Skip to main content

Q1: Does GDPR apply to Nebius?

A1: Nebius B.V. (“Nebius/We”) provides the Nebius AI Cloud Services. Nebius B.V. is subject to the GDPR, since we are headquartered in the EU and hence GDPR applies to us directly (our registered address Schiphol Boulevard 165, 1118 BG Schiphol, the Netherlands). Under the GDPR terms, Nebius B.V. acts as a separate Data Controller with respect to provisioning of the core Nebius AI Cloud Services. See our Privacy Notice here, the Privacy Notice forms part of our Terms of Use that you accept when you register with Nebius. We also act as Data Processor to our customers, who are separate data controllers, should they create user accounts (the controllership pertains to the governance of the user accounts and corresponding data). See our Data Processing Agreement (DPA) here, the DPA forms part of our Terms of Use that you accept when you register with Nebius.

Q2: How Nebius enables data subject rights/digital rights?

A2: Nebius is committed to comply with the requirements of the GDPR and Data Act pertaining to personal and non-personal data (digital rights). See details about how we comply with the Data Act in Q #4. As explained above in Q #1, Nebius acts as a Data Controller and Data Processor with respect torendering the AI Cloud Services, see details on how we enable and support digital rights below.

Enabling digital rights as a Data Controller

When Nebius acts as a Data Controller, Nebius is responsible for enabling data to exercise their rights under the GDPR, (also being referred to as digital rights in Nebius Account Console). Our customers can reach out to Nebius via support contacts or may use the official privacy or security email addresses available on our Privacy Notice, our website, our trust center, etc. Please note, that in any case customers will be asked to login into the Nebius Account and submit a digital right request related ticket via Console for authentication purposes. We can’t proceed with the request if we are unable to verify your identity. Please note, that the next step will be to assess whether you are authorized to request data access, data portability (under the GDPR and Data Act) or get your data deleted. Only authorized persons can proceed with the requests (admin user group, see our documentation regarding authorized users here). When we start processing your data erasure request, we may encounter situation when there is either:
  • a debt associated with your Nebius Account;
  • and/or you have active projects associated with your account,
in these cases we will not be able to proceed your request until you pay the debt or delete resources. When we start processing your request and we notice that you are not authorized to proceed (you are not authorized admin), we will reject the request and kindly ask you to contact your admin to assist with the request. You will be always informed about the current stage of your request, and we will complete your request in no longer than 1 month from the receipt of your request.

Supporting digital rights as a Data Processor

When Nebius acts as a Data Processor to our customers, Nebius is not directly responsible for enabling the data subject rights (also being referred to as digital rights). Our customers, who are Data Controllers can reach out to Nebius via support contacts or may use the official privacy or security email addresses available on our Privacy Notice, our website, our trust center, etc. In case we receive a request from a user, who is not authorized admin, we will defer to the admin to assist with the request (as we are obliged pursuant to the Data Processing Agreement). You will be always informed about the current stage of your request, and we will complete your request in no longer than 1 month from the receipt of your request.

Q3: Who is the Authorized person to proceed with the request?

A3: Only authorized persons (admin user group) can proceed with the requests, see our documentation regarding authorized users here. If you are a customer who is an individual/physical person you assigned with an admin/DSR admin role by default, if you invite other users to your Account, please note that rules applicable to customers who are legal persons will apply to your Account. If you are a customer who is a company/legal person (having an Account with multiple users) you are responsible for assigning admin/DSR admin role by default.

Q4: How Nebius complies with the Data Act?

A4: Nebius is subject to the Data Act, since we provide cloud services. The Data Act mandates that companies providing cloud services shall provide personal and non-personal data to their customers on request in a machine-readable format to ensure data portability and to ensure possibility to use multi cloud seamlessly. Hence, Nebius enables the data portability right under the Data Act (both personal and non-personal data are in scope of this right). See the details in Nebius Data Act Compliance FAQs.

Q5: How will Nebius enable digital rights and deliver the data as a result of the data access and data portability (digital rights) under the GDPR and Data Act?

A5: Based on your request in the submitted ticket via your Account in Console you can select the one the of following requests (you need to be an authorized person to proceed, see details in Q#2):
  1. Data Erasure/Account Cancellation;
  2. Data Access/Data Portability – personal data (GDPR);
  3. Data Portability – personal and non-personal data (Data Act);
  4. Other.
Ad 1) In case you are an authorized person and if there no debt and no resources, you will be able to proceed with this request. Please note that pursuant to GDPR Art. 17 we continue to process some of your personal data in order to allow us to establish and provide defense of legal claims and for the purpose of compliance with accounting/tax related legal obligations, even after completion of your data erasure request. Ad 2) and Ad 3) Provided you are an authorized person, you can request a copy of your personal/o data in case we are a Data Controller with respect to the data in question. Or you will be asked to contact your admin if we are a Data Processor with respect to the data in question (in case you are not an admin). We will deliver the personal data to you via Console, where you will be able to access the tenant where all the data from relevant services will be made available to you for the period of 7 days. In case you have requested also non-personal data, you will receive a notification via Console in relation to your ticket, where you will be informed how can you download the non-personal data associated with your account in a machine-readable format. Our documentation regarding non-personal data download can be found here, if you are an admin you can proceed at any time with this download. Ad 4) In case you would like to exercise any other data subject right under the GDPR or you have other type of request pertaining to digital rights, please select “Other” in the ticketing system available in your Account in Console and describe your request.

Q6: How Nebius supports its Customers’ GDPR compliance when acting as a Data Processor?

A6: Nebius conducts the following activities to achieve compliance with the rules of the GDPR:
  1. Maintains a data inventory (GDPR Art. 30 Records of Processing activities);
  2. Performs vendor/third party onboarding due diligence checks, (GDPR Art. 28); proper contracting with third parties (DPA, Joint-Controllership agreement where applicable);
  3. Ensures lawful data transfers and duly executes SCCs or applies appropriate data transfer mechanisms with the data importers, who act as the third parties
  4. Provides due assistance with Your/Customer vendor onboarding due diligence and proper contracting, see the template of our DPA here.
  5. Duly supports the enablement of data subject rights exercised by data subjects;
  6. duly supports the enablement of specific data retention periods depending on each jurisdiction where our customers/data controllers operate:
  7. Implements a robust cybersecurity program to maintain confidentiality, integrity and availability of the data pursuant to our technical and organizational measures (TOMs), which form part of our Data Processing Agreement.
  8. If required by You, Provides assistance with a Data Protection Impact Assessment (DPIA) to satisfy the requirements of Art. 35 GDPR;
  9. Ensures implementation of the Privacy by Design and Privacy by Default through the information lifecycle. See more details about our approach on our Trust Center page.
Web address: https://docs.nebius.com/legal/digital-rights/gdpr-compliance-faqs Publication date: September 12, 2025
Effective date: September 12, 2025