§ 23 TDDDG
Information Procedure for Passwords and Other Access Data
(1)By way of derogation from Section 22, any person who provides digital services on a commercial basis, participates therein, or mediates access to the use thereof may use passwords or other data collected as inventory data, by means of which access to terminal equipment or to storage facilities used in or separately from such terminal equipment is protected, in accordance with this provision to fulfil obligations to provide information to the authorities referred to in paragraph 2. All internal data sources of the undertaking must be taken into account for the provision of information.
(2)Information under paragraph 1 sentence 1 may only be provided to Data under paragraph 1 must not be transmitted to other public or non-public bodies. Responsibility for the permissibility of the information lies with the authorities requesting the information. 1 authorities competent for the prosecution of criminal offences, insofar as they request the transmission in the individual case, citing a statutory provision that permits them to collect and use the data referred to in paragraph 1 for the prosecution of particularly serious criminal offences under Section 100b(2) No. 1 letters a, c, e, f, g, h, or m, No. 3 letter b first alternative, Nos. 5, 6, 9, or 10 of the Code of Criminal Procedure, upon order by a court, or; 2 authorities competent for the prevention of threats to public safety or order, insofar as they request the transmission in the individual case, citing a statutory provision that permits them to collect and use the data referred to in paragraph 1 for the prevention of a concrete danger to life, limb, or freedom of the person, to sexual self-determination, to the continued existence of the Federation or a Land, the free democratic basic order, and public interests whose threat affects the foundations of human existence, upon order by a court.
(3)Any person who provides digital services on a commercial basis, participates therein, or mediates access to the use thereof must transmit the data to be disclosed without delay and in full. Any encryption of the data shall remain unaffected. The obliged persons must maintain confidentiality vis-a-vis the data subjects and third parties regarding the request for information and the provision of information.
(4)Any person who provides digital services on a commercial basis or participates therein must take the measures necessary for the provision of information within his or her area of responsibility at his or her own expense. Every request for information must be reviewed by a responsible specialist for compliance with the formal requirements referred to in paragraph 2. Further processing of the request for information may only be released after a positive review result.