General Data Protection Regulation (GDPR) A Andrew Kelly

The General Data Protection Regulation, or GDPR, is a European Union privacy law that took effect in 2018. The GDPR controls how individuals and organizations may collect, use, and retain personal data. It affects some Acuity users.

This guide covers some of what we’re doing to comply with the GDPR and what you should know as an Acuity customer, particularly if you have clients in Europe.

Note: This guide is available as a resource, but should not be construed or relied upon as legal advice. Per our Terms of Service, Acuity doesn't provide advice or recommendations regarding laws applicable to your business.

Who is affected by the GDPR?

The GDPR regulates not only entities inside the EU, but also entities outside the EU that interact with EU residents online. That interaction can consist of doing business with EU residents, or just monitoring their web activities, such as by tracking their visits to your scheduling page.

Because the Internet is global, Acuity customers should review their practices and decide if they fall within the scope of GDPR.

What’s considered personal data?

Under the GDPR, personal data is any information that could, either alone or with other information, reasonably be used to identify a specific living person. This broad definition includes not only traditional personal data, such as dates of birth, names, physical addresses, and email addresses, but also location data, biometric data, financial information, and much more.

What has Acuity done to ensure compliance with the GDPR?

After reviewing how we store and use data — both about our customers and on behalf of our customers — we made a number of GDPR-related changes.

Specifically, we:

• Have adopted new Terms of Service and a new Privacy Policy that are more transparent about our use and treatment of data.
• Now offer a Data Processing Addendum, or DPA, to address how we process data on your behalf. The DPA takes effect when you accept our updated Terms of Service.
• Changed Acuity to make it easier for you to manage your data. For example, you can delete inactive clients.

How does Acuity help me comply with GDPR?

Acuity is a tool that can help you be GDPR compliant, but being GDPR compliant is ultimately up to you. How you use and configure your account, as well as which data you collect, will play a role in your compliance. There are several specific areas of Acuity that can help with these solutions.

• Acuity allows you to display terms and conditions in your scheduling instructions. You can use intake forms to get explicit consent to your terms from clients. And you can require your clients to agree to your terms before buying a package or signing up for a subscription.
• If you need to delete a client’s information, you can do so in the Client List. You can delete clients in bulk and delete inactive clients, as well.
• If you need to export data to comply with a client’s data portability request, you can do so in the Import/Export section.

How do I remove personal data from Acuity?

You can access, update, or delete some personal data in your account, including:

• Your account email address
• The email addresses and phone numbers tied to your calendars
• Your Appointments
• Client profiles

To ask us to remove other specific data from our system, either your own data or client data, contact [email protected] .

Does Acuity need to store data in the EU?

As with existing law, the GDPR requires us to observe certain safeguards when transferring personal data outside the EU. We have self-certified to the EU-U.S. and Swiss-U.S. Privacy Shields, which allows us to lawfully transfer EU and Swiss personal data to the U.S., including to our U.S.-based data centers. Read more about our Privacy Shield certifications.

Using Acuity with other services

Just as the GDPR affects Acuity, it also affects other services you may use for your business. These services may have their own privacy policies, terms of service, and other practices which are different from ours.

For example, some Acuity users track visits to their scheduling pages using integrations with Google Analytics or Facebook Pixel.

It’s important to carefully review the terms and policies of all third party services you use for your business.

GDPR best practices for Acuity users

While we can’t offer legal advice, here are some best practices that will help you get started with your GDPR compliance.

Personal data audit

Review your business practices and look for areas where you collect personal data, keeping in mind the broad definition GDPR uses for “personal data.”

Some questions to consider:

• Do you collect personal data using third-party services such as Google Analytics or MailChimp? You should read their privacy policies.
• Do you download or export data into any other systems?
• Do you combine the personal data you collect with other sources of data
• Are you gathering information you don’t need?

Create (or update) your privacy policy

After you’ve identified your data collection activities, consider creating a policy that documents:

• What information you collect.
• Why you collect that information.
• Who you share that information with.
• Any other information required under the GDPR.

Once you have written or updated your policy, you can use a form to add it to the scheduling process.

Where can I get more information about the GDPR?

Regulators within the EU provide specific guidance on the GDPR. You can view their documentation here:

• Data Protection Commissioner
• CNIL

Did this answer your question?