Latest update: October 2024
Privacy Policy – Nine Engineering as processor
1. Introduction and scope
This privacy policy governs the processing of and aims to inform you about how Nine Engineering BV (“Nine Engineering”, “we”, “us”) processes your personal data in connection with your use of our application which facilitates the administrative process of registering with our clients and/or providing physical access to the premises of our clients, branded under the name “NineID” (the “Application”) and the services associated with it.
Nine Engineering respects your privacy and is committed to protecting your personal data and your privacy in accordance with Belgian and European data protection laws, including the EU General Data Protection Regulation 2016/679 (“GDPR”) as well as any applicable national implementing and supplementing laws. Please read this privacy policy carefully. It describes not only your rights, but also the way in which you can exercise these rights.
By using our Application or by disclosing your personal data you acknowledge the manner in which Nine Engineering collects and processes your personal data as described in this privacy policy.
2. Who we are and how to contact us?
Nine Engineering is a company incorporated under Belgian law:
| Company name | Nine Engineering BV |
|---|---|
| Registered office | Stapelplein 70, bus 130, 9000, Ghent, Belgium |
| Company number | 0752.969.527 (RLE Ghent, division Ghent) |
We have appointed a Data Protection Officer, whom you can contact for questions about this privacy policy, your privacy and the processing of your personal data.
E-mail address DPO: privacy@nineid.com
3. What personal data do we process?
We process different types of personal data; this depends on the functionalities you use on our Application, the services you wish to use and on the personal data you share with us.
If we process your personal data, it will be personal data of one of the categories listed below:
- Identification and contact details (such as name and first name, phone number, email address);
- Biometric data (such as face scan and print made via your mobile phone if and to the extent you opt-in);
- Identification numbers (such as national registry number, other similar identification numbers and copy of ID card (front));
- Login details (such as username and password);
- Driver information (such as driver’s license and license plate);
- Training data (such as training results and overview of completed (e-)learnings and trainings);
- Professional information (such as profession, company you work for, job title, (company) address, company registration and VAT number);
- Social security information (such as social security number, documents required for social security declarations, including certificates, A1 and PLF documentation);
- Check-ins (such as records of check-ins and attendance on sites); and
- Any other categories of personal data uploaded in the Application, otherwise generated by the usage of the Application or as identified below under title 4.
Your personal data originates from you directly, is automatically collected by us (in case of technical or usage information) or is provided to us by your Organization.
4. For which purposes do we process personal data, on which legal basis and for how long?
4.1. General
Depending on your use of the Application our services and the information you share with us, Nine Engineering processes personal data for the purposes specified in this section 4 (if and to the extent applicable to your situation). Please note that our Application and services may evolve and more functionalities may be added from time to time. In such event, we will update the below table as necessary and your additional consent (if and to the extent required) shall be requested.
For certain processing purposes, your consent is required. The consent you give is always free and you have the right to withdraw it at any time. You can withdraw your consent by sending an email to: privacy@nineid.com. Your withdrawal of consent does not affect the processing of personal data prior to such withdrawal or our processing activities which are based on any other legal basis.
4.2. Nine Engineering as processor
We only process personal data via our Application as processor as determined by and at the instruction of our clients. This section describes for what purposes we process your personal data in the capacity of processor based on the instructions of the Nine Engineering client and organization that invited you to use our Application on its behalf (your “Organization”). Nine Engineering has entered into an agreement (the “Agreement”) with your Organization to grant you access or use the Application.
The processor (i.e. in this case Nine Engineering) is the one who acts on behalf and on the instructions of a controller (i.e. in this case Nine Engineering’s clients and your Organization).
You are typically: an Application-user that uses the Application on behalf of a client of Nine Engineering (as an employee, client or contractor of such client).
| Purpose | Type of personal data | Legal basis | Retention period |
|---|---|---|---|
| Onboarding process & verification (including to create and to ensure that you can log in, access and use the Application) via your user account. | Identification and contact data; Identification numbers; Login details; Driver information; Professional information; Other personal data required by our client | Performance of a contract | As long as necessary for the performance of the Agreement. In any event, Nine Engineering retains the data for 2 months after the termination of the Agreement with the Organization. However, the Organization may impose a shorter retention period on Nine Engineering. Please note that if your Organization requests that your account must be deleted, we will delete your account within 30 days. |
| Authentication of individuals | Identification and contact data; If applicable, Biometric data through means of a face print; Identification numbers; Login details; Driver information; Professional information; Biometric data | Performance of a contract | As long as necessary for the performance of the Agreement. In any event, Nine Engineering retains the data for 2 months after the termination of the agreement with the Organization. However, the Organization may impose a shorter retention period on Nine Engineering. Please note that if your Organization requests that your account must be deleted, we will delete your account within 30 days. |
| To keep track of completed (e-)learnings and trainings | Identification and contact details; Training data; Professional information | Performance of a contract | As long as necessary for the performance of the Agreement. In any event, Nine Engineering retains the data for 2 months after the termination of the agreement with the Organization. However, the Organization may impose a shorter retention period on Nine Engineering. Please note that if your Organization requests that your account must be deleted, we will delete your account within 30 days. |
| To facilitate executing social (security) checks of your Organization (such as, IDs, required records and documents under the Dimona, Limosa legislation, etc.) | Identification and contact details; Identification numbers; Professional information; Social security information; Check-ins; Any other documents that may be required pursuant to the social security obligations your Organisation is subject | Performance of a contract | Up to five (5) years after each executed check is carried out, unless a longer retention term is required under applicable law. |
In relation to the above processing activities, we shall process your personal data on the legal basis determined by our client (your Organization), including to enable us to perform our contractual obligations under the Agreement. The underlying legal ground determined or relied on by your Organization may depend on the specific legislation and legal obligations to which it is subject. For instance certain industries may have a legal basis to process biometric data for security purposes whereas others require your consent to process your biometric data. If you wish to receive more information regarding the legal grounds for processing, we recommend to directly contact your Organization, who is, as Controller, responsible to foresee such legal grounds in its own privacy policy.
5. Do we use cookies?
Our Application uses cookies and similar technologies. For more information, we refer to our cookie policy.
6. With who do we share your personal data?
Nine Engineering may share your personal data, as required for the purposes set forth in section 4, with:
- your Organization;
- third-party service providers (such as IT service providers, security providers, suppliers, communication and other software providers or hosting providers);
- professional advisers (such as lawyers or auditors);
- affiliated entities; and
- third parties to whom we intend or choose to sell, transfer or merge (parts of) our shares, business or assets.
Upon request, Nine Engineering shall, as soon as possible after the request, inform you of the third parties with whom your personal data have been shared by providing you a more detailed list.
In addition, we may disclose your personal information if required by law, or if we believe in good faith that such disclosure is necessary to comply with a judicial investigation, court order or to defend or safeguard our rights.
Processors and sub-processors of Nine Engineering always act under the responsibility of Nine Engineering. We always ensure that appropriate protective measures are taken when we transfer your personal data to third parties. If Nine Engineering engages (sub-)processors, this will always be done in accordance with a data processing agreement that meets the requirements of the GDPR. We require all our (sub-)processors to take appropriate technical and organizational (including security) measures to protect your personal data. In the event we disclose your personal data as described above, we will implement appropriate safeguards to ensure the integrity and confidentiality of your personal data.
Your personal data will only be made available to (sub-)processors, employees and other third parties on a “need-to-know” basis, limited to the extent necessary to perform their services.
7. Will your personal data be transferred to countries outside the EEA?
In principle, Nine Engineering does not transfer any of your personal data to countries located outside the European Economic Area (“EEA”), unless you are located outside the EEA (and are visiting our Application, use our services or otherwise provide personal data from outside the EEA).
Additionally, it is possible that Nine Engineering – through its (sub-)processors – does transfer your personal data to countries outside the EEA. In this event, Nine Engineering will only transfer your personal data outside the EEA in accordance with the applicable data protection legislation and subject to appropriate safeguards.
The EEA includes the countries of the European Union and Norway, Liechtenstein and Iceland. The GDPR requires additional safeguards if Nine Engineering transfers your personal data to countries located outside the EEA. Please contact us if you want further information on the specific mechanism(s) used when transferring personal data outside the EEA.
8. How do we protect your personal data?
Nine Engineering is recognized and approved by the Belgian Minister of Justice and the North Sea as a service provider to process biometric data in port security for which it was audited by the Belgian Centre for Cybersecurity.
Nine Engineering is committed to trying to make sure that your personal data is secure and makes all reasonable and appropriate efforts to protect your personal data. We take appropriate technical and organizational security measures to ensure a level of security in accordance with the GDPR and appropriate to foreseeable risks. Nine Engineering has implemented measures to protect your personal data against destruction, loss, misuse, unauthorized alteration, unauthorized disclosure of or access to personal data transmitted, stored or otherwise processed. The measures taken by Nine Engineering include:
- Appointment of a Data Protection Officer and Information Security Officer
-
Implementation of an Information Security (ISMS) and Privacy Information Management System (PIMS) iaw ISO 27001:2013 and 27701:2013 standard, pursuant to which Nine Engineering holds the respective ISO certificates. The measures taken under this standard cover (non-exhaustive list):
- Encryption of the (personal) data;
- Awareness raising of personnel;
- Implementation of security policies;
- Implementation of disaster recovery or backup plans;
- Implementation of a management plan in case of security incidents;
- Implementation of privacy & security-by-design principles;
- Execution of penetration testing; and
- Annual management review of information security.
Please contact us if you would like more information on the specific measures taken by sending an email to: privacy@nineid.com.
Despite the above measures taken by us, you should be aware that there are always risks associated with sending personal data over the internet. The security and protection of your personal data can never be fully guaranteed, nor can we guarantee that unauthorized third parties will never be able to defeat those measures or use your personal data for improper purposes.
9. How long do we keep your personal data?
We will only retain your personal data for as long as reasonably necessary to fulfil the purposes determined in section 4 of this privacy policy, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.
Afterwards it is still possible that your personal data can be found in our back-ups or archives, but they will no longer be actively processed in a file. Such back-ups or archives will be deleted automatically in accordance with our back-up and archiving policies.
The applicable retention periods are set out in the tables under section 4.
10. What are your rights and how can you exercise them?
Within the limits defined in Articles 15-22 of the GDPR, you have the following legal rights in relation to your personal data:
- Right of access: you have the right to obtain confirmation from us as to whether or not we are processing your personal data, to access that personal data and how and why it is being processed, as well as to receive a copy of that data.
- Right to rectification: you have the right to obtain a rectification of your personal data or to request that we complete your personal data when you become aware that we are processing incorrect or incomplete data about you.
- Right to erasure (‘right to be forgotten’): you have the right to obtain erasure of your personal data in certain specific cases.
- Right to restriction: You have the right to have the processing of your personal data restricted in certain specific cases.
- Right to portability: You have the right to obtain the personal data you have provided to us in a structured, commonly used and machine-readable form, and to transfer (have transferred) that personal data to another controller.
- Right to object: You have the right to object to the processing of your personal data on the basis of our legitimate interest for reasons relating to your specific situation.
The exercise of these rights is in principle free of charge. Only in the event of unreasonable or repeated requests a reasonable administrative fee may be charged. In said event you will be informed about the applicable fee before charging it.
In your request, make sure to clearly specify which right you wish to exercise so we can help you as efficient as possible. Please note that in some case we may require you to give more information about yourself to ensure that we are dealing with the correct person.
If you contact us to exercise your rights a response will be provided within one month. Exceptionally this may take longer (up to three months), but then you will be informed within one month of the reasons why.
However, please note that as your request relates to processing activities where we act as processor, we do not have the right to handle such request ourselves. We will forward your request to the applicable Controller (your Organization) and provide him/her the necessary assistance if this would be requested by the latter. Please contact your Organization directly if you would like to exercise any of your privacy rights or have any privacy inquiries.
If and to the extent provided for in the applicable data protection legislation, you have the right to lodge a complaint with the competent Data Protection Authority if you believe the processing of your personal data violates the applicable regulations. In Belgium, the competent authority is the Data Protection Authority (“Gegevensbeschermingsautoriteit”):
www.gegevensbeschermingsautoriteit.be
Drukpersstraat 35, 1000 Brussels, Belgium
+32 (0)2 274 48 00
We would, however, appreciate the chance to deal with your concerns before you approach the authority, so please contact us in first instance.
11. Changes to the Privacy Policy
Nine Engineering may modify this Privacy Policy at any time. Any changes we may make to our privacy policy will be indicated on the Application and when proportionate and in line with the significance of the changes, may be notified to you by email or advised to you on your next Application-visit. The date of the last amended version is listed at the top of the Privacy Policy. Please review this privacy policy periodically to stay informed of changes that may affect you. Amended versions of this privacy policy take effect fourteen (14) days after their publication on the Application, and/or other form of announcement and, if necessary, will always be submitted for approval if required under the GDPR, unless such modifications are necessary to comply with a legal requirement. In the latter case, such changes will take effect immediately.
12. Liability
If Nine Engineering has lawfully provided your personal data to a third party (other than a subprocessor), it will not be liable for the unlawful processing or use by that third party.
Nine Engineering is in any case only liable for the damage caused by the processing of personal data if it did not comply with its specific obligations under the GDPR and Nine Engineering’s liability shall not exceed an amount equal to the amounts actually paid out by our insurer for the damage causing event. Nine Engineering shall in no event be liable for any special, incidental, indirect or consequential losses or damages.
The foregoing exclusions and limitations shall only apply to the maximum extent permitted by applicable law.
13. Contact
If you have any questions or concerns regarding this Privacy Policy or the processing of your personal data by us, please do not hesitate to contact us by sending an e-mail to privacy@nineid.com.
14. Applicable law and competence
This privacy policy shall be governed, interpreted, and implemented in accordance with Belgian laws.
The Ghent courts (division Ghent) are exclusively competent to decide on any dispute that may arise from the interpretation or implementation of this privacy policy, without prejudice to the consumer’s right to present a dispute before a competent court on the basis of a mandatory statutory provision.
