Establishing a lawful basis for processing under the GDPR

Under Article 6 of the GDPR, controllers must have a lawful basis for processing data. There are several methods for establishing a lawful basis for processing under the GDPR. The basis that you use will depend on your use case. With scheduling, establishing a lawful basis for processing depends on who initiates the interaction and what data you require:
 
  • Inbound scheduling: When a customer initiates scheduling by navigating to your booking page to schedule a meeting
  • Outbound scheduling: When you initiate scheduling by sending a personalized link to a prospect or customer
  • Collection of sensitive data: When you require sensitive data from customers during the scheduling process



Inbound scheduling

Inbound scheduling is when a prospect or customer initiates scheduling by navigating to your booking page and booking a meeting with you. Under the GDPR, you can process information if it is necessary to fulfill a contract with a prospect or customer. In this scenario, when a prospect or customer initiates scheduling, you need to process their information to fulfill your business obligation. For most organizations, this should be enough to ensure a lawful basis for processing information.



Outbound scheduling

Outbound scheduling is when you initiate scheduling by sending personalized links to prospects or customers. In this scenario, data is pulled from Salesforce, Infusionsoft, or URL parameters. This means that information is processed by ScheduleOnce without any direct input from customers. While your organization may have a lawful basis for processing this data via other sources, it is recommended that you ensure that you have a basis for processing the information via ScheduleOnce.



Collection of sensitive data

For organizations that process sensitive data, it is recommended that you obtain explicit consent at the time of scheduling. This most likely applies to organizations in the healthcare industry, but other organizations may be affected as well. Data that is considered sensitive includes any information related to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union memberships, genetic or biometric data, health information, or a person’s sex life or sexual orientation.

Learn more about collecting consent from your data subjects.

To learn more about ScheduleOnce's compliance with the GDPR, read our ebook: A practical guide to using ScheduleOnce in a GDPR compliant manner
