Which data must be stored and for how long? This question sounds simple. The answer is not - because there is no single, uniform retention obligation in Germany. There is HGB and commercial law, tax law with AO and GoBD, GDPR deletion obligations, special professional regulations and industry-specific regulations. And some of these standards contradict each other: What must be kept for 10 years under tax law may have to be deleted earlier under GDPR.
This article provides IT managers, compliance officers and system administrators with a complete, practical overview - broken down by standard, data category, deadline and sanction. With a concrete answer to the question that always arises at the end: How do you ensure this technically?
THE MOST IMPORTANT POINTS IN BRIEF
There is no uniform archiving law in Germany. Instead, the obligations are spread across several areas of law - with different deadlines, different format requirements and different consequences in the event of non-compliance.
| Period | Data category | Legal basis |
|---|---|---|
| 10 years | Tax-relevant documents | AO §147 / HGB §257 |
| 6 years | Commercial letters & correspondence | HGB §257 |
| 30 years | Wage and pension data | BetrAVG / SV |
| 0 years | GDPR: delete if the purpose no longer applies | GDPR Art. 17 |
| Category | Category Details |
|---|---|
| Retention period | 6 / 10 years (basic period) |
| Legal basis | HGB §257 - German Commercial Code (retention of documents) |
| Data categories affected | |
| Special features | The period begins at the end of the calendar year in which the last entry was made, the inventory was drawn up, the financial statements were established or a commercial letter was received or sent. For current contracts, the period only begins after the contract has ended. |
| Sanctions for breach | |
The GoBD (principles for the proper management and storage of books, records and documents in electronic form) of the Federal Ministry of Finance are the most technically demanding standard. They not only determine the duration of storage, but also the quality - and it is these quality requirements that cause most existing backup solutions to fail.
| Category | Category Details |
|---|---|
| Retention period | 10 years (basic period) |
| Legal basis | GoBD (BMF letter 2019) |
| Data categories affected | |
| Special features | Critical GoBD requirements beyond the deadline: (1) Immutability - archived data must not be changed. (2) Machine readability - without the company's special software. (3) Completeness - no selective archiving. (4) Accessibility - immediate retrieval by auditors. (5) Process documentation - the archiving process itself must be documented. |
| Sanctions for non-compliance | Rejection of the bookkeeping as improper. Right of the auditor to estimate. Unlimited additional payments. |
GOBD: THE MOST COMMON COMPLIANCE ERRORS IN PRACTICE
Error 1: Backup instead of archive - backups do not meet the GoBD requirements for immutability and machine readability.
Error 2: Format conversion without preserving the original - if digital receipts are converted into another format and the original is not preserved, this is a GoBD violation.
Error 3: Missing process documentation - the GoBD requires that the archiving process itself is documented. If it is missing, this jeopardizes the entire archiving process.
Error 4: Legacy system switched off without data migration - if data is stored in the proprietary format of a discontinued system, it can no longer be 'machine analyzed'.
Error 5: Selective archiving - archiving only certain postings or time periods violates the completeness requirement of the GoBD.
The GDPR follows a different logic to commercial and tax law: while the German Commercial Code (HGB) and Tax Code (AO) stipulate minimum periods (retention for at least 6 or 10 years), the GDPR stipulates maximum periods. Personal data may only be stored for as long as is necessary for the purpose of processing - after that, there is an active deletion obligation.
This leads to a real legal conflict: invoices to private customers contain personal data (name, address, possibly bank details) - and must be stored for 10 years under the German Commercial Code (HGB) / Fiscal Code (AO), but deleted under the GDPR as soon as the purpose no longer applies.
| Category | Category Details |
|---|---|
| Retention period | Earmarked: only as long as the purpose of processing applies |
| Legal basis | GDPR Art. 5, 17, 25 |
| Categories of data concerned | |
| Special features | The GDPR-HGB conflict is resolved by earmarked archiving: tax-relevant personal data may be retained for tax purposes, but access must be limited to this purpose. In practice, this means that data is archived but blocked for marketing purposes or CRM. |
| Sanctions for non-compliance | Up to €20 million or 4% of global annual turnover (Art. 83 GDPR). Public register of fines (GDPR Art. 83 para. 5). |
The following table provides a complete overview of all relevant data categories with retention periods, legal basis and format requirements. It is designed as a quick reference for IT managers, compliance officers and system administrators.
| Data category | Deadline | Legal basis | Format requirement | Sanction for violation |
|---|---|---|---|---|
| Annual financial statements, balance sheets, inventories | 10 years | HGB §257 / AO §147 | Original or scanned copy with proof of integrity | Audit risk, estimation |
| Accounting documents (invoices, receipts) | 10 years | AO §147 / GoBD | Unalterable, machine analyzable | Estimation notice, interest |
| Commercial letters (received and sent) | 6 years | HGB §257 | Complete, legible, retrievable | Loss of evidence in the event of a dispute |
| Business e-mails (tax-relevant) | 10 years | AO §147 / GoBD | Audit-proof, with metadata | Like accounting documents |
| Business e-mails (general) | 6 years | HGB §257 | Complete and legible | Loss of evidence |
| Wage documents (social insurance contribution law) | up to 30 years | §28f SGB IV | Complete, personalized | Subsequent claim for social insurance contributions |
| Wage documents (tax-related) | 10 years | AO §147 | Automatically analyzable | Wage tax back payment |
| Travel expense reports | 10 years | AO §147 | Report + original receipts | Recognition of operating expenses |
| Contracts (ongoing) | 10 years after end of contract | HGB §257 / AO §147 | Complete incl. attachments | Loss of evidence, liability |
| Patient data / treatment documents | at least 10 years | §10 MBO-Ä, §630f BGB | Complete, legible | Medical liability, professional court |
| Production protocols (pharmaceutical/medical) | at least 15 years | AMG, MPDG | GMP-compliant, auditable | Product liability, official requirements |
| Production records (general) | 5-10 years | ProdHaftG, internal | Complete, traceable | Product liability lawsuit |
| Architectural plans / building permits | 30 years | LBO (state law) | Original or certified copy | Liability, fines |
| Pension documents / BetrAVG | permanent | BetrAVG §1a | Complete, permanently legible | Personal liability of the managing director |
| GDPR: Record of processing activities | As long as processing is active | GDPR Art. 30 | Current, accessible to the supervisory authority | Fines of up to €10 million |
| GDPR: Data breach log | 3 years after notification | GDPR Art. 33 | Fully documented | Fines of up to €10 million |
| GDPR: Proof of consent | Until revocation + purpose of proof | GDPR Art. 7 | Unalterable, with date | Fines, reversal of burden of proof |
| Customs documents | 10 years | AO / ZK (Customs Code) | Complete, officially recognized | Additional duties, sanctions |
| Bank statements / bank receipts | 10 years | AO §147 | Complete, legible | Assessment notice |
In addition to the general retention periods under commercial and tax law, there are industry-specific retention obligations that stipulate significantly longer periods. For companies in these sectors, the 10-year rule is only the minimum standard.
| Industry | Min. deadline | Max. deadline | Legal basis | Special feature |
|---|---|---|---|---|
| Pharmaceutical industry | 15 years | 30 years | AMG §21, EU GMP guidelines | Batch and production protocols; FDA obligations for US business |
| Medical technology | 10 years | 15 years | MPDG §107, EU MDR Art. 10 | Safety and clinical data; traceability of implants |
| Hospitals / medical practices | 10 years | 30 years | §630f BGB, §10 MBO-Ä | Treatment records; children: up to 28 years of age |
| Food industry | 2 years | 5 years | Regulation (EC) 178/2002 | Traceability of raw materials and batches; longer in the event of an outbreak |
| Financial sector | 5 years | 10 years | KWG, WpHG, EMIR | Reporting obligations, audit trail for securities transactions |
| Insurance companies | 5 years | 30 years | VVG, industry law | Claims documents; life insurance: term + 10 years |
| Construction industry | 5 years | 30 years | BGB §634a, LBO | Warranty; for buildings 5 years from acceptance |
| Tax consultancy / auditors (WP) | 6 years | 10 years | StBerG, WPO | Client documents; professional law imposes its own documentation obligation |
| Motor vehicle / automotive | 5 years | 15 years | ProdHaftG, IATF 16949 | Production data, CAF screwdriving certificates, recall traceability |
| Public administration | 5 years | permanent | BArchG, state archive laws (LArchivgesetze) | Depending on relevance; historically important documents: permanent |
This is the most complex issue in archiving practice. An IT manager who only aims to 'comply with deletion periods' risks tax law problems. Someone who only aims to 'keep everything for 10 years' risks GDPR fines. The solution lies in a concept that meets both standards at the same time.
THE PRINCIPLE OF EARMARKED ARCHIVING
Step 1 - Separate: Tax-relevant personal data is archived for tax purposes - not for CRM, marketing or product development.
Step 2 - Blocking: Access to this data is technically blocked for non-tax purposes - the data still exists, but can no longer be actively processed.
Step 3 - Logging: Every access to blocked data is logged without gaps and is only permitted for defined purposes.
Step 4 - Deletion after expiry of the retention period: After 10 years, the data is deleted completely and verifiably - with a deletion log in accordance with GDPR Art. 17.
The result: Tax law compliance (data available) + GDPR compliance (access for a specific purpose + proof of deletion). Without an earmarking concept, it is almost impossible to achieve both at the same time.
Many companies think that GDPR and tax law are mutually exclusive. They are not - if archiving is consistently implemented for a specific purpose.
- Korbinian Hermann, Managing Director, CSP Intelligence GmbH
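The four steps above, carried through as an added example in Python (this is not code from the article or from CHRONOS): a hypothetical record model computes the retention end from the period-start rule stated in the HGB table (end of the calendar year of the last entry, or of the contract end for ongoing contracts), grants access only for the earmarked purpose while logging every attempt, and deletes expired records with a deletion log entry. The category names, purpose labels and sample documents are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Basic retention periods from the article, in years (HGB §257 / AO §147).
# The period starts at the end of the calendar year of the last entry.
RETENTION_YEARS = {"accounting_document": 10, "commercial_letter": 6}


@dataclass
class ArchivedRecord:
    """One archived document with purpose binding (steps 1-3). Hypothetical structure."""
    record_id: str
    category: str
    last_entry: date                          # date of last entry, receipt or dispatch
    contract_end: Optional[date] = None       # ongoing contract: period starts after it ends
    allowed_purposes: frozenset = frozenset({"tax"})   # step 1: archived for tax purposes only
    access_log: list = field(default_factory=list)     # step 3: gapless access log
    deleted_on: Optional[date] = None

    def retention_end(self) -> date:
        """Last day of the retention period: 31 Dec of the start year plus the basic period."""
        start_year = (self.contract_end or self.last_entry).year
        return date(start_year + RETENTION_YEARS[self.category], 12, 31)

    def access(self, who: str, purpose: str, today: date) -> bool:
        """Step 2: grant access only for an allowed purpose; every attempt is logged."""
        granted = self.deleted_on is None and purpose in self.allowed_purposes
        self.access_log.append((today.isoformat(), who, purpose, "granted" if granted else "blocked"))
        return granted


def run_deletion(records: list, today: date, deletion_log: list) -> list:
    """Step 4: delete records whose period has expired and write a deletion log entry (GDPR Art. 17)."""
    deleted = []
    for rec in records:
        if rec.deleted_on is None and today > rec.retention_end():
            rec.deleted_on = today
            deletion_log.append({"record": rec.record_id, "category": rec.category,
                                 "retention_end": rec.retention_end().isoformat(),
                                 "deleted_on": today.isoformat()})
            deleted.append(rec.record_id)
    return deleted


if __name__ == "__main__":
    # Constructed sample: an invoice from 2015; deletion run on 2 Jan 2026, the day after expiry.
    invoice = ArchivedRecord("INV-2015-001", "accounting_document", date(2015, 3, 10))
    print(invoice.access("crm-batch", "marketing", date(2024, 1, 15)))  # blocked -> False
    log = []; print(run_deletion([invoice], date(2026, 1, 2), log), log)
```

A deletion run on 31 December 2025 leaves the 2015 invoice in place; the same run on 2 January 2026 deletes it and records the retention end alongside the deletion date.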
Managing retention periods manually is a reliable recipe for compliance gaps: Data categories are misclassified, deletion runs are forgotten, new case law is not incorporated. CHRONOS fully automates this process.
☐ I can name the applicable retention period for each data category in our system.
☐ Our archiving solution technically ensures immutability - no employee can change archived data.
☐ Accounting data from 2015 can still be analyzed automatically today - without having to restart the legacy system.
☐ We have a documented deletion concept that synchronizes GDPR obligations and tax retention periods.
☐ Our archiving solution is vendor-independent: even if the provider becomes insolvent, our data is still readable.
☐ Our process documentation is up-to-date and would stand up to a GoBD audit.
☐ Today, a tax auditor could receive automatically analyzable accounting data for 2016-2025 within 24 hours.
☐ We have a verifiable deletion log for all deleted personal data.
When does the retention period begin?
The period generally begins at the end of the calendar year in which the last entry was made in the trading book, the inventory was drawn up, the opening balance sheet or the annual financial statements were adopted, the commercial letter was received or sent or the accounting document was created. Important: In the case of ongoing contracts, the deadline only begins after the contract has ended. In the case of tax audits, the deadline may be extended until the audit is completed.
Do emails have to be archived?
Yes - if they are commercial or business letters or have tax-relevant content. Business emails that document the conclusion of a contract, an order, an invoice or payment agreements are commercial letters according to HGB §257 and must be stored for 6 years. E-mails with tax-relevant content are subject to the 10-year retention obligation according to AO §147. Archiving must be audit-proof - mere backup storage on the mail server does not satisfy the GoBD.
What happens if I delete data too early?
Deleting tax-relevant documents too early can lead to an assessment notice according to §162 AO - the tax office may then estimate the tax base, always to the disadvantage of the company. In civil law, a lack of documentation means loss of evidence. If evidence is deliberately destroyed, there is a risk of criminal prosecution under §274 StGB (suppression of documents). The solution is not a contradiction: with a dedicated archiving concept, data is retained for tax purposes and at the same time blocked for other purposes.
Does the retention obligation also apply to cloud data?
Yes, in full. The statutory retention obligations apply regardless of the storage location. Cloud data must be retained in the same way as local data. Special feature: In the event of a cloud exit - if the cloud provider discontinues the service or the company changes - the data must remain accessible in an audit-proof manner. This requires a manufacturer-independent archive format. Pure cloud backup solutions without an open export format are risky here.
Can paper documents be destroyed after scanning?
In many cases, yes - but not for all document types. GoBD and AO §146 allow the replacement digitization for most accounting documents if the scanning process is documented in accordance with GoBD (procedural documentation) and the digital copy is archived in an audit-proof manner. Exceptions: Opening balance sheets and annual financial statements must be kept in the original. The same applies to notarized documents. And: Scanning only replaces the original if a documented scanning procedure exists.
What is the difference between retention period and deletion period?
Retention period (commercial/tax law): Minimum period for which data must be stored - it may not be deleted before this period. Deletion period (GDPR): Maximum period for which personal data may be stored - after which it must be actively deleted. The conflict arises when both apply to the same data: Invoices to private customers are subject to the 10-year retention obligation (AO) and the GDPR deletion obligation at the same time. Solution: Earmarked archiving with access restrictions - the data is retained for tax purposes but is blocked for other purposes.
What happens to archive data after a company sale or insolvency?
Retention obligations do not end with the sale of a company or insolvency. When a company is sold, the archiving obligations are transferred to the buyer - or the seller remains responsible for the data created up until the sale (to be contractually regulated). In the event of insolvency, the insolvency administrator is responsible for proper storage and, if necessary, subsequent deletion. CHRONOS has accompanied this scenario in practice on several occasions - including the complete insolvency liquidation of Schlecker.
How long must production data be stored in production?
This depends on the industry and product. In general, the tax deadline of 10 years applies to production-related accounting documents. In the automotive industry, IATF 16949 and customer requirements often demand 15 years for safety-related production records. In the pharmaceutical industry, the EU GMP guidelines require at least 15 years for batch records - for some products until the end of the product life cycle. In medical technology, the EU MDR stipulates traceability for the entire product life cycle.