BACKSTAGE

Support for e-mails & servers

Retention Obligation for E-Mails According to GoBD – What is it about?

Summary

Business emails are subject to legal retention requirements (GoBD, HGB). In many cases, invoices, offers, and other business-related messages must be retained for several years – regardless of the mailbox or device.

In the following, we propose solutions.

In Germany, there is a Legal Retention Obligation

More and more invoices are sent and received via email. Legal retention requirements apply to such emails – as well as to so-called commercial letters, i.e., emails concerning specific business processes (§ 257 para. 2 HGB).

Emails without business relevance (for example, pure advertising or private emails) do not have to be retained. Internal email traffic is only relevant if it has a tax connection, for example, in the case of transactions between two companies.

The retention obligations apply not only to companies that are required to keep accounts, but also to self-employed persons, freelancers and small businesses that keep an income surplus statement (EÜR) (source).

More detailed information can be found, for example, here or here (or simply via a current online search).

What Does that Mean in Practice?

In practice, with many daily emails, it is often difficult to assess which ones are actually subject to retention. Many companies therefore archive all emails as a precaution. However, this approach can conflict with the General Data Protection Regulation (GDPR) (Source), as personal data may not be stored indefinitely or “audit-proof” for years – for example, job applications after a rejection.

Ideally, such emails are specifically excluded from archiving – either rule-based (e.g., based on specific sender addresses) or manually. Private emails from employees may only be archived with explicit consent. Many companies therefore generally exclude private use of company email accounts to avoid conflicts with data protection.

Use Cloud Services or your Own Software?

It is generally recommended to use specialized software or cloud services for legally compliant archiving. Such solutions provide technical features to comply with retention periods while simultaneously excluding privacy-relevant content. We recommend using external, GDPR-compliant cloud services.

1. Cloud offers (German providers according to GDPR)

These providers generally offer largely legally compliant email archiving with functions for excluding sensitive data and with corresponding proof of data protection and GoBD compliance.

2. Example for Apple / macOS

3. Example for Windows / PC

  • MailStore – widely used solution for private and business use.

Manually Back up Email as Well?

Instead of automatic archiving, or even in addition to it, manual archiving in a local mailbox on a client computer selected for this purpose is recommended, for example, the PC or Mac that is primarily used. This also helps keep the used storage space on the server under control:

Legal Disclaimer

The information provided here is for general guidance and does not constitute legal advice. For questions regarding retention obligations or GDPR compliance, please contact your tax advisor or data protection officer.

We have no agreements with any of the software providers mentioned, and we have not tested all products ourselves. The information is based on the published information of the respective providers.

Carl D. Erling, Berlin, CTO