GDPR Responsibilities
Information on GDPR responsibilities for customers using RMS.
GDPR includes six key principles that govern how organisations should treat the personal information of individuals.
It is the responsibility of the Data Controller (customer of RMS) to ensure that an individual's personal information is:
- Collected in a Transparent Manner
  All personal information must be processed in a lawful, fair and transparent manner.
- Collected for a Legitimate Purpose
  All personal information must only be used for the purpose(s) explicitly specified at the time of collection.
- Used with Limitation and Relevance
  The use of personal information is limited to the necessary purpose(s) for which it was collected.
- Collected and Maintained in an Accurate Manner
  All personal information should be accurate and, if necessary, kept up to date.
- Stored and Used with Time Limitation
  All personal information should be kept in a form which permits identification of individuals (Data Subjects) for no longer than is necessary.
- Secure
  Adequate security measures need to be in place to prevent unauthorised access or accidental loss of an individual's (Data Subject's) personal information.
Additional Information for RMS Users
Security
RMS provides high levels of security with respect to user login and data encryption to prevent data from being read, copied, altered or deleted by unauthorised parties during transmission. RMS encrypts storage to further safeguard against data breaches.
Data Retention
The Data Controller (RMS customer) must decide on the appropriate time duration to retain personal data.
RMS provides configuration options for implementing individual policies.
GDPR does not define a specific time period for retention; it stipulates only that an individual's personal data should be held for no longer than is required for the purpose for which it was obtained.
Notification
In the unlikely event that personal data is obtained through a breach of security procedures, either at the property or at the RMS data centres, GDPR requires that the Data Controller (RMS customer) shall, without undue delay and where feasible, notify the supervisory authority no later than 72 hours after having become aware of the breach. When the personal data breach is likely to result in a high risk to the individual's (Data Subject's) rights and freedoms, the Data Controller shall communicate the breach to that person without undue delay.