What is GDPR?
GDPR stands for the General Data Protection Regulation. It’s a European Union (EU) law that ensures that EU citizens have the right to request that their personally-identifiable data be removed from software systems. This is called a request to be “forgotten.”
The law goes into full effect on May 25, 2018.
Does AppointmentPlus comply with GDPR?
Yes, it does. Some factors related to compliance include:
- We are SSAE16 SOC 2 Type 2 and HIPAA compliant.
- As per Privacy Shield regulations, we have strict policies on secure data transfer outside of the EU.
- We follow appropriate, industry-standard security measures and precautions.
- We will notify regulators of any security breaches, and perform appropriate client notifications.
- We ensure that any employees or contractors with access to personally-identifiable data have signed confidentiality agreements and adhere to our data management, privacy, and security standards.
This Fact Sheet contains additional details on compliance and process.
Our business is not in the EU, so why does this matter to me?
GDPR extends to any EU citizen, no matter where they are in the world. So, if your business is in Dallas, Texas, and one of your customers is visiting from France, they could request to be “forgotten” in the software systems you use. In that case, you may have some responsibility in removing them from any systems you use, and any software vendors you work with would have the same responsibility.
How does a person request to be “forgotten?”
For your business, you will have to develop a process whereby an EU citizen can request to be forgotten. For a person to request to be forgotten in the AppointmentPlus application, they would simply send an email to firstname.lastname@example.org and include the following:
- Full name
- Phone number
- Country of citizenship
- The company with whom they are a customer
Once the request is received, the following will happen:
- We will contact the requester to verify the request is valid.
- We will contact the company they are requesting to be forgotten from to make them aware and attain their written consent.
- We will begin the process of removing the requester’s data from our systems.
Per GDPR regulations, requests have to be processed within 30 days, unless there is legitimate reason it would take longer. We adhere to this timeline.
How can a person use an appointment scheduling system if their data is not accessible?
The stance that AppointmentPlus has taken is that it’s not feasible for a company to be able to make, change or cancel appointments for a person for whom they have little to no identifying data.
So, for any persons using the system, they are acknowledging that they are a known person in the system. If a person does not want to accept this, they can choose to not use the application.
If they are an existing user and request to be forgotten, their data will be deleted and they will no longer be able to utilize the system.
The exception to this is those accounts that solely identify users via a unique identifier in the system.
Where does AppointmentPlus store my data?
The primary data center for AppointmentPlus data is the Switch Data Center in Las Vegas, Nevada. Replicated data for redundancy purposes is housed in Switch’s Reno, Nevada Data Center. Backup data is stored at the Rackspace Data Centers in Dallas, Texas and Chicago, Illinois.
How does AppointmentPlus handle onward transfers of data outside of the EU?
If you are using our application from the EU, your data is currently stored in servers in the U.S. To safeguard your data when it leaves the European Economic Area, we adhere to the EU-U.S. Privacy Shield provisions.
Will AppointmentPlus sign Standard Contractual Clauses (“Model Clauses”)?
Organizations use Model Clause agreement to ensure vendors and partners adhere to GDPR data transfer provisions. AppointmentPlus will assess signing Model Clauses on a case-by-case basis.
Does AppointmentPlus offer a Data Processing Addendum (DPA)?
Yes. The Addendum is available upon request to email@example.com.
Who do I contact with questions about GDPR?
To contact our Data Privacy Officer, send an email to firstname.lastname@example.org with your question and contact information. They will then respond directly to your question or set up a date and time to speak.