This white paper sets out the requirements that the German GDPdU imposes on the electronic retention of tax-relevant e-mail, the legal principles and risks behind them, and provides a practical checklist for implementing compliant e-mail archiving with GFI MailArchiver 6 for Exchange.
GFI Software | www.gfi.com

White Paper

Compliance with the Requirements of GDPdU using the Software GFI MailArchiver 6 for Exchange

compiled in cooperation with

August 2009
Contents

A. Introduction
B. Legal principles
C. Technical and organisational requirements
   I. Electronic evaluation
   II. Completeness and unalterability
   III. Secure and traceable data processing and data storage
   IV. Adequate data accessibility
   V. Assignment capability of e-mails and related business transactions
   VI. Provision of adequate process documentation
   VII. Data protection requirements
D. Risks
E. GFI MailArchiver 6 Checklist

A. Introduction

We can no longer imagine conducting business without e-mail. Today entire transactions are conducted based on e-mail exchanges.

As e-mails often serve as business letters and so-called "commercial letters" and are also significant for taxation, specific requirements regarding processing and retention of these e-mails are imposed.

The German Tax Code (§ 147 AO) controls the requirements for tax-relevant e-mails. Pursuant to the Tax Code, tax-relevant e-mails must be retained for either six or ten years.

In addition, a detailed statutory regulatory requirement on data access of the German fiscal authority called GDPdU (broadly translated as "Generally Accepted Principles of Data Access and Auditability of Digital Documents") has been in effect in Germany for several years.

According to this regulation, all e-mails with tax-relevant content are to be electronically retained for the duration of the statutory retention period and must be made available on request of the fiscal authorities.

Specific requirements regarding nature, format and processability of electronically retained e-mails must be satisfied.

Arbitrary storage in the individual mailboxes of personnel or a printout of tax-relevant e-mails is now insufficient.

Companies that have not adjusted their financial accounting to the new statutory requirements of GDPdU may be subject to substantial sanctions in their next tax audit. Exceptionally severe violations may result in an estimation of the tax basis as well as penalty payments and a fine on arrears that can amount to EUR 250,000.

Electronic archiving systems offer a compliance solution to the high demands of e-mail retention. Note, however, that a solely technical solution by itself does not lead to compliance. Compliance with retention requirements can be achieved only through technical solutions in combination with coordinated procedures and processes.

It is a prevalent misapprehension that a "certified" system by itself suffices to comply with the various requirements. That is simply not true.

Many software producers leave their customers unaware of the true extent of compliance requirements and may conceal that in addition to simple storage, organisational procedures in connection with the filing structure for e-mails and
attachments as well as prompt retrieval must be implemented.

GFI Software strikes a new path. In addition to a certification of the e-mail archiving software GFI MailArchiver 6 concerning compliance with GDPdU, issued by a German accountancy firm, GFI Software offers a comprehensive solution. In addition to the proven technical archiving solution, support for the structuring of the necessary organisational procedures and processes is provided.

This document is designed to provide information about the requirements of German fiscal authorities and to support, on the basis of a pragmatic checklist, the implementation of procedures pursuant to statutes.

B. Legal principles

Pursuant to German commercial and fiscal law (§§ 238, 239, 257 HGB and §§ 145-147 AO) account books and other accounting records can be maintained under certain conditions on an image carrier or any other data carrier. Accordingly, storage of tax-relevant documents on digital data carriers – e. g. in electronic archiving systems – is possible.

Electronic archiving is defined as unalterable long-term storage of documents subject to retention obligations on machine-readable data carriers to fulfil the statutory retention requirements pursuant to § 257 HGB and § 147 AO.

Documents subject to retention obligations are e. g.:

- accounting vouchers, account books and commercial letters
- physical documents in hard copy (e. g. incoming commercial letters or manually generated accounting vouchers and other vouchers)
- procedure documentation and user manual, documentation of the internal control system (ICS) as well as other documents needed for understanding the financial accounting

E-mails with tax-relevant content also fall into the category of documents with a retention obligation pursuant to § 147 (1) No. 5 AO.

Details of the statutory specifications can be gathered from different relevant statements, policies and regulations, including amongst others:

- Grundsätze ordnungsmäßiger Buchführung (GoB, broadly translated as "Generally Accepted Principles of Proper Accounting") in accordance with §§ 238 et seq., 257 HGB and §§ 147 et seq. AO
- Grundsätze ordnungsmäßiger DV-gestützter Buchführungssysteme (GoBS, broadly translated as "Generally Accepted Principles of Computer-Assisted Accounting Systems"), issued by the Federal Ministry of Finance (BMF) in a written communication on 7 November 1995
- Grundsätze zum Datenzugriff und zur Prüfbarkeit digitaler Unterlagen (GDPdU), issued by the BMF in a written communication on 16 July 2001

With an intent to provide details of these requirements, the Institute of German Public Auditors ("Institut der Wirtschaftsprüfer in Deutschland e.V.", IDW) published on 11 July 2006 a statement for proper accounting when applying electronic archiving, called "Grundsätze ordnungsmäßiger Buchführung beim Einsatz elektronischer Archivierungsverfahren" (IDW RS FAIT 3).

Additionally, there are data protection requirements determined by the Federal Data Protection Act ("Bundesdatenschutzgesetz", BDSG).

C. Technical and organisational requirements

Regulations, including pronouncements of the German fiscal authorities, do not prescribe any particular technique for electronic archiving. However, there is mutual agreement about certain technical and organisational requirements related to any system for electronic archiving of e-mails:

- electronic evaluation
- completeness and unalterability
- secure and traceable data processing and data storage
- adequate data accessibility
- assignment capability of e-mails and related business transactions
- provision of adequate process documentation
- data protection requirements

I. Electronic evaluation

According to GDPdU, electronic evaluation must be provided. The archiving system that takes over the data must have processing capacities, in a quantitative and qualitative degree, similar to those of the source system, as if the data were still in the productive system (broadly paraphrased from the BMF pronouncement).

During a transfer no changes may occur to the object to be archived or to its ability to be evaluated.

With regard to generic digital documents, it is to be noted whether structural information that is necessary for electronic evaluation is present in addition to the content.

For example, the "header" of e-mails contains, amongst other information, details about the sender, recipient and encoding and is considered part of the structural information.

In addition to the e-mail itself and the structural information, e-mail attachments are also of importance. They are to be taken into consideration when the tax relevance of an e-mail is evaluated and should maintain their capability to be evaluated during the entire archiving process.
II. Completeness and unalterability

All data must be fully archived. Therefore data from the source system may not be filtered in any way.

Fiscal authorities attach great importance to ensuring that no condensation of information occurs prior to or after acceptance by the archiving system, because a loss of tax-relevant information could otherwise not be precluded.

The unalterability of archiving objects is to be ensured during all stages of the archiving process. The reproducibility of the process is to be ensured through proper logging.

The applied archiving procedures have to be performed such that the following requirements are fulfilled:

- parameterisation of all systems of the archiving solution such that the capture of tax-relevant data is ensured
- loss-free data transfer to the data capture system
- prompt periodic archiving
- archiving of data true to the original in both image and content

III. Secure and traceable data processing and data storage

Any subsequent changes to the archived objects must be prevented at all levels including the operating system, database and application level.

The complete storage of captured data is to be ensured in a retraceable manner and error-free saving is to be ensured by suitable plausibility controls.

To assure information security and data protection, the archiving software may allow for read-only data access in light of separation of functions and authorised interest, and as required in interaction with the operating system as well as applied third-party software (e. g. database system).

Thus, encrypted storage as well as encapsulation of the master file is permissible to the extent that the master file can be readably retrieved without causing a delay in the audit process.

Storage in a data format deviating from the master file is not acceptable and may act only as a supplement to the master file.

IV. Adequate data accessibility

The applied archiving system must technically enable free access to data and documents.

To ensure prompt data access for fiscal authorities the archiving solution must allow for readability and reproducibility of the archiving objects at any time during the entire retention period.

In order to ensure the retrievability of tax-relevant e-mails, the requirements for proper filing must be satisfied. Therefore it is essential that each e-mail is assigned a unique index value.

Moreover the system should provide a suitable method for keyword indexing to map relations to data outside the archiving system. This ensures
that the tax auditor is able to retrace a logical chain of tax-relevant business transactions including the examination of particular data objects.

V. Assignment capability of e-mails and related business transactions

The assignment of tax-relevant e-mails to corresponding business transactions is mandatory. This is rather complicated due to the characteristics of e-mails.

The following alternatives are possible:

- tax-relevant e-mails with reference to one business transaction
- tax-relevant e-mails with reference to numerous business transactions
- tax-relevant e-mails not in reference to any business transaction

Fiscal authorities do not provide specific operational guidelines on how such an assignment is to be made in a reliable manner. Insofar the taxpayer is not subject to any restrictions regarding his choice of procedures. A suitable archiving system should nevertheless provide for convenient methods to allow for such an assignment.

VI. Provision of adequate process documentation

The archiving solution must have adequate process documentation, consisting of the following components:

- user documentation
- technical system documentation
- operational documentation

Therein the applicable procedures are to be determined and verified. This applies in particular to the controls designated to the respective procedures.

Moreover the process documentation shall contain technical (e. g. interface definitions to preceding and subsequent systems) and organisational definitions (e. g. point in time and frequency of archiving processes).

VII. Data protection requirements

Along with the fundamental problem of automated e-mail qualification, using server-side archiving in companies also involves difficulties with regard to data protection requirements.

Through server-side automated archiving of e-mails, all incoming e-mails are captured before they reach the recipient's individual sphere of control on his workstation computer. In this case, private e-mails would also be subject to archiving.

D. Risks

The risks resulting from a failure to satisfy statutory requirements are numerous. In addition to potential legal consequences, they primarily affect image, profitability and efficiency of the company.

Material risks are e. g.:

- non-deductibility of input VAT
- sanctions for non-compliance with regulations
- loss of evidentiary value
- data protection violations
- increased in-house expenses
- disclosure of sensitive internal information

Non-deductibility of input VAT

As a result of inadequate or incomplete archiving of incoming invoices received by the company via e-mail in the context of transmission of electronic invoices ("e-billing"), there is a danger of losing the deductibility of input VAT.

In this context, the proper archiving of the so-called "qualified electronic signature" accompanying an electronic invoice must be considered. In Germany, the Value Added Tax Act (Umsatzsteuergesetz, UStG) demands a qualified electronic signature on electronically transmitted invoices in order for the company receiving the invoice to deduct the input VAT.

Sanctions for non-compliance with regulations

Violations of regulations may result in sanctions by fiscal authorities ranging from penalties and fines on arrears for exceptionally severe violations that can amount to EUR 250,000 (§ 146 (2b) AO) and may extend to an estimation of the tax basis.

Loss of evidentiary value

Inadequate archiving may result in a loss of evidentiary value and thus in an indefinite financial risk.

This is particularly possible if the archived e-mails do not remain unaltered and in their original format, as required. For example, business correspondence between customers and suppliers may represent essential evidence in litigation where the content and sequence of events are material.

Data protection violations

Violations of data protection requirements are especially possible as a result of insufficient physical and logical access restrictions to material data if access to or even manipulation of personal data is thereby possible.

A violation of data protection regulations may result in substantial monetary fines ranging, in the worst case, from EUR 50,000 as a consequence of violations of procedural rules to EUR 300,000 for violations of material data protection regulations.

Increased in-house expenses

The in-house expense of providing prompt and free data access to fiscal authorities must also be considered.

For example, subsequently sorting a progressively growing volume of e-mail data may result in a considerable operating expense.

In contrast, proper filing normally results in
significant efficiency advantages.

In addition, the implementation of a dedicated e-mail archiving solution avoids unnecessary data redundancy and excess use of resources (e. g. storage capacity).

Disclosure of sensitive internal information

The fiscal authorities are not subject to any restrictions regarding exploitation of information that has accidentally come into their possession or which exceeds the object of the audit.

Failed or flawed separation of tax-relevant e-mails from non-tax-relevant e-mails may lead to a situation where, as a result of the disclosure of internal information which was not an object of the audit, fiscal authorities could acquire facts that might be to the company's disadvantage. This represents an avoidable risk.
E. GFI MailArchiver 6 Checklist

System design

Selection of a suitable archive storage

Does the selected archive storage comply with the requirements of unalterable and traceable archiving?

It is essential that the archive storage allows for comprehensive logging of all saving processes and subsequent data access (including the database level).

The database system MS SQL Server serves as a suitable data storage. Subject to appropriately configured access rights, the above referenced requirements are fulfilled by complete storage of all data within the database, enabling GDPdU-compliant storage.

Security of data connection

Does the archiving of e-mails occur via network connections from source systems that are not located within the user's sphere of trust (e. g. from remote MS Exchange Servers)?

In this case unalterability within the transmission path has to be ensured by encryption-protected file transfer. For this purpose it is necessary to select the transmission protocol IMAP with Secure Sockets Layer (SSL) in GFI MailArchiver to connect with the source system.

Parameterisation and interfaces

In order to allow for a configuration of the archiving solution that complies with the requirements of GDPdU, the following mandatory preparations on the side of the source system (MS Exchange Server) are to be made prior to the initial operation:

- Definition and installation of the journaling mailbox that is to contain all e-mails designated for archiving from the corresponding server
- Activation of envelope journaling in MS Exchange Server to ensure the completeness of the scope of archiving, comprising all possible e-mail recipients including blind carbon copy recipients (BCC). This feature is already activated by default when using MS Exchange Server 2007.
- Activation of the message tracking function to allow for subsequent verification of complete archiving

In addition to the mandatory preparations for GDPdU-compliant archiving, the following recommendations should be considered:

Is it ensured that the scope of e-mails designated for archival storage is not limited by archiving option settings of GFI MailArchiver?

With regard to completeness aspects the following settings are to be made:

- Capture of e-mails in all possible directions (incoming, outgoing and internal)
- No exclusions based on blacklisted user
accounts of the Windows domain or specific e-mail addresses
- No limitations on the number of users based on whitelisted user accounts of the Windows domain or specific e-mail addresses

Exceptions result from user accounts or e-mail addresses where tax relevance of the e-mail traffic can definitely be excluded.

Is it ensured that no archiving policies are installed which allow for a storage time shorter than the statutory retention period (e. g. retention policies for immediate deletion based on predefined features)?

Processes and organisation

Does the written definition serve as a suitable method to allow a competent third party to comprehend content, structure and process flow of the procedures within an appropriate timeframe?

Are all responsibilities for the particular process steps (functional and IT related operations) for all archiving components fully defined?

Is it ensured that users are instructed on how to operate the archiving system and/or is a user manual placed at their disposal?

Is it ensured that the system administration is instructed on how to operate the archiving system and/or is an administration manual placed at its disposal?

Are maintenance and operations control tasks of the archiving system properly defined and contained in a superordinate concept of IT related controlled operations?

Are all verification tasks properly defined?

Does the configured authorisation concept comply with the predetermined competencies and is the procedure adequately documented?

Capture

Are all procedures and techniques that allow for verifiable complete and correct capture and archival storage of e-mails properly defined and documented?

GFI MailArchiver does not support the logging of e-mails transferred via the standard interface from MS Exchange Server. Therefore the verification of loss-free and thus complete data transfer, according to the requirements of GDPdU, must be provided by the log generated by the particular source system (MS Exchange Server).

If necessary, it is possible to verify complete archiving by comparing the logs (which are generated by the message tracking function of MS Exchange Server and show the processed e-mails) with the e-mails subsequently stored in the archive on the basis of common identifying features.
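The comparison described in this Capture item, and again under "Storage and administration" later in the checklist (matching the Message-IDs recorded in the Exchange message tracking log against the Message-IDs present in the archive), can be automated. The following Python script is an added example written for this edit; it is not part of the white paper and not GFI code. It assumes a tracking log in the text format written by Exchange 2007, where a "#Fields:" header line names the CSV columns, and an archive-side export as CSV with a "message-id" column (that export format and its column names are an assumption, not a documented GFI MailArchiver 6 feature). Both inputs are constructed samples embedded in the script.

```python
from __future__ import annotations

import csv
import io
from dataclasses import dataclass

# Tracking events taken as evidence that a message passed the transport pipeline.
# Assumption for this example; tune to the real topology (see the note below the code).
RELEVANT_EVENTS = {"RECEIVE", "SEND", "DELIVER"}

# Constructed sample in the style of an Exchange 2007 message tracking log:
# '#'-prefixed header lines, with the '#Fields:' line naming the CSV columns.
TRACKING_LOG = """#Software: Microsoft Exchange Server
#Fields: date-time,client-ip,client-hostname,server-ip,server-hostname,source-context,connector-id,source,event-id,internal-message-id,message-id,recipient-address,recipient-status,total-bytes,recipient-count,related-recipient-address,reference,message-subject,sender-address,return-path,message-info
2009-08-03T08:15:02.123Z,192.0.2.7,mail.example.net,10.0.0.10,EXCH01,,Default EXCH01,SMTP,RECEIVE,101,<abc-1@example.com>,finance@example.com,,20480,1,,,Invoice 4711,supplier@example.net,supplier@example.net,
2009-08-03T08:15:02.456Z,,,,EXCH01,,,STOREDRIVER,DELIVER,101,<abc-1@example.com>,finance@example.com,,20480,1,,,Invoice 4711,supplier@example.net,supplier@example.net,
2009-08-03T09:02:11.001Z,192.0.2.8,mx.partner.example,10.0.0.10,EXCH01,,Default EXCH01,SMTP,RECEIVE,102,<abc-2@example.com>,sales@example.com,,5120,1,,,"Order confirmation, ref 8815",buyer@partner.example,buyer@partner.example,
2009-08-03T09:02:11.300Z,,,,EXCH01,,,STOREDRIVER,DELIVER,102,<abc-2@example.com>,sales@example.com,,5120,1,,,"Order confirmation, ref 8815",buyer@partner.example,buyer@partner.example,
2009-08-03T10:30:45.777Z,10.0.0.10,EXCH01,192.0.2.20,smtp.partner.example,,Internet,SMTP,SEND,103,<abc-3@example.com>,buyer@partner.example,250 2.6.0 Queued,8192,1,,,Re: Order 8815 dispatch,sales@example.com,sales@example.com,
2009-08-03T11:00:00.000Z,192.0.2.9,unknown,10.0.0.10,EXCH01,,Default EXCH01,SMTP,RECEIVE,104,,postmaster@example.com,,1024,1,,,(no subject),,,
2009-08-03T11:05:00.000Z,,,,EXCH01,,,AGENT,EXPAND,102,<abc-2@example.com>,all-sales@example.com,,5120,3,,,"Order confirmation, ref 8815",buyer@partner.example,buyer@partner.example,
"""

# Constructed sample of an archive-side export; the column names are an assumption.
ARCHIVE_LISTING = """message-id,archived-at
<abc-1@example.com>,2009-08-03T08:20:00Z
<abc-2@example.com>,2009-08-03T09:10:00Z
<abc-1@example.com>,2009-08-03T08:20:05Z
<xyz-9@example.org>,2009-08-03T12:00:00Z
"""


def normalize_message_id(raw: str) -> str:
    """Canonicalise a Message-ID: trim whitespace and the surrounding angle brackets."""
    mid = raw.strip()
    if mid.startswith("<") and mid.endswith(">"):
        mid = mid[1:-1].strip()
    return mid


def parse_tracking_log(text: str) -> tuple[set[str], int]:
    """Return (Message-IDs seen in RELEVANT_EVENTS, count of relevant rows without a Message-ID).

    Column positions are taken from the '#Fields:' header, not hard-coded.
    """
    fields: list[str] | None = None
    seen: set[str] = set()
    unidentifiable = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
            continue
        if fields is None:
            raise ValueError("data row encountered before the #Fields: header")
        row = dict(zip(fields, next(csv.reader([line]))))  # csv handles quoted subjects
        if row.get("event-id") not in RELEVANT_EVENTS:
            continue
        mid = normalize_message_id(row.get("message-id", ""))
        if mid:
            seen.add(mid)
        else:
            unidentifiable += 1  # cannot be matched against the archive at all
    return seen, unidentifiable


def parse_archive_listing(text: str) -> tuple[set[str], list[str]]:
    """Return (archived Message-IDs, Message-IDs stored more than once)."""
    counts: dict[str, int] = {}
    for row in csv.DictReader(io.StringIO(text)):
        mid = normalize_message_id(row["message-id"])
        if mid:
            counts[mid] = counts.get(mid, 0) + 1
    return set(counts), sorted(m for m, n in counts.items() if n > 1)


@dataclass
class Reconciliation:
    matched: int
    missing_from_archive: list[str]   # tracked by Exchange, absent from archive: completeness gap
    not_in_tracking_log: list[str]    # archived without tracking evidence: log gap or foreign import
    unidentifiable_log_rows: int      # relevant rows without Message-ID: unverifiable
    duplicate_archive_entries: list[str]

    def is_complete(self) -> bool:
        """Completeness in the GDPdU sense: every tracked message is archived and verifiable."""
        return not self.missing_from_archive and self.unidentifiable_log_rows == 0


def reconcile(tracking_log: str, archive_listing: str) -> Reconciliation:
    tracked, unidentifiable = parse_tracking_log(tracking_log)
    archived, duplicates = parse_archive_listing(archive_listing)
    return Reconciliation(
        matched=len(tracked & archived),
        missing_from_archive=sorted(tracked - archived),
        not_in_tracking_log=sorted(archived - tracked),
        unidentifiable_log_rows=unidentifiable,
        duplicate_archive_entries=duplicates,
    )


if __name__ == "__main__":
    result = reconcile(TRACKING_LOG, ARCHIVE_LISTING)
    print(result)
    print("complete" if result.is_complete() else "INCOMPLETE: investigate before the audit")
```

Running the script reports two matched messages, one message tracked by Exchange but missing from the archive (abc-3), one archived message with no tracking evidence (xyz-9), one tracking row that carries no Message-ID and therefore cannot be verified, and one duplicate archive entry. The set of events that counts as evidence has to be chosen for the actual topology: on a hub transport server a RECEIVE without a later DELIVER or SEND may be a rejected message rather than an archiving gap, and expansion or deferral events are deliberately ignored here. A message that is archived but absent from the tracking log points at a gap in the log itself (or a foreign import), which is why the white paper requires those logs to be kept append-only for as long as the archive.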
Are suitable procedures in place that ensure compliance with the requirements of GDPdU with regard to the archival storage of signed and encrypted e-mails?

Subsequent editing of archived e-mails and the combined capture of e-mails with additional data sets that are not directly obtained from MS Exchange Server are not supported by GFI MailArchiver. Therefore appropriate procedures should be installed (e. g. manual keyword indexing) to allow for an assignment of signed or encrypted e-mails to their corresponding verification records or decrypted e-mails and related decryption keys.

Indexing and keyword indexing

Are the procedures for the labelling of tax-relevant archived e-mails unambiguously specified?

There are two fundamentally different options provided by GFI MailArchiver 6 on how labels can be attached to e-mails:

- Automatically through policy-based labelling at the moment of archiving by means of definable categorisation policies
- Manually through subsequent labelling of archived e-mails that are accessible to the user

It is advisable to refrain from policy-based automated labelling – especially as a sole technique. An evaluation of tax relevance is usually too complex for predetermined policies to operate in a reliable manner. In any case, such policy-based automated procedures should be accompanied by a manual verification.

Has a procedure been defined that allows for an assignment to one or multiple business transactions by means of a suitable keyword indexing in GFI MailArchiver?

The option provided by GFI MailArchiver to individually apply labels visible to all users to e-mails that are accessible by the user allows, in addition to a labelling of tax relevance, for a direct assignment to a corresponding business transaction. This can be implemented by applying a label (e. g. keyword index) that contains identifying features allowing for a retrieval of corresponding content in other systems.

Has a procedure been defined that allows for a distinct assignment of the archived e-mails in a separate accounting system?

In this regard, the identifier ("Identification Code") that enables distinct identification of archived e-mails within GFI MailArchiver is important.

Taken over into an external system (e. g. ERP system), this identifier can serve as a so-called "foreign key" to establish a logical reference to
the related e-mails and, in this way, an assignment to the business transaction.

The "Identification Code" accessible at the application level provides valuable help in enabling technical usage of such a foreign key reference in a networked system environment.

Subject to appropriately set up access rights, the archived e-mails can be directly addressed from external systems via hyperlink. However, for this to function, it is necessary that the referencing system contain a method to generate the uniform resource locator (URL) autonomously.

The utilisation of GFI MailArchiver's "Identification Code" as a referencing link from an external software system is possible using the parameters "id" and "connectionId" contained therein.

Such a URL can be composed as follows:

Addressing the user interface of GFI MailArchiver to view the e-mail:

http://localhost/mailarchiver/mailview.aspx?

Addition of the "id" parameter representing the active archive store of GFI MailArchiver:

http://localhost/mailarchiver/mailview.aspx?id=-2147483647

Addition of the second parameter, the Connection-ID ("connectionId"):

http://localhost/mailarchiver/mailview.aspx?id=-2147483647&connectionId=b44d3270-8bdb-43d2-8fa2-67eb6ead54a9

Entering this URL results in a view of the specific e-mail in the archive.

Storage and administration

Is it ensured that the selected archive storage provides the foreseeably required storage capacity and that this is monitored regularly?

Is it ensured that subsequent verifiability of complete archiving based on a comparison of e-mails transferred by MS Exchange and e-mails archived by GFI MailArchiver (preferably by means of their Message-ID) is possible?

Accordingly, it is necessary to assure that the MS Exchange Server logs which enable the comparison on the source side are stored loss-free (e. g. no overwriting, only append mode) for as long as the archived data itself.

Readability and retrieval

Is a tax auditor user account set up that enables access to all tax-relevant e-mails?
As GFI MailArchiver does not support or allow for restricted access based on labels, it is advisable to install an organisational procedure for labelling tax relevance to ensure separation of data within the archive prior to a tax audit (e. g. systematic designation of tax relevance using the manual method for individual labelling).

In a further step, an export based on such labels followed by a subsequent reimport into a dedicated archive store can be conducted in preparation of a tax audit. In this way a tax auditor is granted comprehensive access to exclusively tax-relevant e-mails based on labels.

Retention and deletion

Is it ensured that no retention policies are defined that cause a deletion of archived e-mails prior to expiration of the statutory retention period?

Some tax-relevant e-mails – in certain cases – may contain information that requires a retention period of ten years. Therefore it is advisable to refrain from a policy-based determination of the retention period by means of the retention policies of GFI MailArchiver to the extent that they do not correspond with the longest statutory minimum period for retention.

Software security

Is there an authorisation concept that allows for a determination of the required separation of functions and the assignment of access rights?

Are adequate access controls available at the following access levels:

- operating system: MS Windows including Active Directory, web server and MS Exchange Server
- database system: MS SQL Server
- archiving software: GFI MailArchiver 6

Process documentation

Are all settings regarding the parameterisation of software and interfaces properly documented?

Are all interfaces between the particular components of the archiving solution (e. g. designation, source/destination system, interface content/type, matching) documented in a comprehensible manner?

Are the interfaces between the archiving solution and other software systems of the company (e. g. ERP system or financial accounting system) with regard to referencing business transactions documented in a comprehensible manner?

Are operating instructions for users available that allow for proper performance of their
activities including the manual controls and matching (operational documentation) provided by the procedure?

Is a description of the applied components available that illustrates the technical architecture of the archiving solution and how the operational requirements are realised (technical system documentation)?

Are operating instructions for IT personnel available that allow for proper performance of controlled operation (e. g. backup and restoration manual)?

Is it ensured that the documentation of all effective procedures is archived as a document subject to retention?

Implementation and change

Is it ensured that the compliance and security of the applied systems and software are subject to functional and technical test procedures prior to the initial operation of the archiving solution?

Is a test procedure defined and documented and do the test cases allow for a verification of the requirements regarding compliance and security?

Is a release procedure defined and documented that contains rules on release competencies and are release approvals for all components of the archiving solution available?

Is it ensured that changes to the e-mail archiving solution are only applied subject to an orderly procedure (change management)?

IT operations

Are the IT operations (controlled and emergency operations) properly defined in organisational instructions (e. g. tasks and authority of administrators, rules for change management and the administration of storage media)?

Has an emergency concept been prepared for a possible failure of the archiving solution (e. g. disaster recovery and contingency plan)?

Are suitable data backup and backup safekeeping procedures defined and are regular verification tests scheduled concerning effective data recovery?

Outsourcing

When engaging an external service provider to operate the archiving solution (outsourcing), is it ensured that the requirements regarding compliance and security are guaranteed by the service provider? Appropriate contractual provisions and service level agreements are required.