Last updated: 1 July 2026
At AnyShift BV, registered office at Stenenbrug 117, 2100 Borgerhout (Antwerp), Belgium, registered in the Crossroads Bank for Enterprises (KBO/BCE) under number BE 1019.746.053, we attach great importance to the protection of your personal data.
AnyShift is a recognised temporary employment agency (Flemish accreditation number) that brokers flexi-jobs, student jobs and related forms of work.
Note regarding the extension of flexi-jobs to all sectors: On 30 April 2026, the Council of Ministers approved the preliminary draft law extending flexi-jobs to all sectors (De Wever government, Minister of Labour Clarinval). The parliamentary vote is expected at the end of July 2026. Until the law is officially published in the Belgian Official Gazette, the provisions in section 6 of this statement that specifically refer to the extension to all sectors are not yet applicable. The other provisions of this statement remain fully in force. AnyShift will update this statement immediately after publication in the Official Gazette.
This privacy statement clarifies how we process personal data in accordance with:
| Data Controller | AnyShift BV |
|---|---|
| Address | Stenenbrug 117, 2100 Borgerhout, Belgium |
| KBO number | BE 1019.746.053 |
| General email address | hello@anyshift.be |
| Privacy-specific email | privacy@anyshift.be |
| GDPR contact / DPO | Sania Khan |
For all questions, requests or complaints regarding data protection, you can contact our privacy officer via privacy@anyshift.be (mention in the subject: "Privacy Question – GDPR").
In this statement, "AnyShift", "we", "us" and "our" refer to AnyShift BV and its affiliated entities. "You" and "your" refer to:
At registration and profile creation (Shifters):
At registration and profile creation (Partners):
When using the services:
In certain cases we process sensitive personal data within the meaning of Article 9 GDPR:
We process this data exclusively on the basis of an explicit exception as set out in Article 9(2) GDPR, with all required additional safeguards in place.
| Purpose of processing | Legal ground (Art. 6 GDPR) | Explanation |
|---|---|---|
| Creating and managing accounts | Art. 6(1)(b) — performance of contract | Necessary to provide the service |
| DIMONA filing and RSZ obligations | Art. 6(1)(c) — legal obligation | Act of 27 June 1969 (RSZ Act); Royal Decree DIMONA |
| Salary calculation and payment | Art. 6(1)(b) + Art. 6(1)(c) | Performance of employment contract + tax and social legislation |
| Matching Shifters with Partners | Art. 6(1)(b) — performance of contract | Core function of the platform |
| Verification of employment status (flexi-job, student) | Art. 6(1)(c) — legal obligation | Act of 16 November 2015 (flexi-jobs); student work regulations |
| Limosa notifications (foreign EU workers) | Art. 6(1)(c) — legal obligation | Royal Decree of 20 March 2007 on Limosa |
| Temporary employment agency obligations | Art. 6(1)(c) — legal obligation | Act of 24 July 1987 on temporary work |
| Communication about shifts and services | Art. 6(1)(b) — performance of contract | Necessary for service delivery |
| Commercial communication via email, SMS or WhatsApp | Art. 6(1)(a) — consent | Opt-in required; opt-out always possible via any message |
| Dispute resolution and fraud prevention | Art. 6(1)(f) — legitimate interest | Protection of platform integrity and users |
| Profiling for job matching (automated) | Art. 6(1)(b) + notice under Art. 22 GDPR | See section 10 |
| Customer service and complaint handling | Art. 6(1)(b) + Art. 6(1)(f) | Performance of contract + legitimate interest |
| Analysis and improvement of services | Art. 6(1)(f) — legitimate interest | Internal use, anonymised statistics |
| Direct marketing (newsletter, offers) | Art. 6(1)(a) — consent | Opt-in required; opt-out always possible |
| Functional cookies | Art. 6(1)(b) — performance of contract | Strictly necessary for operation |
| Analytical and marketing cookies | Art. 6(1)(a) — consent | Via cookie banner; see Cookie Policy |
| Compliance with accounting and tax obligations | Art. 6(1)(c) — legal obligation | Belgian accounting law (7 years) |
| Business transfer or due diligence | Art. 6(1)(f) — legitimate interest | Limited, under NDA; users informed 30 days in advance |
| Data category | Retention period | Legal ground |
|---|---|---|
| Account data (active user) | As long as account is active + 2 years after inactivity | Contract |
| Salary and remuneration data | 7 years after the tax year | Belgian accounting law / tax law |
| DIMONA and RSZ filing data | 5 years | Act of 27 June 1969 (RSZ Act) |
| Shift history and contracts | 5 years after end of employment | Labour law / statute of limitations |
| Invoices and payment documents | 7 years | Companies and Associations Code |
| Communication data (platform messages) | 2 years | Legitimate interest (disputes) |
| Log data and server data | 12 months | Security and fraud detection |
| Marketing consent | Until withdrawal of consent + 1 year proof | Art. 7(1) GDPR |
| Application/profile data (not hired) | 6 months after last contact | Legitimate interest |
| Cookies (analytical/marketing) | See Cookie Policy (max. 13 months) | Consent |
After expiry of the applicable retention period, data is securely deleted or anonymised.
Legal status — updated 4 May 2026: On 30 April 2026, the Council of Ministers approved the draft law for the extension of flexi-jobs to all sectors (De Wever government, Minister Clarinval). Parliamentary processing and publication in the Belgian Official Gazette are still pending — a plenary vote is expected at the end of July 2026. The processing operations described in this section are not yet applicable until after official publication in the Belgian Official Gazette. The existing flexi-job rules under the Act of 16 November 2015 (as amended) remain fully in force in the meantime. AnyShift will update this section immediately after publication.
Once the law enters into force, AnyShift will process the following additional data to comply with the new statutory conditions:
If AnyShift mediates EU citizens coming to work in Belgium and subject to the Limosa notification obligation, we process the required personal data (identity, nationality, work period, employer) for the declaration. The legal ground is a legal obligation (Royal Decree of 20 March 2007).
When a Partner uses camera surveillance, badge registration, GPS tracking or other electronic monitoring tools during the performance of a shift, this falls under CLA No. 68 (deposited with the NLC). In that case, AnyShift processes the data provided by the Partner (arrival, departure, hours worked) exclusively for:
AnyShift acts as a processor for the Partner, who remains the controller for workplace monitoring. The Partner guarantees that monitoring is carried out in accordance with CLA No. 68 and the GDPR.
AnyShift maintains review and performance data (star ratings, Partner feedback) which may contribute to decisions about the visibility or deactivation of a Shifter. In accordance with CLA No. 109 and the principle of good governance:
AnyShift communicates with Shifters and Partners via email, SMS and WhatsApp Business (via Brevo/Sendinblue as a registered Business Solution Provider).
Commercial messages (promotions, offers, news) are sent only after your explicit opt-in consent. You can unsubscribe at any time via:
Operational messages (shift confirmations, payslips, DIMONA info, legal notices) are sent on the basis of contract performance (Art. 6(1)(b)) and cannot be turned off without disrupting service delivery.
Your phone number and message content are processed by Brevo SAS (France) as processor, on the basis of a concluded data processing agreement compliant with GDPR.
AnyShift maintains an internal register of processing activities in accordance with Article 30 GDPR. This register contains, per processing operation: the purposes, categories of data subjects and data, recipients, international transfers and retention periods. The register is available for inspection by the GBA. A summary is available on request via privacy@anyshift.be.
Given the nature of our processing — large-scale processing of INSZ numbers, special categories of personal data and automated profiling — AnyShift has carried out a Data Protection Impact Assessment (DPIA) for high-risk processing operations, as required by Article 35 GDPR.
Where necessary, we consult the GBA prior to new processing operations with high residual risk (Art. 36 GDPR — prior consultation).
AnyShift uses automated matching to connect Shifters with suitable shifts. This system analyses:
No fully automated decisions with legal effects: our matching algorithms support service delivery but do not lead to decisions based solely on automated processing that produce legal effects for you. A human employee is always involved in significant decisions (e.g. permanent deactivation of an account).
You have the right to:
You can address requests to privacy@anyshift.be (mention: "Profiling Objection" or "Human Intervention").
In certain situations, AnyShift and a Partner act as joint controllers for personal data of Shifters, in particular for:
In such cases, AnyShift and the Partner conclude a joint controller arrangement in accordance with Article 26 GDPR. The essence is available to Shifters on request via privacy@anyshift.be.
For processing carried out exclusively by the Partner on its own systems (internal HR, own payroll), the Partner is the sole controller and the Partner's privacy policy applies.
We share your personal data only with the following categories of recipients:
We conclude a data processing agreement with all processors in accordance with Article 28 GDPR.
| Sub-processor | Category | Server location | Purpose |
|---|---|---|---|
| Google LLC (Analytics, Cloud) | Analytics / Cloud | USA (SCCs apply) | Web analytics, cloud infrastructure |
| Brevo SAS | Email / SMS / WhatsApp | EU (France) | Transactional and commercial communication |
| MongoDB Inc. | Database | EU / USA (SCCs) | Platform data storage |
| Stripe / Mollie | Payment processing | EU | Billing and payments |
| VPS provider (own infrastructure) | Cloud / VPS | EU (to be confirmed in hosting contract) | AnyShift platform server infrastructure |
We inform you of changes to our sub-processors via our website or by email (at least 14 days in advance).
We never sell your personal data to third parties for commercial purposes.
In the context of a possible or effective business transfer, merger, acquisition or due diligence procedure, personal data may be shared with potential acquirers or investors. The following safeguards apply:
Some service providers are established outside the European Economic Area (EEA). In such cases, we ensure an adequate level of protection through:
You can request a copy of the applicable SCCs via privacy@anyshift.be (mention: "International Transfer – GDPR").
Technical:
Organisational:
In the event of a breach involving a high risk to your rights and freedoms, data subjects are notified without delay in accordance with Art. 34 GDPR.
AnyShift services are not aimed at persons under 16 years of age. For student jobs (16-17 years), additional legal rules apply; in that case the consent of a parent or legal guardian is required at registration.
We do not knowingly collect personal data from children under 16. If you suspect that we have inadvertently collected data of a minor, please contact us immediately via privacy@anyshift.be.
You have the following rights. You can exercise them via privacy@anyshift.be (mention: "GDPR Request – [type of right]"). We respond within 30 calendar days (extendable by 2 months for complex requests, subject to notification).
| Right | Content | GDPR Article |
|---|---|---|
| Right of access | Request what data we hold about you | Art. 15 |
| Right to rectification | Correct inaccurate or incomplete data | Art. 16 |
| Right to erasure | Deletion of your data (with legal limitations) | Art. 17 |
| Right to restriction of processing | Temporarily stop processing while a dispute is pending | Art. 18 |
| Right to data portability | Receive or transfer your data in machine-readable format (JSON/CSV) | Art. 20 |
| Right to object | Object to processing on grounds of legitimate interest or profiling | Art. 21 |
| Right to withdraw consent | Withdraw consent at any time (without retroactive effect) | Art. 7(3) |
| Right re. automated decision-making | Request human review of automated decisions | Art. 22 |
| Right to explanation of profiling | Insight into the logic and consequences of the matching system | Art. 22(3) |
Note: Exercising certain rights may affect your ability to use (parts of) our services, e.g. if legally required data is no longer available.
We verify your identity before processing a request, via your registered account or a valid identity document (where you may redact document number and photo yourself).
AnyShift.be uses cookies and similar technologies:
You can adjust your cookie preferences at any time via the cookie preference manager. See our full Cookie Policy for more information.
If you are not satisfied with the way we process your personal data, you have the right to lodge a complaint with:
Data Protection Authority (GBA)
Drukpersstraat 35, 1000 Brussels
Email: contact@apd-gba.be
Website: www.gegevensbeschermingsautoriteit.be
However, we kindly ask you to first contact us via privacy@anyshift.be, so that we can resolve your concern as quickly as possible.
AnyShift reserves the right to amend this statement. The date of the last change is mentioned at the top.
For material changes, we will inform you at least 30 days in advance via email or a notification on the platform. By continuing to use our services after a change, you agree to the amended policy.