GDPR Privacy Policy requirements and consent within RMS.
Overview
The General Data Protection Regulation (GDPR) is a regulation in European Union (EU) law on data protection and privacy for all individuals within the EU.
Privacy Policy Content Requirements
The Privacy Policy should communicate precisely how an individual's personal information is going to be collected, processed, and stored.
Privacy Policies should clearly state:
- Who the organization is and what the purpose of personal information collection is.
- The legal basis for processing this data and how consent is obtained.
- The Data Retention Policy in place.
- Individual's rights to access, withdraw consent or request erasure of their personal information.
- Parties with whom the individual's personal information will be shared.
- RMS stores data outside the EU or EEA for the purpose of processing, backup, and disaster recovery.
GDPR emphasizes that the rights of children be outlined in the Privacy Policy, with clear reference to the organization's practices relating to children's information.
If consent is being obtained, the Privacy Policy must state that whoever holds parental responsibility is the one providing consent on the child's behalf.
The Privacy Policy must clearly explain the rights relating to both adults' and children's personal information.
Information
RMS recommends seeking independent legal advice with respect to the content, detail and specific clauses outlined in your Privacy Policy.
Individuals whose data was obtained prior to the introduction of GDPR are not required to 'Opt in' but must be provided with the opportunity to 'Opt out' of ongoing retention of their data and/or the opportunity to update their communication preferences.
Accessibility to the Privacy Policy
A visible link to and/or copy of the Privacy Policy must be provided in any scenario where the exchange of an individual's personal information is being conducted. This includes sign up and subscription forms as well as booking and registration processes.
When using RMS and the RMS Booking Engine, Guest Portal, and Digital Registration Card, a URL can be included referencing the Privacy Policy set up in RMS.
Obtaining Consent
Under GDPR, individuals must be provided the opportunity to 'Opt in' to their personal information being obtained, retained, updated, and stored.
This consent is defined as:
any freely given, specific, informed and unambiguous indication of the Data Subject's (individual's) wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data.