GDPR

Frequently Asked Questions

Consent

Does a user have to explicitly accept being contacted when filling out a contact form?

No, the fact that it is a contact form and the user fills it out is already “consent”. The user (person) does however need to be informed about the processing activities that occur with the data entered.

Do I need consent to send a user a newsletter?

That depends. In Austria, if you are in a business relationship with the data subject, you do not need explicit consent for sending a newsletter. This falls under “Legitimate Interest”. If this is not the case the legal basis needs to be “Consent” and then you do need explicit consent.

Do users have to accept a privacy policy?

No, all that is required is that users are informed about how you process their data at the point of collection. There is no legal requirement for them to give you explicit consent.

Consent is not consent. What does this mean?

You can only ask for consent if the reason is based on a legitimate purpose. E.g. if you sell shoes, you have a legitimate purpose for collecting your customers' shoe size, but you have no business collecting their height or clothing size. Even if customers consent to you collecting data other than their shoe size, you still need a legitimate reason for collecting it.

Cookies

What exactly are cookies?

A cookie is a small text file that saves your settings when you surf the web. Almost all websites use cookies and similar technologies. The first time you visit a website the cookies are downloaded and saved in your browser*. When you return to the website the next time, with the same device and using the same browser, the cookie information gets sent to the website to improve your surfing experience. This can mean remembering your login details, so that you don’t have to log in again, or remembering what you have liked in the past to optimise what you see in the future; it also means faster loading times for you. Cookies also give businesses information about what people click on and what they don’t, what they read, etc., so for marketing and sales purposes they are important.

*Apple Safari, Mozilla Firefox, Google Chrome, Opera, Microsoft Internet Explorer and Edge are the most commonly used browsers.

What is the ePrivacy law?

“ePrivacy” is the abbreviation commonly used for the EU “Directive on Privacy and electronic communications” from the year 2002.

An EU regulation to replace (repeal) the current ePrivacy Directive, called the “Regulation on Privacy and Electronic Communications”, is currently being drafted (link: ePrivacy Regulation Draft).

The cookie notifications that you always see when first visiting a website are a result of the ePrivacy law.

Do I have to provide an Opt-in and Opt-out for cookies?

Yes, your website has to provide an “opt-in” and “opt-out” for cookies. Cookies that are required for the website to function properly can be set automatically.

How do you know whether a cookie is no longer set if you opt out?

The cookie does not get deleted; it falls into a dormant (sleeping) state and no longer sends any information to the company that would like your data.

How can I delete cookies?

Cookies have to be deleted in the browser that you are using. You can follow the links below and delete cookies in your browser. ATTENTION: deleting the cookies in your browser means that websites you often visit will forget your personalised settings, e.g. “remember me” or “stay logged in”.
Chrome: chrome://settings/clearBrowserData
Mozilla Firefox: copy and paste “about:preferences#privacy” into the address bar and look for Cookies and Site Data
Opera: opera://settings/cookies
Edge: Menu (top-right corner) → Settings → Clear browser history
Internet Explorer: depends on the version you are using: click here
Safari: Select Preferences from the Safari menu → Privacy tab → Remove all website data → Remove now

Processing

What exactly does processing personal data mean?

When personal data is collected it needs to be processed. Maintaining employee payrolls, managing business partnerships, maintaining and managing customer data, and collecting email addresses for a newsletter all fall under processing personal data.

Is TRUENDO a processor or controller?

TRUENDO is not a controller or a processor of the personal data an organisation has. It is a tool that helps you make your website GDPR compliant.

We are, however, the controller of the personal data that we hold about our customers.

What is a controller?

In almost all cases a controller is a legal entity, that is, a business, a club or an organisation. A controller can also be a single person, but this is the exception. It is the responsibility of the controller to make sure that the GDPR is correctly implemented in an organisation. The controller is also responsible for the personal data in that organisation.

What is a processor?

A processor, as the name suggests, processes personal data. The controller gives the processor the task of processing personal data. It is the responsibility of the controller to make sure that the data is processed in compliance with the GDPR. A processor can be internal to the company/organisation or external, for example a cloud service (external processor).

Legal Info

Brexit - What will the status of the United Kingdom be after it leaves the EU in March 2019?

The current status is as follows: the UK will be treated as a “third country” (a country that is not a member of the EU) as of 29th March 2019. Depending on the deal that the UK and the EU negotiate, this “third country” status could change.

Does the GDPR apply to my business?

The GDPR applies as soon as an organisation collects any sort of personal data from an EU citizen. This can be a person's name or their IP address, basically anything that can be used to identify a person. It does not matter where the company is based; what matters is whether it is collecting and processing an EU citizen's personal data.

When do I need a Data Protection Officer (DPO)?

In one of 3 cases:
Case 1 – where the processing is carried out by a public authority or body.
Case 2 – where the core activities consist of regular and systematic monitoring of data subjects (people) on a large scale.
Case 3 – where the core activities of the business consist of processing special categories of data on a large scale (e.g. genetic data, religious, sexual or political orientation etc.; see What is “sensitive data”? under General Info) or personal data relating to criminal convictions and offences.

Examples of core activities:
1) A hospital processes medical data (which is sensitive data) as part of its core activity, to provide health care, so it needs to appoint a DPO.
2) A security company monitors public spaces such as a mall. It processes large amounts of personal data. This is its core activity, so it needs a DPO. In essence, if the business model is built on processing personal data then a DPO is needed.

“Large Scale” – there is no specific definition of what large scale means. This can be regulated at a national level (so each EU country can determine what it considers large scale). We would therefore recommend that you contact the Data Protection Authority in your country for further information, or the EU Data Protection Authority if you process data across countries.

“Regular and systematic monitoring” – this term is also not defined in the GDPR; again we recommend contacting your national Data Protection Authority or consulting your country's national law. Further information can be found here (http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612048).

Fines - €20 million or €10 million

€20 million (or 4% of global revenue, whichever is higher) applies specifically to infringements of the following:

  • Violation of data-subject (a person’s) rights (see Chapter 3)
  • Violation of international data transfer rules (transferring data to a country that is not allowed to process the data)
  • Violation of the legal basis for processing (See Article 6)
  • Violation of Chapter 9 of the GDPR (Chapter 9 of the GDPR is country specific, contact your national data protection authority)

€10 million (or 2% of global revenue, whichever is higher) applies to:

  • Violation of the responsibilities of the controller
  • Violation of a contract of processing (i.e. a contract to process personal data)
  • Technical and Organisational Measures (TOMs) not implemented
  • Other organisational violations (procedural directory, DPIA)

See Article 83 for the full details on fines.

When do I have to construct an impact assessment?

Contact your national Data Protection Authority for further details about the requirements of an impact assessment. They should publish a list of when it is required, but in general:
Impact assessments have to be carried out when the processing of data creates a high risk, for instance if there is a data leak/breach. One also has to consider the context, the scope, the nature and the purpose of the processing (purpose = why am I processing the data).
If a company processes data in one of the following 3 ways then an impact assessment must be constructed:
1) systematic processing of personal data that is based on automated decision making, which includes profiling among other things.
2) processing sensitive data on a large scale (large scale is not defined, but a hospital falls into this category).
3) when publicly accessible areas are monitored on a large scale (e.g. a train station or airport).

General Info

What is sensitive data?

The following categories are considered sensitive data (Article 9): racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data (e.g. fingerprints) used to identify a person, medical data and information about sex life and/or sexual orientation.

What are data types?

Data types can be divided into various categories. Some categories are contact details of customers, contact details of suppliers, and employee data. These can further be broken down into email addresses, postal addresses, names, dates of birth, shoe size, weight, blood type etc. Data types can be company/business specific, and businesses can define their own data types.

Which language does information have to be provided in?

There is no mention of language in the GDPR document, but the consensus is that information has to be provided in the national language of the country in which the person currently finds themselves, i.e. where they make their request for information, rectification etc.

Does the GDPR apply to employees in a business?

Yes. The GDPR applies to all people in the EU, regardless of their relationship with your business. As soon as a business has personal data about a person the GDPR applies.

What is "Data Protection by Design and Default"?

When systems that will process personal data are designed, the GDPR should be considered. This means that systems should be designed in such a way that the GDPR is, where possible, implemented. No standard (norm) exists that defines “Data Protection by Design and Default”. Standards may develop in the next few years, and these are likely to be industry specific.

When do I have to delete a person's personal information?

Personal information has to be deleted within 30 days of a person making such a request.
There are exceptions, however, when information has to be stored for a pre-defined amount of time. E.g. in Austria, records of business transactions have to be stored for 7 years. This means a business has to store a certain amount of personal data relating to the transaction, even if the person in question requests that their data be deleted.
These retention/storage times for personal data vary within the EU and are situation specific. If the collected personal data is based on consent, i.e. no business transaction has taken place, then the data has to be deleted within 30 days of the request being made.

What do I do if there is a data breach/data leak relating to personal information?

If there is a breach it is the responsibility of the controller of that organisation to report the breach to the national Data Protection Authority within 72 hours.

Where do I start when building a Data Directory?

A so-called “Data Directory” is the cornerstone of GDPR compliance. The Data Directory should be (as a minimum requirement) a list of the processing activities that your business follows when collecting personal data.
It should contain things like: data categories, purposes for collection, purposes for processing, retention times, and who has access to the data, both within the company and externally.
Here are 4 steps that you can start with:
1) Who is the Data Controller? (Normally this is the business/organisation.)
2) What do I need the data for?
3) Is this the easiest way to collect the data?
4) Does the data collection align with the purpose (is it logical for me to be collecting this specific data)?

What is the difference between analogue and digital data and when does the GDPR apply?

Analogue data is data that is not stored in a digital form. Documents on paper or a stack of business cards are analogue data.
Digital data is data which is stored in a digital format. Surveillance videos that are stored on a hard drive are digital. If you transfer the information from your business cards to an Excel sheet, this information becomes digital data.

Why is this important? The GDPR only applies to data that is stored in a structured manner, such as alphabetical order, making it easy to search through. Analogue data that is a random collection does not fall under the GDPR, e.g. a random stack of business cards. If, however, the cards are sorted alphabetically, they fall under the GDPR.

What is Article 29 Working Party?

The Article 29 Working Party was the advisory board that consisted of members from each data protection authority of the EU member states. It released information regarding the GDPR and its implementation.

On May 25th 2018 the Article 29 Working Party was replaced by the European Data Protection Board (EDPB). It is the EDPB's task to ensure that the GDPR is applied consistently across the EU. It has to ensure that all Data Protection Authorities of the member states cooperate. It will issue guidelines on the correct implementation of the GDPR and handle disputes regarding cross-border processing. To find out more click here.

How do I make sure that I am collecting data lawfully?

When collecting data always ask the following questions:
1) What do I need the data for?
2) Does the data I collect fulfil the minimum requirements for me to run my organisation?
3) Can I easily justify the reason for collecting the data?

What is data minimisation? (Article 5(c))

This is a very important article in the GDPR. It ensures that you only collect the data you need in order to run your organisation.

What are TOMs?

TOM stands for Technical and Organisational Measures.
These are steps (measures) that an organisation takes to become GDPR compliant and to remain GDPR compliant. This can mean using new software (a technical measure) or creating new processes within the organisation (an organisational measure) to improve data security.

Pseudonymisation vs Anonymisation in the context of the GDPR

Pseudonymised data is data that you cannot link to a person unless you have a key or code that allows you to make the link.
An example: you have a list of dates of birth (DOB), numbered 1 to 100. Each DOB could belong to anybody, so the list is pseudonymised data. There is a second list with names on it, also numbered 1 to 100. This second list is the key to the DOB list, allowing you to match each DOB with a name. As long as the two lists are kept separate, the dates of birth are pseudonymised.

Anonymised personal data can in no way be associated with a person. It is impossible to say who the data belongs to. Some people use this method to execute the “right to be forgotten”, i.e. deleting data.
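The two-list scheme above, as an added example (not TRUENDO's code): the data list carries only a token and the DOB, a separately held key maps token to name, and an erasure request is served by destroying that person's key entry, after which their row can no longer be linked to anyone. The records are constructed, fictitious people; the function names are ours.

```python
import secrets

# Constructed sample records (fictitious people), standing in for the
# page's "names list" and "dates of birth list".
PEOPLE = [
    {"name": "Alice Example", "dob": "1984-03-12"},
    {"name": "Bob Sample", "dob": "1990-11-02"},
    {"name": "Carol Demo", "dob": "1977-07-30"},
]


def pseudonymise(records):
    """Split records into (data list, key).

    The data list holds a random token plus the DOB and nothing that names
    a person; the key maps token -> name. The two must be stored and
    access-controlled separately; that separation is what makes the DOB
    list pseudonymised. (The page's example uses positions 1-100 as the
    link; a random token does the same job without revealing order.)
    """
    data, key = [], {}
    for rec in records:
        token = secrets.token_hex(8)
        data.append({"id": token, "dob": rec["dob"]})
        key[token] = rec["name"]
    return data, key


def reidentify(data, key):
    """Join the data list back to names. Only rows whose key entry still
    exists get a name; the rest come back with name=None."""
    return [{"name": key.get(row["id"]), "dob": row["dob"]} for row in data]


def erase_link(key, token):
    """Serve an erasure request by destroying one person's key entry.

    The DOB row stays usable for statistics but can no longer be tied to
    anyone, i.e. for that row the data is now anonymised.
    Returns True if a link was actually removed.
    """
    return key.pop(token, None) is not None


def is_pseudonymised(row, key):
    """True while the row can still be tied to a person via the key and is
    therefore still personal data under the GDPR (Recital 26)."""
    return row["id"] in key
```

Only holding the key separately protects the DOB list; if the same people who can read the DOB list can also read the key, the data is effectively not pseudonymised at all.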

If you have any further questions, please do not hesitate to contact us and we will get back to you ASAP.