§ 19 LDSG RP
Processing of Special Categories of Personal Data

(1) The processing of special categories of personal data within the meaning of Article 9(1) of the General Data Protection Regulation shall be lawful on the basis of the express consent of the data subject. Consent to the processing of genetic or biometric data or health data shall require written form. The transmission of such data on the basis of consent shall only be effective where the receiving body has knowledge of the content and scope of the consent.

(2) The processing of special categories of personal data within the meaning of Article 9(1) of the General Data Protection Regulation by public bodies shall be lawful where it is strictly necessary for reasons of substantial public interest and insofar as the interests of the controller in the data processing outweigh the legitimate interests of the data subject. A substantial public interest within the meaning of sentence 1 shall be deemed to exist in particular in the case of
  1. averting a threat to public security,
  2. prosecution of significant criminal offences,
  3. defence or the fulfilment of supranational or international obligations of a public body of the Federation in the field of crisis management or conflict prevention or for humanitarian measures, or
  4. averting disadvantages to the common good or safeguarding the interests of the common good.

(3) When processing genetic or biometric data or health data, the controllers shall provide for appropriate and specific measures, in particular technical and organisational measures, to safeguard the fundamental rights and interests of the data subject. At a minimum, the controllers shall
  1. ensure that it can be verified and established retroactively whether and by whom personal data have been entered, altered or removed,
  2. raise the awareness of those involved in processing operations,
  3. restrict access to the data at the controller and by processors,
  4. take into account the principles of data minimisation and storage limitation as well as the need for a data protection impact assessment,
  5. encrypt the data in the event of transmission,
  6. ensure the ability to ensure the confidentiality, integrity, availability and resilience of systems and services related to the processing of data,
  7. ensure the ability to restore availability and access to data in a timely manner in the event of a physical or technical incident,
  8. establish a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing, and
  9. ensure compliance with the requirements of this Act and of the General Data Protection Regulation in the event of a transmission or processing for other purposes through specific procedural rules.
Article 32 of the General Data Protection Regulation shall remain unaffected.

(4) The processing of genetic or biometric data or health data on behalf of another shall only be permissible where the processor has taken appropriate data protection measures commensurate with the level of protection required by the data in accordance with paragraph 3 and overriding legitimate interests of the data subject do not preclude the outsourcing of the data processing. The commissioning of bodies outside the territorial scope of the General Data Protection Regulation shall be unlawful.

(5) Insofar as bodies subject to this Act are involved in joint processing of personal data within the meaning of Article 26 of the General Data Protection Regulation that includes at least genetic or biometric data or health data, such processing shall only be lawful where compliance with the requirements contained in the General Data Protection Regulation has been demonstrated to the State Commissioner for Data Protection and Freedom of Information prior to the commencement of the data processing.