§ 56 ThürDSG
Notification of the data subject in the event of breaches of the protection of personal data (Article 31 of Directive (EU) 2016/680)
(1) Where a personal data breach is likely to result in a high risk to the rights of natural persons, the controller shall notify the data subjects of the breach without delay.
(2) The notification of data subjects pursuant to paragraph 1 shall describe, in clear and plain language, the nature of the personal data breach and shall contain at least the information and measures referred to in Section 55(3), numbers 2 to 4.
(3) The notification of data subjects pursuant to paragraph 1 shall not be required where
1. the controller has taken appropriate technical and organisational security measures and those measures have been applied to the personal data affected by the breach, in particular those that render the personal data unintelligible to any person who is not authorised to access them, such as encryption,
2. the controller has taken subsequent measures that ensure that the high risk to the rights of the data subjects referred to in paragraph 1 is in all likelihood no longer likely to materialise, or
3. it would involve disproportionate effort; in this case, a public communication or similar measure shall be made instead, by which the data subjects are informed in an equally effective manner.
(4) Where the controller has not already notified the data subjects of the personal data breach, the State Commissioner for Data Protection may, taking into account the likelihood that the breach will result in a high risk, require the controller to do so or may formally determine that certain of the conditions referred to in paragraph 3 are fulfilled.
(5) The notification of data subjects pursuant to paragraph 1 may be postponed, restricted or omitted under the conditions referred to in Section 41(2).
Fifth Sub-Section Transfer of Personal Data to Third Countries or International Organisations