Art. 32 BayDSG
Requirements for the Security of Processing
(1)Art. 32 paras. 3 and 4 GDPR shall not apply.
(2)In the case of automated processing, the controller or the processor shall, on the basis of a risk assessment, take measures that are suitable for
(3)denying unauthorised persons access to data processing systems used for the processing of personal data (access control),
(4)designing the internal organisation in such a way that it meets the specific requirements of data protection (organisational control),
(5)preventing
(6)the unauthorised reading, copying, alteration or removal of data carriers (data carrier control),
(7)the unauthorised entry of personal data and the unauthorised reading, alteration or deletion of stored personal data (storage control),
(8)the use of automated data processing systems by means of data transmission facilities by unauthorised persons (user control),
(9)the unauthorised reading, copying, alteration or deletion of data during the transmission of personal data and during the transport of data carriers (transport control),
(10)ensuring that
(11)persons authorised to use an automated data processing system can access only those data that are subject to their access authorisation (access rights control),
(12)it can be verified and established to which bodies personal data have been transmitted or made available by means of data transmission facilities (transmission control),
(13)it can subsequently be verified and established which personal data have been entered into automated data processing systems, at what time and by whom (input control),
(14)systems deployed can be restored in the event of a malfunction (recovery),
(15)all functions of the system are available and malfunctions that occur are reported (reliability),
(16)stored personal data cannot be damaged by system malfunctions (data integrity),
(17)personal data processed on behalf of others can only be processed in accordance with the instructions of the controller (processing control).