Ensuring compliance with GDPR/FADP

Designed by data protection and IT security specialists, Rumya GDPR is a software that offers a concrete response to companies subject to data protection regulations. It is easy to implement, offers a very pragmatic approach and provides your company with efficient day-to-day support.

With 3 complementary modules, it is easy to simplify your compliance!

Would you like to test our product or have a demonstration?

Contact us

The GDPR - General Data Protection Regulation

The European Union regulation (EU 2016/679) which entered into force on 25 May 2018 aims to:

  • • Define the rules regarding the protection of personal data of individuals with respect to the processing of the data and the rules regarding the free movement of such data.
  • • Protect the fundamental rights and freedoms of individuals.
  • • Ensure the free flow of personal data within the European Union and the relevant countries.

Gestion des registres d'activités de traitement

Rumya RGPD / LPD vous assiste dans la création de votre registre d’activités de traitement à travers une utilisation simple et fluide se concentrant principalement sur la documentation des processus métier de l’entreprise.

Spécifiquement adaptée aux réglementations nationales, cantonales et régionales, l’application intègre des référentiels contenant des modèles de fiches de traitement, des rapports documentaires et un paramétrage complet selon les attentes des autorités relatives à la situation de l’entreprise.

Le registre d'activités de traitement est

l’élément fondamental de la stratégie de protection des données. L’obligation de tenir un registre d’activités de traitement est différente selon la législation à laquelle l’organisation est liée.
Sous le RGPD, tout organisme a l’obligation de tenir un registre des traitements. Les entreprises de moins de 250 salariés bénéficient d’une dérogation et ont seulement l’obligation d’inscrire au registre les traitements suivants :
  • les traitements non occasionnels,
  • les traitements susceptibles de comporter un risque pour les droits et libertés des personnes,
  • les traitements qui portent sur des données sensibles.
Sous la LPD, toute entreprise employant moins de 250 collaborateurs et présentant un risque limité pour la personnalité des personnes concernées est exemptée de la tenue d’un registre, charge à l’entreprise de démontrer le caractère limité du risque.

Descriptif des traitements

Saisie en toute simplicité des activités de traitement selon les attentes des autorités de contrôle.


Référentiel de modèles et recommandations

Base de données de traitements types, de listes pré-alimentées et de modèles de documents fournis en standard dans tous nos abonnements.


Détection des anomalies et points d’attention.

Analyse en temps réel des incohérences ou manques dans la documentation de l’entreprise.


Suivi des analyses d’impact

Assistance à réalisation des évaluations d’impact et suivi complet de la réalisation des analyses d’impact.


Annuaire des intervenants sur les traitements et liste des applications

Listes transversales de tous les contacts, entreprises et applications liés aux traitements. Mesure des impacts de ces collaborations en quelques clics.


Gestion des formations des collaborateurs

Consolidation en un seul lieu des formations suivies par les collaborateurs dans le cadre de la protection des données et de la sécurité de l’information.



Génération des documents de travail ou de conformité directement aux formats Word et PDF.


Solution groupe

Référentiel interne, duplication de traitements ou d’entités, gestion des équipes et attribution précise des droits et des rôles.

Managing individuals’ rights

Rumya GDPR/FADP offers you a tool that makes it easier to manage individuals’ data protection rights.

Specifically created to manage requests according to the principles of privacy by design, the application handles the entire process: from collecting the request to returning the information in a secure extranet via the standardised and traced processing of the request.

Individuals concerned have the following rights:

  1. The right to information
  2. The right to access their personal data
  3. The right to modify their personal data
  4. The right to have their personal data deleted (or the right to be forgotten)
  5. The right to restrict how their personal data is processed
  6. The right to data portability
  7. The right to object to their personal data being processed in certain circumstances
  8. The right to be given an explanation regarding any decision made pertaining to automation or profiling

Application forms

Automated creation and online publication of forms dedicated to the persons concerned


Assistance in processing applications

Providing users step-by-step support in the response process


Collection of personal data

Manual or automated import to collect the information to be communicated to data subjects


Customised connectors (API)

Personal data collection


Secure extranet

Secure area for data subjects to access their information



Interface to quickly view the status of applications


Archiving centre for completed applications

Recording and classification of requests and responses according to legal principles


Documentation centre

Documentary database to store all compliance-related files


Specific access for the Data Protection Officer

Management space, dashboard and multi-company settings



Integration of multiple forms by sector, industry, entity, etc.


Notifications and tasks

Automatic reminders and task management between users


Non-form applications

Receipt and processing of requests received by email, telephone, etc.


Management of user rights

Personal, secure and controlled access to application processing



Visual reporting of application volumes and processing times

Management of data breaches

Rumya GDPR/FADP supports companies if their data is breached.

The application aims to describe and document the breaches according to legal principles. It guides the company in its decisions according to the type of breach and enables it to act accordingly by transmitting information to the persons concerned and to the supervisory authorities.

Personal data breaches

Any organisation that processes personal data must have measures in place to:
  • prevent breaches,
  • document any breaches,
  • notify the supervisory authority,
  • communicate the breach to the persons concerned.

Description of the notification

Form for recording breach-related information according to the recommendations of the supervisory authorities


Entering the chronology of breach

Details of the discovery and management of the breach


Presentation of the measures in place

Description of the measures in place prior to the breach and the consequences for those affected


Action planning

Description of future actions and measures to be implemented to address the breach


Collaborative space for crisis management

Discussion forum and secure data room for crisis management coordination between stakeholders


Automated reporting to data subjects

Email or direct mail notification of the breach and follow-up of the statements


Automated reporting to the supervisory authority

Sending the notification to the supervisory authority according to the reporting methods in force (electronically, Excel file, email)


Versioning and historization according to legal principles

Saving and archiving each version of the notification, comments and changes made

Consent management

Rumya GDRP/FADP aims to manage all information related to the consents of individuals, whether they are customers, employees, or otherwise.

This processing of information extends from the collection of consent, in all its forms, to its withdrawal or deletion and also manages versions of contractual clauses.


Defined as "any freely given, specific, informed and unambiguous indication of a data subject’s wishes by which they signify their agreement, through a declaration or a clear positive act, to have their personal data processed.
Special attention should be paid to the following points:
  • allowing for the right of withdrawal,
  • making it possible to prove consent,
  • managing the consent of minors,
  • special case of explicit consent.

Management of the consent life cycle

Consultation of consent status and management of the versions of associated documents


Collection of consent

Multi-channel consent request and collection via form, email, SMS or dedicated API


Traceability and guarantee of inalterability

Historization of consents using algorithms and chain signatures


Management of parental consent

Integration of the particularities related to the consent of minors and management of the transition to legal age


Managing explicit consent

Integration of handwritten signatures where necessary


Withdrawal of consent

Timestamp of withdrawal and visualisation of impacts on processing activities


Connectors and PLCs

Tailor-made integration of consents into the company's IT ecosystem

Noteworthy information


Data encryption

Transversal securing of exchanges and data


Fully customisable

Customisation of request and response forms according to the particularities of a company


Data historization

Archiving of requests and responses according to legal principles


Automated cleaning

Automatic procedure for destroying access and information


White mark

Possibility of customising the software to your own colours



Forms and management interfaces available in several languages