A statutory regulation regarding the archiving of emails has now existed for some time. In this respect, the GoBD regulation (principles for the proper keeping and storage of books, records and documents in electronic form as well as for data access) of the German Federal Ministry of Finance, which replaced the 2001 GDPdU regulation (principles of data access and auditing of digital documents) in 2017, is decisive.
The GoBD stipulates, among others, that every form of business correspondence, including emails, must be archived on a legally-compliant and audit-proof basis.
Even though the GoBD has now been around for some time, many myths continue to circulate around the topic of email archiving. In this article, we want to clear up the most common of these and to clarify what really applies.
The 7 most common mistakes
- Archiving emails regarding invoices and receipts is sufficient
- All emails have to be archived
- Printing the emails out is sufficient
- Small businesses do not need any email archiving
- Email archiving is not compatible with the GDPR and data protection
- I can archive my emails myself in Outlook
- Emails are archived anyway during backups
1st mistake: Archiving emails regarding invoices and receipts is sufficient
The GoBD stipulates that companies are required to archive every form of business correspondence for six to ten years starting from the end of the calendar year. Although invoices and receipts are an important part of such correspondence, various other business records are also affected which are relevant to the taxation, for example:
- Orders placed
- Cases of warranty
- Cancellations, etc.
This means that emails relating to the entire business process have to be archived.
2nd mistake: All emails have to be archived
There is no question that emails are an important format in the area of business correspondence today. Which emails actually have to be archived as email, however? In principle, not every email is subject to archiving, but only those which fulfill the function of a commercial or business letter or an accounting document.
In this respect, it is important to distinguish between the function that an email has. Newsletters or spam mails, for example, are exempt from the archiving requirement. And if an email only serves the purpose of sending an attachment such as a digital invoice, and does not itself contain any tax-related information, it is not the email, but only the attachment that has to be archived. The email then has a comparable function to an envelope.
In addition, companies may not indiscriminately store every email automatically. An important exception is the private emails of the employees. This becomes particularly relevant if employees are allowed to use their business email address privately. The storage is then only permitted if the employees have given their consent. In many companies, the private use of the email account is not therefore permitted.
3rd mistake: Printing the emails out is sufficient
The idea of simply printing out and filing all the emails that need to be archived may seem like a pragmatic solution.
However, the GoBD stipulates that all documentation has to be archived in its original form. An email printout would only be a copy, and would therefore not meet the requirements. Emails must be kept in their original format – i.e. in electronic form.
Moreover, in view of the flood of emails that companies receive every day, printing them out would be far from an adequate solution in terms of environmental protection or the space requirements.
4th mistake: Small businesses do not need any email archiving
Unfortunately, this assumption is also a misconception, as the question of who is required to archive emails can be answered quickly: The obligation to keep records applies to any company with a profit-making intention, regardless of its size, i.e. also to the smallest companies or sole traders.
Small companies, in particular, often struggle to comply with the numerous laws and regulations in force, as they quite simply lack the manpower. The digitalization and automation of business processes can help them to speed up and save valuable working time.
5th mistake: Email archiving is not compatible with the GDPR and data protection
The protection of personal data has been a key priority at least since the entry into effect of the GDPR in May 2018.
At first glance, the requirements of the GoBD do not appear to be compatible with the GDPR, as the storage of personal data as regards email archiving conflicts with the data protection regulations, which fundamentally prohibit the collection, processing and storage of such data.
However, the archiving obligation provides a relevant reason for storage of emails that contain personal data. With emails that do not fall under the archiving obligation, data protection takes top priority if there is no other important reason for storage. Emails from applicants who have been rejected must therefore be erased immediately.
To maintain an overview in this case, rule-based erasure is recommended, whereby emails can be selected according to certain criteria and erased automatically after a defined period of time.
6th mistake: I can archive my emails myself in Outlook
Those who work with email applications like Outlook are probably familiar with their archiving feature. The idea of archiving emails directly using this feature appears to be as obvious as it is straightforward. However, a closer look quickly reveals that emails are not archived here in the way which is required by the GoBD. The biggest problem surrounds the requirement that emails must be kept in original and audit-proof form, i.e. unchangeable. This cannot be guaranteed with archiving in the email application. It is also difficult to log any changes.
The GoBD also stipulates that emails must be archived in an orderly and retrievable way. The necessary structure is not usually available in email applications.
Moreover, email servers are not designed to store ever-increasing volumes of emails over the long term, which would result in a significant fall in their performance.
7th mistake: Emails are archived anyway during backups
Backups and archiving have different goals: While the goal of the archiving is the long-term storage of data for documentation purposes, backups only store data over the short to medium term. The main purpose of a backup is to secure the data and to provide for a source of recovery in the case of data loss. The relevant data is backed up at regular intervals, and older backups are overwritten after defined periods of time.
Therefore, a backup is not able to encompass the archiving of emails for the following reasons:
- The time period for which the data is stored may not be long enough for the backup.
- A backup is not able to ensure that all emails are saved on a complete and unchanged basis, as this usually only takes place at fixed times, such as once a day. Emails may have already been changed or deleted in the meantime. They are not, therefore, audit proof.
- The GoBD stipulates that archived emails must be retrievable. This would theoretically be possible in the case of a backup, but with a high workload.
Software solutions for email archiving – audit-proof and straightforward
The way in which emails should be archived is a complex issue. A good organization of this task is essential to be on the safe side from the legal perspective and to avoid spending unnecessary time on the subject. Email archiving software such as EASY for Exchange can help automate these tasks, allowing the archiving to take place directly from Microsoft Outlook or IBM Notes – so that you don’t have to transfer anything manually. In our webinar, you will learn how to archive emails in your company easily and on a legally-compliant basis using EASY for Exchange.