§ 22 BDSG
Processing of special categories of personal data
(1)By way of derogation from Article 9 Subsection (1) of Regulation (EU) 2016/679, the processing of special categories of personal data within the meaning of Article 9 Subsection (1) of Regulation (EU) 2016/679 shall be permissibleand insofar as in the cases of No. 1(d) and No. 2, the interests of the controller in the data processing override the interests of the data subject. 1 by public and non-public bodies, where it
a)is necessary to exercise rights or fulfil obligations arising from the law of social security and social protection,;
b)is necessary for the purposes of preventive medicine, for the assessment of the working capacity of the employee, for medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services or pursuant to a contract between the data subject and a health professional and where those data are processed by or under the responsibility of medical personnel or other persons subject to a corresponding obligation of secrecy,;
c)is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products and medical devices; in addition to the measures referred to in Subsection (2), in particular the professional and criminal law requirements for the preservation of professional secrecy shall be observed, or;
d)is strictly necessary for reasons of substantial public interest,; 2 by public bodies, where it
a)is necessary to avert a substantial danger to public security,;
b)is strictly necessary to avert substantial disadvantages to the common good or to safeguard substantial interests of the common good or;
c)is necessary for compelling reasons of defence or for the fulfilment of supra-national or inter-governmental obligations of a public body of the Federation in the field of crisis management or conflict prevention or for humanitarian measures
(2)In the cases referred to in Subsection (1), appropriate and specific measures to safeguard the interests of the data subject shall be provided. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the varying likelihood and severity of the risks for the rights and freedoms of natural persons posed by the processing, such measures may in particular include: 1 technical and organisational measures to ensure that processing is carried out in accordance with Regulation (EU) 2016/679,; 2 measures to ensure that it is possible to verify and establish subsequently whether and by whom personal data have been entered, modified or removed,; 3 awareness-raising of those involved in processing operations,; 4 designation of a data protection officer,; 5 restriction of access to personal data within the responsible body and by processors,; 6 pseudonymisation of personal data,; 7 encryption of personal data,; 8 ensuring the ability to ensure the confidentiality, integrity, availability and resilience of systems and services in connection with the processing of personal data, including the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident,; 9 establishing a procedure to regularly test, assess and evaluate the effectiveness of technical and organisational measures for ensuring the security of the processing or; 10 specific procedural rules which, in the case of a transfer or processing for other purposes, ensure compliance with the requirements of this Act and of Regulation (EU) 2016/679.