Data minimization under the GDPR

Data minimization is a key GDPR principle. Article 5 of the GDPR states that data collection should be adequate, relevant, and limited to what is necessary in relation to the purpose of processing. 

The GDPR lays out two principles regarding how organizations should ensure data protection when determining their processes for collecting and storing information:

  1. Data protection by design states that controllers should “implement appropriate technical and organisational measures” and “integrate the necessary safeguards into the processing.” Controllers should consider data protection both when designing procedures to process information, and at the time of the processing itself (Article 25).
  2. Data protection by default states that controllers should ensure that “by default, only personal data which are necessary for each specific purpose of the processing are processed.” This applies to the amount of personal data collected, the extent of the processing, the period of storage, and the accessibility of the data (Article 25).

What data is required to schedule a meeting?

To uphold the principles of data protection by design and default, you should consider what is the minimum data you require to schedule meetings.


ScheduleOnceInviteOnce
Name and Email address

This information is required in order for Customers to receive confirmation of their booking.

This information is required in order to send scheduling invitations or schedule on a Customer’s behalf.

Phone number for sending SMS

It is recommended that this field be optional, allowing individuals to decide whether or not they want to receive SMS notifications.

This is not relevant for InviteOnce
Information required for providing your service

Depending on the purpose of your meetings, you may require specific information from individuals to ensure you are prepared for your meeting. Only data that is absolutely necessary for conducting a meeting should be collected.

This is not relevant for InviteOnce

When scheduling with InviteOnce, you already have the Customer’s details, meaning there is no booking form for the Customer to fill out. On the other hand, ScheduleOnce is primarily used to schedule under generic configurations, meaning you do not have the Customer’s details and therefore require them to fill out a form. This form can be customized to collect specific information from Customers. When customizing booking forms, you should consider compliance with the GDPR. 

Follow these steps to create custom booking forms with ScheduleOnce:

Steps to create a custom booking form in ScheduleOnce

1. Go to the Booking forms editor in your account by expanding the left sidebar and selecting the Booking forms editor (see Figure 1).
Figure 1: The Booking forms editor in the left sidebar

2. Using the editor, you can determine which fields your customers will need to fill out in order to book a meeting with you (See Figure 2).

Figure 2: The Booking forms editor

3. Click the New Booking form button to create a new form. You can add any fields that you require to your form. ScheduleOnce has a robust library of system and custom fields that you can use. You can also create your own fields if you require other information. 

4. Use the Remove field link to remove any unnecessary fields.

5. Define which fields will be mandatory for customers to fill out and the order in which fields are presented.

You’re all set! Be sure to associate the Booking form with the relevant Booking pages and Event types. Learn more about the Booking forms editor

Accessing Customer Data

The principles of data protection by design and by default require that controllers limit the accessibility to customer data. This is important for OnceHub accounts with multiple Users. If your account has multiple Users, you should limit access to your Customer data by assigning user roles and permissions. 

OnceHub has two type of Users: Administrators and Members. Learn more about OnceHub User roles

It is recommended that you limit the amount of Administrators in your OnceHub account. While OnceHub allows you to have multiple Administrators, to comply with the Data protection by design principle, we recommend you only grant the Administrator role to users who configure setup and require access to reports. Users who receive bookings, but do not need to configure scheduling scenarios, should be granted the role of Member.

OnceHub recommends that you only grant Users permission to booking pages they require. By assigning Users roles and permissions, you can limit who has access to data related to ScheduleOnce bookings. This will allow you to ensure that you are compliant with the GDPR principles of data protection by design and default. Learn more about User management

ScheduleOnce has additional user permissions related to Booking pages. Learn more about Booking page access permissions

There are four access permission levels:

  • Owner: This is the person receiving the bookings made via that page. There can only be one Owner for each booking page. The Owner has access to all booking and Customer data related to the Booking page. Both Administrators and Members can be Owners of Booking pages.
  • Editor: Editors do not receive bookings from the Booking page, but have almost complete access to the booking and Customer data related to that booking page. Both Administrators and Members can be Editors of Booking pages.
  • Viewer: Viewers cannot edit a Booking page, but do have access to the booking and Customer data associated with the booking page. Only Administrators can have the role of a Viewer.
  • No access: No access means that the Booking page will not show up in the User’s account at all and the User will have no access to the booking or Customer data related to the page. Only members can be assigned no access to Booking pages.

To learn more about OnceHub's compliance with the GDPR, read our ebook: A practical guide to using OnceHub in a GDPR compliant manner

Was this article helpful?
Thank you for your feedback!