For some time now, one topic has been on the minds of management boards everywhere: Data protection and the General Data Protection Regulation, which entered into force in May 2018. The European-wide data protection law has been earning the approval and praise of many because it ensures that consumers have control over their data. However, the topic still often causes confusion and headaches. Companies are overburdened with non-transparent regulations and a considerable amount of additional work, not to mention the additional expenses:

Only a quarter of German companies surveyed are in full compliance with the requirements of the EU General Data Protection Regulation. These findings were the result of a Bitkom study that was carried out in September 2019, where 500 companies were asked about their progress in regard to the implementation of the GDPR.

The feared wave of warnings and dunning letters did not materialise, however, at least for the time being. Instead, smaller fines were imposed. Until November 2019, when everything changed. The residential property company, Deutsche Wohnen, was fined the largest amount ever in Germany for a data protection violation: 14.5 million euros. The reason for this enormous sum was the archiving system used throughout the company, which did not provide any possibility for the deletion of data that the company no longer required.

It is exactly this topic that we have dedicated ourselves to below and show which functions an email archive must have so that it is audit-proof AND data protection compliant.

Email archiving – but correctly!

In everyday business, email has long been considered a standard means of communication. Invoices for purchased products and services are sent to customers, offers and inquiries are sent to suppliers and much more. In the course of these developments, it is hardly surprising that the legal and regulatory framework for handling business emails has been expanded. Thus, the legal basis for the archiving of emails arises from the Regulations for the Proper Management and Storage of Books, Records and Documents in electronic Form as well as for Data Access, in short GoBD (German: Grundsätze zur ordnungsmäßigen Führung und Aufbewahrung von Büchern, Aufzeichnungen und Unterlagen in elektronischer Form sowie zum Datenzugriff).

The archiving obligation therefore applies to every merchant, commercial company and also legal entities. The archiving duration varies depending on the type of correspondence. Although a 6-year archiving period is set for conventional commercial and business letters, a storage period of up to 10 years applies to accounting documents, invoices as well as balance sheets and annual financial statements.

According to the GoBD, archiving systems used by companies must meet the following basic criteria in order to ensure audit-proof email archiving:

  • Emails must be archived in an unchanged manner
  • No email must be lost on the way to or in the archive
  • Emails must be retrievable and at short notice
  • Emails may not be deleted during the intended lifetime
  • Emails must be able to be displayed and printed exactly as they were entered
  • Documentation of changes in the organisation and structure of the archive must enable the original state to be restored
  • Migration to new platforms must be possible without loss of information

Moreover, users of the archive must comply with the legal and operational regulations concerning data security and data protection during the lifetime of the archive.

Audit-proof does not necessarily mean GDPR-compliant

By now, an attentive reader is probably asking the following question: How can an archiving system be warned or served notice about non-compliance with deletion obligations if emails are to be archived completely and in an audit-proof manner? Fair question. Here’s the answer:

The General Data Protection Regulation provides for an obligation to delete all personal data that are no longer used. This also includes all email communication. According to the GDPR, the storage and processing of such data is therefore always for a specific purpose. The purpose may, for example, relate to the provision of a specific service that would not be possible without the processing of customer data. If this purpose ceases to exist after some period of time, these data must be deleted.


An example from the Human Resources Department:

Monica M. applies for a job as a clerk at a medium-sized company in the tourism industry. Typically, the application contains relevant personal data, such as address, date of birth and much more. The documents are checked by the Human Resources Department and the respective specialist department.

If Monica M. impresses them, she is invited for an interview and can ideally fill the position. In order to be able to act as an employee of the company and to be paid for this, the company must continue to store and process Monica’s data.

However, if Monica does not impress the company during the interview, the basis for data storage is no longer applicable. The company must therefore completely destroy the data at the latest six months after rejecting Monica’s application. And what is meant here is “delete”. This includes all documents available in paper and digital form, such as cover letters, curriculum vitae, copies of certificates, notes from the interview, test papers and all related emails received.

In addition to the situation just described here, there are two other cases in which archiving is restricted or not permitted at all. The first case concerns email communications between employees and the works council or company medical officer. The second concerns personal emails, if employees are generally permitted to send and receive them.

The audit-proof and GDPR-compliant archiving system

As already described, the storage of personal data is tied to a specific purpose. And as we have seen, this purpose can also change. A legally imposed obligation to retain data can therefore also be considered a purpose for the storage of personal data.

In order to be able to comply with both the retention and deletion obligations, an enterprise should keep three important aspects in mind when archiving emails. First of all, it must be possible to recognise and mark personal information such as the private email communication of employees. Second, data must be classified in order to answer the question of what do said data concern. Last but not least, retention periods must be defined.

It is therefore particularly important to pay attention to both unalterability and data protection conformity when selecting a company-wide archiving system – because not every archiving system can delete data and, as we have seen, this can end up being expensive!

Hornetsecurity’s Archiving

An archiving system that fulfills all requirements, and also has low administrative and maintenance costs, is Hornetsecurity Archiving. All incoming and outgoing emails are archived fully, automatically, and securely in the cloud. This ensures the required unchangeability and completeness of the emails without any effort on your side.

Further features of the archive also include the marking of private emails as well as the complete exclusion of certain users from archiving, such as members of the works council. In this way, personal data can be protected in accordance with the GDPR. The archiving period for emails can be configured in advance, between six months for applications and 10 years. The existing full-text search function allows specific emails to be found quickly. Finally, Hornetsecurity’s Archiving also has a secure import and export function using a standardized format.