§ 46 ThürDSG
Obligations of the controller
(1)(Article 20 of Directive (EU) 2016/680)
(2)The controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, take appropriate measures designed to effectively implement data protection principles such as data minimisation and to integrate the necessary safeguards into the processing in order to meet the legal requirements and to protect the rights of the data subjects. In doing so, the controller shall take into account the state of the art, the cost of implementation and the nature, scope, circumstances and purposes of the processing, as well as the varying likelihood and severity of the risks to the rights and interests of the data subjects associated with the processing.
(3)The controller shall take appropriate technical and organisational measures to ensure that, by default, only such personal data are processed whose processing is necessary for each specific processing purpose. This obligation shall apply to the amount of personal data collected, the extent of their processing, their storage period and their accessibility. Such measures shall, in particular, ensure that personal data are not made accessible to an indefinite number of natural persons without the intervention of the individual by default. zur Einzelansicht § 46