The EU General Data Protection Regulation (“GDPR”) comes into effect on May 25, 2018 and will replace the existing EU data protection law.
GDPR gives individuals control over how their personal information is stored and used by companies.
We recommend reading our Privacy, GDPR and Timely guide first, for more information.
If you are based in the EU, or have customers based in the EU, then your customers will need to consent to sharing their personal information with you.
Any personal information that you use and store as part of delivering your services must also meet the requirements under the GDPR framework.
In this guide we'll show you how to:
- Add or update your privacy policy.
- Collect and record consent via the online booking process.
- View or update a customer’s consent.
Update your privacy policy
In Timely, you can add your own privacy policy. Customers that book online will be prompted to view the policy and accept its terms to make a booking.
- Head to Setup > Online bookings from the main menu.
- Scroll down to the Privacy policy section.
- You will be able to apply some basic styles to this policy. Check out the "these shortcuts" link to find out more about formatting your policy.
- Enter your privacy policy in the field provided. You can view a Preview of the message underneath the field.
- Click Save to apply your changes.
Writing a privacy policy
The information laid out in this document is for general information purposes only; it is not intended to be comprehensive and does not constitute legal advice. We recommend talking with your lawyer, or seeking legal advice, about drafting a privacy policy and what your business needs to do to be GDPR compliant. Timely is not liable for any reliance on any of the information contained in this note.
A privacy policy should contain information about: what personal information you collect, how and why you collect and use it, how you secure it, whether third parties have access to it, whether you use cookies, and the control that users have over this. Documenting how you collect & store information collected via Timely is one part of the puzzle. You will also need to inform customers of how you use and share their personal information outside of Timely. This includes sharing information with other systems, and processes used in your general business practices.
To meet the requirements of the GDPR, your privacy policy should include the following:
- That you are the data controller;
- The full name of your business and your contact details (as the data controller);
- The purpose and legal basis for processing the customer's data (this may be that you have obtained the customer's consent to the processing, or that it's required for the performance of a contract between you and the customer);
- Whether the customer is required to provide personal data (and the consequences for not doing so);
- Your source of the personal data if it has not been provided by the customer directly;
- Whether you transfer the customer's data, and the recipients of the customer's personal data (i.e. you should include that you transfer the customer's data to Timely for processing);
- Whether you transfer data internationally, and the safeguards you have in place when doing this (i.e. you should include that you transfer the data from the EU to Timely's servers in the US and that there is a contract in place between us to provide safeguards (Timely's Terms of Service and our Data Processing Addendum));
- The retention period of the data, or criteria used to determine the retention period (this could be that you'll only hold data for so long as you are lawfully entitled to, or until the customer requests deletion);
- The customer's rights as a data subject (including the right to access, correct and delete data, and to have the data provided to them in a commonly used and electronic format so they could provide the information to another data controller);
- The right for the customer to withdraw their consent to the processing of their data at any time;
- The right for the customer to lodge a complaint with a supervisory authority about how their data has been handled; and
- Whether the data is used to make automated decisions (and if so, how the decisions are made).
While we are happy to help with any questions about adding a privacy policy to your Timely account, we aren't able to provide any legal advice or guidance.
This website has a comprehensive template for a privacy policy that is a great starting point: https://seqlegal.com/free-legal-documents/privacy-policy
- https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-notices-transparency-and-control/privacy-notices-under-the-eu-general-data-protection-regulation/
- https://www.i-scoop.eu/gdpr/data-controller-data-controller-duties/#Responsibilities_of_the_controller_under_the_GDPR
- https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
- https://dma.org.uk/uploads/misc/58f881147dcd0-gdpr-checklist-copy_58f881147dc1e.pdf
What your customers will see
- When customers book online and get to the last Enter details step, there will be three separate boxes for them to check:
  - I want to receive emails with the latest news and updates from <Your Business>.
  - I agree to <Your Business> privacy policy.
  - I agree to the following cancellation policy.
- Customers will be able to click on the privacy policy link.
- This will pop up a full-screen window over the booking process. This details your privacy policy, as above.
- Customers will need to accept both the privacy policy and the cancellation policy to be able to complete the booking process.
View or update a customer's consent
Once the privacy policy is accepted, this will be shown in the customer’s record.
This can be viewed or updated by editing their record:
- Head to the customer’s record.
- Click Edit in the top right corner.
- On the Details tab, you can see the customer's current status.
- Check/uncheck the box next to Privacy policy.
- Click Save to apply, or x (in the top right corner) to close out of the screen.
Note: If a customer is making a booking on the phone or in person, it is your responsibility to ensure that the customer is informed about how your business is using their personal information. If the customer gives written or verbal consent to your privacy policy in person, this can be updated in Timely via the method above.