GDPR Legislation and TutorCruncher Part 3

 Sam Jenkins
Legal Small business Technology

Once more, TutorCruncher has been busy working with its users to prepare for 25th May, when GDPR legislation will come into effect. In this post, we wanted to clarify some tweaks we have made to the tools available to you from within your TutorCruncher account.

If you have not already had the chance to read Part 1 and Part 2, then we would highly encourage you to do so.

Please note that as per our terms and conditions, TutorCruncher provides its clients the means to be compliant with GDPR. However, responsibility for operations and use of these tools in compliance with GDPR lies solely with the company.

Additionally, please note that this article’s content in no way constitutes legal advice. If you are looking for legal clarification on GDPR and how your company can comply with incoming legislation, you will need to speak to a lawyer familiar with the GDPR legislation.

What should I put in my Terms and Conditions?

In this System > Settings > Terms and Conditions section, you have the ability to input a policy of some kind which you ask your users to consent to as part of keeping their information in your database. Fundamentally, you can use this tool in different ways. For example, you might use it for:

  • Laying out your privacy policy and how you are to use your user's data, whilst including links to your wider terms and conditions of your services
  • Adding in the entirety of your terms and conditions (of which GDPR relevant information is a part)
  • Asking users to consent to your policy of sending them marketing emails relevant to their interests

Depending on what you wanted to do with this part of the system, you are able to customize what the end user receives before actually viewing any terms you have added. From your System > Settings > Terms and Conditions, you can configure your 'Terms and Conditions Title'. This is what will show at the top of the page when users are asked to consent.

Additionally, in your System > Settings > Email Definitions, you can locate the definition called 'Sent when your Terms and Conditions are changed'. From here you can edit the wording of the email your users receive (which then asks them to consent to your terms).

Set up your own custom terms, on your own terms

Who gets notified about my Terms and Conditions?

We have also given you a greater level of control as to who is notified about your Terms and Conditions. You have 3 options as indicated in the above screenshot:

  1. Nobody is asked to reconsent to terms and conditions and no email is sent.
  2. Only users who have not yet consented to or declined to terms and conditions will be asked to reconsent and they will be notified via email.
  3. All users (not including those who have declined terms and conditions) will be asked to reconsent to terms and conditions and will be emailed.

With these choices available, you can ensure that you can send out effective email reminders to everyone who has not yet consented without contacting, nor adjusting the status of, those users who have already agreed. Note that if anybody has asked for you to delete their data, they will never be notified in this email.

Removing your user data

As a related part of our work on GDPR and Data Erasure, we have also added the ability to erase multiple users at the same time. Via your System > Settings > Bulk Erase Users, you can erase the data of many users at once.

You can permanently erase the data for multiple users

As erasing user data is an irreversible process, the list of users eligible for bulk erasure comes under certain conditions:

  • Users who have not given consent will show (meaning those who have consented will not)
  • Users who have no historic invoices will show (meaning those who have received invoices from you will not)
  • Users who have no historic payment orders will show (meaning those who have received payment orders from you will not)
  • Users who have an invoice balance of zero will show (meaning those clients whose account balances are not zeroed will not)
  • Users who have not had a lesson since the configurable date will show (meaning those who have had lessons since the configurable date will not)

Note that whilst these conditions will prevent some users from appearing in the bulk erase section, it is not impossible to delete users individually if they match these criteria. However, your company may want to keep their information if it is relevant to your processes, e.g. keeping a client's details due to invoices they have paid within the past 7 years.

With a list of users who are eligible for bulk erasure, you then simply need to tick each checkbox for each user which you wish to delete. The application here is primarily removing old data from your system.

Please note that the responsibility for Data Erasure lies solely with the Data Controller and not with TutorCruncher. If you are unsure as to whether you need to erase user data, whether it be generally or in line with a request or a right to be forgotten, you will need to speak to a qualified lawyer.

If you need further information regarding this, you can contact our Data Controller by emailing support@tutorcruncher.com.

Glossary of Terms

Consent - freely given, specific, informed and explicit consent by statement or action signifying agreement to the processing of their personal data

Data Controller - the entity that determines the purposes, conditions and means of the processing of personal data

Data Processor - the entity that processes data on behalf of the Data Controller

Data Subject - a natural person whose personal data is processed by a controller or processor

Right to be Forgotten - also known as Data Erasure, it entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties cease processing of the data

EU GDPR Source