Data protection

A data protection declaration describes how data (in particular personal data ) is processed by an organization, i.e. how this data is collected, used and whether it is passed on to third parties. In addition, it is often described which measures the organization takes to protect the privacy of its customers or users.

In many countries there is a legal obligation to keep data protection declarations available. In addition, private organizations such as the Platform for Privacy Preferences Project or the Internet Content Rating Association have set their own standards for data protection declarations.

A data protection declaration must be differentiated from consent under data protection law . In the case of a data protection declaration, the person responsible explains to the data subject whether and how he processes their data. Consent, on the other hand, serves to justify data processing that is otherwise not permitted by law, for example the sending of advertising emails.

Legal situation in the European Union

In the European Union, everyone who processes personal data as the person responsible must inform those concerned about certain aspects of data processing in accordance with Articles 13 and 14 of the General Data Protection Regulation .

Legal situation in Germany

In addition to the aforementioned provision in the General Data Protection Regulation, there are further obligations to maintain a data protection declaration in the law of individual member states, for example in Germany for providers of telemedia (such as websites) in Section 13 (1) of the Telemedia Act .

Users of telemedia must then be informed "at the beginning of the usage process" "in a generally understandable form" "about the type, scope and purpose of the collection and use of personal data", in particular whether data processing takes place in countries outside the European Union or the European Economic Area.

If necessary, in this context, providers must inform users in accordance with Section 15 (3) TMG that they can object to the creation of pseudonymous user profiles ( web tracking ). Finally, the user is to be informed of the possibility of using the online offer anonymously or under a pseudonym (Section 13 (6) sentence 2 TMG).

If the data protection declaration is missing on a website, this constitutes a warning against competition law .

The data protection declaration must be included on a website under a separate menu item, separate from the legal notice (for example “data protection” or “data protection declaration”).

Web links

OECD : Working Party on Information Security and Privacy: Making Privacy Notices Simple (PDF; 0.23 MB)

Individual evidence

↑ Matthias Lachenmann: Form manual for data protection law . Ed .: Ansgar Koreng, Matthias Lachenmann. 2nd Edition. Beck, Munich 2018, ISBN 978-3-406-69542-1 , FI 1.

[1] Matthias Lachenmann: Form manual for data protection law . Ed .: Ansgar Koreng, Matthias Lachenmann. 2nd Edition. Beck, Munich 2018, ISBN 978-3-406-69542-1 , FI 1.