As with imprints, the data protection declaration must be easy to find. That means it must be directly visible on your website, not only reachable after 3 clicks. In addition, it must state clearly and in plain language which data is collected on the website and how it is processed.
The basis for your data protection declaration is your records of data processing activities. These now come in handy, as the most important element of a data protection declaration is a listing of which data you process, how you process it and with whom.
The following aspects should also be included:
One of the most important things is the name and address of the website operator. Should you have a compulsory data protection officer (compulsory in Germany from 10 employees), you must also provide further information on how to contact him.
This is information about disclosure, correction, erasure, processing limitation, data transferability, and the right to not be profiled. A passage about the right to withdraw consent and the right of appeal to supervisory authorities also belongs here.
Here, you should clearly state the erasure dates of the data that you store. For more information, see chapter 9.
List exactly which data is extracted, saved and also transferred to third parties. Do this as transparently and precisely as possible. If you are processing data on the basis of a legitimate interest (e.g. Google Analytics), mention this here.
As soon as you have compiled all the content, you can in principle formulate the data protection declaration yourself. However, it is more advisable to have a specialist lawyer take care of this, since investigating lawyers will actively search for gaps and formal errors in your data protection declaration.
The investment in a specialist lawyer makes sense to me when you take the impending penalties into consideration.
My recommendation: let a professional advise you on this. While there are also data security generators that can support you, they often don’t include all the tools that you personally use. More importantly, you bear the responsibility yourself here, as they always have a liability disclaimer.
To be on the safe side, you should therefore have a data protection declaration individually prepared for you by a lawyer. This way, your lawyer will be liable, not you. Considering the potential costs that could come from paying a fine, this is money very well spent.