The GoBD (principles for the proper keeping and storage of books, records and documents in electronic form), like the DSGVO, contains storage obligations. Which ones do companies have to adhere to in order to avoid fines or similar? Does the retention obligation from the GoBD possibly even contradict the GDPR?
What is the GoBD?
GoBD is an abbreviation for "Principles for the proper keeping and storage of books, records and documents in electronic form". This is an administrative instruction from the Ministry of Finance that came into force in 2014 and was revised at the beginning of 2020. It contains basic principles that entrepreneurs must follow for their books and other records. The purpose is to have these documents recognized by the tax authorities for tax evidence purposes. All companies are affected by these regulations, regardless of their size.
The GoBD only regulates the basic principles of retention and storage. However, it does not regulate which documents are to be retained at all and how long they are to be retained. However, this results from other laws.
Which storage obligation does the GoBD regulate?
According to the GoBD, everything that is of significance for the taxation of the company must be documented and stored. For this purpose, it contains the principle of traceability and verifiability. In addition, the principles of truth, clarity and continuous recording are also found here (these contain the principles of completeness, accuracy, timely document backup, order and immutability).
Accordingly, all entries must be accompanied by a receipt. This must be made in a timely manner and must be correct. These must be subject to audit security, i.e. the bookings must be recorded systematically and the vouchers and records must be unalterable. A procedure directory must be kept for this procedure. All this must also be archived.
Contradiction to the GDPR?
In practice, the question often arises as to whether the regulations on storage and archiving according to the GoBD are in conflict with the GDPR. If this were the case, all entrepreneurs who follow the requirements of the GoBD would be acting in violation of data protection.
The core of the problem is that the documents to be retained in accordance with the GoBD often contain personal data and thus fall under the scope of the GDPR. The GDPR itself regulates storage limitations until the end of the purpose (Art. 5 GDPR). Does the GoBD contradict this regulation?
The answer is clear: No! Legal deadlines must be observed for storage in accordance with the GoBD. This applies regardless of whether the document to be stored contains personal data or not. During this storage, there is a purpose, namely the tax law purpose of the GoBD. If the period under the GoBD expires, the purpose of data processing within the meaning of the GDPR also ceases to apply and the data must be deleted. An appropriate deletion concept is important here.
A violation of data protection law only occurs if personal data is stored beyond the statutory retention obligation or the concept of the GoBD is used as a cover for the unauthorized storage of data.
The retention obligation according to the GoBD does not contradict the GDPR. Entrepreneurs who follow this retention and the corresponding legal deadlines do not act contrary to data protection. If the data to be retained contains personal data, however, the DSGVO and its basic principles must also be observed within the framework of the GoBD. After expiry of the retention obligations, the data must be deleted in accordance with data protection requirements.
Our team of experts will be happy to advise you on all topics relating to data protection and data security!