Under the ‘ShiftBase’ brand name, Shiftbase processes personal data for and on the instruction of its client on account of the client having taken out a (direct or indirect) software subscription (user agreement) with Shiftbase.
Shiftbase’s service consists in providing a standard application with the associated standard services (software as a service), hereinafter: ‘the Application’.
Personal data processing and processing purposes
In the performance of its service, Shiftbase processes personal data that you, as a client, enter in Shiftbase’s Application. Such processing consists in making the Application and the associated services available, including a help desk service, whereby you, as the client, enter personal data in our Application and generate data. Examples of personal data that you may input as a client are names, addresses, email addresses, dates of birth, IP addresses, telephone numbers, and financial details such as a payslip.
Shiftbase is consequently designated as the ‘processor’ under the General Data Protection Regulation (‘GDPR’), since our service is to save, host, and store your data – which may include personal data – as part of the performance of the subscription you have taken out for our Application.
As a client, you can decide for yourself what data to store in the Application. We have no say in that whatsoever, and neither do we have any influence over it. To be able to use the Application, you only need your employees’ name (or pseudonym) and an email address (which can be an email address created especially for the Application). The Application does, however, offer more possibilities, whereby you decide which ones you want to use. As a result, you are personally responsible for assessing whether something constitutes personal data, as well as for assessing the purpose and the nature of the processing of such data in the Application, which includes assessment of whether or not you are allowed to enter the data in the Application and have Shiftbase process it. It is also up to you to assess whether the level of security is adequate for the personal data you entered, in line with the nature of the data. When entering personal data in the Application, you accept that Shiftbase will also process the personal data you entered under the terms and conditions used by Shiftbase. You furthermore guarantee, when taking out the subscription to the Application, that the personal data you have entered can be processed for one of the purposes specified in the GDPR.
You must notify your employees of the processing of their personal data in the Application, unless you request that Shiftbase do so on your behalf, for which Shiftbase may charge you.
Shiftbase does not add, modify, or delete data without a specific order to that effect from you as the client. Such an order can be submitted through a request or in the Application.
Shiftbase collects anonymised data on the use of the Application for the purpose of improving our product and our services. We use this data to gain insight into whether, how, and how often certain parts of the Application are used. The anonymised data will be used solely for the purpose of improving the Application and our services. The anonymised data will not be used for commercial purposes. We will neither sell your employees’ personal data to third parties, nor use their personal data for commercial purposes.
Purpose and use of personal data
Shiftbase processes personal data that you have entered in the Application as a client only for the agreed purposes, i.e. for the performance of the subscription to the Application that you have taken out. Personal data processing by Shiftbase is always based on legal grounds, i.e.:
Performance of the agreement with you as described above under ‘Personal data processing,’ or,
A legitimate interest of Shiftbase, such as to implement security measures, customer relationship management, IT management, improvement, research and analysis of its own products and services, internal business administration, legal procedures, internal management, or,
Your consent, or, A legal requirement;
We may be required to provide personal data to authorities or other third parties, such as in relation to a legal obligation or for the performance of a duty under public law.
Shiftbase shall go to every necessary effort to protect the collection, sending, and storage of personal data. Shiftbase uses various methods to guarantee the privacy of data and to protect personal data. Technological solutions have been implemented, for example, to protect personal data against unauthorised access and use. If necessary, we will adapt these measures when new, generally accepted security standards or technological possibilities become available.
Our employees and sub-processors do not have access to the personal data in (your account for) the Application. They will only have access to the personal data in your account for the Application if you consent to it. Only Shiftbase employees who are Administrators may gain limited access to all your data and personal data without your consent, whereby such access will be limited to what is strictly necessary, such as in case of an emergency or for bug-fixing or other technical reasons.
When we bring in an external party to process personal data on our behalf, we will make arrangements for the protection of the personal data. These arrangements will be detailed in the applicable Data Processing Agreement. For an up-to-date list of sub-processors, please check subprocessors (password available on request).
Shiftbase has drawn up a protection information document for its services. Please refer to our Security Policy.
All your data, including data you enter in the Application as a client, will be treated as highly confidential by Shiftbase, and we will therefore not disclose the data to third parties, unless one of the grounds for an exception applies. The applicable Data Processing Agreement provides further details of Shiftbase’s duty of confidentiality.
Data breach notification obligation
The data breach notification obligation in the GDPR requires that possible data breaches be reported to the Supervisory Authority. The applicable Data Processing Agreement details how Shiftbase handles this obligation.
Shiftbase stores personal data in the Application for no longer than necessary, unless we are under a legal obligation to retain personal data for longer. At Shiftbase, we go by the basic principle that personal data is retained for as long as necessary, i.e. to be able to provide the service agreed with you or for as long as we have a legitimate interest in retaining the data, such as for the administrative processing of termination of the subscription.
Your account data, including personal data, will therefore be used for as long as the subscription (the user agreement) to the Application is effective and subsequently be retained for a maximum of 90 days for technical reasons (back-up), so that we can deal with possible queries or handle complaints after termination of the subscription. After that, we will proceed to erase your personal data and destroy the data irreversibly.
Data that we believe to be necessary to be able to assess and prevent claims lodged against us or to bring proceedings or prevent claims against you, us, or third parties, may be retained by us for as long as such proceedings could still be brought.
Returning data, data portability, and erasure of data:
If you no longer wish to use the services of Shiftbase and wish to terminate the subscription, you can export (download) the data from the Application yourself. It is also possible to request the database and the associated files. This will allow you to import the data as accrued in the Application on your own local systems. If you have any questions about data portability, please contact us.
We will erase your data from all systems 30 days after termination of your subscription. Given that we keep a complete copy of our customer databases for 60 days, i.e. a back-up as specified in the General Terms and Conditions, your data will have been erased and destroyed automatically after 90 days.
Data subject rights
You and the employees whose personal data you enter in the Application have the right to access the personal data. Aside from that, your employees will in some cases also have the right to have their personal data rectified or erased, or to suspend the processing of their personal data. Your employees furthermore have the right to withdraw their consent, provided that your processing of their personal data is based on their consent, the right to restrict the processing, and you as the client have the right to data portability. This latter right means that you can transfer your data or have your data transferred.
We will never accept independent requests from your employees, but always refer your employees to you. We will assist you to the extent possible to enable you to meet your legal requirements. The applicable Data Processing Agreement specifies how Shiftbase handles these data subject rights in its role of processor.
If you have any questions about Shiftbase personal data processing practices, or if you or one of your employees want or wants to exercise your or their privacy rights, please contact us on email@example.com, using ‘Privacy’ as the email subject.
If you prefer to call, please check the contact page on our website for contact details.
2718 AA, Zoetermeer
Chamber of Commerce registration number: 59514701