Art. 5 BayDSG
Transmission (on Art. 6 paras. 2 to 4 GDPR)
(1)A transmission of personal data shall be permissible where
(2)it is necessary for the performance of a task incumbent upon the transmitting or the receiving public body, or
(3)the recipient is a non-public body, that body credibly demonstrates a legitimate interest in the knowledge thereof and the data subject has no overriding legitimate interest in the exclusion of the transmission; this shall also apply insofar as the data are transmitted for purposes other than those for which they were collected.
(4)In the case of a transmission pursuant to sentence 1 no. 2, the recipient may process the transmitted data only for the purpose for which they were transmitted.
(5)Where personal data are linked with further personal data of the data subject or of third parties in such a way that separation is not possible or is possible only with unreasonable effort, the transmission of such data to public bodies shall also be permissible, provided that the legitimate interests of the data subject or third parties do not manifestly prevail.
(6)Where the inspection or maintenance of automated procedures or data processing systems is carried out by other bodies and access to personal data cannot be excluded, Art. 28 paras. 1 to 4, 9 and 10 GDPR shall apply accordingly. If the contract or other legal instrument required by Art. 28 para. 3 GDPR cannot be drawn up in writing or electronically before the processing, this must be done without undue delay.
(7)Where personal data are transmitted to another public body at its request, the latter shall bear responsibility for the lawfulness of the transmission. The requested body shall only transmit data if the request falls within the scope of the recipient's tasks. Otherwise, it shall bear responsibility only where there is particular reason to examine the lawfulness.