Information Centre
Is the data intermediary GDPR-compliant?
The data intermediary is designed and operated in a manner that ensures all processing of personal data complies with the General Data Protection Regulation (GDPR) and that data protection responsibilities are clearly defined.
GDPR as a binding framework
All personal data is processed exclusively on the basis of the GDPR. The EU Data Governance Act does not introduce independent data protection legal bases; it complements the organisational and governance-related framework for data intermediation.
Clear roles and responsibilities
Data protection roles, in particular controllers, joint controllers, or processors, are clearly defined depending on the use case and documented contractually, ensuring that responsibilities for each processing activity are transparent at all times.
Purpose limitation and data minimisation
Personal data is processed only for clearly defined and contractually agreed purposes and is limited to what is necessary. Technical and organisational measures prevent use beyond the authorised purposes.
Technical and organisational measures
The data intermediary implements appropriate technical and organisational measures to ensure the confidentiality, integrity, and availability of data, including access controls, logging, encryption, and separation of processing environments.
Transparency and data subject rights
Data subjects are informed transparently about the processing of their data and can exercise their rights under the GDPR, in particular the rights of access, rectification, erasure, and restriction of processing, within the scope of the applicable responsibilities.
Data protection by design and by default
The service follows the principles of data protection by design and by default, ensuring that data protection requirements are embedded in the system architecture and operational processes from the outset.