The General Data Protection Regulation, which has been active since May 2018, continues to be a hot topic, especially when it comes to concrete implementation. After almost three years, various surveys confirm that the majority of companies have yet to take action. In a Statista survey from September 2020, only 37 percent of the 504 companies surveyed stated they had largely implemented the GDPR.  The reason for this low percentage is the sometimes unclear regulations and additional requirements that make GDPR a “bottomless pit.”

The regulations of GDPR extend to almost all business activities, which have been increasingly handled digitally—especially since last year. E-mail communication plays a particularly important role here, as it is almost impossible to imagine the business world without it. This is accompanied by increasing legal requirements regarding business correspondence – and its storage. And these requirements are often still completely underestimated.

The high cost that can result from using an archiving system that does not comply with data protection requirements is shown by the case of Deutsche Wohnen from 2019. The archiving system used at that time did not provide the possibility to delete personal tenant data, which should no longer have been stored according to the applicable DSGVO. This cost the German company dearly: a fine of ​14.5 million euros.

But what requirements must a flawless email archiving system meet? This is the subject of the following article.

Audit-proof e-mail archiving – what needs to be considered?

E-mail communication has become an integral part of everyday business life: Invoices for products and services are exchanged, offers are coordinated and orders are placed with suppliers. What used to take several days to send by post years ago can now be handled in a matter of seconds.

In the course of these developments, it is therefore hardly surprising that the legal and regulatory framework has been extended accordingly to include business e-mail communication. For example, the legal basis for archiving e-mails is provided by the Principles for the Proper Keeping and Retention of Books, Records and Documents in Electronic Form and for Data Access, or GoBD for short. In general, e-mail archiving means the long-term and systematic protection and storage of data in e-mail messages.

The archiving obligation therefore applies to every merchant, commercial company and also legal entities. The archiving duration varies depending on the type of correspondence. Although a 6-year archiving period is set for conventional commercial and business letters (any business email communication), a storage period of up to 10 years applies to accounting documents, invoices as well as balance sheets and annual financial statements.

According to the GoBD, archiving systems used by companies must meet the following basic criteria in order to ensure audit-proof email archiving:

There are numerous misconceptions surrounding the archiving obligation. For example, it is thought that only invoices are subject to archiving, that printing out e-mails is sufficient, that archiving is covered by backup systems, and that the archiving obligation only applies to the big players anyway. Wrong!

  • Emails must be archived in an unchanged manner
  • No email must be lost on the way to or in the archive
  • Emails must be retrievable and at short notice
  • Emails may not be deleted during the intended lifetime
  • Emails must be able to be displayed and printed exactly as they were entered
  • Documentation of changes in the organisation and structure of the archive must enable the original state to be restored
  • Migration to new platforms must be possible without loss of information

Moreover, users of the archive must comply with the legal and operational regulations concerning data security and data protection during the lifetime of the archive.

Audit-proof does not necessarily mean GDPR-compliant

By now, an attentive reader is probably asking the following question: How can an archiving system be warned or served notice about non-compliance with deletion obligations if emails are to be archived completely and in an audit-proof manner? Fair question. Here’s the answer:

The General Data Protection Regulation provides for an obligation to delete all personal data that are no longer used. This also includes all email communication. According to the GDPR, the storage and processing of such data is therefore always for a specific purpose. The purpose may, for example, relate to the provision of a specific service that would not be possible without the processing of customer data. If this purpose ceases to exist after some period of time, these data must be deleted.

U

An example from the Human Resources Department:

Monica M. applies for a job as a clerk at a medium-sized company in the tourism industry. Typically, the application contains relevant personal data, such as address, date of birth and much more. The documents are checked by the Human Resources Department and the respective specialist department.

If Monica M. impresses them, she is invited for an interview and can ideally fill the position. In order to be able to act as an employee of the company and to be paid for this, the company must continue to store and process Monica’s data.

However, if Monica does not impress the company during the interview, the basis for data storage is no longer applicable. The company must therefore completely destroy the data at the latest six months after rejecting Monica’s application. And what is meant here is “delete”. This includes all documents available in paper and digital form, such as cover letters, curriculum vitae, copies of certificates, notes from the interview, test papers and all related emails received.

In addition to the situation just described here, there are two other cases in which archiving is restricted or not permitted at all. The first case concerns email communications between employees and the works council or company medical officer. This is confidential communication that needs to be excluded from archiving. If, in addition, employees are generally permitted to send and receive personal e-mails, these may also not be archived by the company. Private e-mail communication must be clearly distinguished from business communication.

The audit-proof and GDPR-compliant archiving system

As already described, the storage of personal data is tied to a specific purpose. And as we have seen, this purpose can also change. A legally imposed obligation to retain data can therefore also be considered a purpose for the storage of personal data.

In order to be able to comply with both the retention and deletion obligations, an enterprise should keep three important aspects in mind when archiving emails. First of all, it must be possible to recognise and mark personal information such as the private email communication of employees. The data must be classified to make it possible to answer the question of what they are about, so that appropriate retention periods can be guaranteed. Last but not least, the times for the retention periods must be defined. It is important that the storage is structured and indexed and also includes attachments. This ensures that documents can be found quickly.

It is therefore particularly important to pay attention to both unalterability and data protection conformity when selecting a company-wide archiving system – because not every archiving system can delete data and this can end up being expensive!

Hornetsecurity’s Archiving

An archiving system that fulfills all requirements, and also has low administrative and maintenance costs, is Hornetsecurity Archiving. All incoming and outgoing emails are archived fully, automatically, and securely in the cloud. This ensures the required unchangeability and completeness of the emails without any effort on your side.

Further features of the archive also include the marking of private emails as well as the complete exclusion of certain users from archiving, such as members of the works council. In this way, personal data can be protected in accordance with the GDPR. The archiving period for emails can be configured in advance, between six months for applications and 10 years. The existing full-text search function allows specific emails to be found quickly. Finally, Hornetsecurity’s Archiving also has a secure import and export function using a standardized format.