At 7shifts we understand the importance of maintaining the security of our products and the security of your data. We understand the great responsibility that comes with looking after your data and we use best-practice security systems to ensure it is safely stored and securely managed.

Given this, 7shifts has taken measures to comply with the European Union General Data Protection Regulations (GDPR) in relation to personal data. These measures include updates to our Terms of Service, Privacy Policy, and internal processes.
We’ve also created the following FAQs to help our customers stay informed about the GDPR and the changes 7shifts has made.
If you are a customer, we ask that you read the updated Terms of Service and Privacy Policy, and familiarize yourself with the content of the FAQs.


What is the GDPR?

The GDPR (General Data Protection Regulation) is a comprehensive data protection law that replaces existing European privacy laws and strengthens the protection of personal data in an increasingly data-driven world. The GDPR is enforceable in each EU member state and gives the providers of personal data greater control over that data.
The GDPR is in effect as of 25 May 2018, and 7shifts has updated its processes, systems, and policies accordingly.
What is personal data?
Any information related to a natural person (individual) that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.
Who does it affect?
The GDPR applies to any organization that processes the personal data of EU individuals, regardless of whether the organization has a physical presence in the EU. For 7shifts customers, that’s any organization with one or more employees in the EU.
What are the main rights of Data Subjects?
Anonymization/pseudonymization: Personal data should be anonymized when possible. To ensure an anonymization/pseudonymization, all information that can identify an individual should be encrypted or removed when possible.  
Right to be forgotten: Entitles individuals to have the data controller delete their personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. The conditions for deletion include the data no longer being relevant to original purposes for processing, or an individual withdrawing consent.
Right of access: Entitles individuals to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where, and for what purpose. Furthermore, the controller shall provide a copy of the personal data, free of charge, in an electronic format.
Data portability: Individuals have the right to obtain and reuse their personal data for their own purposes across different services. On request, data controllers must give individuals their data in an easy-to-read format or pass it directly to the new provider.
Data breach notifications: Data breaches that may pose a risk to individuals must be notified to the relevant Data Protection Agency (DPA) within 72 hours and to affected individuals without undue delay.
Privacy by design: Under GDPR, it is a legal requirement to design products and services with data protection measures in mind.  Privacy settings must also be set at a high level by default, and personal data is not processed unless necessary for specific purposes.
What is the difference between a data processor and a data controller? How do I know what my business is?
A “Data Controller” is an organization that collects personal data from EU residents.  A “Data Processor” is an organization that processes EU resident personal data on behalf of a data controller.
In the case of 7shifts, our customers are “data controllers” as they collect information from their employees (name, contact details, email, tasks, journals).  Because we hold and process this data in the 7shifts Application under instruction, we (7shifts) are the “data processor”.
Where is my personal data stored?
All personal data collected from EU residents is stored in the United States of America.
As an employee, how do I request that 7shifts delete my data?
To delete the information your current or previous employer holds about you, please reach out to your employer directly to request the deletion of your employee profile. 
If you have worked for multiple employers, you will need to contact each employer individually.
As an employer, how do I delete an employee account?

In order to permanently delete an employee account, please have an Admin contact our Support team
When I delete an employee account, how much data is deleted?
All data associated with that account is deleted. Including contact details, previous timesheets, shifts, tasks, journals, and employment terms.
Can I recover a deleted employee account?
No, once an employee account is deleted it cannot be recovered.

Further questions and information sources

If you have more detailed questions about how 7shifts is GDPR compliant or what it means for your business, please contact us.
For more detailed information about the GDPR, please visit
Was this article helpful?
1 out of 4 found this helpful