
    GDPR Responsibilities

    Information on GDPR responsibilities for customers using RMS.

    GDPR includes six key principles that govern how organisations should treat the personal information of individuals.

    It is the responsibility of the Data Controller (customer of RMS) to ensure that an individual's personal information is:

    1. Collected in a Transparent Manner
      All personal information must be processed in a lawful, fair and transparent manner.
    2. Collected for a Legitimate Purpose
      All personal information must only be used for the purpose(s) explicitly specified at the time of collection.
    3. Used with Limitation and Relevance
      The use of personal information is limited to the necessary purpose(s) for which it was collected.
    4. Collected and Maintained in an Accurate Manner
      All personal information should be accurate and, if necessary, kept up to date.
    5. Stored and Used with Time Limitation
      All personal information should be kept in a form which permits identification of individuals (Data Subjects) for no longer than is necessary.
    6. Secure
      Adequate security measures need to be in place to prevent unauthorised access or accidental loss of an individual's (Data Subject's) personal information.

    Additional Information for RMS Users


    RMS provides high levels of security with respect to user login and data encryption to prevent data from being read, copied, altered or deleted by unauthorised parties during transmission. RMS encrypts storage to further safeguard against data breaches.

    Data Retention

    The Data Controller (RMS customer) must decide on the appropriate time duration to retain personal data.

    RMS provides configuration options for implementing individual policies.

    GDPR does not define a specific time period for retention; it stipulates only that an individual's personal data should be held for no longer than is required for the purpose for which it was obtained.


    In the unlikely event that personal data is obtained from either a breach of security procedures at the property or from the RMS data centres, GDPR requires that the Data Controller (RMS customer) shall, without undue delay and where feasible, notify the supervisory authority no later than 72 hours after having become aware of the breach. When the personal data breach is likely to result in a high risk to the individual's (Data Subject's) rights and freedoms, the Data Controller shall communicate the breach to that person without undue delay.
