Notification obligations under German data protection law

Automated processing procedures must be reported before they are commissioned to the relevant supervisory authority pursuant to § 4e BDSG.

Contents of the reporting obligation 4e BDSG

  • Name or company of the responsible authority,
  • Owners, management boards, managing directors or other managers who are statutory or qualified as per the charter of the company and the persons commissioned with the management of the data processing,
  • Address of the responsible authority,
  • Intended purposes of data collection, data processing or use,
  • a description of the concerned groups of the persons and concerned data or data categories,
  • Receivers or categories of receivers, to whom the data can be communicated,
  • Standard periods for deleting data,
  • a planned data transmission in third countries,
  • a general description, which enables to assess beforehand whether the measures as per 9 BDSG for guaranteeing the security of processing are appropriate.


The reporting obligation shall not apply if the responsible authority has appointed an employee for data protection. The reporting obligation shall further not apply if the responsible authority collects, processes or uses personal data for own purposes. In this respect, normally, at the most nine persons shall be continuously employed with the collection, processing or use of personal data and either there is a consent of the concerned person or the collection, processing or use is necessary for the justification, execution or ending of a transactional or, similar to transactional, contractual obligation with the concerned person. These regulations shall not apply if it is automated processing, in which businesslike personal data is saved by the respective authority

  • for purpose of transmission,
  • for purpose of anonymous transmission or
  • for purposes of market or opinion research.
  • Procedure index

With that, every company, which normally processes personal data automatically with more than nine employees, has to keep a procedure index. A procedure index in turn contains several procedure descriptions. The procedure steps of personal data are documented in the procedure descriptions. The documents must show which personal data has been processed by the authority with the help of which automated procedure in which way, and what are the technical-organisational measures that it has taken for protecting this data. One differentiates between an external and internal procedure index. In the internal procedure index, the individual procedures, wherein personal data is processed and is described in detail in any way and the measures are set out, which were taken for the protection of this data. These internal procedure descriptions are not intended for the public, but serve, among other things, for submission to inspections by the state office and replace the statutory reporting obligation. They are aimed at documenting the company-specific processes, which serve in appropriate coverage of confidential data. The processes become more transparent by the description and can be designed more efficiently. The external procedure index is intended for every man and must be made publicly available upon request. It is mostly created from the internal procedure index, but does not contain any detailed information about the individual procedures. Upon the creation of an internal procedure index, determine, group and name the procedures first for purpose of personal data processing. Describe the process in greater detail. After that document which data is affected by this procedure: Employee, customer, interested parties or miscellaneous personal data.

Templates for procedure indices

In case of activeMind AG, you will find matching Templates for procedure indices