Working toward GDPR Compliance

The EU General Data Protection Regulation (GDPR) places new responsibilities and obligations on businesses that process personal data of individuals who are in the Union. To better understand GDPR, we do recommend that you review:
  • the full text of the EU GDPR. Click here to read it 
  • the Data Protection section of the European Commission website. Click here to read it 
  • The ICO's Guide to the General Data Protection Regulation. Click here to read it 

In this article, we have prepared some best-practice recommendations for your Bookeo account, to help you work toward GDPR compliance.
 
The information contained in this article is being provided solely as a general advice, and with the understanding that it is not intended to be interpreted as specific legal or compliance advice. Since EU GDPR is a relatively new and complex regulation, some of its parts may be not immediately clear, and at times differing interpretations are offered by various reputable sources. If in doubt, you should seek the guidance of your legal or compliance counsel.
 
Bookeo Pty Ltd is not authorized to give legal or compliance advice.

Is your organization required to comply with the GDPR?

Before reading the rest of the article, this is the first and most important question to ask.
The GDPR applies to your organization if your organization has an establishment in the EU or if it provides services to customers in the EU, and it specifically targets individuals in the EU (for example by offering services designed for customers in the EU, by running geographical marketing campaigns targeting the EU, listing prices in Euro, etc).

This is an important point to note: if your business is not based in the EU, and it offers services to customers outside the EU, and it doesn't specifically target its services at individuals in the EU, it is not subject to the rules of the GDPR (source and examples: https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/application-regulation/who-does-data-protection-law-apply_en ).

If you are still in doubt whether your organization is subject to the GDPR, we recommend seeking independent legal advice.
 

In this article:


Keep your business contact details current and accurate

You should keep your business details - name of the business, business address, business phone number and email address - set in your account, in Settings>Business details current and accurate. Business details will show in the booking confirmation and reminder emails sent to your customers.

Keeping your business details current and accurate will allow your customers to contact you and submit data subject access requests. 

You can click here to find out more about how you can answer data subjects access requests for personal data stored in Bookeo, so that you can work toward complying with GDPR.

Do I need customer's consent to collect their data during the booking process?

Consent is not the only legitimate reason to process personal data.

As per Article 6 (b) of GDPR (Lawfulness of processing), processing is lawful if “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”.

This means that you have a lawful basis for processing if an individual asked you to do something as a first step and you need to process their personal data to do what they ask, or if you have a contract with the individual and you need to process their personal data to comply with your obligations under the contract.

With Bookeo, you provide a service, and the individual makes a booking, for the provision of a service. You, therefore, enter into a “contract” with that individual, and you and the individual intend that the terms of the contract will be legally binding.

For more information about lawful basis for processing, you can read the ICO guide here.

The ICO has also prepared a “lawful basis interactive guidance tool”, to give guidance on which lawful basis is likely to be most appropriate for your processing activities. You can find it here.
 

Minimize personal data collection

One of the principles of GDPR is data minimization. Data minimization means that should limit personal data collection (as well as storage and usage) to data that is relevant, adequate, and absolutely necessary for carrying out the purpose for which the data is processed (providing your service). You should consider which data you actually need to collect from your customers to provide the service and why it’s necessary.

Also see section Minimize personal data storage and usage below.


Do not collect sensitive data through Bookeo

You must not collect and process 'sensitive data' of your customers, account users and/or resources through Bookeo. 'Sensitive data' means: social security number, passport number, driver's license number, or similar identifier (or any portion thereof), credit or debit card number than the truncated (last four digits) of a credit or debit card), employment, financial, genetic, biometric or health information; racial, ethnic, political or religious affiliation, trade union membership, or information about sexual life or sexual orientation; criminal history; mother's maiden name; and any other information that falls within the definition of "special categories of data" under EU Data Protection Legislation or any other applicable law relating to privacy and data protection, except for date of birth. 

If processing of sensitive data (remember, only the collection of the "date of birth" is allowed) is necessary for the contract, you also need to identify a separate condition for processing this data. 


Consider whether to collect details of participants to a booking  

Bookeo lets you collect details of all participants of a booking, not just the customer making the booking. In this case, you obviously cannot obtain explicit consent from participants, and it is not clear that they're entering into a contract (the booking) with you, because that can only be said of the customer making the booking.

Bookeo believes that this is an unclear area of the regulation, and that probably in the future more clarifications will be provided by the regulators. There are many cases where it is common for a customer to input details of multiple people in a transaction (ex. purchasing an airline ticket, booking a hotel room, etc).

All we can do for now is to recommend considering carefully whether you need to collect participants' details, and if you do, what is the purpose of this data collection, and whether you minimize the data collected (see above).

Clearly, the safest thing to do in respect to the GDPR is to avoid collecting participants' details. 

Processing children’s personal data

If you need to process personal data of children, please refer to the European Commission guidance on children and the GDPR here, or seek the guidance of your legal or compliance counsel. 


Document the lawful basis of processing in your privacy notice

You should document your decision that processing is necessary for the contract and include information about your purposes and lawful basis in your privacy notice (Privacy Policy).


Staff members’ access and use of your customers’ personal information

You should review that staff members set up as account users in account>users have been given the correct permissions and access to your account and to your customers’ personal information, commensurate with the tasks they are expected to performYou can click here for more information on how to set account users permissions. User access rights should be reviewed at regular intervals to ensure that the appropriate permissions and access level are allocated.  

Each account user should have a username that is not shared with any other user and is associated with a specific individual.

Account usernames should not be reused as this may cause confusion in the event of a later investigation.


Minimize personal data storage and usage

Data minimization means that you should limit personal data storage and usage (as well as collection) to data that is relevant, adequate, and absolutely necessary for carrying out the purpose for which the data is processed. You should consider where data is going to be stored, for how long, and where it is transmitted to.

It might have been common practice to hold on to data in case it may be needed in the future, or to collect as much information about your customers as possible. However this practice should be abandoned because it is the opposite of data minimization and doesn’t comply with GDPR.

Before deleting data, you should also verify that data deletion complies with your retention policy and other laws - for example, financial laws.

Securely store data downloaded from Bookeo

Account users should securely store any data downloaded from Bookeo, such as reports, and promptly delete it when it's no longer needed for the purpose for which it was originally downloaded.

Lawfulness of Emails sent by Bookeo

The booking confirmation and reminder email, and the SMS reminders are necessary for the performance of the service to which the data subject is party.

If your business must be GDPR compliant, we recommend that you review the following email settings:


Remarketing email

If you have enabled the Remarketing feature in Marketing>Remarketing, you should disable it. With GDPR enforced correctly, it will no longer be possible to legally send remarketing emails when website visitors abandon the booking process.
 
According to the GDPR, a business must obtain the website visitor’s explicit consent to collect their data, unless in the case the data is necessary in order to perform the service/contract entered with the customer - see above. When requesting explicit consent, the purpose why the business is collecting the information and for how long the information will be kept must be made clear to the website visitor. In addition, the website visitor’s consent needs to be freely given, specific, informed and the business owner must be able to prove that.
 
The only way to use the remarketing feature under GDPR, would be to add a checkbox right beside the email address of the website visitor, asking for permission to re-market to them. Next to this checkbox you would have to list the reaosn why you're asking consent to use their details, and for how long you intend to keep them. The explanation would be quite long. Most website visitors may not tick the box, and may in fact be turned off the booking process completely.
More importantly, under GDPR the website visitor should also be able to revoke the consent given before receiving the remarketing email, which would be completely impractical to implement.

Bookeo is regularly monitoring public discussions regarding the impact of GDPR on remarketing practices, and in the future a practical, usable solution may be devised that permits the use of remarketing in accordance with GDPR. However for the time being, we recommend disabling remarketing as a precaution.

 

Thank you email 

If you have enabled the feature to send a Thank you email to your customers asking for their feedback in Settings>Thank you email, you should define what the feedback email will be used for and its purpose.

If you are collecting feedback to identify any issues and improve your service, and are not going to publish the reviews online, you may have a “legitimate interests” to ask for feedback and should not need consent providing that no sensitive data is collected. We do, however, recommend adding a confirmatory statement such as “by submitting this review you agree that your data will be processed in line with our privacy policy”, and add a link to your privacy policy page.

If you are planning to publish customer feedback generated from the Thank you email as an online review within the Bookeo system, then “unambiguous consent” should be required. Online reviews are a form of marketing and do not count as legitimate interest under GDPR. If your customer feedback is probably not sensitive, you may only need to obtain “unambiguous consent” to publish the reviews within the Bookeo system: the customer should understand how their data will be used.

In this case, we do recommend that you add a statement to the Thank you email you send, including - but not limited to - the following:
  • Where information is stored
  • How information will be used 
  • If information will be shared
  • Which personal data will be shared (for example, only the first name of the customer)
  • How customers can request for removal of a published review
  • A confirmatory statement such as “by submitting this review you agree that we will process your data in line with our privacy policy and that your review will be published on our website”, then add a link to your privacy policy page.

If you are asking customers to publish reviews on a third-party website, the review will be submitted and published on that website, and will be subject to the Third Party website Privacy Policy and Terms of Service. So we would recommend that you make sure that this is clearly explained to customers when they click on the links you provide to leave a review on a Third Party website.
 
Also, if you have repeat customers, we would recommend sending the Thank you email only after the first visit. As you build customer relationships, you can collect customers feedback in other ways, for example with surveys.

Add an SSL certificate to your website

Adding an SSL to your website creates a safe connection with website visitors who browse and share information with you online.

Whether you integrate Bookeo into your website or use the standalone booking page provided by Bookeo, the Bookeo widget is always HTTPS. However, if you do not have an SSL certificate for your website, and use the website integration, the web browser shows the non-secure address of your webpage (HTTP) in the address bar, and not the secure address of the Bookeo widget (HTTPS).

Therefore, if you integrate Bookeo into your website, we do recommend that you add an SSL certificate to your website. If you use the standalone booking page provided by Bookeo, adding an SSL certificate will help you secure your site and add trust and confidence for your website visitors and customers.

MailChimp integration

If you have integrated Mailchimp, we do recommend that you make sure that the checkbox asking customers to subscribe is unticked by default and that double opt-in is enabled:

1. Go to Settings>Integrations

2. Click on Mailchimp



3. Make sure that the Default [1] checkbox is unticked

4. Make sure that the Double opt-in [2] checkbox is ticked. Click here to find out more about Double opt-in

5. You may want to customize the Label [3] to
 describe why you are collecting the information. The label is the text describing the meaning of the checkbox that customer have to tick to subscribe to your newsletter. You should ensure the language of the label accurately describes your marketing activities.

6. If you make any changes, you should click on the Save button

You can find out more about Mailchimp and GDPR on the Mailchimp Help portal.

Third-party apps and integrations

You should consult any third-party vendors, including integrations and apps installed in your Bookeo account – for example, email marketing systems, online calendars, payment gateways, accounting systems and apps developed by your staff or third-party vendors – that may process your customer data to ensure they have sufficient privacy controls in place for GDPR.

According to your integration settings and permissions you granted to these third-party vendors, Bookeo may transfer your account data to these third parties. Bookeo is not responsible or liable for the processing of data performed by these third-party vendors.

If these third-party vendors send emails or notifications to your customers, related to actions, bookings or purchases made in Bookeo, we recommend that you make sure that these emails and notifications have lawful basis under GDPR, and that your customers are duly informed about these emails and notifications, by whom they will be sent and why.