Dealing with data subject access requests under GDPR

Under the EU GDPR, data subjects will benefit from rights in terms of their ability to request and access any personal data you have collected about them.

Below, we give guidance on how you can use the tools provided by Bookeo to answer data subject access requests for personal data stored in Bookeo so that you can work toward complying with GDPR.

You can also review the European Commission article "How should requests from individuals exercising their data protection rights be dealt with?"

The information contained in this article is provided solely as general advice, with the understanding that it is not intended to be interpreted as specific legal or compliance advice. For further guidance, or if in doubt, you should seek the guidance of your legal or compliance counsel.
 
Bookeo Pty Ltd is not authorized to give legal or compliance advice.



Right of access by the data subject

As per article 15 of GDPR "The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information"


Customers' personal data

Self-access for customers

If you have enabled the Customer Area in Marketing>Customer area, your customers can log into the customer area and click on Your Profile to see their personal data collected using Customer fields set as public. They can take a screenshot of the page or save the page as an image or .pdf.

Customers can click on Your bookings in the customer area to see their past and upcoming bookings. They can click on the Print button to print the bookings.

 

Access for account users

Bookeo account users can print a customer profile and bookings from the Bookeo dashboard. The customer profile will include:
  • Customer fields set as public
  • Customer fields not set as public (only accessible by account users)
  • Notes about the customer

To print a customer profile:

1. Go to Customers

2. Click on a customer profile 

3. Click on the Print button. A .pdf file will be generated. The file can be printed or emailed to the customer.


To print customer bookings:

1. Go to Customers

2. Click on a customer profile 

3. Click on the Bookings tab. 

4. Click on the Print button.
 

Employees' Personal data 

Employees who are account users can access their personal data as account users in account>your details.

Employees who are resources:
  • can access the resource settings in Settings>Resources, if they are account managers or the account owner.
  • if the employees do not have manager permissions, they will have to request a copy of their personal data from the account owner or an account manager. The account owner or the account manager can take a screenshot of the resource settings and give it to the employee.

Right to rectification

As per article 16 of GDPR "The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement".


Customers' personal data

Self-access for customers

If you have enabled the Customer Area in Marketing>Customer area, your customers can log into the customer area and click on Your Profile to see and edit their personal data.


Access for account users

Bookeo account users can edit customer profiles from the Bookeo dashboard:

1. Go to Customers

2. Click on a customer profile 

3. Edit the customer profile.

4. Save


Employees' Personal data 

Employees who are account users can edit their personal data as account users in account>your details.

Employees who are resources:
  • can edit the resource settings in Settings>Resources, if they are account managers or the account owner.
  • if the employees do not have manager permissions, they will have to request rectification of their personal data as resources from the account owner or an account manager.

Right to erasure (‘right to be forgotten’)

As per article 17 of GDPR "The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies".


Deletion of customer's data

You can delete a customer profile and all his/her bookings. After deletion, the information can no longer be retrieved. Please verify that the deletion complies with your retention policy and other laws - for example, financial laws.

To delete a customer profile and his/her bookings:

1. Go to Customers

2. Click on a customer profile 

3. Click on the Delete customer button

4. If there are bookings for this customer, Bookeo will show a warning message. 

5. Click on the Yes, delete the customer and all his bookings button. If there are upcoming bookings, you will have to delete each booking first, before you can delete the customer profile.

Deletion of employee's data as an account user

If you delete an account user, the email address of the user will be erased from the system. For historical purposes, the name of the account user will show in the dashboard and in reports to show who performed each task.

Before deleting a user, you may want to anonymize his/her profile. To anonymize an account user profile:

1. Go to account>users

2. Click on the account user

3. Replace the name, surname and email address with fictitious values, so that these fictitious details will show in the system

4. Save


To delete an account user:

1. Go to account>users

2. Click on the account user

3. Click on the Delete button.
 

Deletion of employee's data as a resource

Depending on the account type you are using and on how you set up the services you offer, if you delete a resource from Settings>Resources, you may delete all the bookings to which the resource was assigned.

Instead of deleting a resource, you may want to anonymize his/her profile by replacing the name, surname and other personal data with fictitious values, then hide the resource from your customers and the other account users.


To delete a resource:

1. Go to Settings>Resources

2. Click on the resource type

3. Click on the Resource

4. Click on the Delete button.
 

Right to withdraw consent

As per Article 7.3 of GDPR "The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent."

If you are using the integration with MailChimp, customers can withdraw their consent to receive newsletters from your business via MailChimp.

If you have collected consent using another setting in your account, this is an account customization made by your business and you should verify how customers can withdraw their consent. If you need assistance, you can contact the Bookeo Support Team at help@bookeo.com. Please provide information on how you collected consent and how this is set up in your account. 
 

Right to restriction of processing and Right to object

As per article 18 of GDPR "The data subject shall have the right to obtain from the controller restriction of processing..." and "...such personal data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State".

In addition, as per Article 21 of GDPR "The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims."
 

Customers' personal data

Bookeo only processes data about your customers when they make a booking, purchase a gift voucher or prepaid package, or are enrolled in a membership.


You can add notes for any processing restrictions in the Notes section of the customer profile:

1. Go to Customers

2. Click on a customer profile

3. In the Notes section, you can add a note about the restriction.

4. Save

Employees' Personal data 

Bookeo processes data about your employees set up as resources if a booking is made for a service using that resource. If you do not want customers to make bookings for that resource, you should follow the instructions in this tutorial, in Step 1 and Step 2: http://help.bookeo.com/customer/en/portal/articles/1087998

Bookeo processes data about your employees set up as account users if the account user logs into the account and performs an action, such as creating a booking.

Right to data portability

As per Article 20 of GDPR "The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided"
 

Customers' personal data

A customer's personal data can be exported in XML format as follows:

1. Go to Customers

2. Click on a customer profile

3. Click on the GDPR Export [1] button



4. By default, Bookeo will export the customer profile and all the Custom fields set as public. In the Customer data export [2] section, you can select additional data, including information that is normally not shown to customers (in this case, a warning will be shown).



5. Click on the Download [3] button to download the XML file.