MRI Software and GDPR

As a global organisation with offices, people and data located at multiple locations across the world, MRI Software recognises the important of protecting data and complying with jurisdictional data laws.

This page provides a summary of GDPR in relation to MRI and the various software solutions provided by MRI only. All answers are provided based upon MRI’s interpretation of the GDPR legislation. MRI is not providing legal advice, and we advise our clients to consult with their own independent legal counsel for any information related to compliance with GDPR.

Please note, that this page will be updated regularly, check back for more updates.

Content:

GDPR Frequently Asked Questions
1. What is GDPR?

GDPR refers to the General Data Protection Regulation, EU 2016-679, which took effect on 25 May 2018. GDPR applies to all companies located within the European Economic Area (and the UK until the end of the Brexit transitional period on 1 January 2021) but it also has extra-territorial reach and extends to any person organisation accessing, utilising, or processing personal information of EEA data subjects. GDPR outlines the rights due to a data subject with respect to their own Personal Information and the obligations of the data controllers and data processors with respect to that same Personal Information.

Personal Information, under GDPR, is any information relating to an identified or identifiable natural person (‘data subject’). An identifiable natural person is a person (not a business) who can be identified, directly or indirectly, by using the data without reference to separately stored information. Some examples of Personal Information would be a name, an identification number, location data, an online identifier. All data points must be viewed in light of whether that data would, without reference to separately stored information, be likely to relate to an identified or identifiable natural person.

2. Does GDPR apply to the MRI products?

Possibly. If the product that you are using from MRI contains Personal Information (see previous question) of an EEA data subject, then it will likely fall under GDPR. Personal Information might be stored in obvious locations, such as fields identified by the personal data label like name and address, or Personal Information may be stored in less obvious locations, for example as unstructured data such as comments, notes, custom fields, or file attachments. As the data controller, the client (you) ultimately determine what Personal Information you will store within the system and where you store it. Your record management policies should identify where you have recorded Personal Information.

As the data processor, MRI has taken and is continuing to take steps to protect the Personal Information that is intended to or likely to be stored or input into the MRI system or provided to MRI and its subcontractors. As such, it is important for you to consider the intended use of the software as an aid to your overall compliance with GDPR. As always, MRI is happy to assist you in determining recommended uses of the software fields and storage locations.

3. In what capacity does MRI process Personal Information?

MRI is most commonly acting as the data processor and processes Personal Information in order to perform its obligations under the governing agreement between the client (you) and MRI. MRI processes information as permitted under that governing agreement. For SaaS (cloud) or MRI-hosted clients, the Personal Information is held within MRI’s systems and data centres (see more information on data centres below). For on-premise (or client-hosted) clients, the Personal Information is held within your own systems and not held by MRI. Additionally, clients will send Personal Information to MRI for implementation, testing, or support purposes.

MRI does act as a data controller also where it holds data on its clients to perform its contracts, such as if an individual is named as a billing contact in our internal CRM system or where individuals information is collected for marketing purposes so we can share updates with you or invite you to events. You can access our privacy policy here.

4. What types of Personal Information are held within the MRI systems and who are the data subjects of that Personal Information?

The type of Personal Information held will vary depending on what product lines you are using as well as how you individually are utilising the system. With that in mind, we have provided a table below that outlines what Personal Information is likely to be contained within MRI’s product lines and which data subjects are likely to be impacted. We will add additional information outlining the type of data and data subject which are likely to be held within the specific MRI products that you use on this page as it becomes available.

Type of Data Data Subjects Impacted
Personal data such as name, identification number, etc.;

Contact details such as phone number, email address, home address;

Financial or payment details;

Files, images, or videos;

Contract details

Contractor insurance information

Customers and potential customers of the Client;

Client’s employees and staff;

Client’s consultants or other professional experts;

Suppliers;

Children (13 or under)

For specific product information click here.

5. Do we need to get consent from every data subject about whom we hold Personal Information?

MRI does not determine the lawful basis for processing. It’s for the data controller – our clients – to decide what the right lawful basis for processing personal data is and to make that clear to the data subjects in its privacy policies and processes. Consent is just one of several different bases for data processing.

6. Does MRI use third-party data centres for holding Personal Information?

Yes. MRI utilises state-of-the-art data centres for its cloud-based offerings. As of April 2018, MRI utilised data centres in London, Ireland, Germany, Chicago, Virginia, Georgia, Singapore, Netherlands, and Sydney for its production and backup environments. We will add additional information, specific to the MRI products that you use, on this page as it becomes available.

For general reference, MRI’s UK data centres are:

Product Line Primary Data Centre Location Secondary Data Centre Location
Castleton Castleton Maidenhead
Iomart – Maidenhead
Iomart – London
Microsoft Azure (UK West – Cardiff)
AWS (service)
Castleton Newport
Castleton Gosport
Iomart – Nottingham
Iomart – Leicester
Azure UK West(Cardiff)
Orchard ITPS
Angel House, Drum Industrial Estate
DH2 1AQ Chester Le Street
United KingdomCastleton DCAzure (UK South)
Azure (Azure North Europe – Dublin)
Leopardstown, Dublin, Ireland
AWS (London eu-west-2)
ITPS
Angel House, Drum Industrial Estate
DH2 1AQ Chester Le Street
United KingdomCastleton DCAzure (UK South)
Azure (Azure North Europe – Dublin)
Leopardstown, Dublin, Ireland
AWS (London eu-west-2)
Housing Partners Azure North Europe (Dublin)
Leopardstown, Dublin, Ireland
Azure West Europe (Amsterdam)
Agriport 601,
1775 TK Middenmeer,
Netherlands
Property Management X
Investment Modeling
RAM
Screening Gateway
Connect Suite
Platform services
Digital Realty Cyrus
One DH216 Goldsworth Park Trading Estate Kestrel Way Woking GU21 3BAIreland Azure – DublinAzure UK West – EdinburghAzure UK South – London
Global Switch2
Suite J1, 10th Floor
3 Nutmeg Lane
London E14 2AX. London
Qube PM
Planet
Horizon
Sales and Lettings
Global Switch2
Suite J1, 10th Floor
3 Nutmeg Lane
London E14 2AX. London
Digital Realty Cyrus
One DH216 Goldsworth Park Trading Estate Kestrel Way Woking GU21 3BA
Engage Azure West Europe (Netherlands) – Middenmeer
Leverton Azure Germany West Central – Frankfort Azure Germany North Public – Berlin

You can find MRI’s privacy shield status here.

For product specific information click here.

7. What software changes are being made in order to better manage GDPR?

Although we cannot guarantee against all potential loss of Personal Data while processing, MRI has and will continue to institute technical measures which are appropriate to ensure a level of security which takes into account the nature, scope, context and purposes of processing of Personal Information. Where such measures cannot be accomplished automatically, we will recommend additional steps that can be taken (by either MRI or you) to continue to enhance the security of the Personal Information.

To provide one example to illustrate this, within a product suite there may be transactional records that contain Personal Information that cannot be automatically deleted or anonymised by the user real-time. These records additionally contain PDFs associated with these transactional records, for example a rent invoice. As such, MRI will provide a new routine for this product that purges the PDFs and anonymises the transactional record. This routine will operate as an automatic overnight process and will purge and anonymise based on a record retention policy value (i.e. 12 years) that you set within the system configuration and based upon your record retention policy.

8. What organisational measures does MRI have in place to protect our personal information?

MRI has and will continue to institute organisational measures which are appropriate to ensure a level of security which takes into account the nature, scope, context and purposes of processing of Personal Information. Specifically, MRI maintains a document information security plan which outlines the physical, technical, and organisational security guidelines, including outlined training, awareness and employee vetting procedures. MRI’s information security plan also outlines the encryption of client data, disaster recovery and business continuity plans, vulnerability testing, security audits, and data breach procedures.

As one example, MRI maintains employment policies relating to the handling of Personal Information, which ensures that access is restricted to authorised personnel only. These policies include password requirements, user authentication, and confidentiality obligations. MRI regularly trains its staff and management on these policies and monitors compliance with the same. Additionally, MRI’s Information Security Team and Data Privacy Practitioner(s) regularly monitor the policies, training and compliance with the same.

For specific product information click here.

9. How do I ensure the security of Personal Information?

You can protect the Personal Information of your data subject by establishing suitable controls and policies with respect to this information within your organisation which are aimed at preventing unauthorised access to the software and infrastructure where the data will be stored. Your controls may include education, and training to users about the importance of protecting the data, user authentication policies, user roles, privileges, security rights, segregation of duties and access management.

In addition, MRI provides its customers with tools which enable you, as the data controller, to set security controls to protect the Personal Information within your company. These tools will vary based on the products and delivery mechanism purchased (i.e. SaaS/cloud-based v. on-premise installation).

For specific product information click here.

10. Does MRI have a process in place for notification, containment and remediation in the event of a data breach?

MRI is committed to protecting the security of the client data within its systems. MRI has processes and protection in place to investigate any potential data breach, notify affected client(s) of such breach, provide information to the client related to the data breach, contain and correct the data breach, and to mitigate the effects of the data breach. Additionally, if a data breach were ever to occur, MRI will work with its clients to comply with the clients’ own obligations under GDPR.

For specific product information click here.

11. If we receive a request for Personal Information that is currently being held in the MRI SaaS active system, how can we get that information from MRI?

You will need to identify through your record management policies where that Personal Information is held (for example in structured and unstructured data fields) and then use the reporting features of the software to provide this, which could be a mixture of screen copies, spreadsheets or reports. Please contact MRI’s support team if you are having trouble extracting this information. Support will be provided in accordance with your governing agreement in place with MRI.

For specific product information click here.

12. How do we permanently delete Personal Information after the end of its retention period, or on a right to be forgotten request?

Most of our products provide you with the ability to delete Personal Information manually from the user interface within the active system. For those records that cannot be deleted using the user interface, you may have the ability to anonymise it so that it no longer identifies that individual by overwriting the fields that store the Personal Information, thus eliminating the data as Personal Information. If you have questions about deleting or overwriting such information, please contact MRI’s support team. Support will be provided in accordance with your governing agreement in place with MRI.

If you need to permanently delete or overwrite information stored within MRI’s backup data centres, please contact MRI’s support team as the process differs based on the length of time the Personal Information has been residing within the system. Support will be provided in accordance with your governing agreement in place with MRI.

For specific product information click here.

13. How long does MRI hold our data within its system and its backups?

MRI does not proactively delete Personal Information while you are still a client of MRI’s. If during that time you need to delete Personal Information, you will need to make those changes through the user interface or contact MRI support for assistance. Support will be provided in accordance with your governing agreement in place with MRI. While you are a still a client of MRI’s, MRI will make regular backups of the database for backup and data restoration purposes.

Once you are no longer an active client and your contractual term has expired, MRI will remove your database, including all data, from its active environment and the database will not be included in periodic backup logs that are captured in the future.

For specific product information click here.

14. Can I run an audit of MRI’s system so that I am satisfied with its security?

MRI protects the privacy and security of the Personal Information that is entrusted to it. In order to maintain that privacy, we do not allow any of our clients to audit our systems or records, as such an audit could expose Personal Information of other data subjects and other clients. However, MRI does maintain records and information that are necessary to demonstrate its compliance with the data protection laws applicable to it in the processing of Personal Information. This information can be made available to our clients upon request.

If you feel that an audit of MRI’s systems is fundamentally required for your organisation, then we encourage you to reach out to your Account Manager to discuss alternatives. Such alternatives can only be considered if your database is housed within a dedicated SaaS environment, which you will need to purchase, and will come with restrictions.

15. How can I comply with a data subject’s request to correct their Personal Information within the SaaS System?

Many of our products provide you with the ability to correct Personal Information manually from the user interface within the active system. To start, you will need to identify, through your record management policies, where the Personal Information in question is being held and then update it.

If you are unable to perform this task within the user interface, please contact MRI’s client support for assistance.

16. Does MRI have a privacy manager or an equivalent?

MRI has a Data Privacy Practitioner(s) who oversees the organisation’s privacy practices and ensures ongoing GDPR compliance. The Data Privacy Practitioner can be reached at DataPrivacyPractitioner@mrisoftware.com.

17. Does MRI have a contract addendum that covers GDPR?

Where MRI is required by law to perform certain activities, we generally do not proactively contract for the same requirements. Where the obligations are not imposed automatically, or the client is required to have them outlined in contract, MRI does have a contractual addendum related to GDPR that you can obtain through your Account Representative. As such an addendum relates directly to MRI’s security and internal policies, we do not often incorporate a client’s data security addendum without revision.

MRI Software participates in the EU-US Privacy Shield Framework.

privacy shield

Privacy Shield was created to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union to the United States in support of transatlantic commerce. On 12 July 2016, the European Commission deemed the EU-U.S. Privacy Shield Framework adequate to enable data transfers under EU law.

You can find MRI’s privacy shield status here.

On 16 July 2020, the Court of Justice of the European Union issued its judgment in the Schrems II case. This ruling invalidated the use of EU-US Privacy Shield as a way to transfer personal data to the US. For the time being, MRI has decided to continue to subscribe to this framework as a way of evidencing its commitment to adhering to the highest standard of data protection compliance.

MRI did not rely solely on the EU-US Privacy Shield Framework as the basis for its international data transfers in any event. MRI has in place intergroup agreements incorporating the EU Standard Contractual Clauses. This agreement is in place between its key operational entities in Europe and MRI Software LLC.

It is important to note that the judgment of the Schrems II case did confirm that companies can continue to use the EU Standard Contractual Clauses as a valid mechanism for transferring data outside the EEA.

STANDARD CONTRACTUAL CLAUSES

In November 2020 the European Commissions released a draft of revised standard data contractual clauses (SCCs). This included the introduction of processor-processor and processor-controller transfers. These are expected to be finalised later this year/early next and a 12 month introductory period will commence in which existing SCCs should be repapered with these new texts.

MRI will be monitoring the launch of the new SCCs and repapering promptly following launch.

In addition to MRI’s current implementation of the existing EU SCCs for transfer already in place, MRI is considering including, MRI is also considering including the processor-controller SCCs for transfers of data to the UK following Brexit if there is no adequacy ruling granted (for more information please see section on Brexit).

BREXIT

The UK officially left the EU on 31 January 2020 and the Brexit transition period finished on 31 December 2021.

From a data protection perspective the UK is now in the “bridge” period. The EU has agreed to permit data transfers between the UK and EU for at least four months. This may be further extended to six months.

During the bridge period, the UK government are seeking an adequacy ruling to cover data transfers made between the EU and UK.

MRI are continuing to closely monitor this situation. At this point, we are not implementing any changes to our customer contracts or data processing documentation.

For our clients who are UK companies:

  • the GDPR will be effectively transposed into domestic UK law on 1 January 2021;
  • the UK government has confirmed that transfers from the UK to the EEA will not be restricted and it will affectively be granting “adequacy” to all EEA countries;
  • for transfers to other countries, the UK government also confirmed it intends to recognise current EU adequacy decisions, Binding Corporate Rules and the Standard Contractual Clauses as a basis for international data transfers;
  • but, unless the EU Commission makes an adequacy decision in favour of the UK which will authorise the flow of data from the EEA to the UK, MRI as a data processor could be in breach of GDPR when it transfers data from the EEA back to the UK. We are monitoring closely this situation and will take all necessary steps to legitimise this and comply with the GDPR. We are considering including the new processor-controller SCCs once approved as standard in our Data Privacy Schedule for UK clients.

For our client based in the European Economic Area:

  • MRI has updated its standard Data Privacy Schedule in its Master Agreement – accessible here – to incorporate EU Standard Contractual Clauses for controllers-processors for this data flow only. For the majority of our clients this update will automatically apply to your contract, If you are concerned as to whether or not this applies to your MRI contract please discuss with your Account Manager.
STANDARD DPA

We include a specific schedule in our Master Agreement that deals with data protection considerations. You can access this here.

If you are unsure whether this Schedule applies to your contract with MRI please contact your Account Manager to discuss further.

APPOINTED REPRESENTATIVE

MRI Software Ireland Limited will on 1 January 2020 become the “appointed representative” for MRI in the EEA.

Select your region

17000+

Clients

16.1m

Units

3.3m

Leases

200+

Partners

170+

Countries