§ 59 LDSG RP
Data Protection by Design and
(1)by Default
(2)The controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, take appropriate measures that are designed to implement data protection principles such as data minimisation effectively, and to ensure that the legal requirements are met and the rights of the data subjects are protected. In doing so, the controller shall take into account the state of the art, the cost of implementation and the nature, scope, context and purposes of the processing, as well as the varying likelihood and severity of risks to the rights of the data subjects. In particular, the processing of personal data and the selection and design of data processing systems shall be aimed at processing as few personal data as possible. Personal data shall be anonymised or pseudonymised at the earliest possible time insofar as the processing purpose permits.
(3)The controller shall take appropriate technical and organisational measures to ensure that, by default, only personal data which are necessary for each specific purpose of the processing are processed. This applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, the measures shall ensure that, by default, the data are not made accessible to an indefinite number of persons without the intervention of a natural person. zur Einzelansicht § 59