Nowadays, a large part of corporate communication takes place via e-mail. As great as the advantages of digital communication are, it is important to remember that handling stored or at least storable data requires a certain amount of sensitivity.
So here are three things you need to know about email archiving.
Where is email archiving regulated?
In Germany, e-mail archiving is not regulated in a single law. The archiving requirements are primarily found in an administrative regulation, the GoBD (Principles for the Proper Keeping and Retention of Books, Records and Documents in Electronic Form and for Data Access). The German Commercial Code (HGB) and the German Fiscal Code (AO) also play a major role in this topic.
According to legal requirements, e-mails that are relevant for taxation must be retained (§ 257 HGB, § 140 AO).
Do you have to archive every email?
No, only certain e-mails have to be archived. These are e-mails that contain business or commercial letters or that are related to tax law. These can be inventories, accounting documents or annual financial statements, for example. If this information is attached and the e-mail only serves as a means of transport without having its own message content, the e-mail itself does not have to be archived.
All other e-mails, including spam and newsletters, are exempt from the archiving obligation.
It should be noted that not every e-mail may be archived either. Archiving is prohibited, for example, in the case of private messages from employees or applicant data. To ensure that no personal data is inadvertently archived, there should be a company agreement on private messages via the company e-mail address, for example. Alternatively, the configuration of the archiving software can be adapted accordingly.
How must emails be archived?
In Germany, the GoBD (an administrative regulation: Principles for the proper keeping and storage of books, records and documents in electronic form as well as for data access) regulates the manner in which e-mails are archived. Accordingly, e-mails must be archived properly, completely, at the earliest possible point in time, consistent with the original and unchanged, viewable with authorization, retrievable and reproducible, and traceable via logging (in the event of changes). These requirements must be maintained for the entire retention period. Compliance with these requirements must also be ensured during and after a system change.