Looking for an external Data Protection Officer?DATUREX GmbH Dresden
DATUREXData Protection Laws
HDSIG — Table of Contents

§ 61 HDSIG

Notification of Data Subjects

(1)in the Event of Personal Data Breaches
(2)Where a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall notify the data subjects of the breach without undue delay. § 59 para. 1 sentence 2 shall apply accordingly.
(3)The notification under para. 1 shall describe, in clear and plain language, the nature of the personal data breach and contain at least the information and measures referred to in § 60 para. 3 nos. 2 to 4.
(4)The notification of the data subject under para. 1 shall not be required where 1. the controller has implemented appropriate technical and organisational safeguards and those safeguards were applied to the personal data affected by the breach; this shall apply in particular to safeguards such as encryption that render the data unintelligible to any person who is not authorised to access it; 2. the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of the data subjects within the meaning of para. 1 is in all likelihood no longer materialising; or 3. it would involve a disproportionate effort; in that case, a public communication or a similar measure shall be made instead, by which the data subjects are informed in an equally effective manner.
(5)Where the controller has not notified the data subjects of a personal data breach, the Hessian Data Protection Commissioner may require the controller to do so, or may establish with binding effect that certain of the conditions referred to in para. 3 are met. In doing so, he or she shall take into account the likelihood that the personal data breach will result in a high risk within the meaning of para. 1.
(6)The notification of the data subjects under para. 1 may be postponed, restricted or omitted under the conditions referred to in § 51 para. 2, insofar as the interests of the data subject do not prevail on account of the high risk arising from the breach within the meaning of para. 1.
(7)§ 37 para. 4 shall apply accordingly.

Unofficial translation

The authoritative version is the German text published by the competent German authority. This English translation is provided for convenience only and carries no legal force.

Source:
https://www.rv.hessenrecht.hessen.de/bshe/document/jlr-DSIFGHErahmen
Citation:
GVBl. HE I 2018 S. 82
As of:
2024-01-01
Retrieved:
2026-02-28