1. Introduction
This privacy policy (hereinafter referred to as “Privacy Policy”) applies to the processing activities by 9altitudes Business Analytics B.V. and its affiliated entities (hereafter ‘Dynalogic’s).
9altitudes Business Analytics BV has its headquarters at Landjuweel 1, 3905 PE Veenendaal (the Netherlands) and is registered in the Dutch Chamber of Commerce for Enterprises under number 60753978 (contact).
It is part of the 9altitudes holding, which is a group of companies specializing in digital transformation and innovation, comprising various companies located in multiple countries (hereafter: the 9altitudes Group).
The protection of your privacy and handling your personal data in a responsible manner are of paramount importance at Dynalogic.
Therefore, Dynalogic treat personal data carefully and provide appropriate security. In this Privacy Policy, Dynalogic determines how it handles personal data.
1.1. Scope
This Privacy Policy applies to the handling of all personal data of customers and users of Dynalogic’s Birds BI Fabric Workload software (hereafter: Dynalogic’s software) and other personal data processed by data subjects, both digital and non-digital, within Dynalogic.
This Privacy Policy is based on the privacy rules that arise from the General Data Protection Regulation (GDPR).
This Privacy Policy does not apply to the handling of personal data of employees as this is documented in a dedicated Privacy Policy for Employees, which is made available internally to employees at Dynalogic.
1.2. Review and update
This Privacy Policy is maintained by the Corporate Privacy Officer (hereinafter referred to as “CPO”) of Dynalogic.
The Privacy Policy shall be updated to reflect changes in law and regulations, the organization or information systems and such changes shall be communicated to all relevant stakeholders affected.
2. Laws and Regulations
For the protection of privacy within organisations in Europe, the General Data Protection Regulation (GDPR) came into effect on 25 May 2018. Additional legislation applies in the various European member states.
This legislation, together with the European Data Protection Board (EDPB) Guidelines and the guidelines of national Data Protection Authorities together with national data protection legislation forms the basis for this Privacy Policy.
2.1. What are personal data?
Personal data are data that can be traced back to a person and be identified, directly or indirectly. This can be done based on a name, an identification number, location data or one or more elements that characterise the physical, physiological, genetic, psychological, economic, cultural or social identity of that individual.
Different types of personal data can be distinguished:
1. General personal data
These are data associated with everyday use. Examples of general personal details are names, telephone numbers, e-mail addresses and birth dates.
2. Sensitive data
These are data that have a major impact on the privacy of the individual, but that are not special categories of personal data. Common sensitive data types are information about a person's financial situation, authentication credentials (such as passwords), photos and video and information about a person’s private life.
3. Special categories of personal data
These are data that have a major influence on someone's privacy. These special details are mentioned separately in the GDPR. As a rule, special categories of personal data may not be processed, unless the grounds for exemption laid down in the law are met.
2.2 The General Data Protection Regulation (GDPR)
Dynalogic complies with the following rules of thumb of the GDPR:
1. Purpose limitation
Personal data may only be collected for specific and legitimate purposes, and not further processed for purposes that are incompatible.
2. Legitimate basis
Any use of personal data must be based on a legitimate basis from the GDPR. These bases are: unambiguous consent of the person involved, the execution of an agreement, compliance with a legal obligation, the protection of a vital interest or a legitimate interest of Dynalogic. We comply with the General Data Protection Regulation (GDPR) and other applicable laws and regulations concerning the processing of personal data.
3. Quality and data minimisation
Personal data should be, as far as possible, accurate, adequate and relevant. No more data will be processed than is necessary for the purpose of the processing. We regard all personal data as confidential information, which is subject to a duty of confidentiality. Internally, work is done on the basis of the need-to-know principle, which means that employees and suppliers only gain access to data, insofar as these data are necessary for the performance of their duties.
4. Storing and destroying data
The processed data will not be stored longer than necessary to achieve the goal or as long as needed for legal obligations.
5. Transparency
The person whose personal data is being processed must be able to see who is processing data and for what purposes. Dynalogic actively informs the data subject about the data processing via this Privacy Policy, Cookie Policy and our Employee Privacy Policy.
6. Appropriate security
Dynalogic has a security obligation and has taken appropriate technical and organisational measures to protect personal data.
7. Rights of data subjects
The individual whose personal data are processed has the right to become acquainted with the processed personal data. In some cases, they have the right to correct or delete the personal data. In certain cases, a data subject may also oppose processing or restrict processing.
8. Reporting obligation for data breaches
When we detect a data breach of personal data, we analyse the severity of the breach within 72 hours and depending on the nature and extent of the breach may report the data breach to the Local Data Protection Authority and/or the data subjects involved.
9. Data Processing
Agreements
With suppliers who process personal data on behalf of Dynalogic, we conclude a data processing agreement in which we regulate the obligations of parties and rights of data subjects under the terms of the GDPR.
10. Privacy by Design and Privacy by Default
Dynalogic takes protective measures and data protection principles into account from the design phase of a new product and/or service, project or process, onwards. We make sure that settings are so implemented that they protect privacy by default.
3. Purposes and Conditions for Data Processing
3.1. Purposes
Dynalogic processes personal data for the following purposes and on the following legal grounds:
| Processing Activity | Purpose | Legal Ground |
|---|---|---|
| Brand protection | The handling of disputes and the exercise of auditing | Necessary to fulfil a legal obligation; Necessary for the pursuit of a legitimate interest |
| Client management | For customer service purposes; Testing and implementing software applications | Necessary for the performance of the agreement; Necessary for the pursuit of a legitimate interest; Consent required |
| Compliance | Management of compliance for GDPR, Whistleblowing and other legal obligations | Necessary to fulfil a legal obligation |
| Computer systems | Processing of personal data exclusively aimed at the maintenance, management, security, use and proper functioning of computer systems or computer programs within Dynalogic | Necessary for the performance of the agreement |
| Cookies | Essential cookies, necessary for the functioning of the website; Non-essential cookies are not being used | Necessary for the pursuit of a legitimate interest; |
| CRM | Customer relations and (direct) marketing; Access control to our digital services; Maintaining contacts with the customers or suppliers | Necessary for the performance of the agreement; Necessary for the pursuit of a legitimate interest |
| Financial reporting | For tax and transparency obligations and reporting for budgeting purposes | Necessary for the performance of the agreement; Necessary to fulfil a legal obligation |
| Incident tracking (external) for Customer Service | Processing of incoming and outgoing documents. You can think of, for example, mail registration and e-mail archiving | Necessary for the performance of the agreement |
| Insurance | Insurance management | Necessary for the performance of the agreement; Necessary to fulfil a legal obligation |
| Marketing & Sales | To existing customers via Newsletter and commercial emails to existing Customers based on Soft Opt-in | Necessary for the pursuit of a legitimate interest; Consent required |
| Tax filing | The management of annual accounts for tax purposes | Necessary to fulfil a legal obligation |
3.2. Legal Grounds
Dynalogic does not process more personal data than is necessary for the purposes and legal grounds mentioned in the abovementioned clause 3.1.
Processing of personal data only takes place if one or more of the following points apply:
a) The processing of data is necessary for the performance of an agreement in which the data subject (person to whom the data relates) is or wishes to be a party;
b) The processing of data is necessary for the pursuit of a legitimate interest of Dynalogic, in so far as that interest outweighs the privacy rights of data subjects (e.g. cases such as internal management, marketing and fraud prevention);
c) Data processing is necessary to fulfil a legal obligation. d) If none of the above applies, then the person concerned must give written, explicit, informed and freely given consent. This means, that it must be clear to the person concerned what permission is given for, what the data are needed for, how the data are handled and that the person concerned is free to refuse permission.
4. Data Transfer to Third Parties and Processors
Dynalogic does not rent or sell any personal data to third parties. Dynalogic has taken the necessary contractual and organisational measures, to ensure that the personal data will only be used by the third party for the above purposes.
4.1. 9altitudes Entities (internal)
Dynalogic can exchange data with other entities within the 9altitudes Group based on data sharing agreements from one data controller to another data controller. The exchange of information must take place within the legal framework and will not comprise more personal data than is strictly necessary intra-group on a need-to-know basis.
In such data sharing agreements, it is stipulated what data we exchange, for what purpose, on what legal basis, what security we apply, how the liability is settled, and how we exercise the rights of those involved. In this way we create the frameworks that are needed to be able to exchange personal data with our group entities.
A full list of all 9altitudes entities can be found here: Legal notices | 9altitudes.
4.2. (Sub)-Processors (external)
A lot of processing of personal data is outsourced to us by our customers. In that case we are the processor and the customer is controller, as they determine which personal data is processed. The obligations of both parties relating to the GDPR are laid down in data processing agreements.
Dynalogic also use services by external parties, which makes them (sub) processors to us. Examples of processors are hosting parties, ICT and software suppliers, service providers providing statistical research and analysis, contractors who have access to our system or who have a copy of the database, but also suppliers who take care of (part of) marketing.
These suppliers have access to the personal data in, for example, our systems or make the backups for us and store the data for us, which will not comprise more personal data than is strictly necessary on a need-to-know basis. In a data processing agreement, Dynalogic has made agreements with these parties, about how they should handle our personal data.
In such agreements, it is stipulated which data will be processed, for what purpose, on what legal basis, and what securities to be applied. Dynalogic remains responsible for the data processing that these parties carry out on our behalf.
4.3. Legal Obligation (external)
Dynalogic is legally obliged to provide personal information to third parties in certain cases. Consider, for example, the provision of data to the tax authorities on the basis of legislation and regulations. Another example is providing data to police authorities in the context of a criminal investigation. In the latter case, personal data will only be provided if there is a statutory regulation which states that the data must be provided (for example, on the order of the examining prosecutor).
5. Rights of the Data Subject
A privacy helpline has been set up for handling of privacy issues. Customers or employees who have questions, comments or complaints (including requests as further set out in clauses 5.2-5.7 and 5.9) about the processing of personal data can contact privacy@9altitudes.com. Data subjects have the right to inspect, correct and delete their own personal data, as well as the right to object to a particular processing and/or to limit the processing (except for exceptions).
Requests must be made in writing, including by e-mail and will be handled by the CPO. Within four weeks of receiving the request, the CPO decides whether and to what extent the request is being met and informs the person concerned. A rejection of the request must be motivated.
In the event that an application for removal or correction is granted, Dynalogic will inform parties to whom the data of data subjects have been provided about the exercise of the right, unless this is impossible or requires a disproportionate effort.
5.1. Obligation to Inform
At the moment we collect personal data, we provide the following information to the person concerned:
- The processing purposes for which the personal data are intended;
- The recipients or categories of recipients of the personal data;
- The period during which the personal data will be stored;
- The rights that the person concerned has. Exceptions to the information requirement may apply.
5.2. Right to Access
Data subjects have the right to request their own personal data, which are known to us, to ask for the purposes for which this data is used and with whom this data is shared. Data subjects also have the right to receive a copy thereof. If data from a third party are included in the file in which the data subject wishes to be inspected, this data will be protected, unless explicit permission is granted for inspection by this third party.
5.3. Right to Rectification
Data subjects have the right to have data corrected or supplemented. Correcting or supplementing information is only possible if the data is incorrect or incomplete - think for example of a telephone number or bank details. The data subject will always have to specify which data should be adjusted and for what reason.
5.4. Right to Erasure
The data subject has the right to obtain data exchange of his/her personal data without unreasonable delay, and Dynalogic is obliged to do so, among other things in one of the following cases:
- The personal data are no longer required for the purposes for which they were collected;
- The personal data have been processed unlawfully;
- The person concerned withdraws his or her consent (if the processing is based on this).
5.5. Right to Object
Data subjects have the right to oppose any processing or provision to a particular recipient. To this end, the person concerned must provide (compelling) personal circumstances. The right of objection may be used by data subjects when they believe that their data is being processed incorrectly.
Should a data subject wish to make use of this right, Dynalogic will first have to assess whether the application is justified. This is done by weighing the individual interests against its own interests. The starting point is that the right of opposition may not disadvantage Dynalogic disproportionately.
5.6. Right to Restriction
The person concerned has the right to obtain the limitation of the processing in, among other things, the following cases:
- The accuracy of the personal data is disputed by the data subject;
- The controller no longer needs the personal data for processing purposes, but the data subject needs it for the establishment, exercise or substantiation of a legal claim.
5.7. Right to Data Portability
The data subject has the right to receive the personal data concerning him or her, which he or she has provided to Dynalogic, in a structured, commonly used and machine-readable (digital) format.
5.8. Right to Lodge a Complaint
The data subject has the right to be lodge a complaint to his/her national Data Protection Authority . See for the contact information below at 6.2 Local Data Protection Authority.
5.9. Right not to be subject to automated decision-making
The data subject has the right not to be subject to a decision based solely on automated processing, including profiling and may demand human intervention in the decision-making process.
6. International Data Transfers
6.1. Standard Contractual Clauses (SCC’s)
Personal data in the EU is protected by the General Data Protection Regulation, but other countries may not have necessary the same standards on privacy or protection of personal data. It may be necessary that a Dynalogic entity requires access to personal data to process and/or store these Personal data. This entity may be located within or outside the EEA. For these purposes, all Dynalogic entities located outside the EEA, such as in Turkey and in Brazil, have concluded an internal agreement including EU Standard Contractual Clauses in accordance with the data protection principles.
Dynalogic abides by the standard provisions regarding data protection (SCC’s) within the meaning of Article 46 (2) (c) and (d) GDPR in the name and on behalf of Dynalogic. For the record, in that case Dynalogic is the data exporter (as defined in the SCC’s) and any non-EEA entity is the data importer (as defined in the SCC’s).
Data subjects can obtain a copy of the guaranteed measures upon written request by sending a mail to privacy@9altitudes.com.
6.2. Local Data Protection Authorities
The Local Data Protection Authorities are national supervisors for the GDPR. Data Protection Authority have, in addition to an investigative power, also the power to hand out fines. Furthermore, the authorities conduct research into privacy-related topics, provide advice to both organisations and stakeholders, and are the reporting point for data breaches.
Following the one-stop-shop principle according to article 62 of the GDPR, Dynalogic only has to deal with one lead supervisory authority. The Belgium authority is the lead supervisory authority for Dynalogic (Belgian Data Protection Authority - rue de la Presse 35, 1000 Brussels - contact@apd-gba.be - +32 (0)2 274 48 00 ).
Below, you will find a summary of other relevant Local Data Protection Authorities concerning the processing of the personal data:
- The Netherlands
Dutch Data Protection Authority / PO Box 93374 2509 AJ Den Haag;
https://autoriteitpersoonsgegevens.nl/nl/meldingsformulier-klachten
+31 708888500; - Slovenia
Slovenian Information Commissioner (IPRS) / Dunajska cesta 22, SI-1000 Ljubjana ;
Gp.ip@ip-rs.si / +386 1 230 97 30; - Spain
Spanish Data Protection Authority (AEPD) / St Jorge Juan 6, 28001 Madrid;
+34 900 293 183; - Portugal
Comissao Nacional de Protecacao de Dados (CNPD) / Av D. Carlos I, 134, 1° 12000-651 Lisboa;
Geralécnpd.pt / +351 21 392 84 00; - France
Commission Nationale de l’informatique et des libertés (CNIL) / 3 Pl. de Fontenoy, 75007 Paris, France;
info@cnil.fr / +33 1 53 73 22 22; - Denmark
Datatilsynet (Danish Data Protection Authority) / Carl Jacobsens Vej 35, 2500 Valby;
dt@datatilsynet.dk / +45 33 19 32 00.
7. Retention Period
Dynalogic does not store personal data longer than legally permitted and is necessary for the realisation of the purposes for which the personal data are processed. How long certain data is stored depends on the nature of the data, the purposes for which it is processed and the applicable national data retention period. The retention period can therefore differ per purpose and per Dynalogic entity.
The reference point for storing personal data is in general the legal retention period. Such a period is often up to 10 years after the end of an agreement or 5 years after the last processing for which the information was originally obtained. If the law does not prescribe a period, the archiving will be internally determined keeping in mind the principle of data minimisation.
The personal data will be retained for the following subsequent periods:
| Categories of Documents | Data Retention Period |
|---|---|
| Sensitive corporate data | 5 years, counting from the creation or loss of relevance in case of documents that are or remain in force for an indefinite period. |
| Corporate documents | 5 years following the closing of the liquidation |
| CRM / Customer Data | 10 years, counting from the day following the end of the contract |
| Cookies | Retention period depends on applicable cookie. For more information, see Cookie Policy. |
| Incident tracking (external / internal) | 2 years, following the day of the incident |
| Prospection (contact form) | 3 years, following the day of last contact |
| Bank payments management | 7 years, counting from the day following the end of the contract |
| Accounting documents | 3-7 years, counting from 1st of January of the year following the closure of the financial year. |
| Fiscal documents/td> | 7 years, counting from 1st of January following the last year / financial year of use. |
When the retention periods have expired, Dynalogic ensures that the personal data are destroyed in a secure manner. Dynalogic understands the importance of the fact that that the destruction of the personal data is done with care.
8. Cookies
Dynalogic uses cookies on its website which may process personal data. We treat such personal data carefully and provide appropriate security. Which cookies we use, for which purposes and how long they are stored on your browser is described in our Cookie Policy accessible on our website www.9altitudes.com/cookie-policy. In relation to the customers and users of the Dynalogic’s software Dynalogic only uses essential Cookies.
It is permitted to collect non-personal and anonymous data when our website is visited and to anonymize personal data. These data do not allow to identify an individual person and these data may be shared with third parties, including for statistical purposes.
As you first access our website a cookie banner appears requesting that you accept, refuse or manage the use of our cookies. By accessing the website you accept the use of cookies in accordance with the terms of this Cookie Policy.
9. Measures for the Protection of Personal Data
Dynalogic gives priority to the security of personal data. The data stored is therefore protected by technical and organisational measures to effectively prevent loss or misuse by third parties to safeguard and protect personal data, against unauthorized or unlawful processing and against accidental destruction, loss, access, misuses, damage and any other unlawful forms of processing of the personal data in our possession.
You also have an important role to play in securing your personal data, e.g. by keeping your PC up-to-date and keeping your login data confidential and secure.
Employees who process this personal data are obliged to observe confidentiality. Technical safety measures to protect the personal data are checked regularly and, if necessary, adapted to the latest state of the art techniques.
Dynalogic has a data breach protocol in case of an intentional or unintentional breach or loss of personal data.
10. Complaints
Complaints and disputes about the application, implementation and / or interpretation of these regulations, the application of privacy laws and regulations can be submitted in writing and motivated to the CPO to privacy@9altitudes.com.
The person concerned will, if necessary, receive an invitation within two weeks of receipt to explain the complaint. The person concerned will receive a decision on the complaint within four weeks of receipt of the complaint, or within two weeks of the explanation.
11. Changes to the Privacy Policy
This Privacy Policy may be updated periodically to reflect changes in our personal data practices. Dynalogic will post a prominent notice on the Website as a notification of any significant changes to our Privacy Policy and indicate at the top of the notice the date at which it was last amended.
If one or more clauses from this Privacy Policy are declared partially or completely null and void or non-binding by judicial intervention, this will not affect the validity of the other clauses or the validity of the entire Privacy Policy. If the clause(s) in question wish to be amended or replaced, the amended or new clause must be as closely aligned as possible with the clause(s) declared void or non-binding. The failure to demand strict compliance with the provisions of this Privacy Policy shall not be construed as any waiver or rejection thereof.
Any dispute or claim relating to the processing of personal data and the Privacy Policy or any data mentioned herein is governed by Dutch law and falls under the exclusive jurisdiction of the courts and tribunals of Veenendaal (the Netherlands).
Last update on: 28/03/2025
12. Contact
If you have any questions or comments regarding this Privacy Policy, please contact the CPO via privacy@9altitudes.com.