GDPR Privacy Policy Requirements
Information on Privacy Policies in relation to GDPR and RMS.
Privacy Policies must be reviewed and amended in line with the new regulations to be compliant with GDPR requirements.
Privacy Policy Content Requirements
The Privacy Policy should communicate exactly how an individual's personal information is going to be collected, processed and stored.
Privacy Policies should clearly state:
- Who the organisation is and what the purpose of personal information collection is.
- The legal basis for processing this data and how consent is obtained.
- The Data Retention Policy in place.
- Individuals' rights to access, withdraw consent or request erasure of their personal information.
- Parties that the individual's personal information will be shared with.
- That RMS stores data outside the EU or EEA for the purpose of processing, backup and disaster recovery.
GDPR places emphasis on the rights of children being outlined in the Privacy Policy, which should make clear reference to the organisation's practices in relation to children's information. If consent is being obtained, the Privacy Policy must state that whoever holds parental responsibility is the one providing consent on the child's behalf. The Privacy Policy must clearly explain the rights relating to both adults' and children's personal information.
Accessibility to the Privacy Policy
A visible link to and/or copy of the Privacy Policy must be provided in any scenario where the exchange of an individual's personal information is being conducted. This includes sign up and subscription forms as well as booking and registration processes.
When using RMS and the RMS IBE, Guest Portal and Digital Registration Card, a URL can be included referencing the Privacy Policy set up in RMS.
Obtaining Consent
Under GDPR, individuals must be given the opportunity to 'Opt in' to their personal information being obtained, retained, updated and stored.
This consent is defined as:
any freely given, specific, informed and unambiguous indication of the Data Subject's (individual's) wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data.