zlacker

1. mjewto+(OP) 2018-05-18 14:55:49
First off, IANAL. I'm a European citizen working in IT who has to deal with GDPR in my professional role. I believe there is a lot of hysteria and FUD around GDPR. Anyway, this is how I would handle your problems.

1. In the same article[1] that you reference, the following paragraph might apply to your business:

> 27.2 The obligation laid down in paragraph 1 of this Article shall not apply to:
> processing which is occasional, does not include, on a large scale, processing of special categories of data as referred to in Article 9(1)

I would ignore it for now. If any supervising authorities contact you regarding compliance issues, talk to an expert.

2. This is if you use consent as the legal basis for collecting the data. I have seen a few businesses use 6.1.f [2] (legitimate interests) as their legal basis, which has other issues, like the weighing test of interests not having been tested in court yet. The Article 29 Data Protection Working Party has released opinions on how 'legitimate interests' should be used [3]. However, there are other laws about marketing that could apply on a country-by-country basis. If you select the consent route, a double opt-in with the possibility to opt out at any time should be sufficient, as long as you document the text of the opt-ins and record it together with the date and time of the opt-in. Oh, and don't make the consent conditional on getting your goods/services. I can recommend the Article 29 WP guidelines on consent[4] for extended reading. It sounds like your current process is enough or requires very little tweaking; I would keep it as is.

3. I have not run a consent campaign. I have run information campaigns about our users' rights with links to the required documentation, and they have been appreciated. I would not run a consent campaign, as I believe your consent should be good enough based on the process mentioned above.

Hope this helps!

[1] https://gdpr-info.eu/art-27-gdpr/
[2] https://gdpr-info.eu/art-6-gdpr/
[3] http://ec.europa.eu/justice/article-29/documentation/opinion...
[4] https://iapp.org/media/pdf/resource_center/20180416_Article2...

replies(1): >>weehob+Lw
2. weehob+Lw 2018-05-18 18:55:19
>>mjewto+(OP)
Thanks mjewtoo, I appreciate the feedback.

Re #1: To be exempt you must fit all 3 criteria:

1. processing is occasional
2. does not include, on a large scale, processing of special categories of data (e.g. religious, political, criminal backgrounds, sexual orientation, etc.), AND
3. unlikely to result in a risk to the rights and freedoms of natural persons

I collect a number of emails on my website and apps every day, so I don't think my processing is "occasional". If I collected emails once a year or even once a month, sure, I could argue that processing is occasional. But collecting 10-20 email signups per day doesn't seem occasional to me.

2. Thanks for your opinion on this. I think I agree with your assessment.

3. Again, I think I agree with you. Thanks for your opinion.

Very helpful, thanks!
