Data types can be divided into various categories. Some categories are contact details of customers, contact details of suppliers, employee data. This can further be broken down into email addresses, addresses, names, date of births, shoe size, weight, blood type etc. Data types can be company/business specific and businesses can define their data types. Any type of personal information is a data type. Data types can be divided into various categories e.g. necessary, marketing, statistics, social content, etc.

The following categories are considered sensitive data (Article 9): racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data (e.g. fingerprints) to be able to identify a person, medical data and information about sex life and or sexual orientation.

This is a very broad subject. Books, PhDs etc are writtin on this subject. Briefly one can say, when systems are designed that will process personal data, the GDPR should be considered. This means that systems should be designed in such a way that the GDPR is, where possible, implemented. There is no norm that exists where “Data Protection by design and default” is defined. Norms may develop in the next few years and these are likely to be industry specific.

Personal information has to be deleted within 30 days of a person making such a request. There are exceptions however, when information has to be stored for a pre-defined amount of time. E.g. in Austria, the information of business transactions has to be stored for 7 years.

This means a business has to store a certain amount of personal data relating to the transaction, even if the person in question makes a request for their data to be deleted. These retention/storage times of personal data vary within the EU and are situation specific.

If the collected personal data is based on consent i.e. no business transaction has taken place, then the data has to be deleted within 30 days of the request being made.

If there is a breach it is the responsibility of the controller of that Organization to report the breach to the national Data Protection Authority within 72 hours.

When collecting data always ask the following questions:
1. What do I need the data for?
2. Does the data I collect fulfil my minimum requirements for me to run my Organization?
3. Can I easily justify the reason for collecting the data?

This is a very important article in the GDPR. It is to make sure that you only collect the data you need to collect, to run your organization.

Pseudonymized data, is data that you cannot link with a person unless you have a key or code that allows you to link the data to a person. For example: you have a list of Date of Births (DOB) and they are listed 1 -100. The DOB could belong to anybody and is therefore pseudomized data. There is a second list with names on it, where the names are listed 1 – 100. This second list is the key to the DOB list, allowing you to match the DOB with a name. As long as the two lists are separated, the Date of Births are pseudomized.

Anonymized personal data can in no way be associated with a person. It is impossible to say who the data belongs to. Anonymizing the data is a legitimate way implementing the “right to be forgotten” i.e. deleting data.

A so-called “Data Directory” is the cornerstone of GDPR compliance. The Data Directory should be (as a minimum requirement) a list of processing activities that your business follows when collecting personal data. It should entail things like: data categories, purposes for collection, purposes for processing, retention times, who has access to the data, both within the company and externally.

Here are 4 steps that you can start with:
1. Who is the Data Controller? (Normally this is the business/organization)
2. What do I need the data for?
3. Is this the easiest way to collect data?
4. Does the data collected align with the purpose (is it logical for me to be collecting this specific data)?

Analogue data is data that is not stored in a digital form i.e. documents of paper, a stack of business card etc. Digital data is data which is stored in a digital format. Surveillance videos that are stored on a hard drive are digital. If you transfer the information from your business cards to an excel sheet, this information becomes digital data.

Why is this important? The GDPR only applies to data that is stored in a structured manor, like an alphabetical order, making it easy to search through. Analogue data that is a random collection of data does not fall under the GDPR e.g. the random stack of business cards. If however, they are sorted alphabetically, they fall under the GDPR law.

1. Block all cookies before consent is obtained.
2. Show a cookie banner on the user’s first visit to your website.
3. A brief explanation of the purposes (marketing, statistics, social content etc.).
4. The user must have the option to consent to each purpose individually, the option to reject all non-necessary cookies and the option to accept all cookies.
5. Provide the cookie consent tool in all languages in which your website is provided in.
6. Make sure that your website works properly if all non-technical cookies are rejected.
7. Make sure your website works properly if only some purposes are being consented to.
8. Make sure your website does not set any non-consented cookies.
9. Provide a platform to allow the user to manage and view their consent.

There is no strict rule here, but there are recommendations. Some data protection authorities have made recommendations such as CNIL (France) or the Irish Data Protection Commission.  France: best practice at least 6 months for consent.Ireland: maximum of 6 months for consent according to the Irish data protection commission

1. Who provided the consent (user ID).
2. When and how consent was acquired from the user.
3. What user consented to.

There is no mention of language in the GDPR. Information should at a miminum be provided in the same languages that you offer your services in. If you offer your service in 4 languages, then any inforamtion to the user must be offered in the same 4 languages.

A cookie is a small text file that stores your settings when you surf the web. Almost all websites use cookies and similar technologies. The first time you visit a website the cookies are downloaded and stored in your browser*. When you return to the website the next time, with the same device and using the same browser, the cookie information gets sent to the website to improve your surfing experience. This can mean, remembering your login details, so that you don’t have to login again. What you have liked in the past to optimize what you see in the future and it also means faster loading times for you. Cookies also give businesses information about what people click on and what not, what they read, etc. so for marketing and sales purposes they are important.

*Apple Safari, Mozilla Firefox, Google Chrome, Opera, Microsoft Internet Explorer and Edge are the most commonly used browsers.

The TRUENDO Consent Management Platform (CMP) automatically blocks all non-necessary cookies, scripts, iframes, tags, pixels etc, that are not needed for the functionality of the website. Once the user gives their consent, the non-necessary cookies, scripts etc. are activated, a consent record is then stored in order for the website owner to prove that the user has consented.

Consent has to be given in-advance to the data being processed: there must be no non-necessary cookies/tracking/data processing before that. The easiest way to show the cookie banner is upon the first visit of your website. Then let the user decide which services/purposes they want to give their consent to. After that you can set cookies accordingly.

- Details of the cookies you intend to use: what kind of personal information does it collect? (e.g. ip address, browser attributes)    
- Life-time of the cookie    
- Is it a first-party cookie or a third-party cookie?    
- Who is the data processor?      
- The purpose for which you intend to use the cookies (marketing, statistics, etc.)

Cookies have to be deleted in the browser that you are using. You can follow the links and delete cookies in your browser. ATTENTION: deleting the cookies in your browser will mean that websites that you often visit will forget your personalized settings e.g. “remember me” or “stay logged in”.

Chrome: chrome://settings/clearBrowserData
Mozilla Firefox: copy and paste this: “about:preferences#privacy” into the address bar and look for Cookies and Site Data
Opera: opera://settings/cookies
Edge: Menu (top-right corner) → Settings → Clear browser history
Internet Explorer: depends on the version you are using: cilck here
Safari: Select preferences from Safari menu → Privacy tab → Remove all website data → Remove now.

Yes, your website has to provide an “opt-in” and “opt-out” for cookies. Cookies that are required for the website to function properly can be set automatically.

The cookies does not get deleted, it falls into a dormant (sleeping) state and it does not send any information to the company that would like your data.

Then no CMP or cookie banner is needed. You only need to add to your privacy policy the information what kind of (technical) cookies you use and what (technical) purpose they fulfill.

“ePrivacy” is the abbreviation commonly used for the EU “Directive on Privacy and electronic communications” from the year 2002. An EU regulation to replace (repeal) the current ePrivacy directive is currently being drafted called the “Regulation on Privacy and Electronic Communications”.

The cookie notifications that you always see when first visiting a website is a result of the ePrivacy law.

When personal data is collected it needs to be processed. Maintaining employee payrolls, managing business partnerships, maintaining and managing customer data, collecting email addresses for a newsletter all falls under processing personal data.

TRUENDO is both a controller and a processer of the personal data an organization has. It is a tool that helps you make your website GDPR and ePrivacy compliant. To make your website compliant, it processes personal data of your website visitors.We are the controllers of the personal data that we hold about our customers.

In almost all cases a controller is a legal entity, that means a business, a club or an organization. A controller can also just be a person, but this is the exception. It is the responsibility of the controller to make sure that the GDPR is correctly implemented in an organization. They are also responsible for the personal data in an organization.

A processor, as the name suggests, processes personal data. The controller gives the processor the task of processing personal data. It is the responsibility of the controller to make sure that data is processed in compliance with the GDPR. A processor can be company/Organization internal or could also be a cloud service (external processor).

You can send them an invitation via the console, they will receive an email with a link that will grant them access to your account. Navigate to User in the main menu, then go to the User Permissions section in My Account.

You can manage user access to specific projects and organizations within the console. Navigate to User in the main menu, then go to the User Permissions section in My Account.