Old 02-24-20, 01:13 PM
  #52  
cathalferris
Banned
 
I assure you that our legal team is quite familiar with GDPR and we/our sales team don't take any action that is not to my knowledge within the law.
Here's our cookie policy:
If you have concerns about our implementation of GDPR, you can contact our legal team here:__
It would appear that you've paid for bad advice, or that your legal team did not perform due diligence adequately. That's unfortunate, as it leaves you exposed.
You can be construed as doing business in the EU once you have EU citizens amongst your users, and you've got a responsibility under the Directive.

Your attempt at a GDPR notice does not give site viewers the option of choosing what cookies are active on the site, required for an explicit opt-in of your viewers. Simply listing your desire to force cookie usage on viewers in order to view the site is a contravention of the GDPR as you're not allowed to withhold service based on the viewer's cookie management choices; your legal team should have made this clear to you. If they didn't, or if they have a differing interpretation, then it would appear they may need a reeducation on the subject.

Your advertising of your cookie policy as a defence is irrelevant for GDPR purposes as it does not allow an informed and explicit opt-in for the usage of the viewer's data.

The cookie policy also contravenes the Directive as it does not state how to opt-in, only how to opt-out - meaning you have designed things to be opt-in by default and that is a contravention.

Once I made it clear that I was an EU citizen and that I did not consent to my personally identifiable information being used for 3rd party marketing purposes, and that I continued to receive 3rd party marketing material, that is also a contravention. It can be viewed as a data breach as a third party now has my data from this site without my explicit consent, and you neither informed me of exactly that nor requested my consent - and that's another contravention.

I've no longer any need to contact your legal team about the issue, as it's perfectly clear that they haven't done their job correctly. It's not just the sales team that have GDPR responsibility - the data processor that gave the sales team the information also has failed their GDPR responsibility.

It'll be interesting to hear the responses from your legal team to my points as raised here.

IBJoel - emails are considered PII - and the spam emails show you've definitely given them to another group without consent. Doesn't matter if it's a parent company or whoever, if you've not gained explicit opt-in consent since GDPR came into force for the PII to be used elsewhere, you're in direct contravention.

As an aside, a clear and honest apology for the spam emails would also be useful, and entirely appropriate.

Last edited by cathalferris; 02-24-20 at 01:20 PM. Reason: message for IBJoel specifically.