General Data protection regulation (GDPR)



The General Data Protection Regulation (GDPR) is a new European Union (EU) privacy law that will come into effect on 25th May 2018. It replaces the 1995 EU Data Protection Directive (DPD).


Its objective is to improve the protection of the personal data of EU citizens and ensure that organizations who collect, store and process Personally Identifiable Information (PII) – such as email addresses or phone numbers – operate in a well defined framework. PII are any data that used alone or with other data can be used to identify a person.


The full text of the GDPR can be found here. If you have any question on how this affect the data held by Bookafy contact us.


The GDPR exists to ensure that businesses like Bookafy have a legal basis to process Personal Data. The recommended action to do so is simply to ask users for their consent. This consent must be specific and verifiable.

Which means that a written record of consent must be kept and tied to specific users. It also means that this consent can be withdrawn at any time and businesses then have to delete the PII from their records.

Consent also has to be unambiguous and clearly explain what the user is agreeing to. This means that, for example, pre-checked consent boxes on forms aren’t accepted.


This new EU regulation also clearly defines the rights of the data subjects, the persons whose data is held by businesses. EU citizens will have the right to ask for information on how their data is processed, used and stored. They can also request their data to be handled in a specific fashion. For example they might not want it hosted outside of the EU.

Whatever the reasons they have the right to request their data to be corrected, amended or even deleted. They also have the right to access that data and check with personal data is hosted by the company they use.

This means that the data processors need to be clear on how they process data – including the different third party services they might be using – and be ready to support user requests in a timely manner.

Our approach to Data Protection

As a business dealing with sensitive calendar data on behalf of our users protecting this data is paramount. Our data protection team which includes senior representatives of our Security, Architecture and Technical team is constantly reviewing our processes in order to ensure that all user data is protected and encrypted.

We have data centers in both the US and Europe so our clients – no matter where they are – can choose the location that works best for them and their users. We are applying GDPR standards to all our data, not just EU data.

We’ve also taken additional actions in order to ready for GDPR and you can consult our Terms of Service and End User Terms of Service documents for more details.

Collecting user consent

The data we host isn’t limited to calendar data. We also use data for Marketing purposes. This can range from basic product updates to recurring newsletters.

When clients and prospects entrust us with their Personally Identifiable Information we ensure that they are clear and how we will be using their data – such as their email address – going forward.

All our forms include a clear and verifiable consent action and we are also gathering consent from all our existing contacts going forward.

For more information please consult our Privacy Policy document.

Our team is here to help

We’ve been preparing for GDPR and have adjusted our processes where necessary. We are also ensuring that our third-party providers are in compliance with the GDPR.

If you don’t yet have a contract in place with us that includes the necessary Data Processing Agreement (DPA) please don’t hesitate to email us at or if you have any question about our approach to the GDPR.