Why do you need a Data protection declaration?
Almost every company today has its own website and every website collects user data (e.g. IP addresses), which also means that it invades the privacy of users.
What's more, a Data protection declaration can protect your company legally by setting out clear rules for data use. This can help to avoid or quickly resolve legal problems and disputes.
And: If you do not provide visitors to your website with complete, correct and timely information, you are committing an infringement of Section 11 of the German Telemedia Act (Telemediengesetz). In the worst case, this administrative offense can result in a fine of up to 50,000 euros.
You may also run the risk of being warned by a competitor (see, for example, the "Act to Improve the Civil Law Enforcement of Consumer Protection Provisions of Data Protection Law" (Gesetz zur Verbesserung der zivilrechtlichen Durchsetzung von verbraucherschützenden Vorschriften des Datenschutzrechts)).
What points should your Data protection declaration contain?
A Data protection declaration for a website must contain certain information in order to comply with the requirements of the General Data Protection Regulation (GDPR; German: DSGVO). What it has to cover also depends on the content of the homepage.
In any case, you must provide information about the use of the data obtained through general data collection and about special features that are integrated into the site. General data collection includes, for example, IP addresses, without which the website cannot be accessed. It also includes the data provided by the browser, such as the browser type, the operating system used and the websites visited. In addition, information must be provided on the use of all data collected via special categories such as competitions, newsletters, contact forms or web analysis tools. In particular, the handling of all personal data (information about a specific or identifiable person) must be clearly regulated in your Data protection declaration.
This Data protection declaration must be accessible at all times. That's why it belongs in its own tab - just like the legal notice.
Here are some important points that should be included in a Data protection declaration for your website:
- Responsible body:
Name and contact details of the controller (e.g. company name, address, e-mail address).
- Data protection officer:
If available, the contact details of the data protection officer.
- Purpose of data processing:
Clear information on the purposes for which personal data is collected and processed. This could include, for example, the provision of services, responding to inquiries or marketing activities.
- Legal basis for processing:
Explanation of the legal basis or bases on which the data processing is based (e.g. consent, performance of contract, legal obligation).
- Types of data:
A list of the types of personal data being processed (e.g. name, address, email address).
- Data recipients:
An indication of whether and to whom personal data is disclosed, including third parties or processors.
- Transfer of data abroad:
If personal data is transferred outside the EU, this must be stated and it must be ensured that the process is legally secure.
- Storage period:
Specification of the duration for which personal data is stored.
- Data subject rights:
Explanation of the rights of data subjects, including the right of access, rectification, erasure and objection.
- Right of withdrawal:
Indication that data subjects can withdraw their consent to data processing at any time.
- Right to lodge a complaint:
Information about the right to lodge a complaint with the data protection supervisory authority.
- Cookies and tracking technologies:
- Security measures:
Indication of security measures to protect personal data.
Provision of contact details for data protection inquiries.
- Social media:
The above points can of course only serve as general guidelines.
Therefore, as always, it is advisable to seek legal advice to avoid (costly) mistakes.