How ShiftSphere complies with the EU General Data Protection Regulation.
1. Our Role Under GDPR
ShiftSphere acts as a Data Processor on behalf of your organization (the Data Controller). Your organization determines what employee data is collected and how it is used. We process data strictly according to your instructions and our Data Processing Agreement.
2. Legal Basis for Processing
We process personal data based on: (1) contractual necessity — to provide the Service, (2) legitimate interest — for security and fraud prevention, (3) consent — for optional features like biometric attendance and analytics cookies.
3. Data Subject Rights
EU/EEA individuals have the right to access, rectification, erasure, restriction of processing, data portability, and objection. Requests should be directed to your employer (the Controller), who can fulfill them through the ShiftSphere admin panel or by contacting us.
4. International Transfers
Data may be processed in India, where our servers are located. We ensure adequate protection through Standard Contractual Clauses (SCCs) and technical measures including encryption and access controls.
5. Data Protection Officer
Contact our DPO at privacy@shiftsphere.co for GDPR-related inquiries. We respond to all requests within 30 days as required by regulation.
6. Breach Notification
In the event of a personal data breach, we will notify affected Data Controllers within 72 hours of becoming aware, providing details of the breach, affected data, and remediation steps taken.