Here is all you need to know about it.
No, the fact that it is a contact form and the user fills it out is already “consent”. The user (person) does however need to be informed about the processing activities that occur with the data entered.
That depends. In Austria, if you are in a business relationship with the data subject, you do not need explicit consent for sending a newsletter. This falls under “Legitimate Interest”. If this is not the case the legal basis needs to be “Consent” and then you do need explicit consent.
No, all that is required is that users are informed about how you process their data at the point of collection. There is no legal requirement for them to give you explicit consent.
You can only ask for consent if the reason is based on a legitimate purpose. E.g. if you sell shoes, you have a legitimate purpose for collecting your customers' shoe size, but you have no business collecting their height or clothing size. Even if they consent to you collecting data other than shoe size, you need a legitimate reason for collecting it.
When personal data is collected it needs to be processed. Maintaining employee payrolls, managing business partnerships, maintaining and managing customer data, and collecting email addresses for a newsletter all fall under processing personal data.
TRUENDO is neither controller nor processor of the personal data an organization has. It is a tool that helps you make your website GDPR compliant.
We are, however, the controller of the personal data that we hold about our customers.
In almost all cases a controller is a legal entity, that is, a business, a club or an organization. A controller can also be a single person, but this is the exception. It is the responsibility of the controller to make sure that the GDPR is correctly implemented in an organization. They are also responsible for the personal data in an organization.
A processor, as the name suggests, processes personal data. The controller gives the processor the task of processing personal data. It is the responsibility of the controller to make sure that data is processed in compliance with the GDPR. A processor can be internal to the company/organization or can also be a cloud service (external processor).
The UK will be treated as a “third country” (a country that is not a member of the EU) as of October 31st, 2019. Depending on the agreement that the UK and the EU negotiate, the status of a “third country” could change and will be updated accordingly.
The GDPR applies as soon as an organization collects any sort of personal data from an EU citizen. It does not matter where the company is based, what matters is whether they are collecting and processing an EU-citizen's personal data, for example a name, an IP-address or any other piece of information that can be used to identify a person.
In one of 3 cases:
Case 1 – where the processing is carried out by a public authority or body.
Case 2 – where the core activities consist of regular and systematic monitoring of data subjects (people) on a large scale.
Case 3 – where the core activities of the business consist of processing large-scale special categories of data (e.g. genetic data, religious, sexual or political orientation etc.; see What is “sensitive data”? under General info) or personal data relating to criminal convictions and offences.
Examples of core activities:
1. A hospital processes medical data (which is sensitive data) as part of its core activity, to provide health care, so it needs to appoint a DPO.
2. A security company monitors public spaces such as a mall. They process large amounts of personal data. This is their core activity, so they need a DPO. In essence, if the business model is built on processing personal data then a DPO is needed.
“Large Scale” – there is no specific definition of what large scale means. This can be regulated at a national level (so each EU country can determine what it considers large scale). We would therefore recommend that you contact the Data Protection Authority in your country for further information, or the EU Data Protection Authority if you process data across countries.
“Regular and systematic monitoring” – this term is also not defined in the GDPR; again we recommend contacting your national Data Protection Authority or consulting your country's national law. Further information can be found here (http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612048).
€20mil (or 4% of global revenue, whichever is higher) is specifically for the infringement of the following:
- Violation of data-subject (a person’s) rights (see Chapter 3)
- Violation of international data transfer (transferring data to a country that is not allowed to process the data)
- Violation of the legal basis for processing (see Article 6)
- Violation of Chapter 9 of the GDPR (Chapter 9 of the GDPR is country specific; contact your national data protection authority)
€10mil (or 2% of global revenue, whichever is higher) is for:
- Violation of the responsibilities of the controller
- Violation of a contract of processing (i.e. a contract to process personal data)
- Technical and Organizational Measures (TOMs) not implemented
- Other organizational violations (procedural directory, DPIA)
See Article 83 for the full details on fines.
Contact your national Data Protection Authority for further details about the requirements of an impact assessment. They should publish a list of when it is required, but in general:
Impact assessments have to be carried out when the processing of data creates a high risk in the event of a data leak/breach. One also has to consider the context, the scope, the nature and the purpose of the processing (purpose = why am I processing the data).
If a company processes data in the following 3 ways then an impact assessment must be conducted:
1. Systematic processing of personal data that is based on automatic decision making; this includes profiling among other things.
2. Processing sensitive data on a large scale (large scale is not defined, but a hospital falls into this category).
3. When publicly accessible areas are monitored on a large scale (e.g. a train station or airport).
The following categories are considered sensitive data (Article 9): racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data (e.g. fingerprints) used to identify a person, medical data, and information about sex life and/or sexual orientation.
Data types can be divided into various categories. Some categories are contact details of customers, contact details of suppliers and employee data. These can further be broken down into email addresses, addresses, names, dates of birth, shoe size, weight, blood type etc. Data types can be company/business specific, and businesses can define their own data types. Any type of personal information is a data type. Data types can also be grouped into categories such as necessary, marketing, statistics, social content, etc.
There is no mention of language in the GDPR document, but the consensus is that the language in which information has to be provided is the national language of the country in which a person currently finds themselves, i.e. where they make their request for information or rectification etc.
Yes. The GDPR applies to all people in the EU, regardless of their relationship with your business. As soon as a business has personal data about a person the GDPR applies.
When systems are designed that will process personal data, the GDPR should be considered. This means that systems should be designed in such a way that the GDPR is, where possible, implemented. There is no norm that exists where “Data Protection by design and default” is defined. Norms may develop in the next few years and these are likely to be industry specific.
Personal information has to be deleted within 30 days of a person making such a request. There are exceptions however, when information has to be stored for a pre-defined amount of time. E.g. in Austria, the information of business transactions has to be stored for 7 years. This means a business has to store a certain amount of personal data relating to the transaction, even if the person in question makes a request for their data to be deleted. These retention/storage times of personal data vary within the EU and are situation specific. If the collected personal data is based on consent i.e. no business transaction has taken place, then the data has to be deleted within 30 days of the request being made.
If there is a breach it is the responsibility of the controller of that organization to report the breach to the national Data Protection Authority within 72 hours.
A so-called “Data Directory” is the cornerstone of GDPR compliance. The Data Directory should be (as a minimum requirement) a list of processing activities that your business follows when collecting personal data.
It should entail things like: data categories, purposes for collection, purposes for processing, retention times, and who has access to the data, both within the company and externally.
Here are 4 steps that you can start with:
1. Who is the Data Controller? (Normally this is the business/organization.)
2. What do I need the data for?
3. Is this the easiest way to collect data?
4. Does the data collected align with the purpose (is it logical for me to be collecting this specific data)?
Analogue data is data that is not stored in a digital form, i.e. paper documents, a stack of business cards etc. Digital data is data which is stored in a digital format. Surveillance videos that are stored on a hard drive are digital. If you transfer the information from your business cards to an Excel sheet, this information becomes digital data.
Why is this important? The GDPR only applies to data that is stored in a structured manner, like alphabetical order, making it easy to search through. Analogue data that is a random collection of data does not fall under the GDPR, e.g. the random stack of business cards. If, however, they are sorted alphabetically, they fall under the GDPR.
Article 29 Working Party was the advisory board that consisted of members from each data protection authority of the EU member states. They released information regarding the GDPR and its implementation.
On May 25th 2018 Article 29 Working Party was replaced by the European Data Protection Board (EDPB). It is their task to ensure that the GDPR is applied consistently across the EU. They have to ensure that all Data Protection Authorities from the member states cooperate. They will issue guidelines on the correct implementation of the GDPR and handle disputes regarding cross-border processing.
When collecting data always ask the following questions:
1. What do I need the data for?
2. Does the data I collect fulfil the minimum requirements for me to run my organization?
3. Can I easily justify the reason for collecting the data?
This is a very important article in the GDPR. It is to make sure that you only collect the data you need to collect, to run your organization.
TOM stands for Technical and Organizational Measures.
These are steps (measures) that an organization takes to become GDPR compliant and to remain GDPR compliant. This can mean using new software (a technical measure) or creating new processes within the organization (an organizational measure) to improve data security.
Pseudonymized data is data that you cannot link with a person unless you have a key or code that allows you to link the data to a person.
An example: you have a list of dates of birth (DOB) and they are listed 1–100. The DOB could belong to anybody and is therefore pseudonymized data. There is a second list with names on it, where the names are listed 1–100. This second list is the key to the DOB list, allowing you to match the DOB with a name. As long as the two lists are kept separate, the dates of birth are pseudonymized.
Anonymized personal data can in no way be associated with a person. It is impossible to say who the data belongs to. Some people use this method to execute the “right to be forgotten”, i.e. deleting data.
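The two-list scheme above, as an added example that is not part of the original FAQ or of TRUENDO's product: records are split into a data list (token to DOB) and a separate key list (token to name), re-identification needs both, and destroying the key list is the anonymization step. The sample records are constructed; the random token replaces the 1–100 index of the text so that a record's position does not reveal its place in the original list.

```python
"""Pseudonymization as two separated lists, with anonymization by key destruction."""
import secrets

# Constructed sample records (fictitious people), each a name plus date of birth.
RECORDS = [
    {"name": "Anna Example", "dob": "1984-03-12"},
    {"name": "Ben Muster", "dob": "1991-11-02"},
    {"name": "Clara Sample", "dob": "1977-07-30"},
]


def pseudonymize(records):
    """Split records into a data list (token -> DOB) and a key list (token -> name).

    The data list on its own cannot be linked to a person; only the key list
    re-establishes the link, so the two must be stored and protected separately.
    """
    data_list = {}
    key_list = {}
    for rec in records:
        token = secrets.token_hex(8)  # random, non-sequential link between the lists
        data_list[token] = {"dob": rec["dob"]}
        key_list[token] = rec["name"]
    return data_list, key_list


def reidentify(data_list, key_list):
    """Re-link DOBs to names; only possible with access to the key list."""
    return [{"name": key_list[t], "dob": d["dob"]} for t, d in data_list.items()]


def anonymize(data_list, key_list):
    """Destroy the key list: afterwards the DOBs can no longer be attributed to anyone.

    Note that a date of birth combined with other attributes can still narrow
    down a person, so what remains should itself be kept to the minimum needed.
    """
    key_list.clear()
    return {t: dict(d) for t, d in data_list.items()}


def contains_identifiers(data_list, records):
    """Check that no name from the original records has leaked into the data list."""
    names = {r["name"] for r in records}
    return any(v in names for d in data_list.values() for v in d.values())
```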