SuperSaaS appointment scheduling and the EU Data Protection law (GDPR)

Privacy

On May 25th, 2018, the General Data Protection Regulation (or GDPR) came into effect. The GDPR aims to strengthen the security and protection of personal data in the EU and harmonize EU data protection law. SuperSaaS is fully compliant with the GDPR. If you use our appointment scheduling system to store personally identifiable data you may need to take action to ensure compliance with the law.

What is the General Data Protection Regulation?

The General Data Protection Regulation (GDPR) is a European privacy law which became enforceable on May 25, 2018. The GDPR will replace the old EU Data Protection Directive and harmonize data protection laws throughout the European Union.

The legislation aims to improve security of personal information and harmonize legislation. Measures include:

  • Transparency on the collection, analysis and use of personal data
  • Individual access to request, correct or remove data
  • Limitation of processing, collecting and storage of personal data to specific and legitimate purposes
  • Rules to inform authorities and customers in case of a data breach
  • A single harmonized law for all organizations in the European Union

What are your responsibilities as a SuperSaaS customer?

SuperSaaS’s customers will typically act as the data controller for any personal data contained in the appointment schedules or forms. SuperSaaS is a data processor and processes personal data on behalf of the data controller when you, or one of your end-users, is using SuperSaaS. The data controller determines the purposes and means of processing personal data, while the data processor processes data on behalf of the data controller.

Because your responsibility as a data controller depends on the type of information you store, and it’s intended purpose we cannot give specific guidelines here. In a general sense, data controllers are responsible for implementing appropriate technical and organizational measures to ensure and demonstrate that any data processing is performed in compliance with the GDPR. Controllers’ obligations relate to principles such as lawfulness, purpose limitation, and accuracy, as well as fulfilling data subjects’ rights with respect to their data. If you are a data controller, you can find guidance related to your responsibilities under GDPR by checking the website of your national data protection authority. You may also want to seek independent legal advice relating to your status and obligations under the GDPR specifically tailored to your situation.

These points may be helpful to SuperSaaS customers:

  • Ensure SSL encryption (https) is enforced when accessing your account (on the Access Control page).
  • Verify who has access to the information in your account (on the User Management page).
  • Configure how long customer and appointment data is retained (on the Usage Information page).
  • If you synchronize the information in SuperSaaS with a third party, for example through a webhook, then you may need to verify that this party is compliant with the GDPR or disable the link with them (on the Webhooks page).
  • You can specify what customer data should be visible to other users, if any, on the configuration page, “Access” tab. You will want to try the system as a regular user to verify that it behaves as expected.
  • You may need a Data Processing Agreement (DPA) that meets the requirements of the GDPR. SuperSaaS customers can download a Data Processing Agreement.

What is SuperSaaS doing to comply with the GDPR?

SuperSaaS is, of course, fully compliant with the GDPR. A non-exhaustive list of actions that have been taken in order to comply:

  • All customer information is stored on servers within the European Union. Our servers are located in state-of-the art data centers with 24/7 monitoring and security.
  • Customers will be able to see which of their data is stored in our systems and can request removal.
  • Where we use data processing services from third parties to store your information, we ensure that data processing agreements with those parties are in place and that they are located within the EU.
  • We have a process in place that determines which of our employees has access to customer information, with appropriate actions should they leave their position.
  • We currently use third-party Subprocessors to provide infrastructure services. The subprocessors do not have direct access to the Customer Data stored or processed by our service, for more information see the subprocessor list.

If you have questions regarding our working methods with the GDPR, please feel free to contact us.