3 min read

Establishing a lawful basis for processing: What you need to know

Does my organization need consent to process information from customers who schedule with me?

With the General Data Protection Regulation (GDPR) taking effect in just a couple months, our users have been asking this question. The short answer: most likely no, due to the fact that scheduling is customarily initiated by customers.

The GDPR requires organizations to establish a lawful basis for processing customer data. A lawful basis for processing means that your organization has a legal right for collecting, storing, or accessing data belonging to a specific person. Often, a lawful basis for processing relies on consent from the customer. However with online scheduling, because the activity is customarily initiated by customers, a lawful basis for processing can usually be established without consent.

Under the GDPR you can process information without consent if it is necessary to fulfill a business obligation to a prospect or customer. When a prospect or customer initiates scheduling, this creates a business obligation for you to conduct the requested meeting. For most organizations, this should be enough to ensure a lawful basis for processing information via ScheduleOnce without requesting consent.

However, there are some instances when you may need to establish a lawful basis by other means. If you engage in outbound scheduling activities, or if you collect sensitive data during the scheduling process, you may not automatically have a lawful basis for processing.

Outbound scheduling

Outbound scheduling is when you initiate scheduling by sending personalized links to prospects or customers. In this scenario, data is pulled from Salesforce, Infusionsoft, or URL parameters. This means that you are processing information for scheduling without any direct input from customers. While your organization may have a lawful basis for processing this data, it is recommended that you ensure that you have a basis for processing the information for the purpose of online scheduling. Depending on your business scenario, this can be established by the need to fulfill a business obligation or by obtaining consent.

Collection of sensitive data

For organizations that collect sensitive data in addition to basic customer data at the time of scheduling, it is recommended that you obtain explicit consent. This most likely applies to organizations in the healthcare industry, but other organizations may be affected as well. Data that is considered sensitive includes any information related to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union memberships, genetic or biometric data, health information, or a person’s sex life or sexual orientation. If you require this information at the time of scheduling, it is recommended that you add a field to your booking form to request consent.

Bringing it all together

To sum up, with online scheduling you most likely have a lawful basis for processing customer data due to the inbound nature of online scheduling. However, we recommend that you assess whether your scheduling activities are inbound or outbound, and whether you collect sensitive data in addition to basic customer data at the time of scheduling.

To learn more about the GDPR, visit our GDPR center and read our practical guide to using ScheduleOnce in a GDPR compliant manner.

As always, if you have any questions or feedback, we would love to hear it. You can add a comment to this post or use our Contact page.