§ 55 LDSG RP
Notification of Data Subjects
(1)in Case of Personal Data Breaches
(2)Where a personal data breach is likely to result in a high risk to the rights of data subjects, the controller shall notify the data subjects of the breach without undue delay.
(3)The notification referred to in paragraph 1 shall describe in clear and plain language the nature of the personal data breach and shall contain at least the information and measures referred to in Section 54(3) Nos. 2 to 4.
(4)The notification referred to in paragraph 1 may be dispensed with where 1. the controller has implemented appropriate technical and organisational protection measures and those measures have been applied to the personal data affected by the breach; this applies in particular to measures such as encryption which render the data unintelligible to any unauthorised persons, 2. the controller has taken subsequent measures which ensure that the high risk referred to in paragraph 1 is in all likelihood no longer likely to materialise, or 3. it would involve a disproportionate effort; in such cases, a public communication or a similar measure shall instead be made by which the data subjects are informed in an equally effective manner.
(5)Where the controller has not notified the data subjects of a personal data breach, the State Commissioner for Data Protection and Freedom of Information may formally determine that in his or her view the conditions referred to in paragraph 3 are not met. In doing so, he or she shall take into account the likelihood that the breach will result in a high risk.
(6)The notification of the data subject under paragraph 1 may, under the conditions referred to in Section 44(2), be delayed, restricted or omitted, provided that the interests of the data subject do not prevail on account of the high risks arising from the breach. Where the notification relates to the transmission of personal data to intelligence agencies of the Federation and the Laender, the Federal Intelligence Service or the Military Counter-Intelligence Service, it shall only be permissible with the consent of those bodies.
(7)Section 42(4) BDSG shall apply accordingly. zur Einzelansicht § 55