Cyber security and protection of customer data is a top priority at nShift. nShift meets the obligations set out in the EU General Data Protection Regulation (GDPR). The regulation addresses how nShift collects, process, use and protect personal data.
nShift works with customers and top brands all over the world. More than 10,000 customers trust our business-critical services and they have high expectations and demands. Cyber security and protection of customer data has never been more important and this drives our ambition to always deliver best practices and beyond within this field.
nShift works together with leading brands and partners to continuously assess and eliminate risk in our business processes, software development and technical operations.
We conduct external penetrations tests on our cloud based systems.
Thank you for contacting us or visiting nShift.com.
This policy explains what, how and why we collect information when you communicate with us or visit our website. It also explains the specific ways we use and disclose that information. We fully respect all wishes for confidentiality of personal information that is disclosed online, and we are aware of the need for appropriate protection and management of any personal information that we receive. We never sell information about our users.
The current policy is based on the following definitions:
|We, us, nShift||All nShift entities|
|Personal data||Any information relating to an identified or identifiable natural person; an
identifiable natural person is one who can be identified, directly or indirectly, in
particular by reference to an identifier such as a name, identification number,
location data or an online identifier.
|Processing||Any operation or set of operations which is performed on personal data or on sets of
personal data, whether or not by automated means, such as collection, recording,
organising, structuring, storing, adapting or alteration, retrieving, consultation, use,
disclosure by transmission, dissemination or otherwise making available, alignment
or combination, restriction, erasure or destruction.
|Consent||Any freely given, specific, informed and unambiguous indication of your wishes by
which you, by a statement or by a clear affirmative action, signify agreement to the
processing of personal data relating to you.
|Data Controller||The party that determines the purposes and means of the processing of personal
|Data Subject||The person to whom the personal data relates.|
|Data Processor||Another entity, which processes personal data on our behalf|
In legal terms, we are the Data Controller, whereas you are the Data Subject. We may engage other entities as Data Processor.
This policy applies to our processing of any personal data that you provide when communicating with us or interacting with our websites and web shop.
3. Legal basis for processing of the personal data related to you
Our processing of your personal data is based on your contract, consent or legitimate interest in business development.
You may at any time withdraw your consent. Please note that after the withdrawal of your consent, we may no longer be able to provide our services to you.
You can decide for yourself whether you want to accept or refuse to consent to the storage of cookies in your browser.
4. Website owner (data controller) and contact information
Our websites are operated and owned by:
nShift Group AS
Org. no.: 979 306 725
Phone: +47 23 24 94 80
5. Data Protection Officer
We have appointed a data protection officer that you may contact if you have any questions or concerns regarding
the processing of your personal data. You can reach the data protection officer by sending an e-mail to:
6. Information collected
All nShift’s activities, particularly our web and online activities as well as our marketing campaigns are compliant with data protection and data security legislation. The following describes what information may be collected when communicating with us or visiting our websites and how this is handled.
A. Personal Data you actively provide to us: When you sign up for our newsletter(s), send us a message through our contact form, make a purchase on our web shop or communicate with us in any way, you are actively giving us personal data that we collect. That personal data may include your name, physical address, e-mail address, IP address and phone number. By giving us this personal data, you consent to this personal data being processed by us.
B. Personal Data collected automatically: When you use our website, we may collect personal data about your visit and web browsing. That personal data may include your IP address, operating system, browser ID, browsing activity and other data on how you interacted with our website or other websites. We collect this data using cookies. Cookies are small text files that are stored locally in the cache of your browser
allowing us to recognise your browser and/or computer. The data is used for certain essential functionalities to make our sites work (“first party cookies”), for example to provide access to secure areas.
First party cookies cannot be refused without impacting the function of our websites.
In addition, cookies are used to create anonymous user profiles using Google Analytics (“third party cookies”). Third party cookies will not be merged with personal data profiles and for personal identification of visitors to our websites. User tracking data is used to review the performance of our websites and make improvements. We do not use third party cookies for advertising.
You have the right to decide whether to accept or reject cookies and you can do this through your browser controls. The means vary from browser to browser, so go to your browser’s help menu for more information.
7. Systems used
We use third party systems to collect and store personal data:
• E-mail marketing system
We use an external e-mail marketing system to collect subscribers for newsletter lists, which are used for different marketing and sales purposes. All personal data in the e-mail marketing system is collected via our websites and all subscriptions are subject to double opt-in.
• Web shop
When customers place orders in our web shop we collect personal data about the customers and their orders. The processing of personal data related to orders in the web shop is done for the purpose of carrying out the service deliveries to the customer.
• ERP system
To issue invoices for items purchased via our web shop we collect personal data (e.g. reference name) about the customer in our billing system and ERP system.
• Delivery Management system
To fulfil the delivery of items purchased via our web shop we collect personal data (e.g. delivery address) about the customer in our Delivery Management system.
• Website (Pop-up messages)
nShift uses pop-up messages on our websites to collect subscribers for newsletter lists, which are used for different marketing purposes. All personal data collected via pop-up messages is collected via nShift’s website and stored directly in the pop-up message system.
• Customer Relationship Management system (CRM)
nShift uses a CRM system to manage personal data on relations we have when communicating either via e-mail, phone or in person. The CRM system is mainly used in sales-related activities at nShift, with communication tracked within the CRM system.
• Customer Service system (CS)
nShift uses a CS System to manage enquiries submitted to us by customers, partners or other external parties. Personal data regarding the party that submits the enquiry is stored in this system.
Communication whether by e-mail, phone or in person is logged for the purpose of processing the enquiry.
• Phone system
nShift uses a phone system as an integrated part of our CS system in order to manage inbound and outbound calls with customers, partners and others. We do not record any such conversations.
7. Use of personal data
We use the personal data we collect to promote our services to you and send informational and promotional content. You can stop receiving our promotional e-mails by following the unsubscribe instructions in the e-mail. In addition, we use the personal data to invoice customers who have made an order in our web shop.
Our legal basis for collecting and using your information to reach out to you is in legitimate interest and does not overwrite your data protection interests or fundamental rights and freedoms. Our legitimate interest, in this case, is to offer you content we believe is in line with the theme of your website and you would want to publish, this is why we need to process your data.
You have the right at any time to receive and get access to the personal data stored regarding your person and to have incorrect data deleted or rectified. You can contact us at any time if you have questions about the handling of your personal data or if you wish to request the correction of personal data stored by us. See the Questions and
Complaints guidance below.
8. Information Security
We take reasonable and appropriate measures to protect personal data from loss, misuse and unauthorised access, disclosure, alteration and destruction, considering the risks involved in the processing and the nature of the personal data.
In the event of a personal data breach, we will notify the supervisory authority without undue delay and no later than 72 hours after having become aware of the breach, unless the breach is unlikely to cause a risk to the rights and freedoms of you or any of our users and subscribers. Moreover, if the breach is likely to cause a high risk to
your rights and freedom, we will notify you without undue delay with at least:
• The name and contact details of the Data Protection Officer or other relevant contact point,
• A description of the likely consequences of the breach, and
• A description of the measures we have taken to address the breach.
9. Questions and complaints guidance
If you have comments, questions, concerns or objections related to our information and/or handling of your personal data or want to access, update, change or delete any of your personal data please contact us. Our contact details can be found in section 4.
10. Complaints to a supervisory authority
If you are of the opinion that we process or have processed your personal data unlawfully, you may lodge a complaint with the Norwegian Data Protection Supervisory Authority (Datatilsynet) or the supervisory authority of your country of nationality.
Contact details to the Norwegian Data Protection Supervisory Authority (Datatilsynet) can be found here: www.datatilsynet.no.