Ensuring compliance with GDPR/FADP

Designed by data protection and IT security specialists, Rumya GDPR is a software that offers a concrete response to companies subject to data protection regulations. It is easy to implement, offers a very pragmatic approach and provides your company with efficient day-to-day support.

With 3 complementary modules, it is easy to simplify your compliance!

Would you like to test our product or have a demonstration?

Contact us

The GDPR - General Data Protection Regulation

The European Union regulation (EU 2016/679) which entered into force on 25 May 2018 aims to:

  • • Define the rules regarding the protection of personal data of individuals with respect to the processing of the data and the rules regarding the free movement of such data.
  • • Protect the fundamental rights and freedoms of individuals.
  • • Ensure the free flow of personal data within the European Union and the relevant countries.

Management of Record of Processing Activities

Rumya GDPR / DPA assists you in the creation of your Record of Processing Activities through a simple and fluid user interface, focusing primarily on the documentation of your company's business processes.

Specifically adapted to national, cantonal and regional regulations, the application integrates repositories containing treatment sheet templates, documentary reports and complete parameterization following the expectations of the authorities operating in the company's location.

The Record of Processing Activities is

the fundamental element of the data protection strategy. The obligation to keep a Record of Processing Activities differs according to the legislation to which the organization is bound.
Under the GDPR, every organization is obliged to keep a Record of Processing Activities. Companies with fewer than 250 employees benefit from a derogation and are only required to enter the following processing operations in the record :
  • Non-occasional processing,
  • processing likely to involve a risk to the rights and freedoms of individuals,
  • processing of sensitive data.
Under the DPA, any company employing fewer than 250 employees and presenting a limited risk to the personal data of the persons concerned is exempt from keeping a record, with the responsibility on the company to demonstrate the limited nature of the risk.

Process description

Simple recording of processing activities in line with the expectations of supervisory authorities.


Model repository and recommendations

Database of standard processing, pre-populated lists and document templates supplied as standard with all our subscriptions.


Detection of anomalies and points of attention.

Real-time analysis of inconsistencies or gaps in company documentation.


Impact analysis follow-up

Assistance in carrying out impact assessments and full monitoring of impact analysis.


Directory of processing providers and list of applications

Cross-disciplinary lists of all contacts, companies and applications involved in processing. Measure the impact of these collaborations in just a few clicks.


Employee training management

Consolidation in a single location of training courses for employees in data protection and information security.


Direct mail

Generate working or compliance documents directly in Word and PDF formats.


Group solution

Internal repository, duplication of processes or entities, team management and precise assignment of rights and roles.

Managing individuals’ rights

Rumya GDPR/FADP offers you a tool that makes it easier to manage individuals’ data protection rights.

Specifically created to manage requests according to the principles of privacy by design, the application handles the entire process: from collecting the request to returning the information in a secure extranet via the standardised and traced processing of the request.

Individuals concerned have the following rights:

  1. The right to information
  2. The right to access their personal data
  3. The right to modify their personal data
  4. The right to have their personal data deleted (or the right to be forgotten)
  5. The right to restrict how their personal data is processed
  6. The right to data portability
  7. The right to object to their personal data being processed in certain circumstances
  8. The right to be given an explanation regarding any decision made pertaining to automation or profiling

Application forms

Automated creation and online publication of forms dedicated to the persons concerned


Assistance in processing applications

Providing users step-by-step support in the response process


Collection of personal data

Manual or automated import to collect the information to be communicated to data subjects


Customised connectors (API)

Personal data collection


Secure extranet

Secure area for data subjects to access their information



Interface to quickly view the status of applications


Archiving centre for completed applications

Recording and classification of requests and responses according to legal principles


Documentation centre

Documentary database to store all compliance-related files


Specific access for the Data Protection Officer

Management space, dashboard and multi-company settings



Integration of multiple forms by sector, industry, entity, etc.


Notifications and tasks

Automatic reminders and task management between users


Non-form applications

Receipt and processing of requests received by email, telephone, etc.


Management of user rights

Personal, secure and controlled access to application processing



Visual reporting of application volumes and processing times

Management of data breaches

Rumya GDPR/FADP supports companies if their data is breached.

The application aims to describe and document the breaches according to legal principles. It guides the company in its decisions according to the type of breach and enables it to act accordingly by transmitting information to the persons concerned and to the supervisory authorities.

Personal data breaches

Any organisation that processes personal data must have measures in place to:
  • prevent breaches,
  • document any breaches,
  • notify the supervisory authority,
  • communicate the breach to the persons concerned.

Description of the notification

Form for recording breach-related information according to the recommendations of the supervisory authorities


Entering the chronology of breach

Details of the discovery and management of the breach


Presentation of the measures in place

Description of the measures in place prior to the breach and the consequences for those affected


Action planning

Description of future actions and measures to be implemented to address the breach


Collaborative space for crisis management

Discussion forum and secure data room for crisis management coordination between stakeholders


Automated reporting to data subjects

Email or direct mail notification of the breach and follow-up of the statements


Automated reporting to the supervisory authority

Sending the notification to the supervisory authority according to the reporting methods in force (electronically, Excel file, email)


Versioning and historization according to legal principles

Saving and archiving each version of the notification, comments and changes made

Consent management

Rumya GDRP/FADP aims to manage all information related to the consents of individuals, whether they are customers, employees, or otherwise.

This processing of information extends from the collection of consent, in all its forms, to its withdrawal or deletion and also manages versions of contractual clauses.


Defined as "any freely given, specific, informed and unambiguous indication of a data subject’s wishes by which they signify their agreement, through a declaration or a clear positive act, to have their personal data processed.
Special attention should be paid to the following points:
  • allowing for the right of withdrawal,
  • making it possible to prove consent,
  • managing the consent of minors,
  • special case of explicit consent.

Management of the consent life cycle

Consultation of consent status and management of the versions of associated documents


Collection of consent

Multi-channel consent request and collection via form, email, SMS or dedicated API


Traceability and guarantee of inalterability

Historization of consents using algorithms and chain signatures


Management of parental consent

Integration of the particularities related to the consent of minors and management of the transition to legal age


Managing explicit consent

Integration of handwritten signatures where necessary


Withdrawal of consent

Timestamp of withdrawal and visualisation of impacts on processing activities


Connectors and PLCs

Tailor-made integration of consents into the company's IT ecosystem

Noteworthy information


Data encryption

Transversal securing of exchanges and data


Fully customisable

Customisation of request and response forms according to the particularities of a company


Data historization

Archiving of requests and responses according to legal principles


Automated cleaning

Automatic procedure for destroying access and information


White mark

Possibility of customising the software to your own colours



Forms and management interfaces available in several languages