Terms & Conditions

The Shyfter.co service is managed by SHYFTER SA, with its registered office at 30 Boulevard de Waterloo, 1000 Brussels – Belgium and its operational headquarters at Rue Joseph Saintraint 1, 5000 Namur – Belgium, company number 0720.922.212, email: hello_at_shyfter.co, phone: +32 2 320 26 57.

Article 1.
Unless otherwise provided by mandatory legal provisions, these General Terms and Conditions apply to all activities of SHYFTER SA. These General Terms and Conditions, as well as any specific conditions of SHYFTER SA, are deemed accepted by its buyers and suppliers, even if they conflict with their own general or specific conditions. Any deviations from these terms must be documented in writing and communicated by a person authorized to bind SHYFTER SA.

Article 2.
SHYFTER SA declines all liability for any damages that may result from the use of the information on its website. Consequently, you are entirely responsible for how you use this information. SHYFTER SA’s offers are made without commitment. Orders are only final once confirmed in writing by a person authorized to bind SHYFTER SA. SHYFTER SA cannot be held liable for any failure to fulfill its obligations under these Conditions if such failure is due to events beyond our control and/or resulting from a force majeure event. Force majeure includes, in addition to cases recognized by jurisprudence, all natural disasters, acts of war, breaches of public order, epidemics, fires, floods, and other disasters, all governmental actions, all strikes, lock-outs, as well as any electrical or technical issues external to the parties that hinder communications.

Article 3.
Delivery and production commencement deadlines are provided for informational purposes only. SHYFTER SA reserves the right to invoice services, training, and consulting as deliveries occur, even if these deliveries are partial.

Article 4.
SHYFTER SA is only responsible for hidden defects unless it demonstrates that the defect is undetectable. SHYFTER SA’s warranty ceases if the buyer does not notify it of any grievances by registered mail no later than one month from the date of sale. SHYFTER SA’s liability is limited to the availability of the website or the resolution of any errors, and it cannot be held liable for any refunds, compensation, or damages of any nature or for any reason.

Article 5.
Unless otherwise agreed in writing, all invoices issued by SHYFTER SA are payable on the spot at SHYFTER SA’s premises. Failure to pay an invoice by its due date renders all amounts due immediately, regardless of any previously granted payment facilities. In the event of non-payment on the due date for a partial delivery, SHYFTER SA reserves the right to cancel the balance of the order.

Article 6.
If an invoice is not paid on its due date and without prior notice, the debtor shall be liable for a fee amounting to 15% of the invoice due, with a minimum of €150.00, as well as interest at the rate set by the law of 02.08.2002 on combating late payments in commercial transactions. Without prejudice to any other remedies, we reserve the right to issue a warning, to temporarily or permanently suspend your access, to terminate it, and to cease providing our services if you violate all or part of these Conditions.

Article 7.
The buyer acknowledges that this website has been developed with the utmost care. It is intended for informational purposes and is subject to change. Shyfter.co shall in no case be held liable for any damages that could be caused, directly or indirectly, by its use. We do not guarantee that our services will operate uninterrupted, error-free, or securely. Although we strive to make the Shyfter.co website available seven days a week, 24 hours a day, we reserve the right, at any time and without notice, to interrupt access to the site for technical or other reasons, as well as to terminate our services, without being held liable for such interruptions and the resulting consequences for you or any third party.

Article 8.
The dispatch of the invoice showing the final balance shall be deemed as a request for acceptance if it has not been previously executed. In the absence of any complaint sent by registered mail within twenty days from the invoicing date, the work shall be considered as definitively and unconditionally accepted.

Article 9.
In the event of a dispute, other than the recovery of unpaid invoices, the parties agree to first resort to mediation by appointing an approved mediator and to participate in at least two sessions of no less than two hours each in order to attempt to reach an amicable solution.

Article 10.
SHYFTER reserves the right to modify its prices and/or its General Terms and Conditions (GTC) at any time. Any price modifications will be communicated to the Client by email or any other available means, at least thirty (30) days before their effective date. The updated conditions or prices shall apply from their effective date for any contract renewal, new order, or recurring invoice issued after that date. If the Client does not accept the updated prices or conditions, they may terminate their services in accordance with the termination provisions provided in these GTC. In the absence of a termination notice from the Client within the specified period, the updated prices or conditions shall be deemed accepted.

Article 11.
In the context of providing services, SHYFTER SA processes personal data on its own behalf as a data controller. For further information regarding these processes, please consult our Privacy Policy available via the link: https://shyfter.co/fr-be/politique-donnees-personnelles/. SHYFTER SA also processes personal data on behalf of its Clients, as part of the use of the SHYFTER solution. In this case, SHYFTER acts as a sub-processor for its Clients. Annex 1 of these Conditions covers such data processing activities. We also refer you to the Privacy Policy of each of our Clients for additional information regarding these processes.

Article 12.
You agree to defend and indemnify SHYFTER SA (including reasonable attorney fees) as well as its agents, directors, officers, and employees against any claim or demand made by a third party, caused or resulting from your violation of these Conditions or your violation of any law or any rights of such third party.

Article 13.
You agree to comply with all applicable laws, regulations, or standards in force relating to the use of our services.

Article 14.
Shyfter.co, on one hand, and you, on the other, are independent parties, each acting in its own name and on its own behalf. These Terms of Use do not create any relationship of subordination, mandate, joint venture, partnership, employer/employee, or franchisor/franchisee between Shyfter.co and you.

Article 15.
All disputes shall fall under the exclusive jurisdiction of the judicial district of Brussels, even in the event of third-party claims or multiple defendants. SHYFTER SA reserves the right to bring the case before the court in the domicile of one or more of the defendants. No method of payment or execution shall constitute a novation or waiver of this express clause on exclusive jurisdiction. Belgian law shall be solely applicable.

DATA PROCESSING AND PERSONAL DATA PROTECTION AGREEMENT

Between SA SHYFTER, whose registered office is located at 30 Boulevard de Waterloo, registered in the Crossroads Bank for Enterprises under number 0720.922.212,

Hereinafter referred to as “the Processor”

And

The Client, any company or legal entity, natural or legal person acting on its own behalf, in a non-private capacity, who has subscribed to the SHYFTER Services in accordance with the General Terms and Conditions of Sale,

Hereinafter referred to as “the Data Controller”

Hereinafter collectively referred to as “the Parties”.

This Data Processing Agreement is an integral part of SHYFTER’s General Terms and Conditions of Sale. Adherence to these conditions implies the Client’s acceptance of the following provisions regarding the processing of personal data.

IT IS AGREED AS FOLLOWS:
1. PURPOSE

1.1 This Agreement has as its sole purpose to delineate the respective rights and obligations of the parties regarding the processing of Personal Data of the data subjects in the context of the current and future collaborations, in accordance with Regulation (EU) 2016/679, hereinafter referred to as the “GDPR”.
1.2 In the context of the services provided by the Processor through the use of its solution, the Processor will process Personal Data on behalf of the Data Controller, hereinafter referred to as the “Services”. This Agreement does not affect any other contractual elements agreed upon between the parties in any other agreement, except if they relate to Personal Data. In such case, in the event of any contradiction between the main agreement and this Agreement, this Agreement shall prevail.
1.3 In the context of their contractual relationship, the parties agree to comply with the regulations in force regarding the processing of Personal Data, in particular the GDPR and the applicable national regulations.

2. DEFINITIONS
2.1 Unless otherwise stipulated, the terms and notions used in this Agreement shall be interpreted as defined in the GDPR.

3. PURPOSES AND NATURE OF PROCESSING

3.1 The purposes and means of the processing activities are determined by the Data Controller.
3.2 The processing purposes entrusted by the Data Controller to the Processor are as follows:
- Staff management;
- Client management;
- Colleague management;
- Schedule management;
- Collection and management of timekeeping data;
- Management of medical certificate collection;
- Performance control;
- Activity reports;
- Leave reports;
- Service records;
- Sign-in sheets;
- Messaging;
- Management and creation of contracts;
- Management of signatories;
- Management and creation of documents;
- Management of DIMONA declarations;
- Logging;
- User account management;
- Contact management.

3.3 The nature of the processing operations includes:
- Collection;
- Recording;
- Organization;
- Structuring;
- Storage;
- Adaptation or modification;
- Consultation;
- Use;
- Provision.

4. CATEGORIES OF PERSONAL DATA AND CATEGORIES OF DATA SUBJECTS
4.1 The Data Controller determines the categories of Personal Data and the categories of Data Subjects that will be processed by the Processor to perform its mission.
4.2 The categories of Personal Data processed are as follows:
- Personal identification data;
- Electronic identification data;
- Worker ID;
- National Register identification number;
- Personal details;
- Professional activities;
- Work-related information;
- Medical certificates;
- Financial identification data;
- Salary data;
- Security-related data;
- Images and/or video;
- DIMONA status and default DIMONA hours;
- Permits;
- Social secretariat reference;
- Clothing size;
- Skills and attributes assigned within the solution;
- Alert and notification preferences;
- Date and time of message dispatch;
- Logging data/logs.

4.3 The categories of data subjects are as follows:
- Clients;
- Users of the services.

5. RIGHTS AND OBLIGATIONS OF THE DATA CONTROLLER
5.1 The Data Controller is responsible for ensuring that the processing of Personal Data is carried out in accordance with the GDPR (as provided in Article 24 of the GDPR) and the applicable provisions of the EU or the Member States concerning data protection.
5.2 The Data Controller has the right and the obligation to make decisions regarding the purposes and means of processing Personal Data.
5.3 The Data Controller must ensure that the processing of Personal Data entrusted to the Processor is based on a legal basis.
5.4 The Data Controller may, at any time during the term of the Services contract, provide additional documented instructions. Such instructions must always be documented.

6. RIGHTS AND OBLIGATIONS OF THE PROCESSOR
6.1 The Processor undertakes to:
- Process only the Personal Data strictly necessary for the correct and complete performance of the Services to be provided on behalf of the Data Controller or in compliance with legal obligations. The Processor further undertakes to process Personal Data solely for the processing purposes defined in Article 3;
- Keep the Data updated, complete, rectified, and erased as needed to ensure its accuracy;
- Assist the Data Controller and cooperate with it in the event of requests from competent authorities or data subjects to comply with the obligations provided for in the applicable data protection laws and regulations. In this regard, the Processor shall immediately notify the Data Controller of any request received from data subjects or competent authorities and shall not act upon such request unless authorized by the Data Controller;
- Assist the Data Controller in carrying out Data Protection Impact Assessments and in consulting with the competent authorities as provided in Articles 35 and 36 of the GDPR;
- Assist and cooperate with the Data Controller in the event of a breach of Personal Data, particularly according to the provisions of Article 9 below;
- Maintain a record of the processing activities carried out on behalf of the Data Controller in accordance with Article 30(2) of the GDPR;
- Provide the Data Controller with all necessary information to demonstrate compliance with the obligations set forth in the GDPR and to enable and facilitate audits, including inspections, carried out by the Data Controller or any auditor mandated by the Data Controller, in accordance with Article 28(3)(h) of the GDPR. The Processor shall grant the Data Controller access to its premises subject to a minimum notice period of 10 days;
- Ensure the complete confidentiality of the Personal Data received or collected in the context of the processing, maintain absolute confidentiality regarding such data, and bind all persons authorized to process them (employees, subsequent processors, etc.) to such confidentiality;
- Establish an internal framework and organization that limits access to the data to personnel strictly necessary for the performance of the processing;
- Raise awareness among its personnel regarding the protection of Personal Data;
- Adhere to the GDPR principles of data protection by design (Privacy by Design) and data protection by default.

6.2 The Processor undertakes to act solely on documented instructions from the Data Controller and to take appropriate measures to ensure that any individual acting under its authority who has access to the Data does not process it except on documented instructions, unless required to do so by EU law or the law of a Member State.

6.3 The Processor shall immediately inform the Data Controller if, in its opinion, any instruction provided by the Data Controller constitutes a violation of the Data Protection Regulation.

6.4 All instructions, directives, email exchanges, technical data, protocols, access codes, diagrams, plans, standards, etc., that are provided by the Data Controller’s personnel to the Processor in the operational context of the processing constitute the documented instructions.

6.5 The documented instructions are confidential and constitute a trade secret of the Data Controller.

6.6 In the event of an evident incompatibility, the Processor shall suspend processing after notifying the Data Controller and await new documented instructions.

6.7 If the Processor is required, pursuant to EU law or the law of the Member State to which it is subject, to process Data in a manner not in accordance with the Data Controller’s instructions or not foreseen therein, the Processor undertakes to inform the Data Controller of this legal obligation before processing, unless the applicable law prohibits such disclosure for reasons of significant public interest.

6.8 If the processing involves sensitive Data (i.e., personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person’s sex life or sexual orientation, or data relating to criminal convictions and offenses), the Processor shall apply specific limitations and/or additional safeguards.

7. SUB-PROCESSORS
7.1 In order to carry out the processing of Personal Data necessary for the provision of the Services, the Processor may engage sub-processors to whom specific processing operations will be assigned to be performed on behalf of the Data Controller. The Data Controller hereby gives its general consent to the engagement of sub-processors in accordance with this Article.

7.2 The list of sub-processors used by the Processor shall be communicated to the Data Controller.

7.3 The Processor shall inform the Data Controller of any planned changes concerning the addition or replacement of any sub-processor, thereby giving the Data Controller the opportunity to raise objections to such changes.

7.4 The Processor shall ensure that its sub-processors provide guarantees in terms of Personal Data protection and that each sub-processor is contractually bound to data protection obligations at least equivalent to those set forth in this Agreement, and in any case, provides sufficient guarantees regarding the implementation of appropriate technical and organizational measures.

7.5 The Processor remains fully liable to the Data Controller for the performance of the data protection obligations by its sub-processors in the event that a sub-processor fails to meet its obligations.

7.6 The Data Controller reserves the right to refuse that the processing, or a part thereof, be entrusted to a sub-processor if it appears that the sub-processor does not comply with the GDPR or this Agreement. In such a case, the Data Controller shall notify the Processor in writing of the non-compliance and the list of deviations observed. The Processor shall then implement corrective actions within a maximum period of 3 days, during which the processing shall be suspended. The Processor will subsequently notify the Data Controller in writing that the situation has been remedied.

7.7 The Processor shall, at its own expense, exclude and replace any sub-processor who:
(i) Fails to correct its compliance deviations within 3 days; or
(ii) Is responsible for a second compliance deviation within a period of 12 months.

8. TRANSFER OF DATA TO THIRD COUNTRIES OR INTERNATIONAL ORGANIZATIONS
8.1 Any transfer of Personal Data to third countries or international organizations by the Processor or any sub-processor must always be carried out in accordance with Chapter V of the GDPR.

8.2 The Data Controller reserves the right to condition such transfers on the Processor conducting a Transfer Impact Assessment (TIA) when engaging sub-processors located outside the EEA. The Processor must provide the results of the TIA to the Data Controller prior to the effective transfer of Personal Data.

8.3 When transfers to third countries or international organizations, which the Processor was not commissioned by the Data Controller to carry out, are required by the legislation of the EU or the Member State to which the Processor is subject, the Processor shall inform the Data Controller of this legal requirement before proceeding with the processing, unless such legislation prohibits such information for reasons of significant public interest.

8.4 The entrusted Data is hosted on Cloud servers. This service is provided by the sub-processor Digital Ocean.

9. PERSONAL DATA BREACH
9.1 In the event of a Personal Data breach or any incident that may compromise the security of the Personal Data concerned, the Processor shall:
- Notify the Data Controller of any breach immediately, and in any case within 24 hours after becoming aware of it. The notification must at least describe the nature of the Personal Data breach, including, if possible, the categories and approximate number of data subjects affected, the categories and approximate number of Personal Data records affected, and a description of the likely consequences of the breach.
- In collaboration with the Data Controller, immediately and without undue delay, adopt all necessary measures to minimize any risk that the breach of the Personal Data concerned may pose to the data subjects, remedy the breach, and mitigate any potential adverse effects.

9.2 The Processor undertakes to maintain a record containing a list of breaches of Personal Data related to the Personal Data covered by this Agreement, including the relevant circumstances, their consequences, and the measures taken to address these breaches. This record shall be provided to the Data Controller upon request.

10. TECHNICAL AND ORGANIZATIONAL MEASURES
10.1 Taking into account the state of the art, the Processor shall take all appropriate Technical and Organizational Measures to secure the Personal Data and to maintain its adequate security – including protection against any form of imprudent, unskilled, incompetent, or unlawful use and/or processing, and protection against loss, destruction, or damage – as well as to ensure the confidentiality and integrity of the Personal Data.
10.2 These Technical and Organizational Measures are available upon request.

11. DURATION OF PERSONAL DATA PROCESSING
11.1 The Data shall be retained for the period necessary for the provision of the Services and in accordance with the provisions of point 13 of these Conditions.

11.2 This retention period may vary depending on the specific context and the use of a Service resulting therefrom and will be determined by the Data Controller through documented instructions.

12. DURATION OF THE AGREEMENT
12.1 This Agreement enters into force upon acceptance of the General Terms and Conditions of Sale and shall remain applicable as long as the Processor processes Personal Data on behalf of the Data Controller in connection with its service provision.
12.2 Each party shall have the right to request a renegotiation of the Clauses if changes in the law or non-performance of the Clauses give rise to such a need.

13. TERMINATION OF THE AGREEMENT
13.1 This Agreement shall terminate when the Services are completed and when the Processor no longer processes Personal Data on behalf of the Data Controller in the context of the service provision.

13.2 The Data shall be made available to the Data Controller on the Web Platform or, where applicable, on the Application for a period of two years from the termination of the service relationship. At the end of this period, and unless otherwise instructed by the Data Controller, the Data shall be anonymized in the Processor’s information systems, unless EU law or Belgian law requires the retention of Personal Data.

13.3 To that effect, the Processor shall confirm in writing to the Data Controller that the activities referred to in this section have been completed, also specifying any possible retention of the Personal Data concerned as required by the applicable legislation.

13.4 It is then the responsibility of the Data Controller to take all necessary measures to ensure the integrity and backup of such Data.

13.5 If the Services are terminated for any reason, this Agreement shall end on the same date.

13.6 Furthermore, the Processor is entitled to terminate the Services when the Data Controller insists on following instructions that violate the legal requirements applicable to this Agreement. The Processor must have informed the Data Controller of this in advance.