Privacy Policy –
Nine Engineering as processor

Last update: [04.03.2022]

1. Introduction and scope

This privacy policy ("Privacy Policy") governs the processing of your personal data in connection with your use of our application, NineID (the "Application") and the services associated with it.

Nine Engineering BV, a public limited company incorporated under Belgian law, with registered office at Stapelplein 70 box 103, 9000 Ghent, Belgium, with company number 0752.969.527, RLE Ghent, section Ghent ("Nine Engineering", "we", "us"), acts as data processor in the context of this processing.

Our client, the organization that invites you to use our application (the “Organization”), acts as data controller in the context of this processing.

Your personal data and your privacy will be protected by Nine Engineering in accordance with Belgian and European data protection laws, including the EU General Data Protection Regulation 2016/679 (“GDPR”) as well as any applicable national implementing and supplementing laws.

Please read this Privacy Policy carefully. It describes not only your rights, but also the way in which you can exercise these rights.

Nine Engineering has appointed a Data Protection Officer, who you can contact at any time for questions concerning your privacy and the processing of your personal data. If you have any questions regarding our data processing activities, you can reach our Data Protection Officer by e-mail at

2. What personal data do we process and for what purposes?

Depending on the selection of data made by the Organization Nine Engineering can process one or more of the following personal data elements of users of the Application for the following purposes:

Purpose Type of personal data Legal basis Retention period
1. Onboarding process and verification - Personal identification data (name, surname, address, e-mail address, telephone number)
- Copy of ID card (front)
- Driver’s license and license plate
- Training certificates
- E-learning training results
- Face images
- Other personal data required by our client
Legitimate interests Nine Engineering retains the data for 2 months after the termination of the agreement with the Organization. However, the Organization may impose a shorter retention period on Nine Engineering.
2. Authentication of individuals via biometric data - Biometric data (face print) Your explicit consent Nine Engineering retains the data for 2 months after the termination of the agreement with the Organization. However, the Organization may impose a shorter retention period on Nine Engineering.

Nine Engineering may process your personal data only if it relies on an appropriate legal basis determined by our client as data controller. We briefly explain the applicable legal grounds below.

  • The applicable legal basis for the first and third purpose is our legitimate interests to authenticate individuals for security purposes. 

Given the nature of the personal data, Nine Engineering (and its client) considers that the processing will not adversely affect your fundamental rights and/or freedoms. You can always object to processing based on this legal ground by contacting us at

  • The applicable legal basis for the second purpose is your consent

The consent you give is always free and you have the right to withdraw your consent at any time, free of charge, and without this having any negative implications for you. You may withdraw your consent by contacting the Organization A withdrawal of consent does not affect the processing of personal data prior to such withdrawal.

3. With whom do we share your personal data?

Your personal data may be shared by Nine Engineering with the following third parties:

Third party Processing activities Categories of personal data Territory of third party
Hetzner Storing data All data Europe
Scaleway Storing data All data Europe
Rapidmail Transmitting data Email address Europe
Messagebird Transmitting data Telephone number Europe

Nine Engineering will only share personal data that is relevant and necessary. We always ensure that appropriate protective measures are taken when we transfer your personal data to third parties. For example, we will, where appropriate, enter into a transfer agreement or a processor agreement, which sets out restrictions on the use of your personal data and obligations in relation to the security of your personal data.

If you would be redirected to another website via the Application, other terms and conditions, privacy and cookie policies may apply. We therefore recommend that you read these additional terms and conditions carefully.

Your personal data and your profile will not be lent or sold to third parties without your prior express consent.

4. Will your personal data be transferred to countries outside the EEA?

Nine Engineering does not transfer any of your personal data to countries located outside the European Economic Area ("EEA").

The European Economic Area ("EEA") includes the countries of the European Union and Norway, Liechtenstein and Iceland. The GDPR requires additional safeguards if Nine Engineering transfers your personal data to countries located outside the EEA.

5. How do we protect your personal data?

Nine Engineering takes appropriate technical and organizational security measures to ensure a level of security appropriate to the specific risks we have identified. We thus protect your personal data against destruction, loss, alteration, unauthorized disclosure of or access to personal data transmitted, stored or otherwise processed.

The measures include:

  • Appointment of a Data Protection Officer and Information Security Officer
  • Implementation of an Information Security (ISMS) iaw ISO 27001:2013. The implementation of this standard covers (non-exhaustive list):

o   Encryption of the (personal) data;

  • o   Awareness raising of personnel;
  • o   Security policy;
  • o   Disaster recovery or backup plan;
  • o   Management plan in case of security incidents;
  • o   Privacy & security-by-design principles;
  • o   Penetration testing; and
  • o   Annual management review of information security.

Despite the aforementioned measures taken by Nine Engineering, you should be aware that there are always risks involved in transmitting personal data over the Internet. The security and protection of your personal data can never be fully guaranteed.

More information about our security measures is available upon simple request.

6. What are your rights and how can you exercise them?

Within the limits defined in Articles 15-22 of the GDPR, you have the following legal rights in relation to your personal data: 

  • Right of access: you have the right to obtain confirmation from us as to whether or not we are processing your personal data, to access that personal data and how and why it is being processed, as well as to receive a copy of that data. 
  • Right to rectification: you have the right to obtain a rectification of your personal data or to request that we complete your personal data when you become aware that we are processing incorrect or incomplete data about you. 
  • Right to erasure ('right to be forgotten'): you have the right to obtain erasure of your personal data in certain specific cases.
  • Right to restriction: You have the right to have the processing of your personal data restricted in certain specific cases. 
  • Right to portability: You have the right to obtain the personal data you have provided to us in a structured, commonly used and machine-readable form, and to transfer (have transferred) that personal data to another controller. 
  • Right to object: You have the right to object to the processing of your personal data on the basis of our legitimate interest for reasons relating to your specific situation.

You can exercise the above rights by sending an email to

The exercise of these rights is in principle free of charge. Only in the event of unreasonable or repeated requests we may charge a reasonable administrative fee. 

We always try to answer your requests or questions as quickly as possible. It is possible that we will first ask you for proof of identity in order to verify your identity.

You have the right to lodge a complaint with the competent Data Protection Authority if you believe the processing of your personal data violates the applicable regulations. In Belgium, the competent authority is the Data Protection Authority (,, Drukpersstraat 35, 1000 Brussels).

If you believe our business has violated the applicable regulations, we would like to have the opportunity to deal with any issues, so we kindly ask you to contact us first before contacting the Authority.

7. Changes to the Privacy Policy

Nine Engineering may modify this Privacy Policy at any time. The date of the last amended version is listed at the bottom of the Privacy Policy. Changes will be published in the Application and, if applicable, will be submitted for approval.

8. Liability

If Nine Engineering has lawfully provided your personal data to a third party (other than a subprocessor), it will not be liable for the unlawful processing or use by that third party.

9. Contact

If you have any questions or concerns regarding this Privacy Policy or the processing of your personal data by us, please do not hesitate to contact us by sending an e-mail to

Latest update: [09.02.2023]