Due to the current importance, we have listed the most relevant information about the GDPR-compliant use of appointman in your company.
If you have any questions or feedback about appointman and GDPR, please send us an e-mail: support@appointman.net. We collect the questions for our FAQ page. Unfortunately we cannot give individual advice.
Enjoy the read!
DISCLAIMER:
There are currently no jurisdictions for the GDPR issues, as this has not yet come into effect. We can therefore accept no liability for the information and notices. We are also not allowed to give legal advice. Many points in the GDPR can still be widely interpreted, so that only practice will show how these are interpreted by courts.
1. Each customer needs to accept the privacy policy before submitting a form
What does this mean for my appointman account?
Where there was no data protection approval today, there will inevitably be a checkbox in the future. Whenever your customer receives login data for appointman, it will be necessary for your customer to accept both your own and our data protection declarations and general terms and conditions.
At least the following appointman forms will be affected: Trial training, drop-in, shop purchase, registration, booking of appointments, booking of workshops and activation requests.
What does this mean for my website?
Do you have a contact form?
- Then your form will also need a checkbox for your customers to agree to your privacy policy.
- You need an SSL certificate (https://) for secure data transfer.
- Your privacy policy must include a notice regarding the transfer of data to appointman.
What should I do now?
- Create a data protection declaration and store it in appointman under Settings > Basic data.
- Add appointman to your privacy policy: https://intercom.help/appointman/english-guides/add-appointman-to-your-privacy-policy
- Edit contact forms on your website (contact your webmaster if necessary)
- Set up SSL certificate for your website (contact your webmaster if necessary)
2. DPA: Conclude contract on commissioned processing of personal data
Within the next weeks (by 25 May 2018) we will provide you with our GDPR-compliant contract on commissioned processing of personal data and inform you about it in time.
What should do now?
As soon as our updated DPA is available, you should sign and send it back to us! (print, read/understand, sign, return/mail, done.)
3. Delete customer data as soon as the purpose of collection is fulfilled
If the collection purpose is fulfilled and there are no further legal storage obligations, personal data must be completely deleted/anonymised.
In case of doubt, the extent to which legal retention obligations apply must be checked by you for each individual case. This applies of course not only to data you have stored in appointman but to all data of the customer. These can be phone book entries on your iPhone, handwritten notes, Excel tables, Word letters or participant lists which were filled out on site.
An example for deleting or anonymizing customer data: A customer with a used up 10-card who has not booked any class within the last 3 months. Here too, it is important to check individually which period is appropriate. According to the GDPR, it is not appropriate to continue to store the customer’s data without explicit consent (preferably in writing).
Another example: The customer explicitly asks you to delete his data. As long as you can prove that you need the data e.g. for a contract fulfilment a deletion may not be necessary. However, if this cannot be explained, you probably cannot avoid deletion. Also here we advise you in doubt to contact a lawyer for advice and to have this individually checked for your company and your business model.
What should I do now?
Think about your data:
- What and where do you store data about your customers?
- For example, do you keep attendance lists or have you saved his contact details on your iPhone?
- Do you have a Google calendar or a handwritten calendar?
- Do you still have exported data in your download folder?
Within the appointman software we will provide you with the necessary tools to delete customer data as easily as possible. It is a little more difficult to identify all other places where you have stored data about the customer. Therefore, think about where personalized data is stored and define a procedure for deletion in advance.
4. Provide access to the stored data
Your customer has the right to view the data stored about him/her. After your customer’s request, you have 30 days to send him this information.
Of course, this also includes all data you have stored about him in appointman. Course bookings, dates, remarks, address data, no-shows – everything that can be assigned to a customer.
Again, the GDPR is not limited to data stored in electronic systems. Handwritten notes, handwritten participant lists, contacts in your phone book or Google Calendar entries can also be examples where you could have stored data about the customer.
What does this mean for my appointman account?
We provide you with the appropriate options to provide the data to your customer in an easy way.
What should I do now?
You could delete comments that your customer should not know about.
5. Recommendation: DO NOT save medical data!
The GDPR stipulates that companies with 10 or more persons regularly involved in data processing need a data protection officer. It can be assumed that, for example, the maintenance of appointments or the ticking off of participant lists could already be regarded as regular data processing. In our view, it will be difficult for companies with 10 or more employees to credibly demonstrate that not all employees are involved in data processing. We therefore recommend that you check carefully whether a data protection officer is required.
However, there are also exceptions to this rule for companies with less than 10 employees, which will certainly apply to a large proportion of appointman users. The GDPR stipulates that companies with fewer than 10 employees whose core activity is the processing of medical data also require a data protection officer.
We currently assume that at least some of our customers will use the comment function for such data. Some users note previous illnesses such as herniated disc or body fat values, for example. Only practice will show how courts interpret “core activity”. But if you want to be on the safe side, you better not store such information. This applies not only to appointman, but also to Excel lists, handwritten notes or similar procedure.
If it is absolutely necessary to collect this data from the customer, then obtain the written consent of the customer regarding the storage of his medical data. We recommend that you work out appropriate forms with a lawyer. Furthermore, you should appoint a certified data protection officer to be on the safe side.
What should I do now?
You do not have a certified data protection officer?
Then you should not store any medical data about your customers or seek advice from a lawyer as to which options are appropriate for your business.
6. Opt-Ins for e-mails & co.
In order to protect you and your customers we are introducing the so-called Double-OptIn procedure by 25 May 2018. This means that customers who register or book a trial training, for example, will receive an e-mail with a link after booking. They must confirm this e-mail address. This way you are on the safe side that the e-mail address of the customer really belongs to him and you can contact him about it. This prevents misuse of e-mail addresses.
We are aware that this leads to an additional step for your customers and that many of them have problems due to incorrect spam settings. However, in order to comply with the European data protection guidelines this step is unavoidable. It serves above all to protect you as a company from penalties for unlawful contact.
If you change your terms and conditions or privacy policy, your customers will also automatically be required to accept the new version the next time they book.
What should I do now?
- appointman ensures that the opt-ins are queried everywhere where necessary from 25 May 2018 on.
- If you want to contact customers outside appointman by e-mail, phone, WhatsApp or SMS, you must obtain written permission to do so.
- Furthermore, please enter your general terms and conditions and data protection declaration under Settings -> Basic data, so that we can display them for the customer to accept.
7. Transparency of data storage and access
As already mentioned above, customers have the right to know what data you store about them. This also includes where you store this data and who has access to the data. To comply with this requirement, we recommend that you make your privacy policy GDPR compliant.
This means that in addition to concluding a DPA with appointman, you need to list appointman and all other tools in your data protection declaration. appointman hosts the data in a secure and certified data center in Frankfurt.
If you are using other tools, they potentially store data in other countries outside the EU. Here it is important to check individually whether you are still GDPR-compliant with the use of these tools and to make this transparent to the customer. Your tax consultant or your bank are also companies where you transfer personal data. We therefore recommend that you also conclude a DPA here.
In order to make it transparent to customers that appointman is used for data storage during online booking, we will introduce a “We use appointman” label under all booking forms from 25 May 2018 at the latest.
What should I do now?
- Prüfe alle Systemen und Firmen, zu denen du personenbezogene Daten übermittelst. Mache dir den Datenfluss bewusst und schließe mit den entsprechenden Firmen ADVs ab.
- Check all systems and companies to which you submit personal information. Make yourself aware of the data flow and complete DPAs with the appropriate companies.
Revise your privacy policy and save it in appointman under Settings -> Basic data.
8. Employees
We recommend that your staff has sufficient information to handle personal data. This can be done with the help of training courses for example.
Furthermore, we recommend concluding a non-disclosure agreement with your employees.
For the use of appointman we recommend that you do not share your admin login information with your staff. Instead, we recommend you create an user account with individual rights for each employee. This ensures, that changes to data can be uniquely assigned to a person. The management of the user rights is being expanded in the future.
What should I do now?
Check if your employees are sufficiently prepared for the upcoming DSGVO and create personalized accesses for all systems.
QUESTIONS OR FEEDBACK:
If you have any questions or feedback about appointman and GDPR, please send us an e-mail: support@appointman.net. We collect all questions for our FAQ page and for further news. Unfortunately we cannot give individual advice.
