§ 40 LDSG SH — Anforderungen an die Sicherheit der Datenverarbeitung

Requirements for the security of data processing

(1)The controller and the processor shall, taking into account the state of the art, the costs of implementation, and the nature, scope, circumstances and purposes of the processing, as well as the likelihood and severity of the risks to the rights of data subjects associated with the processing, take the necessary technical and organisational measures to ensure a level of protection appropriate to the risk when processing personal data, in particular with regard to the processing of special categories of personal data. The controller shall take into account the relevant Technical Guidelines and Recommendations of the Federal Office for Information Security in doing so.

(2)The measures referred to in paragraph 1 may include, inter alia, the pseudonymisation and encryption of personal data, insofar as such means are possible in view of the processing purposes. The measures pursuant to paragraph 1 shall ensure that 1. the confidentiality, integrity, availability and resilience of the systems and services relating to processing are ensured on an ongoing basis, and 2. the availability of and access to personal data can be restored promptly in the event of a physical or technical incident.

(3)In the case of automated processing, the controller and the processor shall, following a risk assessment, take measures designed to: 1. deny unauthorised persons access to processing equipment used for processing (access control), 2. prevent the unauthorised reading, copying, altering or removal of data carriers (data carrier control), 3. prevent the unauthorised input of personal data and the unauthorised inspection, alteration and erasure of stored personal data (storage control), 4. prevent the use of automated processing systems by means of data transmission equipment by unauthorised persons (user control), 5. ensure that persons authorised to use an automated processing system have access only to the personal data covered by their access authorisation (access rights control), 6. ensure that it is possible to verify and ascertain to which bodies personal data have been or may be transmitted or made available by means of data transmission equipment (transmission control), 7. ensure that it is possible to verify and ascertain subsequently which personal data were entered or altered in automated processing systems, at what time and by whom (input control), 8. ensure that the confidentiality and integrity of data are protected during the transmission of personal data and during the transport of data carriers (transport control), 9. ensure that systems used can be restored in the event of disruption (recoverability), 10. ensure that all functions of the system are available and that malfunctions are reported (reliability), 11. ensure that stored personal data cannot be corrupted by system malfunctions (data integrity), 12. ensure that personal data processed on behalf of others can only be processed in accordance with the instructions of the client (order control), 13. ensure that personal data are protected against destruction or loss (availability control), 14. ensure that personal data collected for different purposes can be processed separately (separability). A purpose within the meaning of sentence 1 numbers 2 to 5 may be achieved in particular by the use of encryption methods in accordance with the state of the art.

(4)Automated procedures shall, before their initial deployment and after material changes, be released by the controller or a person authorised by the controller with regard to the effective implementation of technical and organisational measures to ensure the security of data processing. The testing procedure shall be documented.

(5)The Land Government shall regulate by ordinance the requirements for the security concept as well as the release of automated procedures and further details of proper data processing by public bodies. The Land Commissioner for Data Protection shall be consulted.

(6)An automated procedure in which several controllers jointly determine the purposes and means of processing (joint procedure) or which enables the transmission of personal data by retrieval (retrieval procedure) may be established, provided that this is proportionate, taking into account the legitimate interests of the data subjects and the tasks of the participating bodies.

(7)For procedures pursuant to paragraph 6, the competent supreme Land authority may also establish provisions under this provision by ordinance and designate a central body to which responsibility for ensuring the proper functioning of the automated procedure is transferred.

(8)Paragraph 6 shall not apply to retrieval from data sets which are open to anyone without or upon special authorisation for use, or the publication of which would be permissible. zur Einzelansicht § 40