Data privacy is a complex issue

No, the fact that it is a contact form and the user fills it out is already “consent”. The user (person) does however need to be informed about the processing activities that occur with the data entered.

That depends. In Austria, if you are in a business relationship with the data subject, you do not need explicit consent for sending a newsletter. This falls under “Legitimate Interest”. If this is not the case the legal basis needs to be “Consent” and then you do need explicit consent.

No, all that is required is that users are informed about how you process their data at the point of collection. There is no legal requirement for them to give you explicit consent.

You can only ask for consent if the reason is based on a legitimate purpose. E.g: if you sell shoes, you have a legitimate purpose for collecting your customers shoe size, but you have no business collecting their height or clothing size. Even if they consent to you collecting their data, other than shoe size, you need a legitimate reason for collecting it.

A cookie is a small text file that stores your settings when you surf the web. Almost all websites use cookies and similar technologies. The first time you visit a website the cookies are downloaded and stored in your browser*. When you return to the website the next time, with the same device and using the same browser, the cookie information gets sent to the website to improve your surfing experience. This can mean, remembering your login details, so that you don’t have to login again. What you have liked in the past to optimize what you see in the future and it also means faster loading times for you. Cookies also give businesses information about what people click on and what not, what they read, etc. so for marketing and sales purposes they are important.
*Apple Safari, Mozilla Firefox, Google Chrome, Opera, Microsoft Internet Explorer and Edge are the most commonly used browsers.

“ePrivacy” is the abbreviation commonly used for the EU “Directive on Privacy and electronic communications” from the year 2002.
An EU regulation to replace (repeal) the current ePrivacy directive is currently being drafted called the “Regulation on Privacy and Electronic Communications” (link: ePrivacy Regulation Draft).
The cookie notifications that you always see when first visiting a website is a result of the ePrivacy law.

Yes, your website has to provide an “opt-in” and “opt-out” for cookies. Cookies that are required for the website to function properly can be set automatically.

The cookies does not get deleted, it falls into a dormant (sleeping) state and it does not send any information to the company that would like your data.

Cookies a have to be deleted in the browser that you are using. You can follow the links and delete cookies in your browser. ATTENTION: deleting the cookies in your browser will mean that websites that you often visit will forget your personalized settings e.g. “remember me” or “stay logged in”.

Chrome: chrome://settings/clearBrowserData
Mozilla Firefox: copy and paste this: “about:preferences#privacy” into the address bar and look for Cookies and Site Data
Opera: opera://settings/cookies
Edge: Menu (top-right corner) → Settings → Clear browser history
Internet Explorer: depends on the version you are using: cilck here Safari: Select preferences from Safari menu → Privacy tab → Remove all website data → Remove now.

When personal data is collected it needs to be processed. Maintaining employee payrolls, managing business partnerships, maintaining and managing customer data, collecting email addresses for a newsletter all falls under processing personal data.

TRUENDO is neither controller nor a processer of the personal data an organization has. It is a tool that helps you make your website GDPR compliant.
We are however, the controller of the personal data that we hold about our customers.

In almost all cases a controller is a legal entity, that means a business, a club or an organization. A controller can also just be a person, but this is the exception. It is the responsibility of the controller to make sure that the GDPR is correctly implemented in an organization. They are also responsible for the personal data in an organization.

A processor, as the name suggests, processes personal data. The controller gives the processor the task of processing personal data. It is the responsibility of the controller to make sure that data is processed in compliance with the GDPR. A processor can be company/Organization internal or could also be a cloud service (external processor).

The UK will be treated as a “third country” (a country that is not a member of the EU) as of October 31st, 2019. Depending on the agreement that the UK and the EU negotiate, the status of a “third country” could change and will be updated accordingly.

The GDPR applies as soon as an organization collects any sort of personal data from an EU citizen. It does not matter where the company is based, what matters is whether they are collecting and processing an EU-citizen's personal data, for example a name, an IP-address or any other piece of information that can be used to identify a person.

In one of 3 cases:
Case 1 – where the processing is carried out by a public authority or body.
Case 2 – where the core activities consist of regular and systematic monitoring of data subjects (people) on a large scale.
Case 3 – where the core activities of the business consist of processing large scale special categories of data (e.g. genetic data, religious, sexual, political orientations etc. see What is “sensitive data”? under General info) or personal data relating to criminal convictions and offences.

Examples of core activities:
1. A hospital processes medical data (which is sensitive data) as part of their core activity, to provide health care, they need to appoint a DPO.
2. A security company monitors public spaces such as a mall. They process large amounts of personal data. This is their core activity, they therefore need a DPO. In essence, if the business model is built on processing personal data then they need a DPO.

“Large Scale” – there is no specific definition of what large scale means. This can be regulated at a national level (so each EU country can determine what they consider large scale). We would therefore recommend that you contact the Data Protection Authority in your country for further information or the EU Data Protection Authority if you processing data across countries.
“Regular and systematic monitoring” – this term is also not defined in the GDPR, again we recommend contacting your national Data Protection Authority or access your countries national law. Further information can be found here (http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612048)

€20mil (or 4% of global revenue, whichever is higher) is specifically for the infringement of the following:

- Violation of data-subject (a person’s) rights (see Chapter 3)
- Violation of international data transfer (transferring data to a country that is not allowed to process the data)
- Violation of the legal basis for processing (See Article 6)
- Violation of Chapter 9 of the GDPR (Chapter 9 of the GDPR is country specific, contact your national data protection authority)

€10mil (or 2% of global revenue, whichever is higher) is for:

- Violation of the responsibilities of the controller
- Violation of a contract of processing (i.e. a contract to process personal data)
- Technical and Organizational Measures (TOMs) not implemented
- Other organizational violations (Procedural directory, DPIA)
See Article 83 for the full details on fines.

Contact your national Data Protection Authority for further details about the requirements of an impact assessment. They should publish a list of when it is required but in general:
Impact assessments have to be carried out when the processing of data creates a high risk, if there is a data leak/breach. One also has to consider the context, the scope, the nature and the purpose of the processing (purpose = why am I processing the data).
If a company processes data in the following 3 ways then an impact assesment must be constructed:
1. Systematic processing of personal data that is based on automatic decision making, this includes profiling among other things.
2. Processing sensitive data on a large scale (a large scale is not defined but a hospital falls into this category).
3. When public accessible areas are monitored on a large scale (e.g. a train station or airport).