§ 14 DSG LSA
Protective measures for the processing
(1)of special categories of personal data
(2)Where, in the context of data processing pursuant to Sections 8 and 26 to 29, special categories of personal data within the meaning of Article 9(1) of Regulation (EU) 2016/679 are processed, the controllers and processors shall take the following measures to safeguard the fundamental rights and the interests of the data subject: 1. ensuring that it can subsequently be established whether and by whom personal data have been processed, 2. restricting the authorisations for access to personal data to the extent necessary and documenting the authorisations, and 3. awareness-raising for persons who have access to personal data.
(3)Insofar as it is necessary for the protection of special categories of personal data, the controllers and processors shall, in addition to paragraph 1, take further appropriate and specific measures. Suitable measures may include in particular: 1. ensuring that personal data are released for processing only on a four-eyes principle, 2. ensuring that personal data are accessed only after two-factor authentication, 3. ensuring that the electronic transmission of personal data takes place only with end-to-end encryption, 4. ensuring that in a networked IT system personal data are stored only with encryption, 5. ensuring that data loss is prevented through a redundant design of systems, power supply and data transmission facilities, 6. ensuring that data are not altered without authorisation and their integrity is maintained, for example through the use of an electronic signature, 7. training of persons who have access to personal data.
(4)The nature and extent of the measures pursuant to paragraphs 1 and 2 shall be determined by the state of the art and the costs of implementation, the nature, scope, context and purpose of the data processing, and the likelihood and severity of the risks to the fundamental rights and interests of the data subject posed by the data processing. zur Einzelansicht § 14