§ 54 ThürDSG
Security of processing
(1)(Article 29 of Directive (EU) 2016/680)
(2)The controller and the processor shall, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, take appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in particular with regard to the processing of special categories of personal data.
(3)The measures referred to in paragraph 1 may include, among other things, the pseudonymisation and encryption of personal data, measures to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services, measures to ensure the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident, and a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
(4)The controller and the processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless required to do so by law. zur Einzelansicht § 54