
§ 17 NDSG

Processing of special categories of personal data

(1) The processing of special categories of personal data within the meaning of Article 9(1) of the General Data Protection Regulation shall be lawful insofar as and as long as it is necessary
1. for the exercise of rights and obligations arising from the law of social security and social protection,
2. for the exercise of rights and obligations of public bodies in the field of service and employment law,
3. for the purposes of preventive health care or occupational medicine, for the assessment of the working capacity of employees, for medical diagnostics, the provision of care or treatment in the health or social sector, or for the management of systems and services in the health and social sector, or on the basis of a contract between the data subject and a health professional, where such data are processed by medical personnel or by other persons subject to a duty of confidentiality, or under their responsibility,
4. for reasons of public interest in the area of public health and protection against infection, such as protection against serious cross-border threats to health or to ensure high standards of quality and safety of healthcare and of medicinal products and medical devices; in addition to the measures referred to in paragraphs 2 and 3, the requirements of professional law and criminal law regarding the protection of professional secrecy shall in particular be observed,
5. for the prevention of substantial disadvantages to the public interest or of dangers to public security and order,
6. for the prosecution of criminal offences or administrative offences, for the enforcement or execution of sentences or measures within the meaning of § 11(1) number 8 of the Criminal Code (StGB) or of educational measures or disciplinary measures within the meaning of the Juvenile Courts Act, or for the enforcement of fines.

(2) Where, in the course of data processing pursuant to this Chapter or pursuant to other data protection provisions, special categories of personal data within the meaning of Article 9(1) of the General Data Protection Regulation are processed, the following measures shall be taken by the controllers and the processors to safeguard the fundamental rights and interests of the data subject:
1. ensuring that it can be subsequently established whether and by whom personal data have been processed,
2. restricting authorisations for access to personal data to what is necessary and documenting the authorisations,
3. raising awareness among persons who have access to the personal data.

(3) ¹Insofar as it is necessary for the protection of special categories of personal data, the controllers and processors shall take further appropriate and specific measures in addition to those referred to in paragraph 2. ²The following measures may in particular be considered:
1. ensuring that the personal data are only released for processing under the four-eyes principle,
2. ensuring that the personal data are only accessed after two-factor authentication,
3. ensuring that the electronic transmission of personal data is only carried out with encryption,
4. ensuring that in a networked IT system the personal data are only stored with encryption,
5. ensuring that data loss is avoided by means of a redundant design of systems, energy supply and data transmission equipment,
6. ensuring that data are not unlawfully altered and that their integrity is maintained, for example by means of an electronic signature,
7. training of persons who have access to the personal data.

(4) The nature and extent of the measures pursuant to paragraphs 2 and 3 shall be determined by the state of the art and the costs of implementation, the nature, scope, circumstances and purpose of the data processing, and the likelihood and severity of the risks for the fundamental rights and interests of the data subject associated with the data processing.

Source: https://voris.wolterskluwer-online.de/browse/document/c71011b0-4907-350d-9a9b-43d938e79fda
Citation: Nds. GVBl. 2018 S. 66 (VORIS 20600)
As of: 2024-02-08
Retrieved: 2026-02-28