S 2.245 Determination of the legal influencing factors for electronic archiving
Initiation responsibility: IT Security Officer
Implementation responsibility: Archive Administrator, IT Security Officer
There are different legal requirements for the retention of certain information, and non-compliance with them may have consequences under civil or criminal law. Therefore, the persons in charge should obtain information on the legal requirements applicable in their case. This identifies the requirements for the design of the archiving concept that must be taken into consideration when planning electronic archiving. Amongst other things, these refer to:
- the minimum retention periods resulting for tax, budgetary, or other reasons,
- the maximum retention periods for data protection reasons,
- access rights for outsiders, for example tax authorities, as well as
- the quality of digital signatures.
The applicable basic legal principles must be clarified on a case-by-case basis.
Some sources typically to be taken into consideration in Germany are mentioned below:
- German Civil Code (Bürgerliches Gesetzbuch - BGB)
This particularly contains requirements regarding the authenticity of documents in civil law. The BGB also defines the statutory periods of limitation, e.g. those applicable to tort claims.
- Code of Civil Procedure (Zivilprozessordnung - ZPO)
In analogy to the BGB, the ZPO defines which documents must be acknowledged as a certificate, for example due to a genuine signature or a qualified digital signature.
- German Commercial Code (Handelsgesetzbuch - HGB)
The HGB contains requirements regarding the correctness and auditing capacity of the business operations. This also includes certain retention periods for business documents.
- Generally Accepted Information Processing Principles (Grundsätze ordnungsmäßiger Datenverarbeitung - GoDV)
The GoDV are not a statutory provision, but are derived from the Generally Accepted Accounting Principles defined in the HGB. They must be regarded as de facto standards for information processing auditing in companies.
- Principles of Data Access and Auditability of Digital Documents (Grundsätze zum Datenzugriff und zur Prüfbarkeit digitaler Unterlagen - GDPdU)
The Federal Ministry of Finance defined the auditing requirements specified in the GoDV more precisely within the framework of the GDPdU. This mainly refers to all fiscally relevant digital documents.
One of the requirements is that all information required for interpreting the data, e.g. file structure, data fields, internal and external links, must be available in a computer-processable form.
- Laws and regulations regarding the protection of personal data
If personal data is archived, the applicable laws and regulations must be followed. These include, above all, the German Federal Data Protection Act (BDSG) and the corresponding state laws.
Furthermore, there are laws and regulations to be observed specifically in government agencies and in the administration, for example:
- Federal Archive Act (Bundesarchivgesetz) and the corresponding state archive acts,
- Registration Guidelines for Processing and Managing Written Material in Federal Ministries (Registraturrichtlinie für das Bearbeiten und Verwalten von Schriftgut in Bundesministerien - RegR),
- recommendations of the Federal Archive regarding the disposal of electronic files in the concept for disposing of electronic files of the coordination and counselling office of the Federal Government for information in Federal Administration (series of the KBSt, edition 40).
Moreover, numerous further legal and organisation-internal regulations apply specifically to each organisation (e.g. regulations for social insurance carriers, hospitals, the pharmaceutical industry, the military, or banking) and must be determined on a case-by-case basis. Normally, the retention period and the confidentiality and integrity requirements constitute the essential regulation criteria, with the latter covering both the intensity of the protection requirement and the period for which it applies.
Furthermore, the public administration is subject to the statutory obligation of also offering digital documents to the competent archives (duty to offer).
Review questions:
- Have the legal specifications been determined and taken into consideration when planning electronic archiving?
- Have the minimum retention period, the maximum retention period, and the access rights to documents to be archived been determined?
- Public administration: Are digital documents offered to the competent archives (duty to offer)?