Booker and GDPR
This is not legal advice. We urge you to consult your own legal counsel to familiarize yourself with the requirements that govern your own specific situation.
The General Data Protection Regulation (GDPR) is a comprehensive new European data protection law that will provide greater data protection for individuals in the European Union (EU). The GDPR takes effect on May 25, 2018.
At Booker, we are working hard to ensure that our tools and processes support you as you prepare for the GDPR, including conducting a review and update of internal policies and procedures, conducting employee policy training, and releasing a new "right to be forgotten" Booker feature.
What are your obligations as a Merchant?
If your business is based in the European Union (EU) or you have customers or contacts in the EU, then you will be responsible for ensuring compliance with the key requirements of the GDPR, including how the Booker platform is used.
As a "data controller" under GDPR terminology, you are responsible for understanding the type of personal information you hold inside and outside of the Booker platform and ensuring compliance with the key requirements of the GDPR. This includes notifying individuals of how you handle their personal information, obtaining their consent where appropriate, addressing their requests for access to their information, etc. Make sure you and your staff are aware of and fully trained on the type of information you are collecting and how to handle personal data.
What is Booker doing to support merchants as they prepare for GDPR?
Here are some ways you can use the Booker system to support you as you prepare for GDPR:
Exporting of Data:
Customers can request an export of their data. The Individual Customer Export report can be used to provide this information in a structured, commonly used and machine-readable format.
Right to be Forgotten:
Merchants and brands can honor client requests for deletion by going to System Settings and enabling the Allow customers to delete their account feature, and execute any valid "delete my account" requests.
Once the new Delete their account feature is enabled by the administrator customers will be able to request "delete my account" through self-service. If a customer submits a deletion request the merchant will receive an email with a link to complete the "delete my account" request.
When a merchant Admin opens the "delete my account" request and clicks on the link they will see a pop-up with steps and reminders. For example:
- Cancel any memberships
- Cancel any future appointments
- Manage open orders
- Reminder to download any customer documents that must be retained for legal reasons
Once all steps of the "delete my account" pop-up are complete, and the Admin executes the deletion request, the customer profile and any related documents will no longer be available. The data is deleted within 30 days of the administrator completing the "delete my account" request.
Customers may also request "delete my account" in person, over the phone, via firstname.lastname@example.org, or through other means. If the merchant user has access to customer profiles they can submit the "delete my account" request on behalf of the customer. The "delete my account" request follows the same process as a customer initiated "delete my account" request. The merchant is responsible for checking that the request is valid and completing the request.
A few things to keep in mind regarding the Delete their account tool:
- For security reasons only specific roles can process account deletions:
- For a Stand-alone location: Location Admin
- For a Brand with shared customers: Brand Admin
- For a Brand with non-shared customers: Brand Admin or Location Admin
- Customer exports will not include customers that have been deleted
- If the merchant belongs to a brand with individual customers the "delete my account" is specific to the location
- If the merchant belongs to a brand with shared customers the "delete my account" is for all locations
Vendors outside of the Booker System:
Merchants are responsible for destroying any customer data that is stored outside of the Booker system and ensuring the destruction of any customer data that the merchant shared with any third parties outside of the Booker system. For example, if you are using an external email marketing company the deletion request should be conveyed to this external vendor so that the customer data may be deleted from this vendor as well. The merchant is also responsible for updating or correcting any customer data or preferences that may be stored with third parties.
If you have questions, please go to https://help.booker.com or contact Booker Support.