§ 12 LDSG SH
Processing of special categories of personal data
(1)By derogation from Article 9(1) of Regulation (EU) 2016/679, the processing of special categories of personal data within the meaning of Article 9(1) of Regulation (EU) 2016/679 by public bodies shall be lawful where 1. it is strictly necessary for reasons of substantial public interest, 2. it is necessary to avert a substantial danger to public security, 3. it is strictly necessary to avert substantial disadvantages to the public interest or to safeguard substantial interests of the public interest, or 4. it is necessary for compelling reasons of defence or the fulfilment of supranational or international obligations of a public body of the Land in the field of crisis management or conflict prevention, or for humanitarian measures, and provided that the interests of the controller in the data processing outweigh the interests of the data subject.
(2)Where, on the basis of this Sub-section or other statutory provisions of Land law, special categories of personal data within the meaning of Article 9(1) of Regulation (EU) 2016/679 are processed, the controller shall ensure by appropriate technical and organisational measures that the requirements of Regulation (EU) 2016/679 are complied with and the fundamental rights and interests of the data subject are safeguarded.
(3)Taking into account the state of the art, the cost of implementation and the nature, scope, context and purpose of the processing as well as the varying likelihood and severity of the risks for the rights and freedoms of natural persons associated with the processing, the measures to be taken may in particular include: 1. awareness-raising and training of those involved in processing operations, 2. restricting access to personal data within the responsible body and by processors, 3. measures ensuring that it can be subsequently established whether and by whom personal data have been entered, modified or removed, 4. pseudonymisation and encryption of personal data, 5. establishing specific review intervals for erasure, 6. ensuring the ability to safeguard the confidentiality, integrity, availability and resilience of the systems and services related to the processing of personal data, including the ability to restore availability of and access to data promptly in the event of a physical or technical incident, 7. establishing a process for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures for ensuring the security of the processing, 8. specific procedural rules which, in the event of transmission or processing for other purposes, ensure compliance with the requirements of this Act and of Regulation (EU) 2016/679. zur Einzelansicht § 12