§ 34 NDSG
Technical and organisational measures for data protection and data security
(1) The controller shall, taking into account the nature, scope, circumstances and purposes of the processing as well as the likelihood and severity of the risk to the rights and freedoms of natural persons, take appropriate technical and organisational measures to ensure a level of protection appropriate to the risk when processing personal data, in particular with regard to the processing of special categories of personal data.
(2) The controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, take appropriate measures which are designed to implement data protection principles, such as data minimisation, in an effective manner and to ensure that the statutory requirements are met and the rights of data subjects are protected. In doing so, the controller shall take into account the state of the art, the costs of implementation, the nature, scope, circumstances and purposes of the processing as well as the varying likelihood and severity of the risks to the rights and freedoms and legitimate interests of data subjects associated with the processing. In particular, the processing of personal data and the selection and design of data processing systems shall be guided by the objective of processing as few personal data as possible. Personal data shall be anonymised or pseudonymised at the earliest possible point in time, insofar as the processing purpose allows.
(3) The controller shall take appropriate technical and organisational measures to ensure that, by default, only such personal data are processed as are necessary for each specific processing purpose. This shall apply to the amount of personal data collected, the extent of their processing, their storage period and their accessibility. In particular, the measures must ensure that personal data are not made accessible by default to an indefinite number of persons without human intervention.