Privacy Statement - AnyShift.be
Last updated: 1 July 2026
At AnyShift BV, established at Stenenbrug 117, 2100 Borgerhout (Antwerp), Belgium, registered with the Crossroads Bank for Enterprises under number BE 1019.746.053, we attach great importance to the protection of your personal data.
AnyShift is a licensed temporary employment agency (Flemish authorisation number) that brokers flexi-jobs, student jobs and related forms of employment.
Note regarding the extension of flexi-jobs to all sectors: On 30 April 2026 the Council of Ministers approved the preliminary draft bill extending flexi-jobs to all sectors (De Wever government, Minister of Labour Clarinval). The parliamentary vote is expected at the end of July 2026. As long as the law has not been officially published in the Belgian Official Gazette, the provisions in section 6 of this statement that specifically refer to the extension to all sectors are not yet applicable. The other provisions of this statement remain fully in force. AnyShift will update this statement immediately after publication in the Official Gazette.
This privacy statement clarifies how we process personal data in accordance with:
- the General Data Protection Regulation (GDPR - Regulation (EU) 2016/679);
- the Belgian Act of 30 July 2018 on the protection of natural persons with regard to the processing of personal data;
- the Act of 5 December 1968 on collective labour agreements and applicable CLAs (including CLA No. 68 and CLA No. 109);
- all other applicable Belgian and European regulations.
1. Contact Details and Data Controller
| Data controller | AnyShift BV |
|---|---|
| Address | Stenenbrug 117, 2100 Borgerhout, België |
| Enterprise number | BE 1019.746.053 |
| General e-mail address | hello@anyshift.be |
| Privacy-specific e-mail address | privacy@anyshift.be |
| GDPR contact person / DPO | Sania Khan |
For all questions, requests or complaints regarding data protection, you can contact our privacy officer via privacy@anyshift.be (state in the subject line: "Privacy question - GDPR").
2. Who are "you" and "we"?
In this statement, "AnyShift", "we", "us" and "our" refer to AnyShift BV and its affiliated entities. "You" and "your" refer to:
- Shifters: employees (flexi-jobbers, students, or other forms of employment) who seek and perform shifts via the AnyShift platform;
- Partners: employers, self-employed persons or organisations that post shifts via the platform;
- References: contact persons named by Shifters as a reference;
- Visitors: persons who visit AnyShift's website or applications without creating a registered account.
3. Which personal data do we process?
3.1 Data you provide to us directly
Upon registration and profile creation (Shifters):
- Identification data: surname, first name, date of birth, gender
- Contact details: e-mail address, telephone number, home address
- National Register number (INSZ) - required for Dimona declaration and salary calculation
- Bank account number (IBAN) - for the payment of wages
- Copy of identity document or residence permit
- Diplomas, qualifications and work experience (CV data)
- Profile photo (optional)
- Student status and/or proof of enrolment (for student jobs)
- Proof of main occupation or pensioner status (for flexi-jobs)
Upon registration and profile creation (Partners):
- Company identification: name, BCE/VAT number, legal form
- Contact details of responsible person(s): name, position, e-mail, telephone
- Invoicing and payment information
- Sector, NACE code and joint committee (relevant for flexi-job eligibility and pay scales)
- Functional information about shift requirements and locations
When using the services:
- Shift requests, bookings and confirmations
- Reviews, feedback and performance information
- Communication via the platform (messages, notifications)
- Completed surveys or satisfaction questionnaires
3.2 Data that is generated automatically
- Location data: precise GPS location (only when the app is active and you have given consent for this), approximate location via IP address
- Usage data: pages visited, features used, click behaviour, session duration
- Device information: device type, operating system, browser type, IP address, language
- Log data: server logs with timestamp, error messages, system activity
- Cookies and tracking technologies: see our Cookie Policy
3.3 Data received from third parties
- Social media (if you log in via a social media platform)
- Payment providers and financial institutions
- Government authorities (ONSS, RVA, Dimona system) for verification
- References that you provide yourself
- Publicly available sources (e.g. LinkedIn, BCE)
3.4 Special categories of personal data
In certain cases we process sensitive personal data within the meaning of Article 9 GDPR:
- Health data: e.g. fitness-for-work certificate, sick leave - solely insofar as necessary for the performance of the employment contract or required by law
- Nationality and residence status: for the verification of the applicability of labour law and social security
We process this data solely on the basis of an explicit exception as set out in Article 9(2) GDPR, and in compliance with the required additional safeguards.
4. Purposes and legal grounds for processing (Art. 6 GDPR)
| Purpose of processing | Legal ground (Art. 6 GDPR) | Explanation |
|---|---|---|
| Creating and managing accounts | Art. 6(1)(b) - performance of contract | Necessary to provide the service |
| Dimona declaration and ONSS obligations | Art. 6(1)(c) - legal obligation | Act of 27 June 1969 (ONSS Act); Royal Decree on Dimona |
| Salary calculation and payment | Art. 6(1)(b) + Art. 6(1)(c) | Performance of the employment contract + tax and social legislation |
| Matching Shifters with Partners | Art. 6(1)(b) - performance of contract | Core function of the platform |
| Verification of employment-law status (flexi-job, student) | Art. 6(1)(c) - legal obligation | Act of 16 November 2015 (flexi-jobs); student work regulations |
| Limosa declarations (foreign EU workers) | Art. 6(1)(c) - legal obligation | Royal Decree of 20 March 2007 on Limosa |
| Temporary employment agency obligations (licensed agency) | Art. 6(1)(c) - legal obligation | Act of 24 July 1987 on temporary work |
| Communication about shifts and services | Art. 6(1)(b) - performance of contract | Necessary for service delivery |
| Commercial communication via e-mail, SMS or WhatsApp | Art. 6(1)(a) - consent | Opt-in required; opt-out always possible via any message |
| Dispute resolution and fraud prevention | Art. 6(1)(f) - legitimate interest | Protection of platform integrity and users |
| Profiling for job matching (automated) | Art. 6(1)(b) + notification under Art. 22 GDPR | See section 10 |
| Customer service and complaints handling | Art. 6(1)(b) + Art. 6(1)(f) | Performance of contract + legitimate interest |
| Analysis and improvement of the services | Art. 6(1)(f) - legitimate interest | Internal use, anonymised statistics |
| Direct marketing (newsletter, offers) | Art. 6(1)(a) - consent | Opt-in required; opt-out always possible |
| Functional cookies | Art. 6(1)(b) - performance of contract | Strictly necessary for operation |
| Analytical and marketing cookies | Art. 6(1)(a) - consent | Via cookie banner; see Cookie Policy |
| Compliance with accounting and tax obligations | Art. 6(1)(c) - legal obligation | Belgian accounting law (7 years) |
| Business transfer or due diligence | Art. 6(1)(f) - legitimate interest | Limited, under NDA; users informed 30 days in advance |
5. Retention periods
| Category of data | Retention period | Legal ground |
|---|---|---|
| Account data (active user) | As long as the account is active + 2 years after inactivity | Contract |
| Wage and remuneration data | 7 years after the tax year | Belgian accounting law / tax law |
| Dimona and ONSS declaration data | 5 years | Act of 27 June 1969 (ONSS Act) |
| Shift history and contracts | 5 years after termination of employment | Labour law / limitation of claims |
| Invoices and payment documents | 7 years | Code of Companies and Associations |
| Communication data (platform messages) | 2 years | Legitimate interest (disputes) |
| Log data and server data | 12 months | Security and fraud detection |
| Consent for marketing | Until consent is withdrawn + 1 year of proof | Art. 7(1) GDPR |
| Application/profile data (not hired) | 6 months after last contact | Legitimate interest |
| Cookies (analytical/marketing) | See Cookie Policy (max. 13 months) | Consent |
After the expiry of the applicable retention period, data is securely deleted or anonymised.
6. Flexi-jobs and extension to all sectors
Legal status - updated 4 May 2026: On 30 April 2026 the Council of Ministers approved the draft bill for the extension of flexi-jobs to all sectors (De Wever government, Minister Clarinval). The parliamentary procedure and publication in the Belgian Official Gazette are still pending - a plenary vote is expected at the end of July 2026. The processing operations described in this part are not yet applicable until after official publication in the Belgian Official Gazette. The existing flexi-job rules based on the Act of 16 November 2015 (as amended) remain fully in force in the meantime. AnyShift will update this section immediately after publication.
As soon as the law takes effect, AnyShift will process the following additional data in order to comply with the new legal conditions:
- Verification of main occupation or pensioner status: confirmation that the Shifter meets the eligibility conditions for flexi-job work (e.g. employment of at least 4/5 with another employer, or pensioner status)
- Sector identification of the employer (Partner): registration of the NACE code and the joint committee of the Partner
- Dimona type "FL": mandatory declaration with code FL for each flexi-job performance; for this we process the Shifter's INSZ number and the shift data (start and end time, location)
- Flexi-job pay calculator: the tax-free wage up to the statutory limits is calculated on the basis of hours worked and the applicable hourly wage
Limosa declarations (foreign EU workers)
If AnyShift brokers EU citizens who come to work in Belgium and are subject to the Limosa declaration obligation, we process the required personal data (identity, nationality, work period, employer) for the declaration. The legal ground is a legal obligation (Royal Decree of 20 March 2007).
7. Belgian CLA obligations regarding monitoring and reviews
CLA No. 68 - Camera surveillance and electronic monitoring in the workplace
Where a Partner makes use of camera surveillance, badge registration, GPS tracking or other electronic monitoring means during the performance of a shift, this falls under CLA No. 68 (filed with the NLC). In that case AnyShift processes the data supplied by the Partner (arrival, departure, hours worked) solely for:
- Verification of hours worked and salary calculation
- Compliance with labour and social legislation
In this regard AnyShift acts as a processor for the Partner, who remains the controller for workplace monitoring. The Partner guarantees that monitoring is carried out in accordance with CLA No. 68 and the GDPR.
CLA No. 109 - Reviews, scores and deactivation of Shifters
AnyShift keeps review and performance data (star ratings, feedback from Partners) that may contribute to decisions about the visibility or deactivation of a Shifter. In accordance with CLA No. 109 and the principle of sound administration:
- Shifters are informed in good time about the criteria that determine their active status
- A deactivation is never carried out solely on automated grounds without human intervention (see also section 10)
- A Shifter has the right to request an explanation and review via privacy@anyshift.be
8. Communication channels: e-mail, SMS and WhatsApp
AnyShift communicates with Shifters and Partners via e-mail, SMS and WhatsApp Business (via Brevo/Sendinblue as a registered Business Solution Provider).
Commercial messages (promotions, offers, news) are sent solely after your explicit opt-in consent. You can unsubscribe at any time via:
- The unsubscribe link in each message
- Your account settings on the platform
- An e-mail to hello@anyshift.be stating "Unsubscribe - [channel]"
Operational messages (shift confirmations, payslips, Dimona information, legal notices) are sent on the basis of the performance of the contract (Art. 6(1)(b)) and cannot be disabled without interrupting the service.
Your telephone number and message content are processed by Brevo SAS (France) as a processor, on the basis of a concluded data processing agreement in accordance with the GDPR.
9. Record of Processing Activities and Data Protection Impact Assessment (DPIA)
Record of processing activities (Art. 30 GDPR)
AnyShift maintains an internal record of processing activities in accordance with Article 30 GDPR. This record contains, for each processing operation: the purposes, categories of data subjects and data, recipients, international transfers and retention periods. The record is available for inspection by the DPA. A summary is available on request via privacy@anyshift.be.
DPIA (Art. 35 GDPR)
Given the nature of our processing operations - large-scale processing of INSZ numbers, special categories of personal data and automated profiling - AnyShift has carried out a Data Protection Impact Assessment (DPIA) for the high-risk processing operations, as required by Article 35 GDPR.
Where necessary, we consult the DPA prior to new processing operations with a high residual risk (Art. 36 GDPR - prior consultation).
10. Automated decision-making and profiling (Art. 22 GDPR)
AnyShift makes use of automated matching to connect Shifters with suitable shifts. This system analyses:
- Availability, location and previously worked shifts
- Sector experience and skills profile
- Reviews from previous Partners
No fully automated decisions with legal effects: our matching algorithms support the service but do not lead to decisions based solely on automated processing that have legal effects for you. A human employee is always involved in significant decisions (e.g. permanent deactivation of an account).
You have the right to:
- Request an explanation of how the matching system works
- Request human intervention in the event of a decision that is unfavourable to you
- Object to profiling (Art. 21(2) GDPR)
You can address requests to privacy@anyshift.be (state: "Objection to profiling" or "Human intervention").
11. Joint controllership (Art. 26 GDPR)
In certain situations, AnyShift and a Partner act jointly as controllers for personal data of Shifters, in particular for:
- Shift data that the Partner receives and processes internally (attendance registration, planning)
- Reviews and performance feedback entered by the Partner via the platform
In such cases, AnyShift and the Partner conclude a joint controller arrangement in accordance with Article 26 GDPR. The essence of this is available to Shifters on request via privacy@anyshift.be.
For processing operations carried out solely by the Partner on its own systems (internal HR, own payroll), the Partner is the sole controller and the Partner's privacy policy applies.
12. Recipients of personal data and sub-processors
We share your personal data solely with the following categories of recipients:
12.1 Within the platform
- Partners and Shifters with each other: limited profile information necessary for the performance of a shift (name, photo, review, contact details)
12.2 Main sub-processors (Art. 28 GDPR)
With all processors we conclude a data processing agreement in accordance with Article 28 GDPR.
| Sub-processor | Category | Server location | Purpose |
|---|---|---|---|
| Google LLC (Analytics, Cloud) | Analytics / Cloud | US (SCCs applicable) | Web analytics, cloud infrastructure |
| Brevo SAS | E-mail / SMS / WhatsApp | EU (France) | Transactional and commercial communication |
| MongoDB Inc. | Database | EU / US (SCCs) | Platform data storage |
| Stripe / Mollie | Payment processing | EU | Invoicing and payments |
| VPS provider (own infrastructure) | Cloud / VPS | EU (to be confirmed in the hosting contract) | Server infrastructure of the AnyShift platform |
We inform you of changes to our sub-processors via our website or by e-mail (at least 14 days in advance).
12.3 Government authorities (legally required)
- RSZ / ONSS: wage declarations and social security contributions
- FPS Finance: tax forms (281.10, 281.20)
- Dimona system: mandatory declaration of the start and end of employment
- Inspection services: Social Inspectorate, Supervision of Social Laws
- Limosa database: for foreign workers
12.4 Other recipients
- References (contact details only, subject to your consent)
- Potential buyers or investors in the event of a business transfer - see section 13
- Judicial authorities if legally required
We never sell your personal data to third parties for commercial purposes.
13. Business transfer, merger or investment
In the context of a possible or effective business transfer, merger, acquisition or due diligence procedure, personal data may be shared with potential acquirers or investors. The following safeguards apply:
- The transfer is limited to the strictly necessary data for the evaluation
- The recipient is bound by a non-disclosure agreement (NDA) and by the GDPR obligations
- In the event of an effective transfer, data subjects are informed at least 30 days in advance by e-mail, stating the identity of the new controller
- The new controller assumes the obligations of this privacy statement, or data subjects receive a new statement with the option to object or to have their data deleted
14. International transfer of data (Art. 44-49 GDPR)
Some service providers are established outside the European Economic Area (EEA). In such cases we ensure an adequate level of protection by means of:
- Adequacy decision of the European Commission (e.g. UK, Switzerland, Canada - limited)
- Standard Contractual Clauses (SCCs) approved by the European Commission (Implementing Decision 2021/914)
- Additional technical measures: end-to-end encryption, pseudonymisation, access control
You can request a copy of the applicable SCCs via privacy@anyshift.be (state: "International transfer - GDPR").
15. Security of personal data (Art. 32 GDPR)
Technical:
- TLS/SSL encryption of all data transmission
- Encryption of sensitive data at rest (including IBAN, INSZ)
- Two-factor authentication (2FA) for accounts
- Regular penetration tests and vulnerability scans
- Access control based on the least-privilege principle
Organisational:
- Internal privacy policy and confidentiality agreements for employees
- Training of employees on data protection
- Procedure for reporting data breaches (internally within 24 hours, DPA within 72 hours in accordance with Art. 33 GDPR)
In the event of a breach that poses a high risk to your rights and freedoms, data subjects are informed without delay in accordance with Art. 34 GDPR.
16. Minors
The AnyShift services are not directed at persons under the age of 16. For student jobs (16-17 years), additional legal rules apply; in that case the consent of a parent or legal guardian is required upon registration.
We do not knowingly collect personal data from children under the age of 16. If you suspect that we have accidentally collected data from a minor, please contact us immediately via privacy@anyshift.be.
17. Your rights as a data subject (Art. 15-22 GDPR)
You have the following rights. You can exercise these via privacy@anyshift.be (state: "GDPR request - [type of right]"). We respond within 30 calendar days (extendable by 2 months for complex requests, subject to notification).
| Right | Content | GDPR Article |
|---|---|---|
| Right of access | Request which data we hold about you | Art. 15 |
| Right to rectification | Have incorrect or incomplete data corrected | Art. 16 |
| Right to erasure | Deletion of your data (subject to legal restrictions) | Art. 17 |
| Right to restriction of processing | Temporarily suspend processing while a dispute is ongoing | Art. 18 |
| Right to data portability | Receive or transfer your data in a machine-readable format (JSON/CSV) | Art. 20 |
| Right to object | Object to processing based on legitimate interest or profiling | Art. 21 |
| Right to withdraw consent | Withdraw consent given at any time (without retroactive effect) | Art. 7(3) |
| Right regarding automated decision-making | Request human assessment in the case of automated decisions | Art. 22 |
| Right to an explanation of profiling | Insight into the logic and consequences of the matching system | Art. 22(3) |
Please note: Exercising certain rights may affect your ability to use (parts of) our services, e.g. if legally required data is no longer available.
We verify your identity before processing a request, via your registered account or a valid identity document (whereby you may redact the document number and photo yourself).
18. Cookies
AnyShift.be uses cookies and similar technologies:
- Strictly necessary cookies: required for the operation of the website and the platform (no consent required)
- Analytical cookies: e.g. Google Analytics (consent required via cookie banner)
- Marketing cookies: e.g. Meta Pixel, LinkedIn Insight Tag (consent required via cookie banner)
You can adjust your cookie preferences at any time via the cookie preferences manager. Please consult our full Cookie Policy for more information.
19. Complaints
If you are not satisfied with the way we process your personal data, you have the right to lodge a complaint with:
Data Protection Authority (DPA)
Drukpersstraat 35, 1000 Brussel
E-mail: contact@apd-gba.be
Website: www.gegevensbeschermingsautoriteit.be
However, we ask that you first contact us via privacy@anyshift.be, so that we can resolve your concern as quickly as possible.
20. Changes to this privacy statement
AnyShift reserves the right to amend this statement. The date of the last amendment is indicated at the top.
In the event of material changes, we will inform you at least 30 days in advance by e-mail or a notification on the platform. By continuing to use our services after a change, you agree to the amended policy.