Skip to content
Close
en
de
Book a demo
en
de
Book a demo
About us
Certifications
Career
Newsroom
Events
Whitepaper
Technician configuring server in data center
Korbinian HermannMar 16, 2026 2:37:51 PM15 min read

Backup vs. Archiving: The Difference That Matters During Audits

The question rarely comes out loud. It usually creeps in - between a tax audit, a supplier dispute or a GDPR request. Then the auditor asks: "Can you provide complete and unalterable proof of the original data from 2019?" And the IT team looks at itself: "We have a backup."

What follows is not a technical problem. It's a legal problem. A backup is not an archive. This confusion is one of the most common - and most expensive - compliance errors in German companies.

This article explains what backup and archiving mean in technical and legal terms, why they are fundamentally different, and the specific consequences of the error in GoBD audits, GDPR audits and civil law proceedings.

THE MOST IMPORTANT FACTS IN BRIEF

  • A backup is used to restore data after loss. An archive is used for the permanent, unalterable and legally compliant storage of data - these are two fundamentally different purposes with completely different technical and legal requirements.
  • Backups are not audit-proof: they can be overwritten, changed or deleted - without a log. This means they do not structurally meet the requirements of GoBD, HGB §257, AO §147 and GDPR Art. 5.
  • In the event of an audit (tax office, tax audit, GDPR audit, court), only the archive counts. If you can only provide a backup, you risk assessment notices, fines and a reversal of the burden of proof.
  • Legally compliant archiving means: unchangeable, audit-proof, long-term readability, with retention period management - and manufacturer-independent, so that data remains accessible even after system termination.
  • CHRONOS from CSP offers audit-proof archiving and application retirement in one - compatible with Oracle, SAP, MS SQL, cloud and on-premise.

BRIEFLY SUMMARIZED

Definition: What is a backup - and what is it not?

A backup is a copy of data at a specific point in time - created with the aim of being able to restore this data in the event of loss. That is the complete definition. No more, no less.

Backups answer the question: "What happens if our data is lost?" They are emergency tools - for hardware failures, ransomware attacks, accidental deletion or system crashes. The technical logic behind this is: make regular copies so you can roll back.

WHAT A BACKUP TECHNICALLY DOES - AND DOESN'T DO

✓ Restore data after loss (full backup, incremental, differential)

✓ Restore a defined system state at a point in time

✓ Protection against accidental data loss due to hardware errors or human error

✗ No protection against manipulation: backup data can be changed

✗ No revision security: Who changed what and when? - Backups do not log this

✗ No retention period logic: backups are overwritten, older versions are lost

✗ No vendor independence: backups in proprietary format cannot be read without backup software

✗ No application retirement: to access backup data, the source system must often still be running

 

Definition: What is audit-proof archiving?

Audit-proof archiving is the permanent, unalterable, complete and machine-readable storage of data - with the aim of being suitable as evidence in the event of an audit or dispute. This is a legal, not a technical definition. The technical requirements follow from the legal purpose.

The term 'audit-proof' is made up of two requirements: 'revision' in the sense of audit (tax audit, audit, GDPR audit, court) - and 'secure' in the sense of unchangeable and verifiable. Audit-proof means that every change to archived data is logged - or is technically impossible.

THE 5 CORE FEATURES OF LEGALLY COMPLIANT ARCHIVING (GOBD)

  1. Completeness: All relevant data and metadata must be preserved - no selective archiving.
  2. Accuracy: The archived data must correspond to the original - no conversion that changes the content.
  3. Timeliness: Data must be archived promptly after its creation - retrospective archiving is tricky.
  4. Immutability: Once archived, it must not be possible to change or delete data - without an audit-proof log.
  5. Machine readability: The auditor must be able to read and analyze the data without special software or IT support.

 

The 8 key differences in direct comparison

The following comparison shows the technical and legal differences between backup and audit-proof archiving - structured according to the criteria that count in the event of an audit.

 

Classic backup

Audit-proof archiving

PRIMARY PURPOSE

Recovery after data loss - recovery tool for emergencies

Legally compliant long-term storage as evidence - Compliance tool for audits

IMMUTABILITY

Not given. Backup data can be overwritten, modified and deleted - without any protocol.

Technically ensured. Once archived, data cannot be changed. Every permitted correction is logged.

REVISION SECURITY

Not available. There is no change history, no proof of originality and no integrity check.

Core feature. Complete change history, cryptographic integrity check, complete audit trail.

GOBD CONFORMITY

Not compliant. The BMF letter (GoBD 2019) explicitly does not recognize backups as sufficient.

Compliant - if implemented correctly in accordance with GoBD requirements (completeness, accuracy, immutability, machine analyzability).

LONG-TERM READABILITY

Dependent on backup software, proprietary format and the source system. Often no longer readable after 10 years.

Manufacturer-independent, open format. Data can still be read in 20 years without special software - regardless of system changes.

RETENTION PERIODS

No logic. Backups are overwritten after defined cycles - older data is lost.

Automatic deadline management: tax law (10 years), commercial law (6 years), GDPR (proof of deletion) - controlled by data category.

DEPARTMENT ACCESS

Requires IT ticket: localize, export, convert, prepare backup - typically 1-3 days IT effort.

Self-service. Departments can retrieve archived data directly and independently - without IT involvement, without a ticket.

APPLICATION RETIREMENT

Not possible. In many cases, the source system must still be active or reactivatable in order to access backup data.

Enables complete shutdown of legacy systems. Data is permanently accessible regardless of the source system.

7

GoBD core criteria

BMF letter 2019

10 J.

Tax retention obligation

AO §147

0 from 5

Backup systems GoBD-compliant

Practical experience CSP

>300%

ROI CHRONOS

CSP customer data

 

Backup vs. archiving in the audit: 5 concrete scenarios

Abstract differences are rarely convincing. That is why this section shows five concrete audit and liability scenarios - with the typical reaction of a backup-only organization in direct comparison to an organization with legally compliant archiving.

 

AUDIT SCENARIO 1: Audit: GoBD conformity of accounting data

AUDITOR ASKS:

"Please provide us with all accounting data for the period 2017-2020 in machine-readable form. Proof of immutability required."

❌ With backup

IT exports data from the backup - proprietary format, not directly analyzable by machine. No proof of immutability possible. Auditor doubts GoBD conformity.

✓ With CHRONOS archive

Data is exported directly from the CHRONOS archive: complete, machine analyzable, with cryptographic proof of integrity. Auditor accepts the proof.

Result: Backup: Assessment decision at risk. Archive: Audit completed

 

AUDIT SCENARIO 2: GDPR audit: Proof of deletion of personal data

AUDITOR QUESTIONS:

"Please provide evidence that the personal data of the customer Müller, which was requested for deletion in 2019, has been completely and permanently deleted."

❌ With backup

Backup may still contain the data - there is no deletion logic in the backup system. Proof of deletion not possible. Data protection breach documented.

✓ With CHRONOS archive

CHRONOS Archive keeps a complete deletion log. The data record was deleted in accordance with GDPR requirements and this was logged in an audit-proof manner. Proof immediately retrievable.

Result: Backup: risk of fines. Archive: Compliance confirmed

 

AUDIT SCENARIO 3: Audit: Completeness of the annual financial statement documents

AUDITOR QUESTIONS:

"We require all accounting-related documents for financial year 2018. Please ensure that the documents are complete and in their original form."

❌ With backup

Backup from 2018 exists - but is opened on new system. Format conversion has partially changed metadata. Auditor cannot confirm originality.

✓ With CHRONOS archive

CHRONOS archives receipts with original metadata and hash value. Auditor can check integrity himself. Completeness verified by archiving log.

Result: Backup: Confirmation reservation in the audit report. Archive: Unqualified audit opinion.

 

AUDIT-SCENARIO 4: Product liability claim: Batch proof from old system

AUDITOR QUESTIONS:

"Please provide evidence that the production batch CH-2019-4471 complied with the specified process parameters. The production system was shut down in 2021."

❌ With backup

The production system has been shut down. The backup still exists - but without the original software, the format is no longer readable. The data is effectively lost.

✓ With CHRONOS archive

CHRONOS extracted the data from the old system during system retirement and archived it in an audit-proof open format. Immediate, complete, manufacturer-independent retrieval.

Result: Backup: Loss of evidence, liability risk. Archive: Complete proof of discharge

 

AUDIT-SCENARIO 5: Insolvency proceedings: Data access for insolvency administrators

AUDITOR ASKS:

"As insolvency administrators, we need access to all transaction data from the last 10 years. Former IT employees are no longer available."

❌ With backup

Backup exists - but the backup software is no longer licensed. The know-how for the restore lies with a former employee. Access takes weeks or fails.

✓ With CHRONOS Archive

CHRONOS Archive is completely self-explanatory and accessible without specialist knowledge. Insolvency administrator receives immediate self-service access via structured interface.

Result: Backup: Delay in proceedings, personal management liability at risk. Archive: Smooth processing
 

Why backups fail structurally with GoBD, HGB and GDPR

This is not a criticism of backup solutions. Backups are excellent tools - for the purpose for which they were developed: Recovery. The problem arises when they are used for another purpose for which they are structurally unsuitable: as legal proof.

The three central legal bases that ensure archiving obligations in German companies formulate requirements that backups cannot fulfill by definition.

 

GoBD: The principles of proper bookkeeping

The BMF letter on the GoBD (as of 2019) explicitly states: Tax-relevant data must be stored completely, correctly, in a timely manner and in an unalterable form - machine-readable and readable without the taxpayer's special software. A backup that cannot be read without the backup software or the source system does not structurally fulfill this requirement. A backup that can be overwritten is not unalterable. Point.

 

HGB §257 and AO §147: Commercial and tax law retention obligations

HGB §257 and AO §147 stipulate retention periods of 6 and 10 years respectively for various document categories. The decisive requirement is not just the duration - but the quality: documents must be available at all times, immediately readable and fully reproducible. Backup systems that were migrated to a format that no longer reads old backups after 5 years fail here.

 

GDPR Art. 5: Accountability and record keeping

The GDPR not only requires that personal data is handled correctly - it also requires proof of this. This is called the accountability principle (Art. 5 para. 2 GDPR). Proof must be actively provided. A backup that does not log proof of erasure or does not store proof of processing in an unalterable form cannot fulfill this obligation to provide proof.

Legal basis

What it requires

Why backups fail

What archiving solves

GoBD (BMF 2019)

Immutability, machine readability, readability without special software

Backup is not immutable; proprietary. Format; dependent on source system

Open format, unchangeable, directly analyzable

AO §147

10-year retention, available at any time and immediately readable

Backups are overwritten; format compatibility over 10 yrs. not certain

Automatic deadline management, long-term readability guaranteed

HGB §257

6-year storage of commercial letters, 10 yrs. Accounting

Backup cycles delete old data; no deadline logic

Retention periods stored and enforced for each data category

DSGVO Art. 5/17

Accountability, proof of deletion, verifiable handling of data

No deletion logs; no proof of processing; no accountability trail

Complete log of all archiving and deletion processes

§Section 147a AO (obligation to keep records)

Taxpayers with high income: special record-keeping obligations

Backup does not cover recording obligation

Audit-proof recording of all taxable transactions

 

Backups secure data for recovery - CHRONOS archives them in a legally compliant, tamper-proof and audit-proof manner, including deletion and retention periods.

-Korbinian Hermann Managing Director, CSP Intelligence GmbH

 

When does a company need both - and when is what enough?

The answer is almost always: both. Backup and archiving are not alternatives, but complementary systems with different tasks. If you only have a backup, you are equipped for an emergency - but not for an audit. If you only have an archive, you cannot restore quickly after a system failure.

 

The rule of thumb: What happens if ...

... the hard disk crashes? → Backup necessary. Archive optional.

... the tax office checks? → Archive necessary. Backup irrelevant.

... a legacy system is to be shut down? → Archive necessary. Backup not sufficient.

... a supplier complains and demands receipts? → Archive necessary. Backup not suitable as evidence.

... an employee accidentally deletes data? → Backup necessary. Archive as additional evidence.

RECOMMENDATION FOR IT MANAGERS: THE TWO-SYSTEM LOGIC

  • Backup system: For operational data security. Short retention cycles, fast recovery, technically optimized for RTO/RPO.

  • Archiving system (CHRONOS): For legal compliance. Long retention periods, audit-proof, manufacturer-independent, self-service for specialist departments.

  • The most common mistake: companies have a backup system and treat it as if it were both. This costs money during the first audit.

  • The good news is that both can be operated in parallel. CHRONOS complements existing backup infrastructure without replacing it.

 

CHRONOS: Audit-proof archiving in practice

CHRONOS is the archiving platform from CSP Intelligence GmbH - specializing in data archiving and IT compliance since 1991. The platform addresses exactly the difference described in this article: It is not a backup system. It is a legal security system.

 

For whom CHRONOS is particularly relevant

CHRONOS is most frequently used in three situations. Firstly, companies that have experienced an audit and have realized that their backup system is inadequate. Secondly, IT managers who want to shut down legacy systems but cannot lose the historical data they contain. Thirdly, compliance officers who need GDPR audit security and require complete proof of deletion and processing.

In all three situations, the result is the same: CHRONOS replaces 'We have a backup' with 'We can prove it.


Frequently asked questions about backup and archiving

 

Is a backup legally equivalent to archiving?

No. Backups and archiving serve different purposes and are subject to different legal requirements. Backups are optimized for operational recovery following data loss—not for audit-proof record-keeping. The BMF’s GoBD, HGB §257, and AO §147 require immutability, completeness, and machine-readability—properties that backup systems are structurally unable to provide.
What exactly does “audit-proof” mean?

Audit-proof means that archived data cannot be altered, deleted, or overwritten after the fact—and that every authorized correction is fully logged. This includes technical tamper-proofing (e.g., WORM storage, cryptographic hash values) and organizational process security (access rights, logging). In the event of an audit, the company must be able to demonstrate audit compliance.
What data needs to be archived?

Under German law, the following must be archived: all tax-related accounting records (10 years, AO §147), commercial letters and business correspondence (6 years, HGB §257), annual financial statements and inventories (10 years, HGB §257), payroll records for social security (in some cases 30 years), as well as all data for which proof of deletion is required under the GDPR. In regulated industries (medical, pharmaceutical, food), additional industry-specific retention requirements apply.
Can I retroactively convert an existing backup into an archive?

In many cases, yes—but with limitations. Retrospectively “converting” backups into audit-proof archives is technically possible if the original data is still available and complete. However, audit compliance for the period prior to archiving can only be demonstrated to a limited extent—since backups do not guarantee complete immutability. The sooner a legally compliant archiving system is implemented, the more robust the proof of compliance will be.
How long do emails need to be archived?

Business emails are considered commercial correspondence (Sections 238 and 257 of the German Commercial Code (HGB)) and must be retained for 6 years. Emails containing tax-related information are subject to a 10-year retention requirement under Section 147 of the German Fiscal Code (AO). The content is decisive, not the medium. Emails must be archived in an audit-proof manner—backing them up in the email system does not meet the requirements.
What happens if the backup system is discontinued and I still have archiving obligations?

This is one of the most common legacy scenarios in practice: A backup system is being phased out or the manufacturer changes its licensing terms, but the retention periods for older data are still in effect. This creates two problems: The data is still technically available, but the format is no longer readable without the backup software. CHRONOS solves this problem with vendor-neutral, open formats—data remains permanently accessible even after the system is discontinued.
Is cloud storage (e.g., AWS S3, Azure Blob) sufficient for audit-compliant archiving?

Not automatically. Cloud storage can be configured to be audit-compliant (e.g., Object Lock, WORM modes)—but simply storing data in the cloud does not meet GoBD requirements. Additional requirements include: integrity checks, proof of completeness, machine-readability, retention period management, and deletion logs. CHRONOS is cloud-compatible and adds the necessary compliance layer to cloud storage.
How does CHRONOS differ from a traditional DMS?

A document management system (DMS) is primarily a storage and workflow tool—it manages active documents. CHRONOS is an archiving system for inactive, historical data subject to compliance requirements. The key difference: CHRONOS can extract data from any database system (Oracle, SAP, SQL) and archive it in an audit-proof manner—regardless of whether a DMS is in place. And CHRONOS enables application retirement: the complete decommissioning of legacy systems.

 

The next audit is just around the corner.

Now you understand why your backup won’t protect you then—and what sets CHRONOS apart.

Request a free consultation
Download the free white paper on audit-proof archiving
avatar
Korbinian Hermann
CEO, CSP Intelligence GmbH
Korbinian Hermann founded CSP with the aim of providing manufacturing companies with the database they need in an emergency. He has 20 years of experience in industrial quality data infrastructure—from data collection to audit-proof long-term archiving.
COMMENTS

RELATED ARTICLES