
§ 8 SDSG

Processing of special categories of personal data

(1) The processing of special categories of personal data within the meaning of Article 9(1) of Regulation (EU) 2016/679 shall, without prejudice to the exceptions set out in Article 9(2) of Regulation (EU) 2016/679, be lawful insofar as it is necessary

1. for the exercise of rights and obligations arising from the law of social security and social protection,
2. for the exercise of rights and obligations of public bodies in the field of employment and service law,
3. for the purposes of preventive health care or occupational medicine, for the assessment of the working capacity of employees, for medical diagnostics, care or treatment in the health or social sector or for the management of systems and services in the health and social sector or pursuant to a contract of the data subject with a health professional, where such data are processed by medical personnel or other persons subject to a confidentiality obligation, or under their responsibility,
4. for reasons of public interest in the area of public health and infection protection, such as protection against serious cross-border health threats or to ensure high standards of quality and safety of health care and of medicinal products and medical devices; in addition to the measures referred to in paragraph 2, the professional and criminal law requirements for maintaining professional secrecy shall in particular be complied with,
5. to avert substantial detriment to the public interest or threats to public safety and order,
6. for the prosecution of criminal offences or administrative offences, for the enforcement or execution of criminal penalties or measures within the meaning of Section 11(1)(8) of the Criminal Code, or of educational measures or disciplinary measures within the meaning of the Youth Courts Act, or for the enforcement of decisions on administrative fines,
7. for the purposes referred to in Section 7(1).
(2) ¹When processing special categories of personal data, appropriate and specific measures shall be taken to safeguard the interests of the data subjects. ²Taking into account the state of the art, the costs of implementation and the nature, scope, circumstances and purposes of the processing, as well as the varying likelihood and severity of the risks to the rights and freedoms of natural persons posed by the processing, such measures may include in particular:

1. technical and organisational measures to ensure that the processing complies with Regulation (EU) 2016/679,
2. measures to ensure that it can subsequently be verified and established whether and by whom personal data have been entered, altered or removed,
3. awareness-raising among those involved in processing operations,
4. restricting access to personal data within the responsible body and by processors,
5. pseudonymisation of personal data,
6. encryption of personal data,
7. the permanent ensuring of the confidentiality, integrity, availability and resilience of the systems and services related to the processing of personal data, including the ability to restore the availability of personal data and access to them without undue delay in the event of a physical or technical incident,
8. establishing a procedure for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures to ensure the security of processing, or
9. specific procedural rules to ensure compliance with the requirements of this Act and of Regulation (EU) 2016/679 in the event of transmission or processing for other purposes.

Source:
https://recht.saarland.de/bssl/document/jlr-DSGSL2018rahmen
Citation:
Amtsbl. SL 2018 I S. 374
As of:
2024-01-01
Retrieved:
2026-02-28