
§ 53 LDSG RP

Requirements for the Security of Data Processing

(1) The controller and the processor shall, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the processing, as well as the likelihood and severity of the risks to the rights of the data subjects, implement the necessary technical and organisational measures to ensure a level of security appropriate to the risk when processing personal data, in particular with regard to the processing of special categories of personal data. The controller shall, in doing so, take into account the relevant technical guidelines and recommendations of the Federal Office for Information Security.

(2) The measures referred to in paragraph 1 may include, inter alia, the pseudonymisation and encryption of personal data, insofar as such means are possible having regard to the processing purposes. The measures under paragraph 1 should lead to
1. ensuring on a lasting basis the confidentiality, integrity, availability and resilience of the systems and services in connection with the processing, and
2. the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident.

(3) In the case of automated processing, the controller and the processor shall, following a risk assessment, take measures designed to
1. prevent unauthorised persons from accessing the processing equipment used for the processing (access control),
2. prevent the unauthorised reading, copying, alteration or removal of data media (data media control),
3. prevent the unauthorised input of personal data and the unauthorised inspection, alteration and erasure of stored personal data (storage control),
4. prevent the use of automated processing systems by unauthorised persons using data transmission facilities (user control),
5. ensure that persons authorised to use an automated processing system have access only to the personal data covered by their access authorisation (access rights control),
6. ensure that it is possible to verify and establish to which bodies personal data have been or may be transmitted or made available using data transmission facilities (transmission control),
7. ensure that it is possible to verify and establish retroactively which personal data have been input into or altered in automated processing systems and by whom and at what time (input control),
8. ensure the confidentiality and integrity of data during the transmission of personal data and the transport of data media (transport control),
9. ensure that installed systems can be restored in the event of a disruption (recoverability),
10. ensure that all functions of the system are available and that any malfunctions are reported (reliability),
11. ensure that stored personal data cannot be damaged by system malfunctions (data integrity),
12. ensure that personal data processed on behalf of another can only be processed in accordance with the instructions of the principal (instruction control),
13. ensure that personal data are protected against destruction or loss (availability control),
14. ensure that personal data collected for different purposes can be processed separately (separability).
A purpose referred to in sentence 1 Nos. 2 to 5 may be achieved in particular through the use of state-of-the-art encryption procedures.

Source:
https://landesrecht.rlp.de/bsrp/document/jlr-DSGRLPV3rahmen
Citation:
GVBl. RLP 2018 S. 94
As of:
2024-01-01
Retrieved:
2026-02-28