  • Timestamps and locations of recordings

2.6 Vehicle information (if applicable)

  • Vehicle registration number
  • Parking permit or entry log

2.7 Administrative and audit data

  • Access authorization level or visitor type (e.g., employee, contractor, vendor, guest)
  • Purpose of visit
  • Names of hosts or responsible employees
  • Incident or security reports associated with access events

3. Why we process your personal data

The legal basis for processing personal data is the legitimate interests pursued by Nebius. In the case of special categories of personal data, such as biometric data, the processing is based on the explicit consent of the data subject and, where applicable, on an exception under Article 9(2) GDPR. The purposes of operating access control systems and security cameras, and the corresponding legitimate interests, include the following: i. Protection of health and safety — for example, to ensure the safety of employees, contractors, and visitors; ii. Protection of corporate assets — for example, to prevent or investigate unlawful entry into the premises, theft, fraud, or vandalism; iii. Organizational and operational efficiency — for example, to ensure the smooth functioning of data centre operations and compliance with security protocols. The processing of personal data by Nebius through access control systems and security cameras is conducted in accordance with all Applicable Data Protection Laws, and in line with the principles of lawfulness, fairness, transparency, necessity, proportionality, relevance, and data minimization, as well as for specific, explicit, and legitimate purposes. Furthermore, access control systems and security cameras are not used for the purpose of remote, continuous, or indiscriminate monitoring of personnel.

4. Retention of your personal data

Nebius retains personal data only for as long as necessary to fulfil the purposes described in this Privacy Notice. The exact retention period depends on the type of data, the purpose of processing, the category of data subjects involved, and applicable legal or regulatory requirements.

4.1 Video surveillance data

Video surveillance data are retained for no longer than thirty (30) days within the European Economic Area (“EEA”), except in Austria, Germany, Italy, and Sweden, where such data are retained for a maximum of seventy-two (72) hours, and for no longer than ninety (90) days outside the EEA, in each case calculated from the date of recording.

4.2 Access control and biometric data

Access control data, including biometric data, is processed to provide Data Subjects with authorized access to Nebius’s data centres and to restricted or high-security areas within those facilities. Such data are retained for no longer than three (3) years from the date of collection, unless a shorter period is required by applicable law. Nebius may retain personal data for a longer period where this is necessary for the establishment, exercise, or defence of legal claims, for example, where the data may serve as evidence of an offence or damage, or to identify a perpetrator, witness, or victim, or in response to a lawful request from law enforcement authorities. Where personal data are required for use in civil or criminal proceedings, the retention period shall extend for the duration of such proceedings and until their final and definitive conclusion, after which the data will be securely deleted or anonymized.

5. Sharing of personal data with third parties

Nebius may share or disclose personal data to specific categories of third parties, only where this is necessary and lawful, and always with appropriate contractual and technical safeguards in place.

5.1 Categories of recipients

Service providers Service providers, e.g. providers of electronic access systems, and security system maintenance.
  • Purpose: To perform operational tasks related to access control, visitor management, and security camera maintenance.
  • Details: These service providers process personal data on behalf of and under the documented instructions of Nebius, pursuant to written data processing agreements.
Law enforcement and public authorities
  • Purpose: To comply with legal obligations or respond to lawful requests, such as the investigation or prevention of criminal offences or security incidents.
  • Details: Data, including video surveillance footage, may be disclosed to competent authorities only where required by applicable law and within the limits of such legal obligations.
Data centre owners / landlords / co-location partner
  • Purpose: Where a data centre is in leased premises, personal data may be shared with the facility owner / landlord / co-location partner to ensure building security, safety compliance, and coordination of access control procedures.
Customers
  • Purpose: In limited cases, and only where necessary, Nebius may share relevant access or security information with customers whose data are processed on the data centre’s servers, for example, to assist in incident investigations or compliance inquiries.
Nebius ensures that any disclosure of personal data to third parties is carried out only where appropriate safeguards are implemented, including contractual obligations, confidentiality undertakings, and technical and organizational measures designed to protect the confidentiality, integrity, and security of the data.

6. International data transfers

The personal data collected through access control systems and security cameras may be transferred outside the EEA. In such cases, the transfer will be carried out in full compliance with the requirements of the GDPR. In particular, personal data will be transferred only:
  • On the basis of the European Commission’s Standard Contractual Clauses (Decision (EU) 2021/914); or
  • To countries that ensure an adequate level of protection of personal data, as determined by an Adequacy Decision adopted by the European Commission in accordance with Article 45 GDPR.
For example, Nebius DC Oy in Finland may share data or video footage with Nebius’s security and compliance teams located in other jurisdictions for the purposes of incident investigation, security management, or compliance monitoring, subject to the safeguards described above.

7. Data subject’s rights

You have certain rights as a data subject, including the right to access, right to data portability, right to rectification, right to withdraw consent, right to object, right to erasure, right to restriction of processing, right to lodge a complaint, and right to contact a Data Protection Authority (DPA). Please be aware that there may be limitations or exceptions to these rights, depending on the specific circumstances and legal requirements. If anything is unclear, please do not hesitate to contact us and ask any questions. Below, you can find more information about these rights and how you can exercise them.

7.1 Description of rights

  • Right of access
  • Right to data portability
  • Right to rectification
  • Right to withdraw consent
  • Right to object
  • Right to erasure (“Right to be forgotten”)
  • Right to restrict processing
  • Right to lodge a complaint
To exercise your rights, contact us at: privacy@nebius.com. Once you submit a request, we will review and respond promptly — typically within 30 days. In certain cases, we may need additional time to investigate and fulfil your request. Once completed, we will confirm our response via the email address you provided. By submitting a request, you confirm that you are the individual to whom the data relates and that you have the legal capacity and authority to act on your own behalf. We may verify your identity using the information you supply if there is any doubt. Additionally, where required by law, we may need to share your request and our response with third parties, including regulatory authorities.

8. Contact us

If you have any questions or concerns about your privacy, you may contact us or our data protection officer by writing to us at: Nebius B.V., Schiphol Boulevard 165, 1118 BG Schiphol, the Netherlands (Attn: Privacy Office), or by emailing us at privacy@nebius.com.
Web address: https://docs.nebius.com/legal/data-center-privacy-full Publication date: February 26, 2026 Effective date: February 26, 2026