§ 20 HDSIG
Processing of Special Categories of Personal Data
(1) By way of derogation from Art. 9 para. 1 of Regulation (EU) No 2016/679, the processing of special categories of personal data within the meaning of Art. 9 para. 1 of Regulation (EU) No 2016/679 by public bodies shall be permissible where it
1. is necessary for exercising rights arising from the law of social security and social protection and for fulfilling the related obligations,
2. is necessary for the purposes of preventive health care, for the assessment of the working capacity of employees, for medical diagnostics, the provision of care or treatment in the health or social sector, or for the management of systems and services in the health and social sector, or on the basis of a contract between the data subject and a health professional, and such data are processed by medical staff or by other persons who are subject to a corresponding obligation of confidentiality, or under their responsibility, or
3. is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products and medical devices; in addition to the measures referred to in para. 2, the professional law and criminal law requirements for maintaining professional secrecy shall be complied with in particular,
4.
a) is absolutely necessary for reasons of substantial public interest,
b) is necessary for averting a significant danger to public security, or
c) is necessary for compelling reasons of defence or for humanitarian measures,
and insofar as the interests of the controller in the data processing outweigh the interests of the data subject.
(2) In the cases referred to in para. 1, appropriate and specific measures to safeguard the interests of the data subject shall be provided for. Taking into account the state of the art, the cost of implementation and the nature, scope, circumstances and purposes of the processing as well as the varying likelihood and severity of the risks to the rights and freedoms of natural persons associated with the processing, these may in particular include:
1. technical and organisational measures to ensure that the processing complies with Regulation (EU) No 2016/679,
2. measures ensuring that it can subsequently be verified and established whether and by whom personal data have been entered, altered or removed,
3. raising the awareness of those involved in processing operations,
4. restricting access to personal data within the responsible body and of processors,
5. pseudonymisation of personal data,
6. encryption of personal data,
7. ensuring the ability to ensure the confidentiality, integrity, availability and resilience of systems and services in connection with the processing of personal data, including the ability to rapidly restore availability and access in the event of a physical or technical incident,
8. establishing a procedure for regular review, assessment and evaluation of the effectiveness of the technical and organisational measures to ensure the security of the processing, or
9. specific procedural rules which, in the case of a transfer or processing for other purposes, ensure compliance with the requirements of this Act and of Regulation (EU) No 2016/679.
(3) Where personal data are not processed by automated means, measures shall be taken in particular to prevent unauthorised access during handling, storage, transport and destruction.