§ 41 NDSG
Notification of a personal data breach to the supervisory authority
(1)1The controller shall notify a personal data breach to the authority headed by the Land Commissioner for Data Protection in accordance with Article 33(1) to (4) of the General Data Protection Regulation applied mutatis mutandis, and shall document it in accordance with Article 33(5) of the General Data Protection Regulation applied mutatis mutandis. 2Where personal data have been transmitted to or from the controller of another Member State, the information in accordance with Article 33(3) of the General Data Protection Regulation applied mutatis mutandis shall also be notified to that controller without undue delay.
(2)In criminal proceedings against the person obliged to notify or his or her relatives designated in § 52(1) of the Code of Criminal Procedure, the notification pursuant to paragraph 1 may only be used with the consent of the person obliged to notify.