General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) was adopted in the European Union (EU) on April 27, 2016, and it became law on May 25, 2018. RMAPORTAL is compliant with the regulations of the EU General Data Protection Regulation (EU-GDPR).

RMAPORTAL implements appropriate and effective measures that demonstrate our GDPR compliance, including the effectiveness of those measures. Those measures take into account the nature, scope, context and purposes of any of our handling or controlling of data, and the risk to the rights and freedoms of natural persons.

On Data Processing:
  1. We do not perform "regular and systematic monitoring of data subjects on a large scale"; in fact, we do not perform this activity at any scale at all.
  2. We neither collect nor process "special categories of personal data", such as data about race, ethnic origin, political opinions, and religious beliefs.
  3. Processing personal data is not a core part of our business and our activity doesn't create risks for individuals.
  4. Our core activities do not involve processing of sensitive data on a large scale or involve large scale, regular and systematic monitoring of individuals.
  5. None of our services monitor the behavior of data subjects in any form of tracking and profiling on the internet, including for the purposes of behavioral advertising.
  6. Processing of personal data is not part of our services' activity and does not by any means pose a threat to individuals’ rights and freedoms, or concern sensitive data or criminal records.
  7. For all intents and purposes, RMAPORTAL serves as Data Controller to all its direct customers.

Data Protection Activities:
  1. We have a complete and clear audit of all our data, and we safeguard access to it with multi-factor authentication.
  2. We conduct regular Risk Assessments for all features of our service. We have active firewalls (hardware firewalls and a Web Application Firewall (WAF)) set and regularly evaluated to detect and respond to malicious web traffic.
  3. We enforce full encryption between our web servers and their clients. All web traffic is required, redirected and forced to use a secured layer.
  4. We utilize pseudonymisation techniques to further minimize personally identifiable information of our users.
  5. We enable users of our service to use multiple levels of Access Controls that can be configured by the administrators of the respective apps or portals.
  6. We conduct a periodic data destruction routine to ensure that unneeded and expired data are properly degaussed and/or destroyed, so that they are protected from unauthorized recovery and access.
  7. We have procedures in place to detect, report, and investigate a data breach, such as a Data Breach notification process to notify relevant supervisory authorities within 72 hours after its discovery.
  8. We continuously review provisions in the GDPR that apply only in rare instances, and we are prepared to comply within a reasonable time.