Art. 5 (5a) DGA:

"[...] Re-users [...] shall take technical and operational measures to prevent reidentification and to notify any data breach resulting in the reidentification of the data subjects concerned to the public sector body. [...]"