Under GDPR an EU Data Subject can request to have Personal Data removed that is being collected or processed by a separate entity. GDPR requires that when an individual invokes the right to be forgotten that an organization must delete the data from their systems within 30 days.
RMS has processes and procedures in place so that any client data received is only held and processed for as long as is necessary to fulfill any contractual obligations. Once the processing has finished, all received data is promptly removed from RMS systems in accordance with the contract terms.
Since RMS acts as a Data Processor of Personal Data and not a Data Controller with respect to the handling of client data, a request by an EU subject to invoke the right to be forgotten would be initiated with the client directly, and not RMS. At that point, RMS has procedures that will be invoked on behalf of the client so that the Data Subject’s information is removed from our systems.