General Data Protection Regulation (GDPR)


The GDPR is Europe’s new framework for data protection laws – it replaces the previous 1995 data protection directive. This new legislation is designed to provide greater protection and rights to individuals in the EU. This new regulation comes into effect on 28th May 2018 and will affect how EU citizen’s personal data is utilized by all companies (public and private) dealing with individuals in the EU.  Find out more.

What is GDRP?
Who is impacted by this?
What does the new GDPR entail? How to be compliant
In what countries does Book4Time process your data and what safeguards are in place at these locations?
Will Book4Time only process data in accordance with my instructions, and is there a written contract?
What is Book4Time doing to prepare for GDPR?


What is GDPR?

The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.


Who is impacted by this?

This new regulation applies to ALL organizations collecting and processing personal data of individuals residing in the EU, regardless of the company’s physical location.

The GDPR applies to controllers (an organization that collects data from EU residents) and processors (an organization that processes data on behalf of data controller e.g. cloud service providers) that are handling the personal data of European individuals.

According to the European Commission “personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address”

In short, a data controller specifies how and why personal data is processed, while a processor conducts the actual processing of the data. The controller is responsible for ensuring their processor abides by data protection law.


What does the new GDPR entail? How to be compliant

Extended jurisdiction – Regulations will apply to any company collecting and/or processing EU citizen’s personal data regardless of where the company’s physical offices are located.

Consent – Organizations will be required to obtain individual’s consent to store and use their data as well as explain how it is used.

Mandatory breach notification – Organizations will now be required to notify the supervisory authority within 72 hours of discovering a security breach unless it is unlikely to “result in a risk to the rights and freedom of individuals.”

Right to access – Companies must be able to provide electronic copies of private records to individuals requesting what personal data the organization is processing, where their data is stored and for what purpose.

Right to be forgotten – EU citizens will be able to request the controller to not only delete their personal data but to stop sharing it with third parties – who are then also obligated to stop processing it.

Data portability – The new regulation gives individuals the right to transmit their data from one controller to another. As a result, upon request, organizations must be able to provide an individual’s personal data in a ‘commonly used and machine-readable format.’

Privacy by design – This will be a real game-changer. Privacy by design is now a legal requirement in GDPR. This means that security must be built into products and processes from day one.

Data protection officers (DPO) – Both data controllers and data processors are now required to appoint a DPO – who can either be a contractor, new hire or a member of the organization’s staff.

It is important to note that not all companies are obliged to have a DPO. Only those “whose core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale or of special categories of data or data relating to criminal convictions and offences.”


In what countries does Book4Time process your data and what safeguards are in place at these locations?

Your data will only be transferred to a country that the European Commission has determined provides an adequate level of protection, or to service providers who have an agreement with us committing to the Model Contract Clauses defined by the European Commission, or certified under the Privacy Shield.


Will Book4Time only process data in accordance with my instructions, and is there a written contract?

We will only process your personal data according to your instructions as Data Controller in accordance with our Terms and Privacy Policy. Please e-mail us at to obtain an addendum that will grant Book4time with the suitable permissions required to handle your data accordingly.


What is Book4Time doing to prepare for GDPR?

Much of the GDPR when it comes into effect in May 2018 builds on the existing EU data protection framework which we are already well placed for. However, GDPR does introduce a number of changes that impact on us and you.

The actions we are taking to prepare include:

  • Putting in place a Data Processing Agreement, which is an extension of our Terms & Conditions that sets out the obligations between us, and permits Book4Time to continue to receive and process the data you upload to the system when GDPR takes effect in May 2018
  • Updating our processes and privacy policy to ensure our compliance in respect of the data we hold about our users
  • Reviewing Book4Time functionality to consider whether we can make any improvements that make Book4Time more efficient for users who are subject to GDPR.

From a customer perspective, GDPR does raise the bar on data privacy. We suggest you review the advice given by the European Union as they are responsible for implementing the GDPR legislation in the EU.

Back to Homepage