An auditor from the tax office asks for receipts from 2018. A supplier files a complaint and requests invoice history as proof. An insolvency administrator needs transaction data from a legacy system that has been switched off for three years. A data protection authority asks for proof of deletion of personal data from the last decade.
In each of these cases, there is exactly one question that decides the outcome: Can you provide the proof?
Many companies answer this question with 'yes, we have a backup'. This is the wrong answer - legally, technically and financially. Backups are not archives. They can be manipulated, are not audit-proof, cannot be read in the long term and do not fulfill the legal obligation to provide evidence in any of the scenarios mentioned.
This article shows the concrete costs of missing or inadequate archiving in the event of liability - in fines, reversal of the burden of proof, additional tax payments, IT costs and lost legal disputes. And how you can permanently avoid these costs with legally compliant archiving.
What archiving obligations mean in legal terms - and which standards apply
The archiving obligation is not an optional quality feature. It is a legal obligation that applies to almost every company in Germany - regardless of size, industry or degree of digitization. Violations are actively punished, not just at the next audit, but retroactively for up to ten years.
The most common misconception in practice: IT managers confuse data backup with archiving. These are two fundamentally different concepts - with completely different legal consequences in the event of non-compliance.
The most important legal bases at a glance
| Legal basis | Data category | Time limit | Format requirement | Sanction for violation |
|---|---|---|---|---|
| HGB §257 | Trading books, inventories, annual financial statements, invoices | 6 / 10 years | Unalterable, legible, complete | Tax back payment, estimate |
| AO §147 | Tax-relevant accounting documents, business letters | 10 years | Audit-proof, machine analyzable | Assessment notice, additional payment + interest |
| GoBD (BMF 2019) | All tax-relevant data including metadata | 10 years | Unchangeable, complete, timely | Rejection of accounting, risk of tax audit |
| DSGVO Art. 5/17 | Personal data | As long as necessary + proof of deletion | Verifiable proof of deletion | Up to 4% annual turnover or € 20 million |
| GoBS (IDW RS FAIT 1) | Data from IT-supported accounting | Minimum auditability period | Audit-proof, unalterable | Refusal to audit, liability |
| Professional law (e.g. ÄrzteO) | Patient data, treatment records | At least 10, in some cases 30 years | Legible, complete | Professional liability, damages |
| InsO / HGB Insolvency law | All accounting-relevant documents | At least 10 years after liquidation | Complete, reconstructible | Personal liability of managing director |
THE DECISIVE CRITERION: AUDIT-PROOF
Audit-proof means: data cannot be subsequently changed, deleted or overwritten - and every change (if permitted) is logged. A backup does not structurally fulfill this criterion: backup data can be overwritten, deleted or changed - without a log, without a trace. The tax office and the courts know this. Anyone who can only present a backup in the event of an audit proves that the requirements of the GoBD have not been met.
Backup vs. archive: The decisive difference in the event of liability
The confusion between backup and archive is the most expensive mistake in data storage. It arises because both concepts appear to pursue similar goals at first glance: Preserving data. The difference lies in why and how - and it is precisely this difference that is decisive in the event of liability.
| Criterion | Classic backup | Legally compliant archiving |
|---|---|---|
| Primary purpose | Recovery after data loss | Legally compliant long-term storage |
| Immutability | Not guaranteed - backup can be overwritten | Technically ensured - no manipulation possible |
| Revision security | Not given | Core feature: complete change history |
| Long-term readability | Dependent on backup software and format | Format-independent, open format readable for decades |
| Retention period management | Manual, error-prone | Automatically controlled according to legal basis |
| Database dependency | High - backup is DB format-dependent | Vendor-independent - data detached from source system |
| GoBD conformity | Not compliant | Compliant (with correct implementation) |
| Access by specialist department | Requires IT support for export/conversion | Self-service access without IT ticket |
| Application Retirement | Not possible - system must be running for backup access | Allows complete system shutdown |
| Audit suitability | Verifiably not sufficient | Fully auditable and verifiable |
The 6 concrete cost blocks of missing archiving
A lack of archiving is not an abstract compliance gap. It manifests itself in concrete, measurable costs - immediate, medium-term and long-term. The following overview shows the six cost blocks that IT managers and compliance officers need to be aware of.
SCENARIO 1: Tax risk
Tax audit without complete documentation
Typical amount of damage: unlimited (estimate) (AO §162, GoBD)
If the tax office does not consider the accounting to be GoBD-compliant, it may estimate the tax base - always to the detriment of the company. If tax-relevant documents are missing for several years, back tax payments plus interest (1.8% p.a. according to §238 AO) can quickly run into six figures.
SCENARIO 2: Data protection
GDPR fine: lack of proof of deletion or unauthorized storage
Typical amount of damage: up to €20 million or 4% annual turnover (GDPR Art. 83 para. 5)
If personal data is stored for longer than permitted (no erasure management) or if no proof of proper processing can be provided in the event of liability, fines may be imposed in accordance with GDPR Art. 83. The reverse is also costly: If data was deleted too early and is needed as proof of exoneration in the event of a dispute.
SCENARIO 3: Loss of rights
Loss of litigation due to reversal of the burden of proof in civil law
Typical amount of loss: amount in dispute + legal costs (ZPO §286, BGB §280)
Anyone who is unable to provide evidence in a civil law dispute generally loses - regardless of whether they are factually in the right. Missing invoice history, unverifiable fulfillment of contract, missing proof of communication: Any gap in documentation can lead to a complete reversal of the burden of proof. Dispute values in the B2B sector are typically between 50,000 and several million euros.
SCENARIO 4: Operating costs
Additional IT costs: manual data reconstruction and special exports
Typical amount of damage: € 3,000-20,000 per individual request (empirical values from CSP projects)
Every official inquiry or litigation request that has to be processed manually through IT research, backup extraction, data conversion and export costs time and money. For complex legacy systems or data dating back several years, a single request typically takes 3-5 days of IT effort. With several requests per year, this adds up to full-time equivalent costs.
SCENARIO 5: Infrastructure costs
System dependency: Legacy costs for compliance operations
Typical amount of damage: €50,000-500,000 p.a. (depending on system size)
Legacy systems that are only operated in order to access historical data in the event of an audit incur ongoing costs: license fees (Oracle, SAP, proprietary systems), maintenance contracts, infrastructure, security patches and the tied-up expertise of internal IT employees who still know the system. These costs are completely eliminated as soon as the data is archived in a legally compliant manner and the system can be switched off.
SCENARIO 6: Strategic risk
Reputational damage and loss of customers in the event of a public compliance breach
Typical amount of damage: difficult to quantify (market and customer relationship effect)
A data protection breach that becomes known or a tax audit assessment is no longer a purely internal event. Public GDPR fines, insolvency proceedings with data problems and official searches (in the event of suspected accounting manipulation) end up in specialist media. For B2B companies with DAX customers, such reporting can cost tender successes and existing customer relationships.
| Cost category | Immediate costs (0-6 months) | Medium-term (6-24 months) | Long-term (24+ months) |
|---|---|---|---|
| GoBD violation / tax audit | IT audit costs: € 5,000-20,000 | Assessment notice + interest: € 20,000-500,000 | Repeat audit, risk of criminal liability §370 AO |
| DSGVO fine | Legal and consulting costs: €10,000-50,000 | Administrative decision: up to €20 million | Reputational damage, customer migration |
| Litigation loss under civil law | Legal and court costs: € 5,000-30,000 | Judgment incl. amount in dispute: € 50,000-5 million | Internal follow-up processes, supplier dispute |
| Special IT expenses | 5,000-20,000 € per individual case | 15,000-80,000 € p.a. for several cases | 1-2 full-time IT positions permanently tied up |
| Legacy system operation | First quarterly invoice after decision | 50,000-250,000 € p.a. per system | Technology debt, digitalization blockade |
| Insolvency / personal management liability | Immediate freezing of ongoing processes | Personal liability of GmbH managing directors according to §64 GmbHG | Private assets, occupational disability |
10 years: GoBD retention obligation (AO §147)
Up to €20 million: GDPR maximum fine (DSGVO Art. 83)
Over 300%: ROI with CHRONOS (CSP customer data)
6-12 weeks: project duration to go-live (CSP experience value)
When the reversal of the burden of proof becomes a question of existence
In German civil law, the principle applies that whoever claims a fact must prove it. For companies, this means the following in the event of a dispute: Invoicing proven? Service rendered proven? The content of the contract documented? Without proof, there is no relief - even if the facts are clear.
The most dangerous form is the procedural reversal of the burden of proof: if a court finds that documentation obligations have been breached, the burden of proof can be completely transferred to the company - and 'proving that something did not happen' is not possible in practice.
Three scenarios in which the lack of evidence becomes critical to the company's existence
SCENARIO 1: SUPPLIER LAWSUIT
A supplier sues for payment of an invoice that the company disputes. The company claims that the service was not provided in full. Without archived communication (emails, acceptance protocols, system logs) from the relevant period, the company has no way of proving its claim. The court rules in favor of the supplier. Costs: amount in dispute + court costs + legal fees of both parties.
SCENARIO 2: TAX AUDIT WITH ESTIMATION
The tax office carries out a tax audit. The accounting data from the legacy SAP system can no longer be read out completely by machine because the system has been switched off in the meantime - and only a backup exists that has not been converted in accordance with GoBD. The auditor questions the correctness of the bookkeeping and uses the right of estimation in accordance with Section 162 AO. Costs: Additional tax payment after estimation, retroactive for up to 10 years, plus interest.
SCENARIO 3: PRODUCT LIABILITY CLAIM WITH MISSING BATCH HISTORY
A customer sues for damages due to an allegedly defective product. The company claims that the batch complies with the specifications. The production logs from the quality system can no longer be retrieved - the system has been replaced, the data only exists as a backup in the old database format, which can no longer be read without a license for the discontinued system. Costs: Compensation, recall costs, loss of reputation.
Other providers thought the project was impossible - CSP implemented it professionally. Reliable, efficient, absolutely recommendable.
- Markus Bartsch, Director Residual Processing, Schlecker
Case studies: What missing - and existing - evidence means in real terms
The following customer projects from CSP practice illustrate how archiving problems arise and how CHRONOS solves them. The case studies show concrete results - not theoretical scenarios.
CLIENT PROJECT
BMW Group
CHALLENGE
Enormous volumes of production data must remain available for many years due to legal and operational requirements. Database performance was suffering from data growth, and storage costs were rising steadily.
“A typical use case for CHRONOS: reducing costs, improving performance, ensuring compliance—all without disrupting existing systems.”
— Korbinian Hermann, CEO of CSP Intelligence GmbH
CUSTOMER PROJECT
KLS Martin Group
CHALLENGE
Global manufacturer of surgical instruments. Multiple mergers had increased the volume of data without a unified archiving strategy. The company required long-term data availability and legally compliant retention, along with software consolidation.
“Working with CSP has been a great experience. Deadlines are met, and everything runs smoothly.”
— Wojciech Wypior, Head of Business Applications, KLS Martin Group
CLIENT PROJECT
Schlecker – Data Archiving Under Insolvency Law
CHALLENGE
Formerly one of Europe’s largest drugstore chains with thousands of locations. Following insolvency in 2012, a clean winding-up of all data and IT systems was required. Insolvency administrators must keep all data accessible for the tax authorities, pension funds, and courts in a manner that complies with legal requirements over the long term—without former employees having access.
“Other providers thought the project was impossible—CSP executed it professionally. Reliable, efficient, and highly recommended.”
— Markus Bartsch, Director of Restock Processing at Schlecker
Legacy systems: The hidden archiving costs no budget meeting reaches
There's a cost category that isn't listed as 'archiving costs' in most IT budgets, but that's exactly what it is: legacy systems that continue to operate because historical data hasn't been properly archived. These systems incur monthly costs - and they are growing because outdated technology is becoming more expensive to maintain, not cheaper.
| Cost category | Legacy system expense | With CHRONOS archiving |
|---|---|---|
| Oracle database licenses for legacy systems | 100,000-500,000 € p.a. per instance | 0 € - System can be switched off completely |
| SAP maintenance costs for systems in read mode | 18-22% of the license value p.a. | 0 € - Data archived independently of manufacturer |
| IT staff for legacy system support | 0.5-2 FTE per system | < 0.1 FTE for CHRONOS maintenance |
| Security patches for discontinued software | Expensive or impossible | Not applicable - system shut down |
| Database performance problems | Growing with data volume | Production system relieved |
| Access management for specialist departments | IT ticket per request | Self-service by specialist department |
| Disaster recovery costs for legacy systems | Proportional to the number of systems | Not applicable for decommissioned systems |
The calculation is simple: How much does an Oracle database operation for a legacy system that only runs for occasional archive queries cost over 10 years? And what is the cost of a one-off CHRONOS implementation that completely replaces this system in a legally compliant manner? In almost all CSP projects, the archiving solution pays for itself within 12-24 months through savings in system license costs alone.
CHRONOS: What legally compliant archiving looks like in practice
CHRONOS is the archiving platform from CSP Intelligence GmbH - developed for IT managers who need legal security, technical flexibility and economic relief at the same time. The platform goes far beyond traditional archiving solutions: it enables complete application retirement - the legally compliant shutdown of legacy systems without losing access to data.
How a CHRONOS project works
| Phase | Title | Project content | Result |
|---|---|---|---|
| 1 | Initial meeting & demo | Non-binding appointment with technical consultant. Understanding needs, systems and goals. | Clarity about use case and effort |
| 2 | Technical workshop | Analysis of existing data structures and system landscape. Definition of archiving goals. | Technical concept and data mapping |
| 3 | Project offer & planning | Calculation, resource planning and binding timeline. Decision and approval. | Signed offer, project kickoff |
| 4 | Implementation & test | Installation, interface connection, first archiving runs, internal tests & validation. | Validated system in test environment |
| 5 | Go-live & handover | Productive operation, handover to your team, transition to regular operation. | Decommissioned legacy system, running archive |
| + | Care & support | Ongoing technical support, updates, personal support, SLA agreements. | Long-term compliance security |
CHRONOS projects can be implemented within 6-12 weeks - depending on the scope of the system. And your infrastructure generally does not need to be adapted.
- Korbinian Hermann Managing Director, CSP Intelligence GmbH
Frequently asked questions about the archiving obligation and its costs
The costs vary significantly depending on the scenario. In the tax sphere, companies face the risk of assessment notices under Section 162 of the German Fiscal Code (AO)—back taxes may be due retroactively for up to 10 years, plus interest under Section 238 AO (1.8% per annum). In the area of data protection, GDPR fines can amount to up to 20 million euros or 4% of global annual revenue. In civil law, companies without documentary evidence often lose legal disputes, regardless of the facts of the case. Added to this are ongoing IT costs for legacy systems that are now operated solely for “compliance reasons.”
No. Backups generally do not meet the requirements of the GoBD. The BMF’s GoBD (Principles for the Proper Maintenance and Retention of Books, Records, and Documents in Electronic Form) requires immutability, audit-proofing, and machine-readability throughout the entire retention period. Backups can be overwritten, deleted, or altered—without a log. The tax office does not recognize backups as proof of archiving.
Archiving refers to the legally compliant, long-term storage of data in an unalterable format. Application retirement is the process of completely decommissioning a legacy system—after its data has been archived in compliance with legal requirements. CHRONOS enables both: Data is extracted from the legacy system, archived in an audit-proof manner, and made accessible via a vendor-neutral interface. The legacy system can then be completely decommissioned—without data loss and without compliance risks.
Retention periods vary depending on the data category and legal basis: Tax-related documents (accounting records, invoices) must be retained for at least 10 years in accordance with Section 257 of the German Commercial Code (HGB) and Section 147 of the German Fiscal Code (AO). Business letters and correspondence must be retained for 6 years. Payroll records, in some cases up to 30 years (pension insurance). Patient data for at least 10 years after the completion of treatment. Personal data under the GDPR for as long as necessary for the purpose of processing—but with verifiable deletion management.
In many cases, yes. CSP assesses the existing infrastructure and, if necessary, migrates existing archive data to the open CHRONOS format. If the legacy system has already been completely shut down and there is no longer any access to the database, the effort required depends on the format in which the data is still available. The sooner CHRONOS is implemented—while the legacy system is still running—the smoother and more cost-effective the migration will be.
Vendor-neutral archiving means that the archived data is not tied to a proprietary format or software. Whether Oracle changes its licensing terms, SAP is discontinued, or the archiving provider itself goes bankrupt—the data remains readable. CHRONOS stores data in open, standardized formats that can be read even without CHRONOS. This is a fundamental prerequisite for long-term archiving security.
The ROI depends on the system costs saved. For companies with one or more expensive legacy systems (Oracle, SAP), CHRONOS typically pays for itself within 12–24 months through license and maintenance savings alone. CSP reports a proven ROI of over 300%—calculated based on license, storage, and maintenance savings over the system’s lifecycle. Added to this are savings that are more difficult to quantify: IT capacity, reduced compliance risk, and accelerated modernization.
Yes. Legal archiving requirements (GoBD, HGB, GDPR) apply regardless of whether data is stored on-premises, in the cloud, or in a hybrid environment. In fact, the cloud exacerbates the problem in some cases: If the cloud provider discontinues the service (cloud exit risk), data must still remain accessible. CHRONOS is cloud-compatible and can store data locally or in certified data centers.
Knowledge is good. Proof is better.
Make sure you fully understand why a backup isn’t enough—before the tax office explains it to you.
Korbinian Hermann founded CSP with the aim of providing manufacturing companies with the database they need in an emergency. He has 20 years of experience in industrial quality data infrastructure—from data collection to audit-proof long-term archiving.
