SuperSaaS appointment scheduling and the new EU Data Protection law (GDPR)

Privacy

On May 25th, 2018, the General Data Protection Regulation (or GDPR) will come into effect. The GDPR aims to strengthen the security and protection of personal data in the EU and harmonize EU data protection law. SuperSaaS will be compliant with the GDPR when it becomes enforceable in 2018. If you use our appointment scheduling system to store personally identifiable data you may need to take action to ensure compliance with the new law.

What is the General Data Protection Regulation?

The General Data Protection Regulation (GDPR) is a new European privacy law due to become enforceable on May 25, 2018. The GDPR will replace the EU Data Protection Directive and is intended to harmonize data protection laws throughout the European Union.

The new legislation aims to improve security of personal information and harmonize legislation. New measures include:

  • Transparency on the collection, analysis and use of personal data
  • Individuals can request access to their data, as well as correction or removal of their data
  • Limit the processing, collecting and storage of personal data to specific and legitimate purposes
  • Rules to inform authorities and customers in case of a data breach
  • A single harmonized law for all organizations in the European Union

What are your responsibilities as a SuperSaaS customer?

SuperSaaS’ customers will typically act as the data controller for any personal data contained in the appointment schedules or forms. SuperSaaS is a data processor and processes personal data on behalf of the data controller when you, or one of your end-users, is using SuperSaaS. The data controller determines the purposes and means of processing personal data, while the data processor processes data on behalf of the data controller.

Because your responsibility as a data controller depends on the type of information you store and it’s intended purpose we cannot give specific guidelines here. In a general sense, data controllers are responsible for implementing appropriate technical and organizational measures to ensure and demonstrate that any data processing is performed in compliance with the GDPR. Controllers’ obligations relate to principles such as lawfulness, purpose limitation, and accuracy, as well as fulfilling data subjects’ rights with respect to their data. If you are a data controller, you can find guidance related to your responsibilities under GDPR by checking the website of your national data protection authority. You may also want to seek independent legal advice relating to your status and obligations under the GDPR specifically tailored to your situation.

These points may be helpful to SuperSaaS customers:

  • You can enable SSL encryption (https) on your account (on the Access Control page).
  • You can verify who has access to the information in your account (on the User Management page).
  • If you synchronize the information in SuperSaaS with a third party, for example through a webhook, then you may need to verify that this party is compliant with the GDPR or also disable them (on the Webhooks page).
  • You can specify what customer data should visible to other users, if any, on the configuration page, “Access” tab. You will want to try the system as a regular user to verify that it behaves as expected.
  • You may need a Data Processing Agreement (DPA) that will meet the requirements of the GDPR. SuperSaaS intends to offer customers a GDPR DPA that is available on request to help customers prepare for next May.

What is SuperSaaS doing to comply with the GDPR?

SuperSaaS is already compliant with the current EU Data Protection Directive that the GDPR will be replacing. We will be fully compliant with the additional requirements set forth in the GDPR when it takes effect in May 2018. A non-exhaustive list of actions we have already taken, or are in the process of implementing:

  • All customer information is stored on servers within the European Union. Our servers are located in state-of-the art data centers with 24/7 monitoring and security.
  • Customers will be able to see which of their data is stored in our systems and can request removal.
  • Where we use data processing services from third parties to store your information, we ensure that data processing agreements with those parties are in place and that they are located within the EU.
  • We have a process in place that determines which of our employees has access to customer information, with appropriate actions should they leave their position.

If you have questions regarding our working methods with the GDPR, please feel free to contact us.