Frequently Asked Questions
Does a user have to explicitly accept being contacted when filling out a contact form?
Do I need consent to send a user a newsletter?
Consent is not consent. What does this mean?
E.g. if you sell shoes, you have a legitimate purpose for collecting your customers' shoe size, but you have no business collecting their height or clothing size. Even if they consent to you collecting data other than their shoe size, you still need a legitimate reason for collecting it.
What exactly are cookies?
Cookies also give businesses information about what people click on and what they do not, what they read, etc., so for marketing and sales purposes they are important.
*Apple Safari, Mozilla Firefox, Google Chrome, Opera, Microsoft Internet Explorer and Edge are the most commonly used browsers.
What is the ePrivacy law?
“ePrivacy” is the abbreviation commonly used for the EU “Directive on Privacy and electronic communications” from the year 2002. An EU regulation to replace (repeal) the current ePrivacy directive is currently being drafted called the “Regulation on Privacy and Electronic Communications” (link: ePrivacy Regulation Draft).
The cookie notifications that you always see when first visiting a website are a result of the ePrivacy law.
Do I have to provide an Opt-in and Opt-out for cookies?
How do you know whether a cookie is no longer set if you opt-out?
How can I delete cookies?
Cookies have to be deleted in the browser that you are using. You can follow the links below and delete cookies in your browser. ATTENTION: deleting the cookies in your browser will mean that websites that you often visit will forget your personalised settings, e.g. “remember me” or “stay logged in”.
Mozilla Firefox: copy and paste this: “about:preferences#privacy” into the address bar and look for Cookies and Site Data
Edge: Settings → Settings → Clear browser history
Internet Explorer: depends on the version you are using: click here
Safari: Select preferences from Safari menu → Privacy tab → Remove all website data → Remove now
What exactly does processing personal data mean?
When personal data is collected it needs to be processed. Maintaining employee payrolls, managing business partnerships, maintaining and managing customer data, and collecting email addresses for a newsletter all fall under processing personal data.
Is TRUENDO a processor or controller?
We are, however, the controller of the personal data that we hold about our customers.
What is a controller?
It is the responsibility of the controller to make sure that the GDPR is correctly implemented in an organization. They are also responsible for the personal data in an organization.
What is a processor?
Brexit - What will the status of the United Kingdom be after it leaves the EU in March 2019?
The current status is as follows:
The UK will be treated as a “third country” (a country that is not a member of the EU) as of the 29th March 2019.
Depending on the deal that the UK and the EU negotiate, this “third country” status could change.
Does the GDPR apply to my business?
When do I need a Data Protection Office (DPO)?
Case 1 – where the processing is carried out by a public authority or body.
Case 2 – where the core activities consist of regular and systematic monitoring of data subjects (people) on a large scale.
Case 3 – where the core activities of the business consist of processing large scale special categories of data (e.g. genetic data, religious, sexual, political orientations etc., see What is “sensitive data”? under General info) or personal data relating to criminal convictions and offences.
Examples of core activities:
1) A hospital processes medical data (which is sensitive data) as part of its core activity, to provide health care, so it needs to appoint a DPO.
2) A security company monitors public spaces such as a mall. It processes large amounts of personal data. This is its core activity, so it needs a DPO. In essence, if the business model is built on processing personal data, then a DPO is needed.
“Large Scale” – there is no specific definition of what large scale means. This can be regulated at a national level (so each EU country can determine what it considers large scale). We would therefore recommend that you contact the Data Protection Authority in your country for further information, or the EU Data Protection Authority if you are processing data across countries.
“Regular and systematic monitoring” – this term is also not defined in the GDPR; again we recommend contacting your national Data Protection Authority or consulting your country's national law.
Further information can be found here (http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612048)
Fines - €20million or €10million
€20mil is for:
- Violation of data-subject (a person’s) rights (see Chapter 3)
- Violation of international data transfer (transferring data to a country that is not allowed to process the data)
- Violation of the legal basis for processing (See Article 6)
- Violation of Chapter 9 of the GDPR (Chapter 9 of the GDPR is country specific, contact your national data protection authority)
€10mil (or 2% of global revenue, whichever is higher) is for:
- Violation of the responsibilities of the controller
- Violation of a contract of processing (i.e. a contract to process personal data)
- Technical and Organisational Measures (TOMs) not implemented
- other organizational violations (Procedural directory, DPIA)
See Article 83 for the full details on fines.
When do I have to construct an impact assessment?
Contact your national Data Protection Authority for further details about the requirements of an impact assessment. They should publish a list of when it is required, but in general:
Impact assessments have to be carried out when the processing of data creates a high risk, e.g. in the event of a data leak/breach. One also has to consider the context, the scope, the nature and the purpose of the processing (purpose = why am I processing the data). If a company processes data in any of the following 3 ways, then an impact assessment must be constructed:
1) systematic processing of personal data that is based on automatic decision making; this includes profiling among other things.
2) processing sensitive data on a large scale (large scale is not defined, but a hospital falls into this category).
3) when publicly accessible areas are monitored on a large scale (e.g. a train station or airport).
What is sensitive data?
What are data types?
Which language does information have to be provided in?
Does the GDPR apply to employees in a business?
What is "Data Protection by Design and Default"?
No norm currently exists that defines “Data Protection by design and default”. Norms may develop in the next few years, and these are likely to be industry specific.
When do I have to delete a person's personal information?
If the collected personal data is based on consent i.e. no business transaction has taken place, then the data has to be deleted within 30 days of the request being made.
What do I do if there is a data breach/data leak relating to personal information?
Where do I start when building a Data Directory?
1) What do I need the data for?
2) Is this the easiest way to collect data?
3) Does the data collection align with the purpose (is it logical for me to be collecting this specific data)?
What is the difference between analogue and digital data and when does the GDPR apply?
Digital data is data which is stored in a digital format. Surveillance videos that are stored on a hard drive are digital. If you transfer the information from your business cards to an Excel sheet, this information becomes digital data.
Why is this important? The GDPR only applies to analogue data that is stored in a structured manner, like in alphabetical order, making it easy to search through. Analogue data that is a random collection of data does not fall under the GDPR, e.g. a random stack of business cards. If, however, the cards are sorted alphabetically, they fall under the GDPR.
What is Article 29 Working Party?
How do I make sure that I am collecting data lawfully?
1) What do I need the data for?
2) Does the data I collect fulfil my minimum requirements for me to run my organisation?
3) Can I easily justify the reason for collecting the data?
What is data minimisation? (Art 5(c))
What are TOMs?
These are steps (measures) that an organization takes to become GDPR compliant and to remain GDPR compliant. This can mean using new software (a technical measure) or creating new processes within the organization (an organizational measure) to improve data security.
Pseudonymisation vs Anonymization in the context of the GDPR.
An example: you have a list of dates of birth (DOB) and they are numbered 1–100. A DOB on its own could belong to anybody and is therefore pseudonymised data. There is a second list with names on it, where the names are also numbered 1–100. This second list is the key to the DOB list, allowing you to match each DOB with a name. As long as the two lists are kept separate, the dates of birth remain pseudonymised.
Anonymized personal data can in no way be associated with a person. It is impossible to say who the data belongs to. Some people see this as a way to exercise the “right to be forgotten” i.e. deleting data.
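The two-list idea above, worked through in code as an added example (this is not TRUENDO's own code; the sample records, the function names and the choice of random tokens instead of positional numbering are assumptions made for illustration). It splits constructed records into a DOB list and a separate key list, shows that re-identification needs the key list, and shows one way of going beyond pseudonymisation: dropping the link to the key entirely and coarsening the date of birth to a year, since a full date of birth combined with other data can still single a person out even after the names are gone.

```python
"""Pseudonymisation vs anonymisation on a constructed record list.

Added example; the sample records and helper names are invented for
illustration and are not the project's own code.
"""
import secrets
from typing import Dict, List, Tuple

# Constructed sample records (fictional people).
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"name": "Ada Example", "dob": "1985-04-12"},
    {"name": "Bram Sample", "dob": "1990-11-03"},
    {"name": "Cleo Fictional", "dob": "1985-04-12"},
]


def pseudonymise(
    records: List[Dict[str, str]],
) -> Tuple[List[Dict[str, str]], Dict[str, str]]:
    """Split each record into a DOB list and a separate key list.

    The DOB list carries only a random token and the date of birth, so on
    its own it could belong to anybody (the FAQ's list numbered 1-100).
    The key list maps token -> name and is the only way back to a person;
    the two must be stored and access-controlled separately for this to
    count as pseudonymisation. Random tokens are used instead of the FAQ's
    positional numbering so that the order of the DOB list reveals nothing.
    """
    dob_list: List[Dict[str, str]] = []
    key_list: Dict[str, str] = {}
    for rec in records:
        token = secrets.token_hex(8)  # 16 hex characters, unguessable
        dob_list.append({"id": token, "dob": rec["dob"]})
        key_list[token] = rec["name"]
    return dob_list, key_list


def reidentify(
    dob_list: List[Dict[str, str]], key_list: Dict[str, str]
) -> List[Dict[str, str]]:
    """Join the two lists again; only possible while the key list exists."""
    return [{"name": key_list[row["id"]], "dob": row["dob"]} for row in dob_list]


def anonymise(dob_list: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Drop the link to the key list entirely and coarsen DOB to birth year.

    Deleting the key list alone removes the name link, but a full date of
    birth can still single a person out when combined with other data, so
    the date is reduced to a year as well. After this step no key can
    restore the original record, which is the irreversibility the FAQ
    describes for anonymised data.
    """
    return [{"birth_year": row["dob"][:4]} for row in dob_list]


def contains_direct_identifiers(rows: List[Dict[str, str]], names: List[str]) -> bool:
    """Return True if any of the given names appears anywhere in the rows."""
    blob = " ".join(str(value) for row in rows for value in row.values())
    return any(name in blob for name in names)
```

The check `contains_direct_identifiers` is what a reviewer would run against the DOB list before handing it to a team that is not supposed to know who the people are: the names must appear only in the key list.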