Data Privacy & Protection Policy
1. INTRODUCTION
The purpose of this data privacy and protection policy (Policy) is to demonstrate Shift Technology and its subsidiaries’ (Shift) clear direction and commitment to maintain the protection of personal data that it collects, uses, discloses, stores, and disposes of in the course of conducting business globally, including the privacy and security of that personal data. As a part of that commitment, Shift has implemented this Policy and has established overarching business processes that are consistent with it.
2. SCOPE OF APPLICABILITY
2.1 Scope. This Policy applies to the collection, use, disclosure, storage, and disposal of personal data by Shift, its subsidiaries, and all employee types, including but not limited to full and part time employees, contractors, consultants, temporary workers, and trainees, that comprise Shift’s workforce (Workforce). Shift will further require that any third parties contracted to collect, use, disclose, store, dispose of, or otherwise process such personal data on behalf of Shift adhere to requirements substantially consistent with those contained in this Policy. This Policy does not operate to the exclusion of other policies. As necessary, additional information on matters covered by this Policy may be found in specific policies or processes dedicated to the subject matter involved.
2.2 Adherence. It is mandatory that all of Shift’s Workforce adhere to this Policy and to the standards, processes, and procedures derived from it. The details set out in this Policy, while comprehensive, are not exhaustive and are provided for guidance. If you are unsure whether a contemplated use or action is permitted, it is your responsibility to determine whether the use is permitted by checking with your line manager and/or contacting Shift’s Data Protection Officer at dpo@shift-technology.com.
3. POLICY
3.1 Principles. This Policy is based upon the following core privacy principles:
a. Shift respects the privacy of the personal data of our workforce, customers, business partners, and online users.
b. Shift will collect, use, disclose, store, and dispose of personal data about individuals only to the extent required for the purpose identified, pursuant to a lawful basis, for no longer than necessary, and in accordance with their rights.
c. Shift maintains reasonable procedures for individuals to exercise their rights under data protection law, including the rights to access their personal data, to correct any inaccuracies in their personal data, and to have such information deleted or restricted.
d. Shift will maintain technical and organizational measures designed to protect the security and privacy of personal data in its collection, use, disclosure, storage, and disposal of such data.
e. When acting as a Data Processor, Shift will process personal data solely (i) for the purposes of the contract between Shift and the data controller; and (ii) in accordance with the written instructions provided by the Data Controller.
f. Shift is committed to protecting individuals’ personal data in accordance with all applicable laws and regulations.
3.2 Shift as Data Controller
a. Data Collection and Privacy Notice. Where Shift collects personal data about an individual from that individual directly, Shift will:
(i) Give a prominent, clear and conspicuous written privacy notice at the time of collection where personal data is provided in print or online; or
(ii) Give all the information required and included in the privacy notice, verbally at the time of collection, keeping a written record, where personal data is provided in person or over the telephone.
b. Content of Privacy Notice. The privacy notice will include the following information, at a minimum:
(i) The full corporate name and physical address of the data controller (e.g. the Shift corporate entity) that is collecting the data and determining the purposes for processing it;
(ii) The details of what the Shift corporate entity (and affiliates and/or non-affiliated third parties, if any) will do with the data and any countries to which the data will be transferred; and
(iii) Anything else that the data subject needs to know in order to make Shift’s use of their personal data fair, for example, with respect to indirectly collected data, the source from which Shift obtained such data.
c. Website Personal Data. In addition to the foregoing notices, where personal data is collected on a website directly from the data subject, Shift will further notify the data subject about any use of cookies and other tracking technology (Web tracers), the purpose of the Web tracers, what personal data is collected by those Web tracers, and the duration of the cookies (e.g. session or persistent). Shift will also prompt the data subject for their consent to the sending or storage of Web tracers altogether (except for necessary Web tracers) or to allow only certain categories of Web tracers, and to change their consent elections at any time.
d. Processing of Web tracer Personal Data. Where Shift shares personal data with third parties, such as technical consultants, marketing partners, and other Shift affiliates, Shift will give notice to the data subjects about the types, if not the names, of such third parties who have access to the personal data collected.
e. Data Minimization and Integrity. Shift will maintain and observe procedures designed to ensure that:
(i) personal data collection is not excessive or unnecessary;
(ii) personal data is not kept for longer than needed; and
(iii) personal data held is accurate and up-to-date.
f. Data Subject Rights. If an individual data subject seeks to exercise their rights with respect to any personal data about them that Shift holds, Shift will take action on the request within a reasonable period of time. Shift will generally grant the request unless the request is unreasonable or impracticable, or where deletion of data may disrupt the provision of continued services to the data subject. In practice this means:
(i) Shift will not collect personal data that would be “nice to have” but only personal data that Shift “needs to have” for specified fair and lawful purposes; and
(ii) Shift will be vigilant in maintaining our data records.
g. Handling of Data Subject Requests. Upon an individual’s written request to Shift, Shift will, after carrying out appropriate checks to ensure that the request is authentic, and being provided sufficient information to comply with such request:
(i) use reasonable diligence to investigate whether Shift holds personal data about the individual and notify the individual of the data held, the reason for holding the data, and the categories of person to whom Shift may disclose it;
(ii) provide the individual with reasonable access to the personal data collected, together with information about how and where Shift obtained it; and
(iii) action the data subject’s request, be that to amend, delete, modify, or limit the use or disclosure of their personal data, or to provide a copy of the personal data held by Shift.
h. Refusal of Data Subject Access Requests. Shift may refuse to provide a data subject with their personal data where disclosure of that personal data would reveal the personal data of, or otherwise harm, another individual, unless the other individual has consented to such disclosure, or if it is otherwise reasonable to comply with the request of the first individual without the consent of the other individual. In practice this means:
(i) Shift shall retain records about how and where it obtained personal data so that Shift may effectively comply with this requirement;
(ii) our systems must be developed, and selected employees must be trained, in such a way as to enable the search and retrieval of personal data;
(iii) all requests by individuals for access to their personal data must be processed promptly by employees trained and authorized to handle such requests; and
(iv) the DPO shall be promptly notified of all requests for access to personal data.
i. Refusal of Data Subject Erasure Requests. Shift may refuse a data subject request for deletion of their personal data where the personal data must be retained for a secondary purpose, such as to exercise Shift’s legal rights and/or demonstrate compliance with its legal obligations, to the extent permissible under applicable law.
j. Security of Personal Data. Shift will maintain technical, organizational, and physical security measures designed to protect the confidentiality, integrity, and availability of personal data in its possession. In practice, this means that we will take appropriate measures to keep personal data secure. When deciding what is ‘appropriate’, we will bear in mind the sensitivity of the personal information in question and the harm that could arise if it was disclosed. At a minimum, Shift will:
(i) refrain from transporting (whether electronically or by post) or downloading anyone’s personal data onto laptops, USB sticks, or other mobile devices;
(ii) where transport or transfer of personal data is necessary, by any means, make sure that it is transported in a secure manner;
(iii) make sure that any appropriate access controls are in place;
(iv) not share personal data with people with whom data subjects would not reasonably expect their information to be shared; and
(v) retain personal information only as long as necessary in accordance with Shift’s data retention policies and, at the end of the relevant retention period(s), securely dispose of any personal data.
k. Cross-Border Transfers. Shift will not transfer personal data across borders, even to Shift affiliates, except:
(i) with the specific and informed consent of the data subject;
(ii) where necessary to perform our contract obligations with or in the interest of the data subject or where required to comply with a court order or similar request; or
(iii) where the disclosure is to a country or pursuant to a process deemed to be adequate under the law of the exporting country, or under a written data transfer contract that contains provisions intended to offer adequate data protection safeguards to protect the data subjects against misuse of the data in the importing country.
l. Impact Assessments. Shift may conduct an impact assessment of each third country cross-border data transfer, and where necessary, document that assessment, including any supplementary measures introduced to limit the impact of such transfer on any affected data subjects. Shift will endeavour to minimise cross-border transfers and to process and store personal data in countries with laws that ensure the rights and freedoms of data subjects.
3.3 Shift as Data Processor
a. Data Processing Activities. In all cases, Shift will only process personal data:
(i) for the purposes described in the contract and/or data processing agreement with the client; subprocessors shall only be used with the prior written consent of the Data Controller;
(ii) in accordance with the lawful instructions of the Data Controller; and
(iii) in full compliance with laws applicable to Shift’s processing of that personal data.
(iv) To the extent that Shift’s services for a customer include the collection of data via a website, Shift will operate the website as a Data Processor, and the website will be subject to the customer’s Privacy Notice and Cookie Notice, where applicable.
b. Data Minimization and Integrity. Shift will maintain and observe procedures designed to ensure that:
(i) retention of personal data is in accordance with the specified retention timeframes communicated by the customer;
(ii) personal data received for providing the services is not excessive or unnecessary; and
(iii) personal data held is kept accurate and up-to-date in accordance with any data subject correction requests received from the customer.
c. Data Subject Rights Requests. As a Data Processor, Shift will only operate on the instructions of the Data Controllers with respect to personal data it processes. In the event that Shift directly receives a data subject request, Shift will promptly forward the request to the applicable Data Controller for disposition. Shift will not take any action on data subject requests except as directed by the Data Controller.
d. Handling of Customer Data Subject Requests. Upon a client or data controller’s written request to Shift, Shift will take action on personal data in Shift’s possession in accordance with the instructions of the client or the data controller. Shift may inform the client of alternative approaches and any potential adverse impacts prior to taking action, and may require that the client assumes any resulting risks in actioning the request as communicated. However, in all cases, the client or Data Controller shall be entitled to make the ultimate decision regarding the disposition of any data subject request.
e. Security of Personal Data. Shift will maintain technical, organizational, and physical security measures designed to protect the confidentiality, integrity, and availability of personal data in its possession. Those measures will be in accordance with Shift’s contract with the client; Shift’s information security policies; any requirements of Shift’s certifications and/or third party assessments applicable to the particular Software as a service product provided to the customer; and prevailing information security standards in the global insurance industry.
f. Cross-Border Transfers. Shift will not transfer personal data across borders, even to Shift affiliates, unless the contract with the client permits such cross-border transfers. Shift will conduct reasonable diligence on subcontractors and affiliates that may process data across borders. Shift will ensure that its contracts with subcontractors and affiliates include appropriate contractual terms regarding cross-border transfers as may be required by applicable law. Shift will endeavour to minimise cross-border transfers and to process and store personal data in countries with laws that ensure the rights and freedoms of data subjects.
4. US DATA PRIVACY FRAMEWORK
a. Shift’s US entity, Shift Technology, Inc., located at 321 Summer Street, Boston, 02110 (Shift Technology, Inc.), complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF (UK-U.S. DPF), and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Shift Technology, Inc. has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Shift Technology, Inc. has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this Policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.
b. Shift Technology, Inc. shall process the personal data sent to it by the data controller. The types of personal data and the purpose of processing shall be in accordance with the agreed data processing agreement and shall only be disclosed to third party subcontractors and other sub-processors where data controller has agreed to these in writing. Shift Technology, Inc. shall at all times comply with this Policy.
c. In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, Shift Technology, Inc. commits to resolve DPF Principles-related complaints about our collection and use of your personal information. EU, UK, and Swiss individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, or the Swiss-U.S. DPF should first contact Shift Technology, Inc. at: dpo@shift-technology.com.
d. In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Shift Technology, Inc. commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) and the Gibraltar Regulatory Authority (GRA) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF.
e. The Federal Trade Commission has jurisdiction over Shift Technology, Inc.’s compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF).
f. Under certain conditions, it may be possible for an individual to invoke binding arbitration for complaints regarding Shift Technology, Inc.’s compliance with the DPF that are not resolved by any of the other DPF mechanisms. For additional information, please see Annex I: https://www.dataprivacyframework.gov/framework-article/ANNEX-I-introduction
g. Shift Technology, Inc. may be required to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
h. Shift Technology, Inc. has responsibility for the processing of personal information it receives under the DPF Principles and any and all transfers to any third party acting as an agent on its behalf. Shift Technology, Inc. shall remain liable under the DPF Principles if its agent processes such personal information in a manner inconsistent with the DPF Principles, unless Shift proves that it is not responsible for the event giving rise to the damage.
5. EDUCATION AND TRAINING
All new Workforce members shall be trained on data privacy during their onboarding to Shift. When requested, each member of the Workforce shall complete or refresh privacy training by attending training sessions or using e-learning modules provided by Shift. All of the Workforce shall be trained at least annually regarding this Policy.
6. COMPLIANCE AND SANCTIONS
a. Compliance. The Workforce are under a general duty to comply with this Policy, to the extent it does not conflict with any applicable local laws. The DPO shall conduct periodic objective reviews to evaluate compliance with the standards set out in this Policy and any other specific policies associated with it, and shall publish a statement annually, verifying that the self-assessment has been completed, which shall be made available upon request by individuals or in the context of an investigation or a complaint about non-compliance.
b. Sanctions. Any violation of this Policy by a member of the Workforce may result in adverse action up to and including termination of employment, service contract, or project assignment, as applicable and in accordance with local law and company policies.
7. REPORTING
All members of the Workforce are prohibited from ignoring, disregarding, or failing to report circumstances that could reasonably be considered sufficient warning that conduct likely to breach this Policy may occur, has occurred, or will occur. Employees who become aware of any such circumstances shall immediately report them to their manager or HR business partner, or by using one of the following:
Reporting Option | Link/Contact Details
Vault Platform (App Store) |
Vault Platform (Google Play Store) |
Vault Platform Open Reporting on the web | https://app.vaultplatform.com/shifttechnology/open-reporting
Compliance Department |
REVISION HISTORY
Version Number | Approval Date | Description | Owner(s) | Next Review Date | Approver(s)
1.0 | October 26, 2021 | Initial Policy | DPO | October 2023 | Head of Legal and Compliance
1.0 | November 2022 | Review | DPO | November 2023 | Head of Legal and Compliance
2.0 | August 16, 2023 | Revised to include EU-US DPF and Swiss-US DPF. | DPO | August 2024 | Head of Legal and Compliance DPF Program
2.1 | July 2024 | Reviewed | DPO | August 2025 | Chief Legal Officer