§ 41 LDSG SH
Notification of a personal data breach to the Land Commissioner
(1) The controller shall notify the Land Commissioner of a personal data breach without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the breach is unlikely to result in a risk to the rights of natural persons. Where the notification to the Land Commissioner is not made within 72 hours, the reasons for the delay shall be stated.
(2) A processor shall notify the controller of a personal data breach without undue delay.
(3) The notification pursuant to paragraph 1 shall at least contain the following information:
1. a description of the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned, the categories of personal data concerned and the approximate number of personal data records concerned,
2. the name and contact details of the data protection officer or another contact point where more information can be obtained,
3. a description of the likely consequences of the breach, and
4. a description of the measures taken or proposed by the controller to address the breach and the measures taken to mitigate its possible adverse effects.
(4) Where the information pursuant to paragraph 3 cannot be provided at the same time as the notification, the controller shall provide it without undue delay as soon as it is available.
(5) The controller shall document personal data breaches. The documentation shall comprise all facts relating to the incidents, their effects and the remedial measures taken.
(6) Where a personal data breach concerns personal data that have been transmitted to or from a controller in another Member State of the European Union, the information referred to in paragraph 3 shall be communicated to that controller without undue delay.
(7) A notification pursuant to paragraph 1 may only be used in criminal proceedings against the person obliged to notify or the person making the notification, or against his or her relatives designated in § 52(1) of the Code of Criminal Procedure, with the consent of the person obliged to notify or the person making the notification.
(8) Further obligations of the controller to notify personal data breaches shall remain unaffected.