As an EU citizen or resident, you are entitled to the following:
- The right to access — You have the right to request copies of your Personal Information.
- The right to rectification — You have the right to request that any Personal Information you believe is inaccurate be corrected, and request that any incomplete Personal Information be completed.
- The right to erasure — You have the right to request that your Personal Information be erased under certain conditions.
- The right to restrict processing — You have the right to request that the processing of your Personal Information be restricted under certain conditions.
- The right to object to processing — You have the right to object to the processing of your Personal Information under certain conditions.
- The right to data portability — You have the right to request that your Personal Information be transferred to another organization, or directly to you, under certain conditions.
However, as a provider of integrated payment processing and technology solutions, Shift4 is a “data processor” rather than a “data controller.” That is, Shift4 has no direct relationship with the individuals whose Personal Information Shift4 processes on behalf of its clients. Any individual who seeks to exercise any of the rights above over Personal Information Shift4 is processing on behalf of a client should direct their query to the client, the data controller, directly. Shift4 is happy to work with its clients to effectuate the protections above. Contact information for our Data Protection Officer and our Article 27 Representative may be obtained by sending an email request for such information to security@shift4.com.
Transfers of Personal Information from the EU to the U.S.
Shift4 participates in and has certified its compliance with the EU – U.S. Privacy Shield Framework (“Privacy Shield”). Shift4 is committed to subjecting all Personal Information received from European Union (EU) member countries, in reliance on the Privacy Shield, to the Framework’s applicable Principles. To learn more about the Privacy Shield Framework, visit the U.S. Department of Commerce’s Privacy Shield List at https://www.privacyshield.gov/list.
Shift4 is responsible for the processing of Personal Information it receives from the European Union, including any subsequent transfers to a third party acting as an agent on its behalf. Shift4 complies with the Privacy Shield Principles for all onward transfers of personal data from the EU, including the onward transfer liability provisions.
Please note that on July 16, 2020, the Court of Justice of the European Union invalidated the Privacy Shield as a valid method to transfer Personal Information from the EU to the U.S. While Shift4 remains committed to its obligations under the Privacy Shield, Shift4 relies on other valid transfer mechanisms, such as Standard Contractual Clauses, legitimate interests, or your consent, for the lawful transfer of Personal Information from the EU.
With respect to Personal Information received or transferred pursuant to the Privacy Shield Framework, Shift4 is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, Shift4 may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
Shift4 commits to cooperate with the Department of Commerce’s Data Protection Authorities (https://www.privacyshield.gov/article?id=DPA-Liaison-at-Department-of-Commerce) (DPAs) for investigation and resolution of Privacy complaints brought under the Privacy Shield and will comply with any advice given by the DPAs where the DPAs take the view that we need to take a specific action to comply with the Privacy Shield Principles, including remedial or compensatory measures for the benefit of individuals affected by any non-compliance with the Principles, and will provide the DPAs with written confirmation that such action has been taken.
If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact the Department’s DPA Dispute Resolution and Enforcement (https://www.privacyshield.gov/assistance) center.
Under certain conditions, more fully described on the Privacy Shield website (https://www.privacyshield.gov/article?id=How-to-Submit-a-Complaint), you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted.
Our Privacy Shield policy, in its entirety, can be found at https://www.shift4.com/wp-content/themes/shift4/assets/pdf/Shift4-Payments-Privacy-Shield-Policy.pdf.
If you wish to enquire further about the safeguards we use, please contact us using the details set out at the end of this Privacy Policy.