The General Data Protection Regulation (GDPR) is a European Union (EU) regulation on the protection of the personal data of EU residents. The regulation aims to give control of personal data back to individuals.

The GDPR applies to companies that process data of EU residents. This covers EU organisations and non-EU companies that offer goods or services to EU residents. The regulation takes effect on 25th May 2018. This means your business must comply with the GDPR by this date. Learn more: GDPR and Zenoti: What You Need to Know

What is PII? 

Any information that can be used directly or indirectly to identify a person is considered Personal Identifiable Information (PII) under GDPR. Examples include the name of a person, a photo, an email address, bank details, social networking posts, medical or biometric information, or a computer IP address. How a business processes this information and uses it to reach out to individuals falls under the purview of GDPR.

How Zenoti Protects Privacy Rights of Guests

To be compliant with the GDPR, Zenoti provides various settings/options that you, as administrators, front desk persons, and guests can use to ensure that privacy rights of guests are protected. These settings are available at the organization level (under Settings > Guests). 

Guests Opt Into Marketing Communications

Businesses may want to reach out to customers with special offers on guests’ birthdays and anniversaries, or when they run special campaigns. Zenoti considers any such communication sent out by businesses as marketing communication (emails or text messages). Since PII data is being processed by businesses to reach out to guests, this communication falls under the purview of the GDPR. 

Ideally, businesses must have the consent of guests before they send out such communication. In the case of minors, businesses can either disable the options to send marketing communication to minors, or obtain parental consent before sending marketing communications.

A guest’s right to opt in to receiving marketing communications falls under the Right to be Informed under GDPR. 

In Zenoti, if the organization level settings Set new guest profile to receive marketing emails and Set new guest profile to receive marketing text messages (SMS) are selected, it means that new guests will receive marketing emails and text messages by default.  

Tip: If your business needs to be GDPR compliant, your administrator must clear (uncheck) these checkboxes so that guests are not opted in to receive these communications by default. Guests need to explicitly opt in to receive such emails and text messages.  

Note that Zenoti prompts the front desk to take consent from guests for receiving marketing emails and text messages when the checkboxes, Receive marketing email and Receive marketing text messages, are selected in the guest profile.
 
Note: Businesses must record guests’ consent for receiving marketing communications when they are present in store. This recording of consent happens outside of Zenoti. 

The organization level setting, Allow guests to configure preferences on marketing emails and text messages using the Webstore and Customer Mobile Application, controls whether guests are allowed to change their preferences for receiving marketing communications using the Webstore and CMA. To be GDPR compliant, administrators must clear this checkbox so that guests opt into marketing communication when they are present in person in the store.

To ensure that new guests do not receive marketing emails and text messages by default:

  1. Ensure that you are at the organization level. 
  2. Go to Admin > Organization > Organizations > Settings > Guests
  3. Clear (uncheck) the following checkboxes to be GDPR compliant:
    a) Set new guest profile to receive marketing emails
    b) Set new guest profile to receive marketing text messages (SMS)
    c) Allow guests to configure preferences on marketing emails and text messages using the Webstore and Customer Mobile Application
  4. Click Save.
    This way businesses ensure that they do not send marketing communication to guests by default, and thereby, stay GDPR compliant. Guests can also no longer use the Webstore and CMA to change their preferences for receiving marketing communications. If they do want to opt into these communications, they must do so by going in person to the store and informing the front desk that they want to opt into marketing communications. 

Protect Privacy of Minors

To be GDPR compliant, businesses must protect the privacy rights of minors. Administrators can protect the privacy rights of minors by controlling settings at the organizational level that:

  • Define who falls under the minor guest category (based on age)
  • Ensure that marketing communications to minors are switched off
  • Control whether minors can create their own guest profiles from the Webstore and Customer Mobile App (CMA) 

Define who falls under the minor guest category: Zenoti identifies minors (minor guests) as guests below a particular age. The organization level setting Consider guest less than __ years of age as minor determines the age of minor guests. For example, if the age for minors is set to 16 years, Zenoti considers anyone below 16 to be a minor.

Tip: Administrators can leave this setting blank, in which case, the onus of declaring a guest as a minor lies with the guests themselves. If this setting is left blank, the checkbox This <guest label> is a minor does not appear on guest profiles. 

Ensure that marketing communications to minors are switched off: The setting Allow sending marketing email and text messages to guests who are minors controls whether minors should receive marketing communication (emails and text messages) by default. To be GDPR compliant, administrators must leave this option cleared (unchecked). It means that businesses should not send out marketing communication (emails or text messages) to minors.

Control if minors can create their own Guest Profiles on the Webstore and CMA: The setting Allow minors to create their own guest profiles on the Webstore and Customer Mobile Application controls whether minors can create their own guest profiles from the Webstore and the CMA. To be GDPR compliant, administrators must leave this option cleared (unchecked).

To protect the privacy rights of minors:

  1. Ensure that you are at the organization level. 
  2. Go to Admin > Organization > Organizations > Settings > Guests. 
  3. Ensure that you clear (uncheck) the following settings to be GDPR compliant:
    a) Allow sending marketing email and text messages to guests who are minors
    Note: You can specify the age of minors using the setting Consider guest less than __ years of age as minor.
    b) Allow minors to create their own guest profiles on the Webstore and Customer Mobile Application
  4. Click Save.
    This way, businesses ensure that they do not send marketing communications to minors. Also, minors cannot create their own guest profiles from the Webstore or the Customer Mobile Application.

Print General Details from the Guest Profile Page

Under GDPR, guests have a Right to Access their PII and also have a Right to Data Portability. Zenoti accommodates these rights by allowing the front desk and administrators to print the Guest Profile page.  

To print a guest profile:

  1. Go to the Guest Profile page.
    Note: Administrators can also access the Guest Profile page when they create a new Guest Profile from the Loyalty, Sales, Memberships, or Packages modules.
  2. Click Print.
    Note: Zenoti prints all information in the General tab of the Guest Profile page.
