Establishing a lawful basis for processing under the GDPR

Under Article 6 of the GDPR, controllers must have a lawful basis for processing data. There are several methods for establishing a lawful basis for processing under the GDPR. The basis that you use will depend on your use case. With scheduling, establishing a lawful basis for processing depends on who initiates the interaction and what data you require:

  • Scheduling under a generic configuration: When a Customer initiates scheduling by navigating to your booking page to schedule a meeting
  • Personalized scheduling: When you initiate scheduling by sending a personalized link to a prospect or Customer
  • Collection of sensitive data: When you require sensitive data from Customers during the scheduling process

Scheduling under a generic configuration

This scenario occurs when a Customer schedules from a booking page with a generic configuration. This means that the Customer is not identified in advance, and is therefore required to input their name and email in order to schedule the meeting. This is only relevant if you are using ScheduleOnce. Under the GDPR, you can process information if it is necessary to fulfill a business obligation to a prospect or Customer. In this scenario, when a prospect or Customer inputs their information to schedule a meeting, you need to process their information to fulfill your business obligation. For most organizations, this should be enough to ensure a lawful basis for processing information.

Personalized scheduling

Personalized scheduling is when you input the information of a specific prospect or Customer with whom you are scheduling. This is relevant for both ScheduleOnce and InviteOnce. With ScheduleOnce, you may personalize scheduling by sending personalized links to prospects or Customers. In this scenario, Customer data is pulled from Salesforce, Infusionsoft, or URL parameters. With InviteOnce, scheduling is always personalized because you are required to input the prospect or Customer’s information while configuring the scheduling requirements. With personalized scheduling, information is processed by OnceHub without any direct input or consent from Customers. While your organization may have a lawful basis for processing this data via other sources, it is recommended that you ensure that you have a basis for processing the information via OnceHub.

Collection of sensitive data

If you are using ScheduleOnce, and require Customers to input sensitive data, it is recommended that you obtain explicit consent at the time of scheduling. This most likely applies to organizations in the healthcare industry, but other organizations may be affected as well. Data that is considered sensitive includes any information related to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union memberships, genetic or biometric data, health information, or a person’s sex life or sexual orientation. Learn more about collecting consent from your data subjects

To learn more about OnceHub's compliance with the GDPR, read our ebook: A practical guide to using OnceHub in a GDPR compliant manner
