The data intermediary is designed and operated in a manner that ensures all processing of personal data complies with the General Data Protection Regulation (GDPR) and that data protection responsibilities are clearly defined.
All personal data is processed exclusively on the basis of the GDPR; the EU Data Governance Act does not introduce independent data protection legal bases but complements the organisational and governance-related framework for data intermediation.
Data protection roles, in particular controllers, joint controllers, or processors, are clearly defined depending on the use case and documented contractually, ensuring that responsibilities for each processing activity are transparent at all times.
Personal data is processed only for clearly defined and contractually agreed purposes and is limited to what is necessary, with technical and organisational measures preventing use beyond the authorised purposes.
The data intermediary implements appropriate technical and organisational measures to ensure the confidentiality, integrity, and availability of data, including access controls, logging, encryption, and separation of processing environments.
Data subjects are informed transparently about the processing of their data and can exercise their rights under the GDPR, in particular the rights of access, rectification, erasure, and restriction of processing, within the scope of the applicable responsibilities.
The service follows the principles of data protection by design and by default, ensuring that data protection requirements are embedded in the system architecture and operational processes from the outset.