Frequently asked questions
If you can't find what you're looking for you can always check out our comprehensive Documentation.
The TRUENDO console allows the user to copy the script and site-ID from Integration in the Banner section of the menu. The snippet must then simply be pasted into the <head> section of your website as the very first script on the page, and the changes saved. For more information, including Wordpress, Wix, Magento, and Shopify integrations, please refer to our Documentation.
We value your time and want to make the compliance process as convenient as possible. After the implementation of the TRUENDO CMP on your website, the product will be updated automatically. The software will scan your website once a month in order to detect any new cookies that may have been set.
We have WordPress and Magento plugins. You can find all information about implementing TRUENDO on WordPress, Magento, Wix and Shopify in our Documentation.
You can find all the information you need in the TRUENDO Documentation, from how to use our CMP to technical information. If you can't find what you're looking for, you can always just click the chat bubble at the bottom right corner of the website.
You can choose the colour of your cookie manager and banner using the color picker or enter a specific HEX color code in the Banner section in your console.
This is a Premium-only feature. You can remove it in the Banner section in your console.
Premium plan subscribers may select from 5 different designs found in the Banner section of the console menu. Essential plan subscribers may only use the Standard Banner design.
Premium plan subscribers can choose from 31 languages; this option is located under the Banner section of the console menu. English is the default language for Essentials plan subscribers.
You can find information related to all consent records collected - User, URL, Region, as well as Date and Time in the Consent Records section in your console. You can also search for information related to a specific user or a period of time by using Filters.
Navigate to the Services section of the console menu. Click on the service and a panel will open where you can change the category.
You can do so by clicking the "+" icon in Settings, which you can find on the top right corner of the TRUENDO console.
The Overview tab in your console gives you an overview of all the valuable information that TRUENDO collects while remaining fully compliant. By using these insights, you will be able to learn more about your customers and improve the way you target potential clients.
You can choose whether your website displays the TRUENDO CMP in EU countries only, or worldwide. See the Advanced settings in the Banner Configuration section of the console menu.
You can do so in Advanced settings in the Banner Configuration section of the console menu.
TRUENDO has a standard Privacy Policy that is integrated in the Privacy Widget. But you can also add your own Privacy Policy in the Banner section of the console menu, under Policy Links.
TRUENDO has its own auto-generated, auto-updated Cookie Policy that is integrated in the Privacy Widget. But you can also add your own Cookie Policy in the Banner section of the console menu, under Policy Links.
You can do so in the Banner section of the console menu, under Policy Links.
You can access the TRUENDO Scanner in Settings, in the main navigation menu of the TRUENDO console.
You can upgrade/downgrade your subscription anytime you want in your console. If you're a Premium user, you can purchase extra unique visitors in your console if you're exceeding your current subscription limit.
You can send them an invitation via the console; they will receive an email with a link that will grant them access to your account. You can also manage access to projects and organizations within the console.
A website is called/opened by a “headless” Chrome browser on the TRUENDO server. The headless browser allows the website to open as if a user were visiting the website.
Content on a website is often loaded asynchronously (not all at once, but one after the other). The Scanner starts identifying scripts (code) on the website that set cookies and collect personally identifiable information.
The Scanner has the ability to “click” on the “Accept All” button of a cookie banner (if the website has a cookie banner), allowing all cookies to load. This allows TRUENDO to scan a website twice, once with the “Accept All” click and then again without the click. The scan results are then compared.
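The two-scan comparison described above, as an added illustration that is not TRUENDO's scanner code: two constructed cookie scans of the same page (one without and one with an “Accept All” click) are compared to list the cookies the banner actually gates, and the pre-consent scan is checked against a hypothetical category declaration to flag cookies that were set before consent without being necessary. The scan records, script URLs and the `declaredCategories` map are all constructed for the example.

```javascript
// Added example, not TRUENDO code: compare a scan without consent against a
// scan with "Accept All" clicked, and flag cookies already set before consent.

// Constructed sample of what a headless-browser scan might record per cookie.
const scanWithoutConsent = [
  { name: "truendo_cmp", domain: "example.test",  setBy: "https://cdn.example.test/cmp.js" },
  { name: "sessionid",   domain: "example.test",  setBy: "https://example.test/" },
  { name: "_ga",         domain: ".example.test", setBy: "https://analytics.example.test/tag.js" },
  { name: "ab_test",     domain: "example.test",  setBy: "https://example.test/experiments.js" },
];

const scanWithAcceptAll = [
  ...scanWithoutConsent,
  { name: "_gid", domain: ".example.test", setBy: "https://analytics.example.test/tag.js" },
  { name: "_fbp", domain: ".example.test", setBy: "https://ads.example.test/pixel.js" },
];

// Hypothetical declaration maintained by the site operator (assumption);
// "ab_test" is deliberately left out to show how undeclared cookies surface.
const declaredCategories = {
  truendo_cmp: "necessary",
  sessionid: "necessary",
  _ga: "statistics",
  _gid: "statistics",
  _fbp: "marketing",
};

// A cookie is identified by name and domain, since the same name can be
// set for different domains.
const cookieKey = (c) => `${c.name}@${c.domain}`;

// Cookies that appear only once consent was given, i.e. the ones the
// banner is actually gating.
function cookiesOnlyAfterConsent(before, after) {
  const seen = new Set(before.map(cookieKey));
  return after.filter((c) => !seen.has(cookieKey(c)));
}

// Cookies set before any consent that are not declared as necessary.
// Undeclared cookies are reported as well, because nothing justifies them.
function preConsentViolations(before, categories) {
  return before
    .map((c) => ({ ...c, category: categories[c.name] || "undeclared" }))
    .filter((c) => c.category !== "necessary");
}

function auditReport(before, after, categories) {
  return {
    gatedByConsent: cookiesOnlyAfterConsent(before, after).map((c) => c.name),
    violations: preConsentViolations(before, categories).map(
      (c) => `${c.name} (${c.category}) set by ${c.setBy}`
    ),
  };
}

console.log(JSON.stringify(auditReport(scanWithoutConsent, scanWithAcceptAll, declaredCategories), null, 2));
```

Anything listed under `violations` is a cookie the site sets before the visitor has decided, which is exactly what a consent tool is supposed to prevent; `gatedByConsent` is the list you would expect to match the non-necessary services declared in the banner.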
No, VAT (Value Added Tax) is not included in the price. For sales in member countries of the European Union, we charge the applicable VAT. If we are notified of a sales tax ID number of a non-Austrian company within the European Union, the service will be exempt from VAT.
The contract (or subscription) is valid for 1 year.
The payment period lasts 1 year.
Payment can be made with all major credit cards (VISA, MasterCard & AmEx). We use Stripe as a payment service provider.
You can cancel your contract at any time in the TRUENDO console. TRUENDO will remain available to you for as long as you have paid for. We do not provide refunds for purchased subscriptions.
This is one person that visits your website. How often they visit your website is irrelevant. Please Note: If a person visits your website on a mobile phone and then on a laptop, TRUENDO will register 2 unique visitors. TRUENDO registers each new device as a unique visitor.
To remember who has visited your website, TRUENDO sets a cookie in the visitor's browser. This is a necessary cookie to recognize the visitor. This cookie also stores the choices the visitor made with regard to their cookie settings.
The cookie TRUENDO sets expires after 1 year. This means that after 1 year, TRUENDO will forget the visitor and they will be asked for their consent again. This ensures that your consent is always up-to-date.
We will notify you when you're about to reach the unique visitors limit of your subscription and suggest that you purchase extra unique visitors in the console in order to stay compliant.
Yes. If you process data from customers from the European Union and/or target citizens of the EU with your website, you need to comply with EU law, even if you are located outside of the EU.
The UK is treated as a "third country" now. In June 2021 the EU adopted an adequacy agreement with the UK. This means you can transfer personal data to the UK.
The GDPR applies as soon as an organization collects any sort of personal data from an EU citizen. It does not matter where the company is based, what matters is whether they are collecting and processing an EU-citizen's personal data, for example a name, an IP-address or any other piece of information that can be used to identify a person.
In 1 of the following 4 cases:
1. Where the processing is carried out by a public authority or body.
2. Where the core activities consist of regular and systematic monitoring of data subjects (people) on a large scale.
3. Where the core activities of the business consist of processing large-scale special categories of data (e.g. genetic data, religious, sexual, political orientations etc. see “sensitive data” under General info) or personal data relating to criminal convictions and offences.
4. Some countries may require businesses of a certain size to have a dedicated Data Protection Officer. Please check with your local law.
Examples of core activities:
1. A hospital processes medical data (which is sensitive data) as part of its core activity, providing health care, so it needs to appoint a DPO.
2. A security company monitors public spaces such as a mall. They process large amounts of personal data. This is their core activity, so they need a DPO. In essence, if the business model is built on processing personal data, then they need a DPO.
“Large scale” – there is no specific definition of what large scale means. This can be regulated at a national level (so each EU country can determine what they consider large scale). We would therefore recommend that you contact the Data Protection Authority in your country for further information, or the EU Data Protection Authority if you are processing data across countries.
“Regular and systematic monitoring” – this term is also not defined in the GDPR; again we recommend contacting your national Data Protection Authority or consulting your country's national law. Further information can be found here.
€20M (or 4% of global revenue, whichever is higher) is specifically for the infringement of the following:
- Violation of data-subject (a person’s) rights (see Chapter 3)
- Violation of international data transfer (transferring data to a country that is not allowed to process the data)
- Violation of the legal basis for processing (See Article 6)
- Violation of Chapter 9 of the GDPR (Chapter 9 of the GDPR is country specific, contact your national data protection authority)
€10M (or 2% of global revenue, whichever is higher) is for:
- Violation of the responsibilities of the controller
- Violation of a contract of processing (i.e. a contract to process personal data)
- Technical and Organizational Measures (TOMs) not implemented
- Other organizational violations (Procedural directory, DPIA)
See Article 83 for the full details on fines.
TOM stands for Technical and Organizational Measures. These are steps (measures) that an organization takes to become GDPR compliant and to remain GDPR compliant. This can mean using new software (a technical measure), or creating new processes within the organization (an organizational measure) to improve data security.
Contact your national Data Protection Authority for further details about the requirements of an impact assessment. They should publish a list of when it is required, but in general: impact assessments have to be carried out when the processing of data creates a high risk, if there is a data leak/breach. One also has to consider the context, the scope, the nature and the purpose of the processing (purpose = why am I processing the data).
If a company processes data in the following 3 ways then an impact assessment must be conducted:
1. Systematic processing of personal data that is based on automatic decision making; this includes profiling among other things.
2. Processing sensitive data on a large scale (a large scale is not defined, but a hospital falls into this category).
3. When publicly accessible areas are monitored on a large scale (e.g. a train station or airport).
Yes. The GDPR applies to all people in the EU, regardless of their relationship with your business. As soon as a business has personal data about a person the GDPR applies.
Data types can be divided into various categories. Some categories are contact details of customers, contact details of suppliers, employee data. This can further be broken down into email addresses, addresses, names, date of births, shoe size, weight, blood type etc. Data types can be company/business specific and businesses can define their data types. Any type of personal information is a data type. Data types can be divided into various categories e.g. necessary, marketing, statistics, social content, etc.
The following categories are considered sensitive data (Article 9): racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data (e.g. fingerprints) to be able to identify a person, medical data and information about sex life and or sexual orientation.
This is a very broad subject. Books, PhDs etc. are written on this subject. Briefly, one can say that when systems are designed that will process personal data, the GDPR should be considered. This means that systems should be designed in such a way that the GDPR is, where possible, implemented. There is no norm that exists where “Data Protection by design and default” is defined. Norms may develop in the next few years and these are likely to be industry specific.
Personal information has to be deleted within 30 days of a person making such a request. There are exceptions however, when information has to be stored for a pre-defined amount of time. E.g. in Austria, the information of business transactions has to be stored for 7 years.
This means a business has to store a certain amount of personal data relating to the transaction, even if the person in question makes a request for their data to be deleted. These retention/storage times of personal data vary within the EU and are situation specific.
If the collected personal data is based on consent i.e. no business transaction has taken place, then the data has to be deleted within 30 days of the request being made.
If there is a breach it is the responsibility of the controller of that Organization to report the breach to the national Data Protection Authority within 72 hours.
When collecting data always ask the following questions:
1. What do I need the data for?
2. Does the data I collect fulfil my minimum requirements for me to run my Organization?
3. Can I easily justify the reason for collecting the data?
This is a very important article in the GDPR. It is to make sure that you only collect the data you need to collect, to run your organization.
Pseudonymized data is data that you cannot link with a person unless you have a key or code that allows you to link the data to a person. For example: you have a list of dates of birth (DOB) and they are listed 1 – 100. The DOB could belong to anybody and is therefore pseudonymized data. There is a second list with names on it, where the names are listed 1 – 100. This second list is the key to the DOB list, allowing you to match the DOB with a name. As long as the two lists are separated, the dates of birth are pseudonymized.
Anonymized personal data can in no way be associated with a person. It is impossible to say who the data belongs to. Anonymizing the data is a legitimate way of implementing the “right to be forgotten” i.e. deleting data.
A so-called “Data Directory” is the cornerstone of GDPR compliance. The Data Directory should be (as a minimum requirement) a list of processing activities that your business follows when collecting personal data. It should entail things like: data categories, purposes for collection, purposes for processing, retention times, who has access to the data, both within the company and externally.
Here are 4 steps that you can start with:
1. Who is the Data Controller? (Normally this is the business/organization)
2. What do I need the data for?
3. Is this the easiest way to collect data?
4. Does the data collected align with the purpose (is it logical for me to be collecting this specific data)?
Analogue data is data that is not stored in a digital form, i.e. paper documents, a stack of business cards etc. Digital data is data which is stored in a digital format. Surveillance videos that are stored on a hard drive are digital. If you transfer the information from your business cards to an Excel sheet, this information becomes digital data.
Why is this important? The GDPR only applies to data that is stored in a structured manner, like an alphabetical order, making it easy to search through. Analogue data that is a random collection of data does not fall under the GDPR, e.g. the random stack of business cards. If however they are sorted alphabetically, they fall under the GDPR law.
1. Block all cookies before consent is obtained.
2. Show a cookie banner on the user’s first visit to your website.
3. A brief explanation of the purposes (marketing, statistics, social content etc.).
4. The user must have the option to consent to each purpose individually, the option to reject all non-necessary cookies and the option to accept all cookies.
5. Provide the cookie consent tool in all languages in which your website is provided.
6. Make sure that your website works properly if all non-technical cookies are rejected.
7. Make sure your website works properly if only some purposes are being consented to.
8. Make sure your website does not set any non-consented cookies.
9. Provide a platform to allow the user to manage and view their consent.
There is no strict rule here, but there are recommendations. Some data protection authorities have made recommendations such as CNIL (France) or the Irish Data Protection Commission.
France: best practice at least 6 months for consent.
Ireland: maximum of 6 months for consent according to the Irish data protection commission.
1. Who provided the consent (user ID).
2. When and how consent was acquired from the user.
3. What the user consented to.
There is no mention of language in the GDPR. Information should at a minimum be provided in the same languages that you offer your services in. If you offer your service in 4 languages, then any information to the user must be offered in the same 4 languages.
Art 5 (3) ePD in conjunction with art 4 (11) GDPR require “informed consent”, which is defined as the following:
1. It has to be explicit.
2. Freely given: consent to data processing can’t be the condition to use your service/website. The user has the right to withdraw his consent any time.
3. User needs to be informed about:
- The purpose of the processing.
- Who the controller is.
- Are third-parties involved?
- Their right to withdraw.
4. It must be specific: it should be clear what data processing activities are carried out. The user has the opportunity to consent to each data processing activity.
5. Unambiguous: it is clear that the user has actively agreed to the data processing activities. You must not set cookies without consent, consent by "using the website", or pre-ticked boxes.
6. Consent has to be given in-advance: no cookies/tracking before that.
1. A visitor ID to identify the visitor (ideally pseudonymized).
2. When and how consent was acquired from the visitor.
3. What the visitor consented to.
There is no strict rule here, but there are recommendations. Some data protection authorities have made recommendations such as CNIL (France) or the Irish Data Protection Commission.
France: best practice at least 6 months for consent.
Ireland: maximum of 6 months for consent according to the Irish data protection commission.
Short answer: yes.
If your tracking method sets cookies on the person's device, then consent must be collected.
No. It would make operating a website difficult and tedious if a user would have to consent to each cookie service, individually, before using your website.
It’s sufficient to categorize your cookie service by processing purposes (marketing, statistics, etc.). You can also provide an accept all button and a reject all button. Declining all non-necessary cookie services has to be as easy as accepting all.
No, all that is required is that users are informed about how you process their data at the point of collection. There is no legal requirement for them to give you explicit consent.
That depends. In Austria, if you are in a business relationship with the user, you do not need explicit consent for sending a newsletter. This falls under “Legitimate Interest”. If this is not the case the legal basis needs to be “Consent” and then you do need explicit consent.
Yes, if configured in such a way that it tracks your visitors and/or analyzes end user device information within your server data/logs. You also need to declare in your privacy policy that you self-host it and no third-parties get access to the collected data.
You can only ask for consent if the reason is based on a legitimate purpose. E.g: if you sell shoes, you have a legitimate purpose for collecting your customers shoe size, but you have no business collecting their height or clothing size. Even if they consent to you collecting their data, other than shoe size, you need a legitimate reason for collecting it.
A cookie is a small text file that stores your settings when you surf the web. Almost all websites use cookies and similar technologies. The first time you visit a website the cookies are downloaded and stored in your browser*. When you return to the website the next time, with the same device and using the same browser, the cookie information gets sent to the website to improve your surfing experience. This can mean remembering your login details, so that you don’t have to log in again, or remembering what you have liked in the past to optimize what you see in the future; it also means faster loading times for you. Cookies also give businesses information about what people click on and what not, what they read, etc., so for marketing and sales purposes they are important.
*Apple Safari, Mozilla Firefox, Google Chrome, Opera, Microsoft Internet Explorer and Edge are the most commonly used browsers.
The TRUENDO Consent Management Platform (CMP) automatically blocks all non-necessary cookies, scripts, iframes, tags, pixels etc, that are not needed for the functionality of the website. Once the user gives their consent, the non-necessary cookies, scripts etc. are activated, a consent record is then stored in order for the website owner to prove that the user has consented.
Consent has to be given in-advance to the data being processed: there must be no non-necessary cookies/tracking/data processing before that. The easiest way to show the cookie banner is upon the first visit of your website. Then let the user decide which services/purposes they want to give their consent to. After that you can set cookies accordingly.
- Details of the cookies you intend to use: what kind of personal information does it collect? (e.g. ip address, browser attributes)
- Life-time of the cookie
- Is it a first-party cookie or a third-party cookie?
- Who is the data processor?
- The purpose for which you intend to use the cookies (marketing, statistics, etc.)
Cookies have to be deleted in the browser that you are using. You can follow the links and delete cookies in your browser. ATTENTION: deleting the cookies in your browser will mean that websites that you often visit will forget your personalized settings e.g. “remember me” or “stay logged in”.
Chrome: chrome://settings/clearBrowserData
Mozilla Firefox: copy and paste this: “about:preferences#privacy” into the address bar and look for Cookies and Site Data
Opera: opera://settings/cookies
Edge: Menu (top-right corner) → Settings → Clear browser history
Internet Explorer: depends on the version you are using: click here
Safari: Select preferences from Safari menu → Privacy tab → Remove all website data → Remove now.
Yes, your website has to provide an “opt-in” and “opt-out” for cookies. Cookies that are required for the website to function properly can be set automatically.
The cookie does not get deleted; it falls into a dormant (sleeping) state and does not send any information to the company that would like your data.
Then no CMP or cookie banner is needed. You only need to add to your privacy policy the information what kind of (technical) cookies you use and what (technical) purpose they fulfill.
“ePrivacy” is the abbreviation commonly used for the EU “Directive on Privacy and electronic communications” from the year 2002. An EU regulation to replace (repeal) the current ePrivacy directive is currently being drafted called the “Regulation on Privacy and Electronic Communications”.
The cookie notifications that you always see when first visiting a website are a result of the ePrivacy law.
When personal data is collected it needs to be processed. Maintaining employee payrolls, managing business partnerships, maintaining and managing customer data, and collecting email addresses for a newsletter all fall under processing personal data.
TRUENDO is both a controller and a processor of the personal data an organization has. It is a tool that helps you make your website GDPR and ePrivacy compliant. To make your website compliant, it processes personal data of your website visitors. We are the controllers of the personal data that we hold about our customers.
In almost all cases a controller is a legal entity, that means a business, a club or an organization. A controller can also just be a person, but this is the exception. It is the responsibility of the controller to make sure that the GDPR is correctly implemented in an organization. They are also responsible for the personal data in an organization.
A processor, as the name suggests, processes personal data. The controller gives the processor the task of processing personal data. It is the responsibility of the controller to make sure that data is processed in compliance with the GDPR. A processor can be company/Organization internal or could also be a cloud service (external processor).
In the TRUENDO console, you can copy the script and site-ID under Integration in the Banner Configuration tab. Then you just need to paste the snippet into the <head> section of your website as the very first script on the page, and save your changes. For more information, including Wordpress, Wix, Magento, Shopify, and Drupal integrations, please refer to our Documentation.
Refunds will be credited to your account.
Everything you have purchased will be available to you until the renewal date.
You can send them an invitation via the console; they will receive an email with a link that will grant them access to your account. Navigate to User in the main menu, then go to the User Permissions section in My Account.
You can manage user access to specific projects and organizations within the console. Navigate to User in the main menu, then go to the User Permissions section in My Account.