General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) is the European Union (EU) regulation on data protection and privacy for individuals in the EU. It also governs transfers of personal data outside the EU, with the aim of giving individuals control over their personal data. The GDPR has applied since May 25, 2018, when it replaced the 1995 Data Protection Directive.

GDPR applies to organizations established in the EU and to organizations outside the EU that offer goods or services to, or monitor the behavior of, individuals in the EU. In practice, most large organizations need a GDPR compliance strategy.

Under GDPR, organizations must ensure that personal data is collected lawfully and under strict conditions. Those who collect and manage it are obligated to protect it from misuse and exploitation and to respect the rights of the data subjects (the individuals the data is about).

GDPR Requirements

GDPR introduces new requirements for companies in several key areas.

  • Right to Data Access – Data subjects have the right to request and receive detailed information on what personal data of theirs an organization holds and how it is used. By design, EMS stores only the minimal personal data needed to identify a user and respond to them (e.g., an email address and name, with phone number and job title optional). EMS accepts only the data provided by the organization’s HR source and does not require that information to function.

  • Data Portability – Data subjects have the right to ask that your company transmit their data to another company, facilitating a switch to a competing service or product provider. This does not apply to EMS Software.

  • Right to Be Forgotten – Data subjects can demand that an organization delete all information it has stored about them (typically referred to as “data erasure”) and can revoke previously given consent. EMS Software provides a procedure for customers to respond to a justifiable deletion request (see Right to be Forgotten in EMS below).

  • Breach Notification – Applies to both data controllers and processors. A controller must report a personal data breach to its supervisory authority within 72 hours of becoming aware of it, and must inform the affected data subjects without undue delay when the breach is likely to put their rights and freedoms at high risk; a processor must notify the controller without undue delay. For EMS this applies to EMS Cloud Services customers only: in the unlikely event of a breach, EMS Software (as processor) would notify the affected Cloud Services customers, and those customers (as controllers) would then notify their supervisory authority and any affected data subjects.

This topic covers what counts as personal data, the processor and controller roles, how GDPR applies to EMS, and how to handle a right-to-be-forgotten request in EMS.

What is Personal Data?

Under the previous legislation, personal data included names, addresses, and photos. GDPR broadens the definition so that online identifiers such as an IP address also count as personal data. It also defines special categories of sensitive personal data, such as genetic or biometric data processed to uniquely identify an individual, which are subject to stricter conditions.

Processors and Controllers

The legislation applies to two different types of data handler: processors and controllers. In an EMS Cloud Services deployment, the customer is the controller and EMS Software is a processor acting on its behalf. For detailed information, see General Data Protection Regulation.

Processors

The processor is the person, public authority, agency or other body which processes personal data on behalf of the controller.

Controllers

The controller is the person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing personal data.

GDPR and EMS

EMS customers should enter only the personal data EMS needs; do not enter unnecessary personal data into EMS (data minimization).

GDPR is a data privacy standard, not a software standard. EMS Software supports its customers' GDPR compliance by providing enterprise-class information security. By design, EMS stores only the minimal personal data needed to identify a user and respond to them (e.g., an email address and name). The user data behind reservations is selected and provisioned by the organization from its HR source and is not within the control of EMS Software; EMS accepts only the data that source provides and does not require it to function.

In practice, the main GDPR task for EMS is removing personal data when a user leaves. EMS is driven by the user data provided by the HR source, which also manages that data; the HR system is responsible for releasing and removing the data from its records. Once that is done, the data is no longer available to EMS, although any existing reservation records that still name the user must be handled as described under Right to be Forgotten in EMS below.

Historical data that EMS keeps for reporting is typically aggregated (percentages and usage totals) and does not include named users. In the exceptions where named users are recorded (invoicing and responsible party), the organization may choose to retain those records where it has a legal basis to do so, for example a legal obligation to keep billing records.

Right to be Forgotten in EMS

Where there is a justifiable reason, a data subject can demand that an organization delete all information it has stored about them (typically referred to as “data erasure”) and can revoke previously given consent.

To do this in EMS, create an "anonymous" user that holds no real personal data. Then reassign every reservation belonging to the user to be deleted to this anonymous user. Once the original user has no reservations associated with them, delete the user. This satisfies the deletion request while keeping the reservation history available for reporting. Before deleting, check for any invoicing or responsible-party records that still name the user and decide whether they must be retained (see above), and make sure the user has also been removed at the HR source, which EMS treats as authoritative.
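As an added illustration of this reassign-then-delete procedure (this is not EMS code; the tables, column names and sample rows are constructed for the example and do not reflect EMS's schema), the Python script below runs the whole procedure as one database transaction: it creates the anonymous placeholder if needed, moves the reservations, verifies that none remain, and only then deletes the user. It also refuses to erase a user who is still named on an invoice, since such records may have to be retained, and it refuses to delete the placeholder itself.

```python
"""Reassign-then-delete erasure of a user from a reservation database.

Added example, not EMS code: the schema, table and column names and the
sample rows are all constructed here and are not EMS's own.
"""
import sqlite3

ANON_EMAIL = "anonymous@invalid"  # .invalid is reserved (RFC 2606), never a real mailbox

SCHEMA = """
CREATE TABLE users (
    id INTEGER PRIMARY KEY, email TEXT NOT NULL UNIQUE, name TEXT NOT NULL, phone TEXT);
CREATE TABLE reservations (
    id INTEGER PRIMARY KEY, room TEXT NOT NULL, starts_at TEXT NOT NULL,
    user_id INTEGER NOT NULL REFERENCES users(id));
-- invoices name a responsible party; such records may have to be retained
CREATE TABLE invoices (
    id INTEGER PRIMARY KEY, reservation_id INTEGER NOT NULL REFERENCES reservations(id),
    responsible_user_id INTEGER NOT NULL REFERENCES users(id), amount_cents INTEGER NOT NULL);
"""


class ErasureBlocked(Exception):
    """The request cannot be completed automatically; a person must decide."""


def open_db():
    """In-memory database with foreign keys enforced, so a user who is still
    referenced can never be deleted even if the checks below are bypassed."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    return conn


def seed(conn):
    """Constructed sample data: two users, three reservations, one invoice."""
    conn.executemany(
        "INSERT INTO users (id, email, name, phone) VALUES (?, ?, ?, ?)",
        [(1, "a.person@example.com", "A. Person", "+1 555 0100"),
         (2, "b.person@example.com", "B. Person", None)])
    conn.executemany(
        "INSERT INTO reservations (id, room, starts_at, user_id) VALUES (?, ?, ?, ?)",
        [(10, "Room 101", "2024-03-01T09:00", 1),
         (11, "Room 202", "2024-03-02T13:00", 1),
         (12, "Room 101", "2024-03-03T10:00", 2)])
    conn.execute("INSERT INTO invoices (id, reservation_id, responsible_user_id, amount_cents) "
                 "VALUES (?, ?, ?, ?)", (100, 12, 2, 5000))
    conn.commit()


def anonymous_user_id(conn):
    """Return the placeholder user's id, creating it with no real personal data."""
    row = conn.execute("SELECT id FROM users WHERE email = ?", (ANON_EMAIL,)).fetchone()
    if row:
        return row[0]
    cur = conn.execute("INSERT INTO users (email, name, phone) VALUES (?, 'Anonymous', NULL)",
                       (ANON_EMAIL,))
    return cur.lastrowid


def erase_user(conn, user_id):
    """Reassign the user's reservations to the anonymous user, then delete the user.

    One transaction: any failure rolls everything back, so the database is never
    left half-anonymised. Returns the number of reservations reassigned.
    """
    with conn:  # commit on success, roll back on any exception
        anon = anonymous_user_id(conn)
        if user_id == anon:
            raise ErasureBlocked("refusing to delete the anonymous placeholder itself")
        # Named-party records may have to be kept for legal reasons: stop and let a
        # person decide rather than silently deleting or silently keeping them.
        named = conn.execute("SELECT COUNT(*) FROM invoices WHERE responsible_user_id = ?",
                             (user_id,)).fetchone()[0]
        if named:
            raise ErasureBlocked(f"{named} invoice(s) still name user {user_id} as responsible party")
        moved = conn.execute("UPDATE reservations SET user_id = ? WHERE user_id = ?",
                             (anon, user_id)).rowcount
        # Verify before deleting: the user must have no reservations left.
        left = conn.execute("SELECT COUNT(*) FROM reservations WHERE user_id = ?",
                            (user_id,)).fetchone()[0]
        if left:
            raise ErasureBlocked(f"{left} reservation(s) still reference user {user_id}")
        if conn.execute("DELETE FROM users WHERE id = ?", (user_id,)).rowcount != 1:
            raise ErasureBlocked(f"no user with id {user_id}")
    return moved


def user_exists(conn, user_id):
    return conn.execute("SELECT COUNT(*) FROM users WHERE id = ?", (user_id,)).fetchone()[0] == 1


def reservation_owner(conn, reservation_id):
    """Email of the user a reservation now belongs to (None if no such reservation)."""
    row = conn.execute("SELECT u.email FROM reservations r JOIN users u ON u.id = r.user_id "
                       "WHERE r.id = ?", (reservation_id,)).fetchone()
    return row[0] if row else None
```

Running `erase_user(db, 1)` on the seeded database reassigns both of user 1's reservations and removes the user, while `erase_user(db, 2)` raises `ErasureBlocked` because an invoice still names user 2 as responsible party; nothing is changed in that case. Keep the check-then-delete order: the verification query and the delete run inside the same transaction, so a reservation created for the user between the two steps cannot be orphaned, and the foreign key constraint is the last line of defence if it somehow is.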