Who is responsible for processing your personal data?

Who is responsible for processing your personal data?

This Privacy Notice ("Notice") applies to the processing of personal data of employees, subcontractors and former employees by the ML6 group. The data controller is the ML6 group entity with which you have signed your employment or subcontracting agreement. Depending on your country of engagement, this is one of the following entities, each operating under the trade name ML6:

Who is covered by this Notice?

This Notice applies to:

• Employees. Any individual who is or has been employed by ML6 under an employment contract, regardless of contract type (open-ended, fixed-term, internship, student contract or otherwise).
• Subcontractors and external contributors. Any individual who provides services to ML6 on the basis of a subcontracting, freelance, consultancy or similar arrangement, including individuals working through their own company. Where personal data of such individuals is processed by ML6 in connection with their assignment, this Notice applies to them in the same way as to ML6 employees.
• Former employees and former subcontractors. Once your relationship with ML6 ends, parts of this Notice continue to apply, in particular for the purposes of complying with our legal obligations, responding to data-subject rights, defending legal claims, enforcing post-contractual commitments (such as non-disclosure or non-compete) and providing reference letters or successor-employer information.

Where this Notice refers to “you” or “your”, it covers all categories above unless the context makes clear that a specific category is meant.

Why do we use your personal data?

The types of information we collect and use

We collect and use personal data that concerns you in connection with the management of your working relationship with ML6. We may collect the following categories of personal data and other information related to you:

• Identification and contact data. Your name, photograph (where you have provided it for an internal directory or a similar use), gender, date and place of birth, civil status, nationality, languages, private address, private email address, private phone number, emergency contacts, and copies of identification documents (passport or national ID).
• Family-related data. Where lawful and necessary for benefits administration, social-security declarations or insurance enrolment: information about your dependents (spouse, civil partner, children), such as name, date of birth and national identifier.
• Right-to-work and immigration data. Passport, national ID, residence permit, work permit, visa, diplomas, professional qualifications, and any other document required to verify your right to work in Belgium or in any other country of assignment.
• Employment and contract data. Your employee or subcontractor identifier, contract type, start and end dates, years of experience, job title, department, line manager, work location, working-time arrangements, secondment or mission orders, status changes, internal mobility, and termination data (including reason for departure where lawful).
• Compensation, benefits, expenses and equity data. Salary, bonuses, commissions, allowances, expense claims and supporting documentation, fringe benefits, meal and eco-vouchers, company phone and subscription (benefit in kind), mobility budget, company car, equity or option-plan participation, pension scheme data, group insurance enrolments, extralegal advantage choices in the FIP plan (BE).
• Tax, social-security and bank data. National identification number, tax residence and tax identifier, bank account details, social-security declarations, dependents for tax purposes, and supporting documentation.
• Time, attendance, leave and absence data. Working-time records, overtime, holiday balances, paid and unpaid leave, sick-leave declarations (without medical details where not strictly necessary), parental and family-care leave, remote-work declarations, and badge or physical-access logs to ML6 premises.
• Occupational health, safety and well-being data. Information necessary to organise the legally required occupational health surveillance and to ensure a safe workplace, including fitness-for-work certificates, accident-at-work reports and reasonable-accommodation requests, processed in accordance with applicable employment and health-and-safety legislation.
• Performance, career and learning data. Objectives, performance reviews, feedback, 360° assessments, promotion and salary-review decisions, individual development plans (incl. Personal Improvement Plans or “PIP”), training records, certifications and skill mappings.
• Communication, calendar and collaboration data. Your ML6 email account, internal messaging accounts, calendar, meeting invitations and metadata, documents and files you create, edit, share or store on ML6 systems, and the metadata associated with this activity.
• Project, time-tracking and client engagement data. Your assignment to client engagements, the time entries you log, the deliverables you contribute to, and the professional correspondence carried out on ML6 systems in the context of those engagements.
• IT account, device and usage data. Account credentials and authentication events, IP address, device identifiers, browser information, session and system logs, software and asset inventory linked to you, and mobile-device-management telemetry on ML6-managed devices.
• Security monitoring and investigation data. Logs and alerts generated by ML6 security tooling and systems (including endpoint security, data-loss prevention, identity and access management, email and cloud security, antivirus and threat detection), records of access to sensitive systems and data, and — where reasonable suspicion of a breach exists — content and metadata reviewed during a targeted internal investigation. See the section “Monitoring of IT systems, devices and confidentiality” below.
• CCTV footage. Where CCTV is in operation on ML6 premises, the recordings made by those cameras. See the Visitors Privacy Notice for more information.
• Image, voice and marketing-adjacent data. Photographs, videos, voice or written quotes used for internal and external communications, where you have given your consent.
• Event-organisation data. Practical information you choose to share with us in connection with internal ML6 events (team-building, off-sites, social gatherings and similar), used only to organise the relevant event and your participation.
• Subcontractor-specific data. For independent contractors providing services to ML6: your company name, VAT number, registered address, contract terms, invoices, time entries, deliverables, and your professional contact details.
• Voluntarily provided data. Any other information you choose to share beyond the categories above, for example in correspondence, during career conversations, or in optional internal surveys.
• Special category of data. As a general rule, ML6 does not request or collect special category data within the meaning of Article 9 GDPR. Where such data is processed (for example, occupational-health certificates, accident-at-work data, or sensitive information disclosed in the context of a workplace incident), this is strictly limited to what is required and is based on a specific legal ground (in particular Article 9(2)(b) GDPR — employment, social-security and social-protection law — Article 9(2)(h) GDPR — occupational medicine — or Article 9(2)(f) GDPR — establishment, exercise or defence of legal claims).

What purposes do we use your personal data for?

We use the personal data described above for the following purposes:

• Managing the employment or subcontracting relationship. Onboarding, contract conclusion and amendments, day-to-day administration, internal mobility, role changes, and off-boarding.
• Compensation, benefits, expenses and equity administration. Paying salaries, bonuses, allowances and expenses, administering equity and group insurance plans, and providing benefits (meal/eco-vouchers, mobility budget, company car, pension, gym subscription etc.).
• Compliance with tax, social-security, accounting and reporting obligations. Preparing and filing payroll, tax and social-security declarations, maintaining accounting records, and responding to statutory reporting requirements.
• Time, attendance, leave and absence management. Recording working time, leaves and absences, requesting special leave (f.e. parental leave), planning capacity and team coverage.
• Occupational health, safety and well-being. Organising the legally required medical surveillance, preventing and addressing workplace accidents, and offering well-being initiatives.
• Performance, career and learning management. Setting objectives, conducting performance reviews, organising training and certifications, support during PIPs and managing career development.
• Communications, collaboration and project delivery. Enabling internal and client-facing collaboration, project execution, allocation to client engagements, and the management of those engagements.
• IT operations, asset management and identity and access management. Provisioning, maintaining, securing and recovering IT accounts, devices and access rights.
• Security of our IT systems, premises, data and confidential information. Operating standing security measures over our IT environment and premises, including logging, monitoring and CCTV where in use, in order to protect the security, availability and integrity of our information systems, the personal data we process, the confidential information entrusted to us by our clients and partners, and our intellectual property and trade secrets. See the dedicated sections below.
• Internal investigations on reasonable suspicion. Conducting targeted internal investigations where there is a reasonable suspicion that you have breached your contractual obligations, ML6's IT and security policies, our confidentiality, non-disclosure or non-solicitation commitments, our intellectual-property rules, or applicable law. See the dedicated section below.
• Compliance with legal obligations and responses to authorities. Responding to requests from competent public authorities, regulators, courts, bailiffs and law-enforcement agencies, and complying with employment, anti-discrimination, accounting, tax and social-security laws.
• Defending and exercising legal claims. Establishing, exercising or defending the legal rights, claims and defences of ML6, including in case of suspected misappropriation of data, intellectual property or trade secrets, theft of company information, breach of non-compete or non-disclosure commitments, and any other dispute arising from or in connection with your relationship with ML6. All categories of data described in this Notice may be used for this purpose where strictly necessary.
• Mergers, acquisitions, reorganisations and other corporate transactions. Carrying out due diligence, financing, restructuring, merger, acquisition or sale processes, subject to appropriate confidentiality protections.
• Internal communications, image and voice use. Internal communications, recognition and engagement initiatives, and (where you have given your consent) the use of your image or voice on internal and external channels.
• Organisation of team events and internal gatherings. Planning and organising team-building events, off-sites, training sessions, social activities and similar internal gatherings, and taking into account any practical information you choose to share with us in that context.
• Workforce analytics and reporting. Producing aggregated reports on headcount, retention, training and similar workforce metrics.
• Responding to data-subject rights requests and deleting or anonymising your data at the end of retention. Handling access, rectification, erasure, restriction, objection and portability requests, and ensuring that data is deleted or anonymised once the applicable retention period has expired.

We only collect the personal data from you that is necessary for the purposes outlined above.

What legal basis do we rely on?

Under the GDPR, we must have a valid legal basis to process your personal data. The legal basis we rely on depends on the purpose for which your data is processed and the context in which it is collected.

• Performance of a contract (Article 6(1)(b) GDPR). We process personal data where necessary to perform our employment or subcontracting contract with you, or to take steps at your request prior to entering into such a contract.
• Legal obligation (Article 6(1)(c) GDPR). We process personal data where necessary to comply with applicable legal or regulatory obligations (in particular employment, tax, social-security, accounting, anti-discrimination, health-and-safety, and reporting obligations).
• Legitimate interests (Article 6(1)(f) GDPR). We process personal data where necessary for our legitimate interests, provided that these interests are not overridden by your rights and freedoms. This is in particular the case for the security and integrity of our information systems (expressly recognised in Recital 49 of the GDPR), targeted internal investigations on reasonable suspicion, CCTV where in use, defence of legal claims, corporate transactions, and workforce analytics.
• Consent (Article 6(1)(a) GDPR). Where required, we rely on your consent to process specific categories of personal data — for example, the use of your image or voice for marketing purposes, or participation in optional surveys. You may withdraw your consent at any time without affecting the lawfulness of processing carried out before withdrawal.

Consolidated overview
of processing

Please find below a consolidated overview of the personal data we process, for which purposes, under what legal basis, and for what period.

Use of AI tools and profiling

ML6 may use AI-assisted tools to support certain internal processes (for example, content drafting, knowledge search, summarisation, translation, or coding assistance). Where these tools process your personal data, they do so under our instructions, with appropriate safeguards and within the boundaries of this Notice. AI-generated outputs are used only as support and are always subject to human review.

ML6 does not take decisions that produce legal effects on you, or similarly significantly affect you, on the basis of solely automated processing. You may request additional information about the use of AI in any process that concerns you, express your point of view, object to such processing, or request a fully manual review by contacting dpo@skyhaus.com.

Internal tools and third-party platforms

In the course of managing your working relationship with us, ML6 uses a variety of internal tools and third-party platforms (cloud productivity and collaboration platforms, HR and payroll systems, finance and accounting systems, IT security tooling, project and engineering platforms, AI tooling, communication platforms, and similar). While ML6 controls access to these tools and the way they are configured, they are operated by third-party providers. These providers may process technical and usage data to ensure service functionality, stability and security, under appropriate data-processing agreements.

To whom does ML6 send your personal data?

We share your personal data with third parties only where necessary for the purposes described above.

Recipients may include:

(a) Service providers acting as data processors on our behalf, in particular:

• providers of cloud productivity, collaboration and communications platforms;
• cloud infrastructure and hosting;
• software development, code hosting, AI development and observability tooling;
• generative AI services;
• HRIS systems, payroll, benefits, mobility and well-being platforms;
• recruitment and onboarding tools;
• sales, marketing, CRM and advertising platforms;
• finance, accounting, expense management and banking-document exchange;
• identity, access, security and e-signature tooling;
• workplace devices and mobile-device management;
• workflow automation and data integration;
• project, planning and design collaboration tools;
• public communications and social media platforms;
• and partner programmes operated by major cloud and AI vendors.

These providers process personal data on our behalf under appropriate data-processing agreements. An up-to-date list of the specific tools we use may be obtained on request from dpo@skyhaus.com.

(b) Public authorities and supervisory bodies, including tax, social-security and labour authorities, the National Social Security Office, occupational health services, regulators, courts, bailiffs and law-enforcement agencies where disclosure is required by applicable law.

(c) Professional advisors, such as our auditors, legal and tax advisors, certifying bodies, occupational health providers and training organisations, under appropriate confidentiality protections.

(d) Insurance, pension and benefits administrators, where necessary to administer the benefit you receive.

(e) Counterparties in corporate transactions, such as potential buyers, sellers, lenders, investors and their advisors in the context of due diligence, financing, restructuring, merger, acquisition or sale, under appropriate confidentiality protections.

(f) Internal recipients within ML6, including your manager, HR, IT and Security, the Legal team, the Data Protection Officer and Senior Management, on a need-to-know basis.

Where do we process your data?

We and our external processors primarily process your data within the EEA. Where we share your personal data with a third party so that it is transferred to or becomes accessible from outside the EU/EEA, we always put adequate safeguards in place (such as Standard Contractual Clauses, additional safeguards where required, and reliance on adequacy decisions such as the EU–US Data Privacy Framework where applicable).

A transfer outside the EEA could take place through the use of global HR, productivity, security or development tools. The categories of tools concerned are described in the section “To whom does ML6 send your personal data?” above. An up-to-date list of the specific tools, their location of processing and the safeguards relied upon may be obtained on request from dpo@skyhaus.com.

How long will we keep your data?

Applicable data protection laws require that we do not retain personal data in an identifiable form for longer than necessary for the purposes for which it is processed.

In line with our retention policies and IT procedures, we ensure that your personal data is deleted or anonymised once the applicable retention period has expired, unless a longer retention period is required to comply with legal obligations, to establish, exercise or defend legal claims, or to enforce post-contractual commitments (such as non-disclosure or non-compete clauses). The applicable retention periods are described in the consolidated overview above.

What are your rights?

You have the following rights in relation to your personal data:

Please note that the rights mentioned above are not absolute, and therefore, your request may not always be fully granted.

How can you contact us?

If you have any questions or concerns about how ML6 processes your personal data, or if you would like to exercise your data subject rights, please submit your request at dpo@skyhaus.com.

Updates to this document

This Privacy Notice may be updated from time to time. In case of material updates, we will inform you via internal communication channels.