Creation of a Data Protection Declaration

Data Protection Declaration for More Transparency in the Handling of Customer Data

Increasing technological development and globalization are leading to ever stricter data protection requirements. One of the many resulting challenges for companies is the correct design of a GDPR-compliant data protection declaration. In practice, a comprehensive range of standardized data protection declarations and templates has already emerged. However, such automatically generated data protection declarations are of limited use to companies with complex business models and a high volume of data processing. This applies in particular to FinTech companies and digital financial companies in general. In these cases, individual data protection concepts must be developed. The data protection declaration is only the visible tip of the iceberg: BaFin also requires financial companies to comply with the data protection regulations applicable to them in many areas, and written law imposes corresponding obligations on financial companies. For example, Regulation (EU) 2022/2554, known as the Digital Operational Resilience Act (DORA), contains numerous provisions obliging financial companies to comply with data protection regulations. Data protection compliance is therefore becoming increasingly important for the financial sector as well.

Legal Basis for the Processing of Personal Data

One of the principles of the GDPR is the principle of lawfulness. This means that personal data may only be processed if there is a legal basis for doing so; consequently, every processing operation requires such an authorization. Processing includes any collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, or disclosure by transmission of personal data. The legal basis can be, for example, the consent of the data subject, but also a contractual relationship or a balancing of interests. The data protection declaration must be distinguished from the declaration of consent, which can itself be a legal basis for the processing of personal data. A data protection declaration serves to make the processing of personal data transparent to the data subjects. It must therefore inform the data subject in a simple and understandable way about the data collection and data processing as well as the underlying legal basis.

Content of a Compliant Data Protection Declaration

The data protection declaration must be complete and correct. If the required information is not provided or not provided in good time, this constitutes a breach of the GDPR. In addition, the GDPR sets out a number of content requirements that a data protection declaration must meet in order to comply with the principle of transparency. By reading a company’s data protection declaration, the data subject should be able to understand the scope of data processing in relation to the personal data concerning them. In addition, the data protection declaration should enable them to assess their legal options in connection with the data processing by the company in question. Among other things, the controller must provide information about the categories of data processed, the duration of storage, the recipients in the event of transfer and the underlying legal bases. If data is transferred to a third country, information on existing adequacy decisions or other guarantees must be provided. Finally, the data subject must be informed in detail about their rights as a data subject.

The competent lawyer for advice regarding the creation of a data protection declaration in our law firm is Attorney Lutz Auffenberg LL.M. (London) with assistance of Attorney Anton Schröder.