
This Week in Privacy: What You Need to Know About the GoBD

"This Week in Privacy" is a new column for in-house counsel who need advice in the privacy and cybersecurity sectors. K Royal is a director at TrustArc. To have your legal privacy questions answered, email with "This Week in Privacy" in the subject line.

Q: With all the data protection reform going on in Europe, I heard about something called the GoBD, which pertains to tax papers. What is that?

A: Unlike the General Data Protection Regulation (GDPR), the GoBD is not a well-known or oft-discussed topic. The German GoBD, or the "basic principles on the proper keeping and storage of financial books, recordings, and documents in electronic form as well as data access" (Grundsätze zur ordnungsmäßigen Führung und Aufbewahrung von Büchern, Aufzeichnungen und Unterlagen in elektronischer Form sowie zum Datenzugriff), became effective a little over two years ago and is specifically related to tax documentation. It replaced two prior requirements: one from 1995, the GoBS (principles of proper DV-based accounting systems), and one from 2001, the GDPdU (principles of data access and verifiability of digital documents).

The GoBD greatly increases the reach of the German Ministry of Finance, not only because many types of documents, records, and data can be linked to tax purposes, but also because the Ministry requires a year's worth of continuous documentation. The documentation is especially critical in cash-based businesses, like hair salons and restaurants, because cash transactions are highly subject to manipulation and inaccurate reporting.

In this digital age, many documents and records are created or retained electronically. Some records are still required to be kept in original paper, such as donation receipts and capital gains certificates. Otherwise, companies often desire to reduce the paper burden and retain digitized copies.

The GoBD facilitates that desire, but requires that the auditability and traceability of the original transactions remain. For example, a PDF/A-3 comprises both an image and an XML file linked to the information contained in the image. The tax authorities would need to be able to audit that electronic file. If it is transformed into a JPG, TNG, or PNG, then the XML information would be lost.

The GoBD also contains timeframe restrictions — cash transactions must be captured daily and non-cash transactions must be captured every 10 days. Certain transactions are permitted to be captured on a monthly basis, but there are limitations and requirements around regular scheduling of these digitization actions. The two specific provisions in the GoBD around electronic record-keeping are data immutability and security.

For more guidance on the GoBD, please visit one of the following links: VGD, SMACC, or Bundesministerium der Finanzen.

To contact global consulting firms, visit TrustArc, Deloitte & Touche, and PwC.

About the Author

K Royal is the technology columnist for, and director at TrustArc. @heartofprivacy
