An auditor from the tax office asks for receipts from 2018. A supplier files a complaint and requests invoice history as proof. An insolvency administrator needs transaction data from a legacy system that has been switched off for three years. A data protection authority asks for proof of deletion of personal data from the last decade.
In each of these cases, there is exactly one question that decides the outcome: Can you provide the proof?
Many companies answer this question with 'yes, we have a backup'. This is the wrong answer - legally, technically and financially. Backups are not archives. They can be manipulated, are not audit-proof, cannot be read in the long term and do not fulfill the legal obligation to provide evidence in any of the scenarios mentioned.
This article shows the concrete costs of missing or inadequate archiving in the event of liability - in fines, reversal of the burden of proof, additional tax payments, IT costs and lost legal disputes. And how you can permanently avoid these costs with legally compliant archiving.
THE MOST IMPORTANT FACTS IN BRIEF
The archiving obligation is not an optional quality feature. It is a legal obligation that applies to almost every company in Germany - regardless of size, industry or degree of digitization. Violations are actively punished, not just at the next audit, but retroactively for up to ten years.
The most common misconception in practice: IT managers confuse data backup with archiving. These are two fundamentally different concepts - with completely different legal consequences in the event of non-compliance.
| Legal basis | Data category | Time limit | Format requirement | Sanction for violation |
|---|---|---|---|---|
| HGB §257 | Trading books, inventories, annual financial statements, invoices | 6 / 10 years | Unalterable, legible, complete | Tax back payment, estimate |
| AO §147 | Tax-relevant accounting documents, business letters | 10 years | Audit-proof, machine analyzable | Assessment notice, additional payment + interest |
| GoBD (BMF 2019) | All tax-relevant data including metadata | 10 years | Unchangeable, complete, timely | Rejection of accounting, risk of tax audit |
| GDPR (DSGVO) Art. 5/17 | Personal data | As long as necessary + proof of deletion | Verifiable proof of deletion | Up to 4% annual turnover or €20 million |
| GoBS (IDW RS FAIT 1) | Data from IT-supported accounting | Minimum auditability period | Audit-proof, unalterable | Refusal to audit, liability |
| Professional law (e.g. ÄrzteO) | Patient data, treatment records | At least 10, in some cases 30 years | Legible, complete | Professional liability, damages |
| InsO / HGB Insolvency law | All accounting-relevant documents | At least 10 years after liquidation | Complete, reconstructible | Personal liability of managing director |
THE DECISIVE CRITERION: AUDIT-PROOF
Audit-proof means: data cannot be subsequently changed, deleted or overwritten - and every change (if permitted) is logged. A backup does not structurally fulfill this criterion: backup data can be overwritten, deleted or changed - without a log, without a trace. The tax office and the courts know this. Anyone who can only present a backup in the event of an audit proves that the requirements of the GoBD have not been met.
The confusion between backup and archive is the most expensive mistake in data storage. It arises because both concepts appear to pursue similar goals at first glance: preserving data. The difference lies in why and how - and it is precisely this difference that is decisive in the event of liability.
| Criterion | Classic backup | Legally compliant archiving |
|---|---|---|
| Primary purpose | Recovery after data loss | Legally compliant long-term storage |
| Immutability | Not guaranteed - backup can be overwritten | Technically ensured - no manipulation possible |
| Revision security | Not given | Core feature: complete change history |
| Long-term readability | Dependent on backup software and format | Format-independent, open format readable for decades |
| Retention period management | Manual, error-prone | Automatically controlled according to legal basis |
| Database dependency | High - backup is DB format-dependent | Vendor-independent - data detached from source system |
| GoBD conformity | Not compliant | Compliant (with correct implementation) |
| Access by specialist department | Requires IT support for export/conversion | Self-service access without IT ticket |
| Application Retirement | Not possible - system must be running for backup access | Allows complete system shutdown |
| Audit suitability | Verifiably not sufficient | Fully auditable and verifiable |
A lack of archiving is not an abstract compliance gap. It manifests itself in concrete, measurable costs - immediate, medium-term and long-term. The following overview shows the six cost blocks that IT managers and compliance officers need to be aware of.
SCENARIO 1: Tax risk
Tax audit without complete documentation
Typical amount of damage: unlimited (estimate) (AO §162, GoBD)
If the tax office does not consider the accounting to be GoBD-compliant, it may estimate the tax base - always to the detriment of the company. If tax-relevant documents are missing for several years, back tax payments plus interest (1.8% p.a. according to §238 AO) can quickly run into six figures.

SCENARIO 2: Data protection
GDPR fine: lack of proof of deletion or unauthorized storage
Typical amount of damage: up to €20 million or 4% annual turnover (GDPR Art. 83 para. 5)
If personal data is stored for longer than permitted (no erasure management) or if no proof of proper processing can be provided in the event of liability, fines may be imposed in accordance with GDPR Art. 83. The reverse is also costly: if data was deleted too early and is needed as proof of exoneration in the event of a dispute.

SCENARIO 3: Loss of rights
Loss of litigation due to reversal of the burden of proof in civil law
Typical amount of loss: amount in dispute + legal costs (ZPO §286, BGB §280)
Anyone who is unable to provide evidence in a civil law dispute generally loses - regardless of whether they are factually in the right. Missing invoice history, unverifiable fulfillment of contract, missing proof of communication: any gap in documentation can lead to a complete reversal of the burden of proof. Dispute values in the B2B sector are typically between 50,000 and several million euros.

SCENARIO 4: Operating costs
Additional IT costs: manual data reconstruction and special exports
Typical amount of damage: €3,000-20,000 per individual request (empirical values from CSP projects)
Every official inquiry or litigation request that has to be processed manually through IT research, backup extraction, data conversion and export costs time and money. For complex legacy systems or data dating back several years, a single request typically takes 3-5 days of IT effort. With several requests per year, this adds up to full-time equivalent costs.

SCENARIO 5: Infrastructure costs
System dependency: legacy costs for compliance operations
Typical amount of damage: €50,000-500,000 p.a. (depending on system size)
Legacy systems that are only operated in order to access historical data in the event of an audit incur ongoing costs: license fees (Oracle, SAP, proprietary systems), maintenance contracts, infrastructure, security patches and the tied-up expertise of internal IT employees who still know the system. These costs are completely eliminated as soon as the data is archived in a legally compliant manner and the system can be switched off.

SCENARIO 6: Strategic risk
Reputational damage and loss of customers in the event of a public compliance breach
Typical amount of damage: difficult to quantify (market and customer relationship effect)
A data protection breach that becomes known or a tax audit assessment is no longer a purely internal event. Public GDPR fines, insolvency proceedings with data problems and official searches (in the event of suspected accounting manipulation) end up in specialist media. For B2B companies with DAX customers, such reporting can cost tender successes and existing customer relationships.
| Cost category | Immediate costs (0-6 months) | Medium-term (6-24 months) | Long-term (24+ months) |
|---|---|---|---|
| GoBD violation / tax audit | IT audit costs: €5,000-20,000 | Assessment notice + interest: €20,000-500,000 | Repeat audit, risk of criminal liability §370 AO |
| GDPR fine | Legal and consulting costs: €10,000-50,000 | Administrative decision: up to €20 million | Reputational damage, customer migration |
| Litigation loss under civil law | Legal and court costs: €5,000-30,000 | Judgment incl. amount in dispute: €50,000-5 million | Internal follow-up processes, supplier dispute |
| Special IT expenses | €5,000-20,000 per individual case | €15,000-80,000 p.a. for several cases | 1-2 full-time IT positions permanently tied up |
| Legacy system operation | First quarterly invoice after decision | €50,000-250,000 p.a. per system | Technology debt, digitalization blockade |
| Insolvency / personal management liability | Immediate freezing of ongoing processes | Personal liability of GmbH managing directors according to §64 GmbHG | Private assets, occupational disability |
10 years: GoBD retention obligation (AO §147)
Up to €20 million: GDPR maximum fine (DSGVO Art. 83)
>300%: ROI with CHRONOS (CSP customer data)
6-12 weeks: project duration to go-live (CSP empirical value)
In German civil law, the principle applies that whoever claims a fact must prove it. For companies, this means the following in the event of a dispute: Invoicing proven? Service rendered proven? The content of the contract documented? Without proof, there is no relief - even if the facts are clear.
The most dangerous form is the procedural reversal of the burden of proof: if a court finds that documentation obligations have been breached, the burden of proof can be completely transferred to the company - and 'proving that something did not happen' is not possible in practice.
SCENARIO 1: SUPPLIER LAWSUIT
A supplier sues for payment of an invoice that the company disputes. The company claims that the service was not provided in full. Without archived communication (emails, acceptance protocols, system logs) from the relevant period, the company has no way of proving its claim. The court rules in favor of the supplier. Costs: amount in dispute + court costs + legal fees of both parties.

SCENARIO 2: TAX AUDIT WITH ESTIMATION
The tax office carries out a tax audit. The accounting data from the legacy SAP system can no longer be read out completely by machine because the system has been switched off in the meantime - and only a backup exists that has not been converted in accordance with GoBD. The auditor questions the correctness of the bookkeeping and uses the right of estimation in accordance with Section 162 AO. Costs: additional tax payment after estimation, retroactive for up to 10 years, plus interest.

SCENARIO 3: PRODUCT LIABILITY CLAIM WITH MISSING BATCH HISTORY
A customer sues for damages due to an allegedly defective product. The company claims that the batch complies with the specifications. The production logs from the quality system can no longer be retrieved - the system has been replaced, the data only exists as a backup in the old database format, which can no longer be read without a license for the discontinued system. Costs: compensation, recall costs, loss of reputation.
Other providers thought the project was impossible - CSP implemented it professionally. Reliable, efficient, absolutely recommendable.
- Markus Bartsch, Director Residual Processing, Schlecker
The following customer projects from CSP practice illustrate how archiving problems arise and how CHRONOS solves them. The case studies show concrete results - not theoretical scenarios.
There's a cost category that isn't listed as 'archiving costs' in most IT budgets, but that's exactly what it is: legacy systems that continue to operate because historical data hasn't been properly archived. These systems incur monthly costs - and they are growing because outdated technology is becoming more expensive to maintain, not cheaper.
| Cost category | Legacy system expense | With CHRONOS archiving |
|---|---|---|
| Oracle database licenses for legacy systems | €100,000-500,000 p.a. per instance | €0 - System can be switched off completely |
| SAP maintenance costs for systems in read mode | 18-22% of the license value p.a. | €0 - Data archived independently of manufacturer |
| IT staff for legacy system support | 0.5-2 FTE per system | < 0.1 FTE for CHRONOS maintenance |
| Security patches for discontinued software | Expensive or impossible | Not applicable - system shut down |
| Database performance problems | Growing with data volume | Production system relieved |
| Access management for specialist departments | IT ticket per request | Self-service by specialist department |
| Disaster recovery costs for legacy systems | Proportional to the number of systems | Not applicable for decommissioned systems |
The calculation is simple: How much does an Oracle database operation for a legacy system that only runs for occasional archive queries cost over 10 years? And what is the cost of a one-off CHRONOS implementation that completely replaces this system in a legally compliant manner? In almost all CSP projects, the archiving solution pays for itself within 12-24 months through savings in system license costs alone.
CHRONOS is the archiving platform from CSP Intelligence GmbH - developed for IT managers who need legal security, technical flexibility and economic relief at the same time. The platform goes far beyond traditional archiving solutions: it enables complete application retirement - the legally compliant shutdown of legacy systems without losing access to data.
How a CHRONOS project works
| Phase | Title | Project content | Result |
|---|---|---|---|
| 1 | Initial meeting & demo | Non-binding appointment with technical consultant. Understanding needs, systems and goals. | Clarity about use case and effort |
| 2 | Technical workshop | Analysis of existing data structures and system landscape. Definition of archiving goals. | Technical concept and data mapping |
| 3 | Project offer & planning | Calculation, resource planning and binding timeline. Decision and approval. | Signed offer, project kickoff |
| 4 | Implementation & test | Installation, interface connection, first archiving runs, internal tests & validation. | Validated system in test environment |
| 5 | Go-live & handover | Productive operation, handover to your team, transition to regular operation. | Decommissioned legacy system, running archive |
| + | Care & support | Ongoing technical support, updates, personal support, SLA agreements. | Long-term compliance security |
CHRONOS projects can be implemented within 6-12 weeks - depending on the scope of the system. And your infrastructure generally does not need to be adapted.
- Korbinian Hermann, Managing Director, CSP Intelligence GmbH