Germany: Are the GoBD Legislation?
Germany’s GoBD (“Principles for the proper management and storage of books, records and documents in electronic form, as well as data access”) set out requirements governing the accounting and storage of fiscally significant electronic data and paper documents with reference to the country’s generally accepted accounting principles (GoB). But what are the GoBD exactly? The layperson often accords them legal status, which is not strictly accurate. Although they do tend to read like legalese, the clue is in the name – the “G” stands for “Grundsätze” (“principles”), not for “Gesetz” (“law”).
The GoBD apply to all tax-relevant data. These include, among others,
- books and records, inventories, financial statements, management reports, the opening balance sheet, plus work instructions and other organizational documentation necessary to understand them,
- commercial or business letters received,
- copies of commercial or business letters dispatched,
- accounting records and
- other fiscally significant documentation.
To this can be added all correspondence relating to the preparation, execution, completion or reversal of a transaction, such as invoices, orders, letters of complaint, payment receipts and contracts. All this data must be archived in a legally compliant fashion, even if sent in the form of an email. Email attachments must also be archived if the email in question would be unintelligible or incomplete without them.
How did the GoBD come about?
The GoBD were introduced by Germany’s Ministry of Finance in a letter dated November 14, 2014. The letter summarizes the requirements of the fiscal authorities in respect of IT-supported accounting systems. The principles entered into force on January 1, 2015, replacing the GDPdU (“Principles of data access and auditability of digital documents”) and GoBS (“Generally accepted principles of computer-aided accounting systems”). They have been updated recently becoming effective on January 01, 2020.
So what are the GoBD?
As stated at the outset of this article, the GoBD are frequently accorded legal status. A typical feature of legislation, however, is its generalized nature: its abstract wording is intended to cover an indeterminate number of cases and individuals.
A distinction is made between
- legislation in the formal sense, understood to be any decision implemented by parliament in the form of a law as part of the legislative procedure
- legislation in the material sense, comprising any legal norm governing legal relations between citizens, between public authorities and citizens, or between public authorities (legal relations between a state and its citizens).
Besides legislation, there are also decisions taken on a case-by-case basis, notably administrative provisions. Under Art. 108(7) of the Basic Law (the constitution of the Federal Republic of Germany), these may be enacted by the Federal Government with the consent of the Federal Council, provided that they are administered by the revenue authorities of the Länder or by local government. Although general administrative provisions aim to ensure consistent application of the law by the authorities, they are directed only at the competent authorities rather than at citizens.
The GoBD constitute one such administrative provision. The administrative communication from the German Ministry of Finance of November 14, 2014 spells out the norms from Germany’s Tax Code (AO) and VAT Law (UStG) and explains how digital documents are to be stored so that they can be accessed readily, should the tax office conduct an audit.
In simple terms, therefore, the GoBD can be regarded as operating procedures for the tax authorities. For a company, this means that the likelihood of a tax office failing to accept its books and records is low provided that it complies with GoBD regulations. If it fails to comply with the GoBD, it hasn’t broken any laws – but it may soon have a tax inspector knocking at the door.
What does this mean in terms of audit compliance?
The term audit compliance often crops up in discussions involving GoBD and (digital) archiving solutions, such as MailStore Server. In simple terms, a technical solution (the software product) must be designed to comply with the requirements of a tax audit. In cases like these, specific characteristics of the solution suddenly become extremely relevant, for example:
- the immutability and completeness of the documents in question
- protection against tampering
- transparent storage guidelines
- logging capability
- export options to standard formats
- access options for external auditors
Even to a layperson, it soon becomes obvious that a backup is simply NOT enough.
Whether “legally compliant” has the same meaning is open to debate. And although the two terms are often used interchangeably, the focus could and should be broadened slightly, especially when “legal compliance” is being referred to. Correct handling of personal data has been an essential requirement of this type of system ever since the GDPR entered into force, if not before (to be honest, things were not much different under the German Federal Data Protection Act (BDSG) either). Data protection is essentially a process issue, but nevertheless entails a number of functional IT system requirements.