§ 58 DSG NRW
Requirements for the security of processing
(1) The controller and the processor shall, taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of the processing, and the likelihood and severity of the risks to the rights of the data subjects associated with the processing, take the necessary technical and organisational measures to ensure a level of security appropriate to the risk when processing personal data, in particular with regard to the processing of special categories of personal data. The controller shall take into account the relevant Technical Guidelines and Recommendations of the Federal Office for Information Security.
(2) The measures referred to in paragraph 1 may include, among other things, the pseudonymisation and encryption of personal data, provided that the effort involved is proportionate to the intended purpose of protection. The measures pursuant to paragraph 1 shall be designed to ensure that
1. the confidentiality, integrity, availability and resilience of systems and services in connection with the processing are ensured on an ongoing basis, and
2. the availability of personal data and access to them can be restored rapidly in the event of a physical or technical incident.
In the case of processing of personal data, the controller and the processor shall, on the basis of a risk assessment, take measures to ensure that
1. only authorised persons can access personal data (confidentiality),
2. personal data remain intact, complete and up to date during processing (integrity),
3. personal data are available in a timely manner and can be properly processed (availability),
4. personal data can be attributed to their origin at all times (authenticity), and
5. the procedures for the processing of personal data are documented in a complete, current and comprehensible manner within a reasonable time (transparency).
For the implementation of paragraph 2, in particular the following measures shall be taken:
1. denying unauthorised persons access to data processing equipment used to process personal data (access control),
2. preventing data storage media from being read, copied, modified or removed without authorisation (data storage media control),
3. preventing the unauthorised input and the unauthorised access to, modification or erasure of stored personal data (storage control),
4. preventing automated data processing systems from being used by unauthorised persons by means of data transmission equipment (user control),
5. ensuring that persons authorised to use an automated data processing system have access only to the data covered by their access authorisation (access rights control),
6. ensuring that it is possible to verify and determine to which bodies personal data have been or may be transmitted or made available by means of data transmission equipment (transmission control),
7. ensuring that it is subsequently possible to verify and determine which personal data have been entered into automated data processing systems, when and by whom (input control),
8. ensuring that personal data processed on behalf can only be processed in accordance with the instructions of the controller (instructions control),
9. preventing the unauthorised reading, copying, modification or erasure of personal data during the transmission thereof and during the transport of data storage media (transport control),
10. organising the internal structure of the authority or the enterprise in such a way that it meets the specific requirements of data protection (organisation control),
11. ensuring that personal data are protected against destruction or loss (availability control),
12. ensuring that deployed systems can be restored in the event of a malfunction (recovery),
13. ensuring that all functions of the system are available and any malfunctions are reported (reliability),
14. ensuring that stored personal data cannot be damaged by system malfunctions (data integrity), and
15. ensuring that personal data collected for different purposes can be processed separately (separability).
A purpose under sentence 1, numbers 2 to 5, may in particular be achieved by using encryption procedures that correspond to the state of the art.