Our customers have to comply with data protection regulations and so do we. At ResMed, our goal is to provide you with the technical and organisational support you need while ensuring transparency and accountability around our personal data processing activities.

Our privacy promise

ResMed is committed to operating with professional integrity and high ethical standards. Privacy is one of our core values. We build and support technology and services that help people live healthier, happier lives. We monitor and maintain our devices and solutions in ways that protect privacy and give people control over their information. We are committed to protecting your patients’ personal information.

Your patients’ personal data, protected



When you use our AirView platform, sensitive data is protected by best-in-class teams, systems and processes that have been certified by external auditors to support your compliance with GDPR.

Responsibilities, shared



We are actively working to create an environment of transparency around data collection, usage and storage until deletion. We believe that when we are transparent about our data responsibilities and activities, you will find it easier to comply with your own data protection responsibilities while remaining focused on your own priorities: quality of care and patient outcomes.

Personalised care, enabled



Work with a partner who can provide data privacy but also offer data usability. Our smart, secure solutions leverage the power of data so you can offer patients more personalised treatment and better support.

About GDPR

The data protection standards established by GDPR (General Data Protection Regulation) legislation are among the toughest in the world. GDPR applies to all individuals within the EU and EEA.


GDPR (General Data Protection Regulation) lays down rules for the processing and free movement of personal data. This regulation protects fundamental rights and freedoms of natural persons. Its purpose is to protect European citizens against the unauthorised usage of their personal data.

GDPR protects the personal data of an individual (data subject), namely any information that relates to an individual who can be directly or indirectly identified from that data. Pseudonymous data can be classed as personal data if it could be used to identify the data subject. Examples of personal data are names and email addresses, location information, ethnicity, gender, biometric data, religious beliefs, political opinions and health data. Health data is personal data that relates to the physical or mental health of a person and reveals information about their health status or which makes it possible to infer information about their state of health. Health data is classed as ‘sensitive data’ and, as such, it receives particularly stringent protection under GDPR.

The GDPR uses specific terms to identify different activities and responsibilities in the data workstream. ‘Data processing’ refers to any automated or manual action that is performed on data (e.g. collecting, recording, organising, deleting). The ‘data controller’ is the legal entity which decides why and how personal data will be processed while the ‘data processor’ is the organisation which processes the personal data on behalf of the data controller and under their instructions. Depending on the nature of the data processing in question, ResMed may be the data controller and/or the data processor.

ResMed, like any other individual or organisation that processes data, is obliged under GDPR to respect seven protection and accountability principles:

• Lawfulness, fairness and transparency: processing must be lawful, fair and transparent to the data subject.
• Purpose limitation: data must be processed for the legitimate purposes specified explicitly to the data subject when it was collected.
• Data minimisation: only as much data should be collected and processed as is absolutely necessary for the purposes specified.
• Accuracy: personal data must be kept accurate and up to date.
• Storage limitation: personally identifying data must only be stored for as long as is necessary for the specified purpose.
• Integrity and confidentiality: processing must be done in such a way as to ensure appropriate security, integrity, and confidentiality.
• Accountability: the data controller is responsible for being able to demonstrate GDPR compliance with all of these principles.

Data controllers are responsible for determining how and why personal data is collected and processed, how long the data is kept, and when it is deleted. Data controllers must actively demonstrate full compliance with all data protection principles under GDPR and, if they choose to entrust processing to a third party, are also responsible for the GDPR compliance of the data processor. This means that both the controller and the processor share responsibility for the compliant processing of sensitive data.

The fines for violating the GDPR are very high. There are two tiers of penalties, which max out at €20 million or 4% of global revenue of the company fined (whichever is higher). Data subjects also have the right to seek compensation for damages.