Magazine

When considering the legal aspects of data backup, two key questions arise: What are you permitted to do, and what are you required to do? As long as your data remains within your organization, you may back up all data that has been stored in compliance with legal requirements. However, challenges can occur if data is backed up or archived externally. In particular, when personal data of customers or employees is involved, this constitutes a transfer of data to third parties. This is generally not problematic, provided that such transfers are explicitly covered in the relevant consent declarations.

What needs to be backed up?

In principle, all documents that could potentially serve as evidence in future civil proceedings must be backed up. This includes any documents created due to legal documentation obligations—such as invoices, delivery notes, and other business records that serve as proof of completed transactions. Additionally, professionals like doctors and lawyers are required to document the advice provided to patients or clients, while companies must record compliance with official regulations. All these documents must not only be backed up, but also archived in an audit-proof manner. Documents that can be altered after the fact lose their evidentiary value. Fortunately, there are numerous archiving systems available that utilize qualified time stamps and other technologies to ensure data integrity. Thus, this challenge can be addressed with the right technical solutions.

Principles of Data Access and Verifiability of Digital Documents

In Germany, all documents related to taxation are subject to the Principles of Data Access and Verifiability of Digital Documents (GDPdU). This is a binding administrative directive issued by the Federal Ministry of Finance, and no company operating in Germany can afford to ignore it. The core requirement is that a tax auditor must be granted read access to all tax-relevant digital documents at any time upon request. This goes far beyond simply storing backup tapes in a basement; it requires that backup archives from previous years are accessible at all times.

In practice, it is unlikely that any company fully complies with the GDPdU, as “tax-relevant digital documents” also include, for example, all internal emails related to tax-relevant transactions. It is virtually impossible for any organization to filter out every email sent years ago that might reference a specific transaction. Nevertheless, it is essential to observe the strict requirements of the GDPdU for all documents that are typically relevant in the context of a tax audit.

Look it up further: Data backup

Related articles

Which type of backup is the best choice for my data?
This is how important data backup is in real life
FAT32 or NTFS? Which format is better for backups?

Post a comment here...