If data is mishandled during mediation on an online marketplace, the result is not only disputes but also GDPR problems. For me, the core is quite simple: mediation data may only be used for the dispute at hand, access must be tightly restricted, and data must be retained or deleted according to fixed periods.
I take away mainly these points from the article:
- GDPR, BDSG, and the Mediation Act work together
- Confidentiality and data protection are not the same
- Platform, mediator, and IT service providers have different roles
- Each phase requires its own legal basis
- Rights to information and deletion apply, but not without limits
- Typical mistakes include too many accesses, missing deletion periods, and insecure transmission
In short: If I want to set up mediation on a platform like Gunfinder in compliance with the law, I need clear responsibilities, minimal data, separate case files, encrypted communication, and a deletion plan with periods such as 6 or 10 years, depending on the document.
My brief conclusion: Data protection in mediation is not an additional point. It belongs in forms, processes, contracts, and systems from the very beginning.
Legal Framework: GDPR, BDSG, and the Mediation Act
After confidentiality and data protection have been considered separately, we now turn to the legal rules behind them. For mediation procedures in Germany, three legal sources are particularly important. They work together, but each covers a different aspect.
| Law | Scope | Core Obligations | Relevance for Mediation |
|---|---|---|---|
| GDPR | All controllers in the EU | Principles according to Art. 5, legal basis (Art. 6), fines (Art. 83) | Basis for data processing in the procedure |
| BDSG | Public and private entities in Germany | Data protection officer obligation (§ 38), employee data (§ 26), restriction of the right to information (§ 29) | Can limit the rights of data subjects where confidentiality interests are at stake |
| Mediation Act | Mediators and their assistants | Confidentiality (§ 4) | Protects the content of the procedure beyond mere data processing |
For mediation cases, three points are particularly important: purpose limitation, a clear legal basis, and clearly defined roles. In the case of Gunfinder, this primarily concerns user, transaction, and communication data from the dispute.
GDPR Principles for Processing Mediation Data
Art. 5 GDPR states the basic rules that apply to any processing of personal data – including in mediation procedures [2]. Here, these rules are more than mere formalities. They practically determine what can and cannot be done with case data.
Purpose limitation means that data collected for dispute resolution cannot suddenly be used for other purposes. A typical example would be evaluation for marketing analyses. This cannot simply be done [2].
Data minimization means that forms may only request what is needed for the specific case. Not everything that "might be useful someday" automatically belongs in data collection. This is where good practice separates from unnecessary data collection.
Additionally, there is storage limitation. Case data must be deleted as soon as the purpose is fulfilled, unless tax retention periods apply [2]. For communication in the procedure, the principle of integrity and confidentiality also applies. In other words: The transmission should be technically secured, for example, via TLS/SSL or end-to-end encryption [2][8].
The processing is usually based on Art. 6 para. 1 lit. b GDPR. For individual communication channels, consent may also be required [2].
How these rules are applied in the individual procedural phases will be shown in the next part.
How BDSG and Mediation Act Add German Particularities
The GDPR is the framework at the EU level. The BDSG complements it for Germany. For practice, § 38 BDSG is particularly important: Anyone who regularly employs at least 20 persons for automated data processing must appoint a data protection officer [2][7]. Once this threshold is reached, the obligation applies.
Section 29 BDSG also plays an important role in the mediation context. The provision can limit the right to information under Art. 15 GDPR if the disclosure would violate the confidentiality interests of other parties involved. In plain language: One party cannot simply demand all information about the other party if it is protected by confidentiality [2][4].
In addition, there is § 4 MediationsG. It obliges mediators and participants to maintain confidentiality about everything that becomes known to them in the mediation [5]. This goes beyond mere data processing. Not only stored data is protected, but also spoken words, impressions, and non-verbal communication [8][4].
It is also important to note a point that is easily overlooked in practice: The mediator has a duty of confidentiality, but no independent right to confidentiality. If the parties release him from confidentiality, he may be obliged to testify [4].
Who is responsible for the data: Platform, mediator, and service provider
Legal responsibility for data protection does not stay with one party throughout the mediation process. It can shift depending on the phase.
Gunfinder, as the platform, is initially the controller for user account and transaction data as well as for the intake of disputes [2]. The mediator, on the other hand, processes the case data for the conduct of the procedure as an independent controller [2].
The situation is different for IT service providers, such as cloud or video conferencing providers. They are processors according to Art. 28 GDPR. This means: They may only process data according to the instructions of the controller. This requires a written data processing agreement [2][8].
Compliance with these rules is monitored by the German state data protection authorities. Mediators are also subject to this control [2].
Confidentiality and Data Protection in Mediation
Confidentiality Obligations for Mediators and Parties
Anyone acting as a mediator or as a participant in a procedure is subject to confidentiality. This also applies to employees of a platform if they have access to a case. In such cases, confidentiality must be contractually established.
For the parties themselves, this obligation does not automatically apply. It must be expressly agreed upon, for example in a mediation agreement or in a separate confidentiality agreement [4][3]. That is precisely why a suitable clause should be included in every mediation agreement.
Statements made during mediation cannot, as a rule, simply be used in later proceedings [3]. Data protection and confidentiality overlap here, but they do not mean the same thing.
This results in clear guidelines for access, transfer, and storage. It is therefore not enough to just talk about confidentiality. The protection of case data must also be properly regulated.
Technical and Organizational Protection Measures for Digital Case Data
For confidentiality to exist on more than paper, technical and organizational protection measures are needed.
Case documents should only be accessible to the responsible mediator and the directly involved parties [2]. In practice, this is usually implemented through role-based access rights: Each role only sees the data it needs for the respective case. Additionally, there is the requirement for separation. Case data must be stored logically or physically separate from general marketplace data so that employees with no connection to the case do not gain access [2].
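The following sketch is an added example, not code from the article or from Gunfinder. It shows case-scoped role checks with deny-by-default and an audit trail; the role names, data categories and user names are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

# Constructed policy for illustration; role and category names are assumptions.
# A role grants only the categories it needs, and only inside an assigned case.
POLICY = {
    "intake":   {"intake_form"},
    "mediator": {"intake_form", "evidence", "session_record",
                 "mediator_notes", "agreement"},
    "party":    {"intake_form", "evidence", "session_record", "agreement"},
}

@dataclass
class CaseFile:
    case_id: str
    assignments: dict = field(default_factory=dict)   # user -> role in this case
    audit: list = field(default_factory=list)         # every decision is recorded

def can_read(user: str, case: CaseFile, category: str) -> bool:
    """Deny by default: no case assignment or no need for the category."""
    role = case.assignments.get(user)
    if role is None:
        allowed, reason = False, "no assignment to this case"
    elif category not in POLICY.get(role, set()):
        allowed, reason = False, f"role {role!r} does not need {category!r}"
    else:
        allowed, reason = True, f"role {role!r}"
    case.audit.append((user, case.case_id, category, allowed, reason))
    return allowed

def demo() -> dict:
    # Constructed sample: two separate cases and one marketplace employee
    # without any case assignment ("support_anna").
    a = CaseFile("CASE-A", {"intake_tom": "intake", "med_kim": "mediator",
                            "buyer_1": "party"})
    b = CaseFile("CASE-B", {"med_lee": "mediator", "buyer_2": "party"})
    return {
        "mediator_own_case":   can_read("med_kim", a, "mediator_notes"),
        "mediator_other_case": can_read("med_kim", b, "evidence"),
        "party_notes":         can_read("buyer_1", a, "mediator_notes"),
        "intake_evidence":     can_read("intake_tom", a, "evidence"),
        "support_no_case":     can_read("support_anna", a, "intake_form"),
        "audit_entries":       len(a.audit) + len(b.audit),
    }

if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Because the role lives on the case file rather than on the user account, a mediator in one case has no rights in another, and marketplace staff without an assignment are refused even for intake data.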
For particularly sensitive content, end-to-end encryption is advisable, such as with S/MIME or PGP [2].
On the organizational side, clear rules are also necessary. These primarily include:
- a record of processing activities according to Art. 30 GDPR
- fixed deletion periods
- compliance with statutory retention periods, such as 10 years according to § 147 AO in tax law or 6 years for legal mediators according to § 50 BRAO [1][2]
Thus, confidentiality becomes more than just a promise in the contract. It is also practically secured in daily handling of digital case data.
Legally compliant data processing on Gunfinder: from the entry of disputes to the closure of cases
GDPR-compliant mediation: Data phases & legal bases at a glance
Data collection and legal bases in each mediation phase
After the protective measures, we now focus on the practical process of case handling on Gunfinder.
It is important to note: Not every phase processes the same data. And that is exactly why each step needs its own legal basis.
| Mediation Phase | Processed Data | Legal Basis (Art. 6 GDPR) | Recommended Protective Measures |
|---|---|---|---|
| Entry of Disputes | Name, contact details, Gunfinder-ID, transaction-ID | Art. 6 para. 1 lit. b GDPR (pre-contractual) | Encrypted entry forms; access only for the entry team; deletion after a short period if no procedure follows [2] |
| Identity Verification | Redacted ID copy, proof of ownership | Art. 6 para. 1 lit. c GDPR | Deletion of the ID copy after verification; access only for authorized persons |
| Evidence Review | Chat logs, article photos, payment receipts, expert opinions | Art. 6 para. 1 lit. b GDPR | Redacting irrelevant personal data; secured digital case folder |
| Sessions | Statements, video/audio recordings, mediator notes | Art. 6 para. 1 lit. b GDPR; for recordings additionally Art. 6 para. 1 lit. a GDPR | Consent before recordings; separate storage of mediator notes |
| Agreement and Conclusion | Agreement text, account details for refunds, signatures | Art. 6 para. 1 lit. b GDPR | Digital signatures; restricted access to the final agreement |
| Storage/Archiving | Invoices, final agreements, tax-relevant communication | Art. 6 para. 1 lit. c GDPR | 10-year storage for tax-relevant documents [1][2]; automated deletion periods |
The logic behind this is quite clear: At the entry of disputes, basic data is usually sufficient for case assignment. Later, during identity verification or evidence review, it becomes significantly more sensitive. By the time of sessions, recordings, and final documents, you should therefore clearly separate who is allowed to see what and how long the data will be needed.
Data Subject Rights and Mediation Confidentiality
Data subject rights also apply in mediation proceedings. They do not simply stand still just because a dispute is ongoing.
However, there are limits. If a request for information or deletion would jeopardize the confidentiality of the mediation or the protection of the process, these rights may be set aside in individual cases. § 29 BDSG may additionally restrict the right to information. Mediator notes should therefore be kept separately in the file area; they are usually not subject to disclosure.
This is precisely where the importance of a clean file structure becomes evident. If everything ends up in a single folder, it quickly becomes confusing when requests for information or deletion inquiries arise.
Cross-Border Cases and Retention Periods
After completion and archiving, a few tricky points often arise, especially in cases with an international connection.
Within the EU and the EEA, the GDPR applies directly. For Switzerland, the adequacy decision applies. For other third countries, you need standard contractual clauses according to Art. 46 GDPR [1][2].
Regarding the retention periods, the situation is also clearer than it appears at first glance: The MediationsG itself does not specify fixed periods. For tax-relevant documents, a period of 10 years applies; for legal mediators, a 6-year period applies in addition [1][2]. An automated deletion calendar is almost mandatory here. It helps to document deadlines clearly and to initiate deletions on time.
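A deletion calendar of this kind can be sketched as follows. This is an added example, not code from the article or from Gunfinder. The 10- and 6-year periods are the article's; the document class names, the 30-day intake period, the legal-hold flag and the assumption that year-based periods run from the end of the calendar year are choices of this example and need to be confirmed for each statute.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# The 10- and 6-year periods are the ones named in the article. The day-based
# rules and the end-of-calendar-year start are assumptions of this example.
YEAR_RULES = {"tax_relevant": 10, "legal_mediator_file": 6}
DAY_RULES = {"id_copy": 0, "intake_no_procedure": 30}

@dataclass
class Record:
    record_id: str
    doc_class: str
    trigger: date             # case closure, verification or intake date
    legal_hold: bool = False  # pending dispute: keep despite expiry

def delete_after(rec: Record) -> date:
    """Last day the record may be kept."""
    if rec.doc_class in YEAR_RULES:
        # Assumed: the period runs from the end of the trigger's calendar year.
        return date(rec.trigger.year + YEAR_RULES[rec.doc_class], 12, 31)
    if rec.doc_class in DAY_RULES:
        return rec.trigger + timedelta(days=DAY_RULES[rec.doc_class])
    # A record without a rule is itself a finding: it has no deletion period.
    raise ValueError(f"no retention rule for {rec.doc_class!r}")

def deletion_run(records, today: date):
    """Split expired records into those to delete and those on legal hold."""
    due, held = [], []
    for rec in records:
        if today > delete_after(rec):
            (held if rec.legal_hold else due).append(rec.record_id)
    return due, held

# Constructed sample records.
SAMPLE = [
    Record("R1", "tax_relevant", date(2014, 3, 10)),
    Record("R2", "legal_mediator_file", date(2019, 6, 1)),
    Record("R3", "id_copy", date(2025, 1, 10)),
    Record("R4", "intake_no_procedure", date(2025, 1, 2)),
    Record("R5", "tax_relevant", date(2013, 5, 5), legal_hold=True),
]

if __name__ == "__main__":
    due, held = deletion_run(SAMPLE, date(2025, 1, 15))
    print("delete now:", due)
    print("expired but on hold:", held)
```

Raising an error for an unclassified record surfaces the "missing deletion period" mistake at write time instead of leaving the record to be kept indefinitely.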
The greatest risks often lie not in the entry of a case but later in everyday operations:
- too broad access rights
- delayed deletion
- incomplete documentation
This is where it is decided whether data processing on Gunfinder runs smoothly in everyday operations or whether a small oversight later becomes a serious data protection problem.
Risk Management and Conclusion: Keeping Mediation Procedures Compliant and Reliable
Once the process steps are established, it quickly becomes clear in practice what matters: Risk management makes the difference in quality.
Typical Compliance Risks in Mediation Files and Communication
Following the process logic from the previous section, we now come to the sensitive side of practice. In other words: Where does it often go wrong in everyday life?
| Risk Scenario | Possible Impact | Countermeasure |
|---|---|---|
| Unencrypted Transmission | Sensitive data can be intercepted | Encrypted transmission and storage |
| Excessive Data Retention | Violation of storage limitation | Documented deletion concept with fixed deadlines |
| Too Broad Internal Access Rights | Violation of confidentiality according to § 4 MediationsG | Role-based access controls; physical and digital data separation |
| Use of public cloud AI services | Confidential case data flows into public AI tools | Locally operated or secured AI systems; explicit consent of the parties [6] |
| Data breach (e.g., lost device) | Reporting obligation; fines according to Art. 83 GDPR; reputational damage | Full disk encryption; remote wipe; 72-hour reporting workflow [2] |
| Disclosure of mediation content in court | Mediation content is used as evidence | Contractual exploitation restriction in the mediation agreement [4] |
One point is often overlooked: § 4 MediationsG binds the mediator and auxiliary persons. However, this is not automatically sufficient for the parties themselves. A separate confidentiality clause is needed for that.
Documentation, training, and privacy by design
From these risks, three levers arise: Documentation, training, and technical limitation.
The record of processing activities according to Art. 30 GDPR records purpose, phase, and deletion period. This way, not everything remains in memory or in individual emails, but is neatly documented. This is particularly important in mediation processes because data flows can otherwise quickly take on a life of their own.
In addition, regular training for employees and mediators is necessary. This may sound dry at first, but in everyday life, it is often the point where mistakes are avoided. Many problems arise not from malicious intent but from routine, time pressure, or an unconsidered click.
For AI tools, there is a clear line: They operate only locally or in secured systems. Confidential case data does not belong in public services. And if a data protection incident occurs, the report is made within 72 hours.
Key statements
Legally compliant mediation requires clear responsibilities, as little data as possible, and clearly defined deletion periods. For Gunfinder as a platform, this means: clear legal bases for each processing phase, strictly limited access rights, and a documented deletion concept.
FAQs
When do I need consent for mediation data?
You need consent when the processing of personal data in mediation does not already rely on another justification.
This is especially the case with sensitive data, for example, regarding health or political opinions. Consent is also required if you want to use data for purposes that were not mentioned in the original data protection information.
Who is legally responsible for data protection in mediation?
The controller within the meaning of the GDPR is the person or entity that decides on the purpose and means of data processing. In mediation, these are the mediators.
This means in practical terms: You are responsible for handling the data. You must comply with the principles of data protection, inform about the processing, uphold the rights of the affected individuals, and implement appropriate technical and organizational measures to protect the data.
Which mediation data must I retain and for how long?
Personal data may only be stored as long as there is a legal basis for it or the data is still needed for the respective purpose. There is no fixed standard retention period.
For lawyers, a retention period of five years applies to case files according to § 50 Abs. 2 BRAO. Longer periods may arise from § 147 AO, from pending legal disputes, or from § 3 Abs. 3 of the Mediation Act.
As soon as the purpose ceases to exist, the data must be deleted.