You're on our United Kingdom website.

Change region


Change Region

You’re on our United Kingdom website. Change your region to see information for another location.

Loading animation


Clinic Management software that makes booking and rebooking multiple appointments simple and pain free.

What is the General Data Protection Regulation (GDPR)?

The GDPR is the European Union’s, comprehensive privacy and data protection law that took effect on May 25, 2018. The primary aim of the GDPR is to regulate how the personal data of individuals in the EU is processed – even by businesses that have no physical or legal presence in the EU. Organizations can face hefty fines for non-compliance: up to €20 million or 4 percent of annual global revenue, whichever is higher.

Is Pabau GDPR certified?

There is not yet any kind of recognized GDPR certification scheme, but we’ve been working hard to ensure that we’re in compliance with the GDPR.

The new DPA governs the terms by which we, as a data processor, process data on behalf of you, our customers, (who are typically data controllers) in accordance with Article 28 of the GDPR.

According to Article 28 of the GDPR, data processors must act only upon the documented instructions of the data controller unless otherwise required by law. This, however, does not relieve us of any of our obligations or liabilities under the GDPR. We are still required to ensure that we’re in compliance with the GDPR.

What is Pabau doing to ensure that it (and its vendors) are compliant with the GDPR?

We’ll continue to review our security measures, as we always do, to stay at the forefront of evolving industry standards and best practices.

So Pabau is compliant with the GDPR. Does that mean that I’m automatically compliant too? If not, where can I learn more about my own obligations?

No, while we’ve done our best to make it easier for you to be compliant, you’ll still need to address your own practices regarding GDPR compliance.
Much of how you collect, use, and dispose of personal data is not determined by your data processor (that’s us). Thus, each organization should get its own professional guidance on the topic to help ensure compliance. Here’s an additional resource from the UK Information Commissioner’s Office:

Am I a data controller? Is Pabau a data processor?

Typically, you (the Pabau customer) will be considered a data controller (i.e., an organization that determines the purposes and means of the processing of personal data) and we will always be considered a data processor under the law.
Controllers and processors each have their own respective obligations under the law. When a data controller engages a service provider like us, the service provider is typically a data processor acting on behalf of the controller, and the processor acts at the behest of the controller. As stated above, our DPA will govern the relationship, and the nature of the processing activities, between Pabau and its customers.

What is considered personal data?

According to GDPR Article 4, personal data means…“any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
So, what does that mean for you?
Within your Pabau account, that would include your customers’ contact information. And they may at some point ask you to forget them, or modify their information to be accurate, etc. You would then be responsible for fulfilling that request.

Does the GDPR require an additional checkbox to be able to lawfully process personal data? Or will a sentence such as "enter your information for us to email you XYZ Pdf" be sufficient?

If you are processing personal data on the basis of the data subject’s consent, you will need to include a mechanism to collect that consent, which could include an unticked checkbox which the data subject can tick to consent to the processing of his or her data. If you can consider this type of arrangement as a “contract” between you and the individual who requested the “something,” then you may be able to skip the checkbox altogether, and base your processing on the need to perform your obligations under this “contract”.

If as customer asks me to exercise their Right to be Forgotten, do I have to remove them from my database?

A statement along the lines of the following may be more appropriate:

If you are a health care professional, or providing a health/medical based service, you will most likely have a legal requirement to retain medical records and treatment notes for a statutory (minimum) period of time (typically between 7 and 30 years). The data protection legislation you are governed by may also permit retaining these records for longer, if you have a legal basis, for example continuation of care. It is important that you satisfy your legal requirements before deleting any medical records from your database. A data subject’s right to have their data erased does not override your legal obligations to retain health/medical records for the statutory period. You should also ensure you satisfy your legal requirements by retaining these records if you migrate away from Pabau, end your account with Pabau, or cease trading. The ability for your users (staff) to delete client records should be restricted using User Permissions, ensuring only permitted users can erase data from your database.

What if I offer services free of charge (e.g. regularly emailing cat photos to my subscribed customers without requiring them to pay)? Does this constitute a contract, and can this be considered as a legal basis for lawful processing of personal data?

Yes. The GDPR is not limited to situations where money is transferred. According to Article 3.2(a) of the GDPR, merely offering goods or services to EU data subjects, even without payment, makes that transaction regulated by the GDPR. By using your services for which no payment is required, your customers typically agree to the Terms of Use/Terms of Service that you display on the website, thus forming a valid contract. You can use this as a legal basis for justifying the processing of personal data, simply because it is necessary for fulfilling your obligations under the contract.

Under GDPR, can I still have my opt-in forms checked by default?

No, please note that the use of pre-ticked opt-in boxes is not valid under the GDPR. Silence or inactivity on the part of the data subject, as well as merely using a service (without first ticking a box to indicate agreement) doesn’t count as “consent”.