What is the GDPR?

GDPR stands for General Data Protection Regulation, which becomes enforceable in the EU on May 25th, 2018 and relates to how businesses process their customers’ personal data (information that identifies an individual).

It covers issues such as:
- Using customers’ personal data in accordance with the outlined principles (Article 5 – Processing Principles)
- Requesting consent to collect personal data (Articles 7, 8 & 9 - Consent)
- Enabling customers access to their personal data (Article 15 - Access)
- Providing copies of personal data to your customers (Article 20 – Data Portability)
- Rectifying personal data which is out of date or incorrect (Article 16 - Rectification)
- Fully deleting a customer’s personal data at their request (Article 17 - Erasure)

Under the GDPR, there are two parties involved in complying with the above:
1. The Controller – This is your business using Ovatu
2. The Processor – This is us, Ovatu

You (the Controller) are required to comply in terms of how you treat your customers' personal data. We (the Processor) are required to enable you to comply with the legislation. We are also of course required to comply with this legislation in terms of how we treat your personal data (we are fully compliant).

A contract between the Controller and Processor is also required, in order to specify each party’s obligations under the GDPR.

This article will address what the GDPR means for you, what Ovatu is doing to enable you to comply, how Ovatu complies, and where you can find the relevant contracts.

What does the GDPR mean for you?

The GDPR applies to businesses that are:
- Established in the EU
- Offering goods or services to EU-based individuals
- Monitoring EU residents’ behaviour

Under the GDPR, these businesses are required to comply with the following requirements:

Article 5 – Processing Principles
Businesses collecting personal data are required to treat such data in the following ways:
- Process the data in a way that is lawful, fair and transparent
- Use the data for legitimate purposes
- Limit the use only to what is necessary
- Process the data in a way that maintains its accuracy
- Store the data for no longer than necessary
- Process the data in a secure fashion

Articles 7, 8 & 9 - Consent
Customers must be given clear information about how their data will be used, and their consent to data collection needs to be obtained in a way that ensures:
- Consent is given in an opt-in rather than opt-out fashion
- It is given just before the data is collected
- Separate requests are made for separate types of data collection
- Consent is easy to withdraw

Article 15 – Access & Article 20 – Data Portability
Customers have the right to request and obtain:
- A copy of their personal data
- Information on how it is being used and stored
- Information about who the data may be disclosed to

Article 16 – Rectification
A customer has the right to request that their personal data be rectified and updated.

Article 17 - Erasure
A customer can also ask your business to erase their personal data or to place a restriction on how it will be used. Your business must comply with requests to erase the data if it no longer needs the data for the original reason it collected this data.

In addition, if your business exports customer data to a third party (such as an email marketing tool), you need to ensure that the third party also complies with the GDPR.

What is Ovatu doing to enable you to comply with the GDPR?

Ovatu has been designed in a way that ensures data protection and security are at the forefront. In addition, all of your data is stored in the United States in Amazon Web Services data centres. The storage and transmission of this data is covered by the EU-U.S. Privacy Shield Framework.

In order to enable our customers to fully comply with the requirements of the GDPR, we are implementing a number of specifically targeted features. These will all be live by March 25th 2018, a full two months prior to the GDPR coming into effect.

Articles 7, 8 & 9 - Consent
1. An explicit checkbox (unselected by default) will be presented to customers signing up via the online booking system (Mini-site, widgets and Ovatu You)
2. A customisable text field will enable you to modify the content of the checkbox and instruct your customers on your personal data collection, use and policies.
3. A second checkbox allowing your customers to opt-in to marketing materials sent by your business.
4. An explicit checkbox (unselected by default) with fully customisable text presented when a customer completes a form. This can be modified and different for each form type.

Article 15 – Access & Article 20 – Data Portability
1. A full customer file export function which includes customer profile, sales, forms, custom fields, notes, photos, passes and gift cards
2. This file can be requested from the customer profile page and you will be alerted when it is ready. You can then download and email this file directly to your customer. Please note that your customers are able to request a copy of the notes fields.

Article 16 – Rectification
1. The customer file is currently already fully editable
2. The option to unseal a locked form (which will then be marked as unlocked with no ability to re-lock)

Article 17 - Erasure
1. A full customer deletion function. Please note that deleting a customer will permanently delete their file from Ovatu servers. There will also be an 'Archive Customer' option, where full deletion is not required.

How does Ovatu comply with the GDPR?

Ovatu’s compliance with the GDPR consists of facilitating the Controller’s compliance by means of implementing the features listed above.

Ovatu is also required to treat customer personal data in accordance with the same principles. Ovatu is fully compliant and this is outlined in the Privacy Policy. Some specific areas to note are:

Articles 7, 8 & 9 - Consent
Upon sign up, all Ovatu customers are required to agree to the Ovatu Software as a Service (SaaS) Agreement. This agreement is a legal contract between the Processor (Ovatu) and Controller (Ovatu customer). Ovatu customers are also required to agree to our Privacy Policy which outlines Ovatu’s data collection and processing principles and our responsibilities both as a Processor and Controller under the GDPR.

Article 15 – Access & Article 20 – Data Portability
Ovatu has always provided full data export for all of our customers. Ovatu customers are able to export CSV files of any type of data stored within their account via our Web App.

Article 17 - Erasure
Ovatu has a fully transparent cancellation policy. Ovatu customers may cancel their account at any time for any reason via the Web App and may request full deletion of their account via email to hello@ovatu.com.

This article is not written by a lawyer and does not constitute legal advice.

Resources:

https://www.oaic.gov.au/resources/agencies-and-organisations/business-resources/privacy-business-resource-21-australian-businesses-and-the-eu-general-data-protection-regulation.pdf

http://www.appaforum.org/resources/guidance/appa-gdpr-general-information-document.pdf