
§ 34 NDSG

Technical and organisational measures for data protection and data security

(1) The controller shall, taking into account the nature, scope, circumstances and purposes of the processing as well as the likelihood and severity of the risk to the rights and freedoms of natural persons, take appropriate technical and organisational measures to ensure a level of protection appropriate to the risk when processing personal data, in particular with regard to the processing of special categories of personal data.

(2) ¹The controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, take appropriate measures which are designed to implement data protection principles, such as data minimisation, in an effective manner and to ensure that the statutory requirements are met and the rights of data subjects are protected. ²In doing so, the controller shall take into account the state of the art, the costs of implementation, the nature, scope, circumstances and purposes of the processing as well as the varying likelihood and severity of the risks to the rights and freedoms and legitimate interests of data subjects associated with the processing. ³In particular, the processing of personal data and the selection and design of data processing systems shall be guided by the objective of processing as few personal data as possible. ⁴Personal data shall be anonymised or pseudonymised at the earliest possible point in time, insofar as the processing purpose allows.

(3) ¹The controller shall take appropriate technical and organisational measures to ensure that, by default, only such personal data are processed as are necessary for each specific processing purpose. ²This shall apply to the amount of personal data collected, the extent of their processing, their storage period and their accessibility. ³In particular, the measures must ensure that personal data are not made accessible by default to an indefinite number of persons without human intervention.

Source: https://voris.wolterskluwer-online.de/browse/document/c71011b0-4907-350d-9a9b-43d938e79fda
Citation: Nds. GVBl. 2018 S. 66 (VORIS 20600)
As of: 2024-02-08
Retrieved: 2026-02-28