
§ 60 HDSIG

Notification of Personal Data Breaches to the Hessian Data Protection Commissioner

(1) The controller shall notify a personal data breach to the Hessian Data Protection Commissioner without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the Hessian Data Protection Commissioner is not made within 72 hours, it shall be accompanied by reasons for the delay. § 59 para. 1 sentence 2 shall apply accordingly.
(2) Where the processor becomes aware of a personal data breach, he or she shall notify the controller without undue delay.
(3) The notification under para. 1 shall contain at least the following information:
1. a description of the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned, the categories of personal data concerned and the approximate number of personal data records concerned,
2. the name and contact details of the data protection officer or other contact point for further information,
3. a description of the likely consequences of the personal data breach, and
4. a description of the measures taken or proposed by the controller to address the personal data breach and, where applicable, measures to mitigate its possible adverse effects.
(4) Where, and insofar as, the information under para. 3 cannot be provided at the same time, the controller shall provide the information in phases without undue further delay.
(5) The controller shall document personal data breaches. The documentation shall comprise all facts relating to the incidents, their effects and the remedial measures taken.
(6) Where a personal data breach involves personal data that were transmitted by or to a controller in another Member State of the European Union, the information referred to in para. 3 shall be transmitted to the controller in that Member State without undue delay.
(7) § 37 para. 4 shall apply accordingly.
(8) Further obligations of the controller to notify personal data breaches shall remain unaffected.
Source: https://www.rv.hessenrecht.hessen.de/bshe/document/jlr-DSIFGHErahmen
Citation: GVBl. HE I 2018 S. 82
As of: 2024-01-01
Retrieved: 2026-02-28