GoBD Compliance: Email Archiving Requirements for German Businesses
Learn how to meet GoBD requirements for audit-proof email archiving. Covers retention periods, technical requirements, and practical implementation for German businesses.
German businesses face strict requirements for email archiving under the GoBD (Grundsätze zur ordnungsmäßigen Führung und Aufbewahrung von Büchern, Aufzeichnungen und Unterlagen in elektronischer Form sowie zum Datenzugriff). This guide explains the requirements and how to implement compliant email archiving.
What is GoBD?
GoBD is a German administrative regulation from the Federal Ministry of Finance that defines requirements for:
- Electronic bookkeeping and record-keeping
- Retention of tax-relevant documents
- Data access rights for tax authorities during audits
Important: GoBD applies to every business with bookkeeping or record-keeping obligations under German tax law, regardless of size or legal form. If the tax office finds that records are not kept and retained in line with GoBD, it can reject the bookkeeping as formally deficient and estimate the tax base (§ 162 AO), in addition to any fines.
Retention Periods Under GoBD
The statutory retention periods come from § 147 AO and § 257 HGB rather than from the GoBD itself, and they differ by document type:
| Document Type | Retention Period |
|---|---|
| Books, records, inventories, annual financial statements, management reports | 10 years |
| Accounting vouchers (Buchungsbelege), including incoming and outgoing invoices | 8 years (reduced from 10 by the Fourth Bureaucracy Relief Act; applies to vouchers whose old 10-year period had not yet expired on 1 January 2025, with a transition period for banks and insurers) |
| Commercial and business letters (received and sent) | 6 years |
The retention period begins at the end of the calendar year in which the document was created or received (for books, the year of the last entry). An invoice received on 2 January and one received on 30 December of the same year therefore expire on the same date. The period also does not run out while the documents are still relevant for a tax assessment whose limitation period is open (§ 147 Abs. 3 AO), so a running tax audit blocks deletion regardless of the calendar.
Which Emails Must Be Archived?
An email is only subject to retention if it is itself a business letter or a voucher. If it merely transports an attachment (an invoice PDF or XML, for example), the attachment must be archived, but the email itself plays the role of the envelope and need not be kept unless it carries additional relevant content such as payment terms. In practice most organisations archive every message rather than make that distinction per email.
Accounting-Relevant Emails (8 Years for Vouchers, 10 Years for Financial Statements)
- Invoices (incoming and outgoing)
- Invoice corrections and credit notes
- Contracts with financial implications
- Payment confirmations
- Correspondence with tax authorities
- Financial statements and management reports (10 years)
Commercial Emails (6 Years)
- Offers and quotations
- Order confirmations
- Delivery notes
- General business correspondence
Emails That Do NOT Require Archiving
- Private correspondence (if permitted by company policy)
- Spam and advertising
- Newsletters without business relevance
Key GoBD Requirements for Email Archiving
1. Immutability (Unveränderbarkeit)
Once archived, an email must not be changeable or deletable without leaving a trace (§ 146 Abs. 4 AO). Ordinary file shares and mailboxes, where a message can be edited silently, do not meet this requirement; where a change is unavoidable, the original content and the change itself must remain traceable.
How Piler addresses this:
- Emails stored in original EML format, without normalisation
- AES-256 encryption at rest (this protects confidentiality; on its own it does not provide immutability)
- SHA-256 hash verification on retrieval, which detects a modified message but does not prevent the modification
- Optional WORM storage (S3 Object Lock), which prevents modification and early deletion at the storage layer, including by the archive's own administrators
- Optional RFC 3161 TSA timestamps, which prove that a message with a given hash existed at a given time
A practical check: as the most privileged administrator of the archive, try to change or delete an archived message and confirm that the attempt either fails (WORM) or is detectable afterwards (hash mismatch on retrieval, audit entry).
2. Completeness (Vollständigkeit)
All tax-relevant and commercially relevant emails must be captured completely.
How Piler addresses this:
- Automatic capture via SMTP journaling
- Real-time archiving as emails arrive
- Full preservation of attachments and headers
- No manual intervention required
3. Traceability (Nachvollziehbarkeit)
Every change to archived data must be logged with who, what and when, and access to the archive should be attributable to a person, both for the tax audit and for data protection.
How Piler addresses this:
- Comprehensive audit logging
- Who accessed what, when, from where
- SIEM integration, so a copy of the log lives outside the archive and outside the reach of the archive's administrators
- Tamper-evident audit trails
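The two controls above, content-hash verification on retrieval and a tamper-evident audit trail, are easy to misjudge without seeing them fail. The following is an added example written for this article; it is not Piler's code and makes no claim about how Piler stores messages or logs. It uses an in-memory dictionary as a stand-in for the message store, a constructed sample EML, and a hash chain in which every audit entry commits to the hash of its predecessor, so that editing or deleting an earlier entry breaks verification of everything after it.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed sample message; a real archiver would ingest the journaled EML.
SAMPLE_EML = (
    b"From: billing@example.invalid\r\n"
    b"To: ap@example.invalid\r\n"
    b"Subject: Invoice 2025-0042\r\n\r\n"
    b"Please find invoice 2025-0042 attached.\r\n"
)

GENESIS = "0" * 64  # "previous hash" of the first audit entry


class Archive:
    """Write-once store keyed by SHA-256 plus a hash-chained audit log."""

    def __init__(self):
        self.blobs = {}   # digest -> original EML bytes (in-memory stand-in)
        self.audit = []   # audit entries, each committing to the previous one

    def _append_audit(self, action, digest, user, src_ip):
        prev = self.audit[-1]["entry_hash"] if self.audit else GENESIS
        entry = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "action": action,   # what was done ...
            "object": digest,   # ... to which message ...
            "user": user,       # ... by whom ...
            "src_ip": src_ip,   # ... from where
            "prev": prev,
        }
        # The entry hash covers the previous hash, so editing or deleting an
        # earlier entry invalidates every entry after it.
        body = json.dumps(entry, sort_keys=True).encode()
        entry["entry_hash"] = hashlib.sha256(body).hexdigest()
        self.audit.append(entry)
        return entry["entry_hash"]

    def store(self, eml, user, src_ip):
        digest = hashlib.sha256(eml).hexdigest()
        self.blobs.setdefault(digest, eml)  # never overwrite an existing blob
        self._append_audit("store", digest, user, src_ip)
        return digest

    def retrieve(self, digest, user, src_ip):
        eml = self.blobs[digest]
        # Recompute on the way out: a blob altered in the store no longer
        # matches the digest it was filed under.
        ok = hmac.compare_digest(hashlib.sha256(eml).hexdigest(), digest)
        self._append_audit("retrieve" if ok else "integrity_failure",
                           digest, user, src_ip)
        if not ok:
            raise ValueError("integrity failure: archived message was altered")
        return eml

    def verify_audit_chain(self):
        """True if no entry was modified, removed or reordered."""
        prev = GENESIS
        for entry in self.audit:
            if entry["prev"] != prev:
                return False
            fields = {k: v for k, v in entry.items() if k != "entry_hash"}
            body = json.dumps(fields, sort_keys=True).encode()
            if not hmac.compare_digest(hashlib.sha256(body).hexdigest(),
                                       entry["entry_hash"]):
                return False
            prev = entry["entry_hash"]
        return True


def demo():
    """Returns (retrieval_ok, tamper_detected, chain_ok_before, chain_ok_after)."""
    a = Archive()
    d = a.store(SAMPLE_EML, user="journal", src_ip="10.0.0.5")
    retrieval_ok = a.retrieve(d, "auditor", "10.0.0.9") == SAMPLE_EML
    chain_before = a.verify_audit_chain()
    # An insider with write access to the store edits the message in place.
    a.blobs[d] = SAMPLE_EML.replace(b"0042", b"0043")
    try:
        a.retrieve(d, "auditor", "10.0.0.9")
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    # The same insider scrubs the auditor's first retrieval from the log.
    del a.audit[1]
    chain_after = a.verify_audit_chain()
    return retrieval_ok, tamper_detected, chain_before, chain_after


if __name__ == "__main__":
    print(demo())  # (True, True, True, False)
```

The chain is tamper-evident, not tamper-proof: anyone who can rewrite the whole log can simply re-chain it. That is why the head hash or the log itself needs to leave the system, by forwarding to a SIEM the archive administrators cannot write to or by having it timestamped (the TSA option above); the same logic applies to the message hashes, which only prove anything once they are anchored somewhere the archive cannot alter.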
4. Machine Readability (Maschinelle Auswertbarkeit)
Tax authorities must be able to search and export data during audits.
How Piler addresses this:
- Full-text search across all content
- Export in standard formats (EML, MBOX, PDF, CSV)
- Dedicated auditor role for tax inspections
- Z1, Z2, Z3 data access support
2025 E-Invoicing Update
Since 1 January 2025 every German business must be able to receive electronic invoices (structured XML conforming to EN 16931, such as XRechnung or ZUGFeRD) for domestic B2B transactions; the obligation to issue them is phased in from 2027. The July 2025 GoBD amendment clarifies how they are to be retained:
- E-invoices must be stored in the structured format in which they were received
- For hybrid formats (ZUGFeRD), the XML component is the legally relevant invoice; the PDF is a visualisation
- If the PDF can be regenerated from the XML, storing the PDF separately is not required
Piler stores every attachment exactly as received, so the XML part survives unchanged. Note that this only covers e-invoices that arrive by email; invoices delivered through portals or EDI channels need their own archiving path.
Implementing GoBD-Compliant Archiving
Step 1: Configure Journal Transport Rules
Set up your mail server to send a copy of every inbound, outbound and internal message to Piler:
- Exchange: Journal rules (journal the whole organisation rather than selected mailboxes, so nothing is missed)
- Postfix: always_bcc (a copy of every message passing through this instance) or sender_bcc_maps / recipient_bcc_maps for finer control
- Google Workspace: Content compliance rules
Make sure the rule sits on every path mail actually takes: a journal rule on the inbound gateway does not capture internal mail or outbound mail that leaves through a different relay, and always_bcc only sees traffic that passes through that Postfix instance. Test completeness by sending an internal, an inbound and an outbound message and confirming all three appear in the archive.
Step 2: Define Retention Policies
Configure retention periods that match the document classes above:
- 8 years for accounting vouchers such as invoices and credit notes
- 10 years for books, inventories and financial statements
- 6 years for general commercial correspondence
- Use categories or mailbox rules to apply the correct period; when a message cannot be classified reliably, apply the longest period that could plausibly apply
Count the period from the end of the calendar year of receipt, and make sure a legal hold or a pending tax audit suspends deletion.
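The calendar-year rule and the suspension cases are where retention jobs usually go wrong, so here is the logic as an added example written for this article. It is not Piler's code and does not describe Piler's retention engine. The period table is an assumption based on § 147 Abs. 3 AO as amended by the Fourth Bureaucracy Relief Act (confirm it with your tax advisor), the keyword classifier stands in for whatever mailbox rules or categories you actually use, and the function names are invented for the example.

```python
from datetime import date

# Assumed mapping of document class to statutory years (§ 147 Abs. 3 AO as
# amended by BEG IV). Confirm with your tax advisor; banks and insurers keep
# vouchers for 10 years during a transition period that is not modelled here.
RETENTION_YEARS = {
    "books_and_statements": 10,  # books, inventories, annual financial statements
    "voucher": 8,                # Buchungsbelege, including invoices
    "business_letter": 6,        # commercial correspondence
}


def classify(subject: str) -> str:
    """Toy mailbox rule. A real deployment keys on sender, folder or an
    explicit category set by the user, not on subject keywords."""
    s = subject.lower()
    if any(k in s for k in ("invoice", "rechnung", "credit note", "gutschrift")):
        return "voucher"
    if any(k in s for k in ("financial statement", "jahresabschluss")):
        return "books_and_statements"
    return "business_letter"


def retention_expiry(received: date, doc_class: str) -> date:
    """Last day on which the document must still be held.

    § 147 Abs. 4 AO: the period starts at the end of the calendar year in
    which the document was created or received, so a voucher received on
    2 January and one received on 30 December expire on the same day.
    """
    return date(received.year + RETENTION_YEARS[doc_class], 12, 31)


def may_delete(received: date, doc_class: str, today: date,
               legal_hold: bool = False, audit_open: bool = False) -> bool:
    """True only when the statutory period has elapsed and nothing suspends it.

    A legal hold overrides the calendar, and § 147 Abs. 3 AO keeps the period
    from expiring while the affected tax assessment is still open (audit_open).
    """
    if legal_hold or audit_open:
        return False
    return today > retention_expiry(received, doc_class)


def policy_decision(received_iso: str, subject: str, today_iso: str,
                    legal_hold: bool = False, audit_open: bool = False) -> dict:
    """Convenience wrapper taking ISO dates, as a nightly retention job would."""
    received = date.fromisoformat(received_iso)
    today = date.fromisoformat(today_iso)
    doc_class = classify(subject)
    return {
        "class": doc_class,
        "expires": retention_expiry(received, doc_class).isoformat(),
        "may_delete": may_delete(received, doc_class, today, legal_hold, audit_open),
    }


if __name__ == "__main__":
    print(policy_decision("2025-01-02", "Rechnung 2025-0042", "2034-01-01"))
    print(policy_decision("2025-12-30", "Rechnung 2025-9999", "2033-12-31"))
```

Run the retention job with deletion disabled first and review what it would delete: the most common finding is mail classified as "business letter" (6 years) that actually carries an invoice or credit note, which is why the previous step recommends the longest plausible period when classification is uncertain.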
Step 3: Enable Audit Logging
Ensure all access is logged:
- Enable access logging in Piler
- Forward logs to external SIEM for tamper protection
- Regular log review for compliance monitoring
Step 4: Create Procedural Documentation
GoBD requires written documentation (Verfahrensdokumentation) describing:
- System architecture
- Archiving processes
- Access controls
- Backup procedures
Tax Audit Preparation
When tax authorities request access, Piler supports:
| Access Type | Description |
|---|---|
| Z1 | Direct system access via auditor role |
| Z2 | Indirect access through reports and exports |
| Z3 | Data carrier provision (export to external media) |
The auditor role provides read-only access with full audit trail documentation.
GoBD vs. GDPR: Balancing Requirements
German businesses must reconcile GoBD retention with the GDPR's storage limitation principle:
- GoBD and § 147 AO require retention for 6 to 10 years
- GDPR requires personal data to be deleted once it is no longer necessary, but Art. 17(3)(b) GDPR exempts data that must be kept to comply with a legal obligation
Retention that is actually required by tax or commercial law is therefore lawful under GDPR; the exposure comes from keeping everything for 10 years "to be safe", including private correspondence and mail with no business relevance. Piler's retention and legal hold features support both sides:
- Retain tax-relevant data for as long as the law requires, and no longer
- Delete non-relevant data after the period defined in your own policy
- Document the legal basis for each retention class in the Verfahrensdokumentation
Why Self-Hosted Archiving for German Businesses?
German data protection and sovereignty concerns make self-hosted archiving attractive:
- Data stays in Germany - No cross-border data transfer issues
- Full control - You manage encryption keys and access
- Predictable costs - No per-user cloud fees that grow with company size
- Audit-ready - Direct access for tax authorities without third-party involvement
Summary: GoBD Compliance Checklist
| Requirement | Status |
|---|---|
| Immutable storage | Built-in (hash verification, audit logs); WORM storage and TSA timestamps optional |
| Complete capture | Configuration required (journal rules) |
| Systematic organization | Built-in (search, indexing, categories) |
| Timely archiving | Built-in (real-time capture) |
| Full traceability | Built-in (comprehensive audit logging) |
| Machine readability | Built-in (search, export) |
| Configurable retention | Configuration required |
| Auditor access | Built-in (auditor role) |
| Procedural documentation | Customer responsibility |
Conclusion
GoBD-compliant email archiving is not optional for German businesses. The requirements for immutability, completeness, traceability, and machine readability demand a purpose-built archiving solution.
Piler Enterprise provides all technical capabilities needed for GoBD compliance, while self-hosted deployment ensures full data sovereignty and control. Combined with proper configuration and procedural documentation, German businesses can confidently meet their legal obligations.
For detailed technical documentation, see our GoBD Compliance Guide.
This article provides general information about GoBD requirements. It does not constitute legal advice. Consult with your tax advisor or legal counsel for guidance specific to your situation.