On 18 October 2024, the Federal Council approved the “Fourth Act to Reduce Bureaucracy for Citizens, Business and the Administration”. The aim: less effort for business, more time for the core business. A central element of the law is the shortening of the retention period for accounting documents under commercial and tax law from ten to eight years.
What initially sounds like a noticeable relief, however, also has a data protection component that companies should not underestimate.
What will change in concrete terms
According to Section 257 (1) No. 4 HGB, accounting documents – such as invoices, delivery notes, payment receipts and internal records – only have to be kept for eight years from 1 January 2025. For banks, insurers and securities institutions, the new regulation will only take effect one year later.
The change affects all documents whose ten-year deadline has not yet expired at the beginning of next year. For all other documents – such as balance sheets or trading books – the previous ten-year period will remain in place.
Relevance under data protection law: Deletion obligations under the GDPR
Even if the retention obligations primarily originate from commercial and tax law, they are of central importance for data protection. This is because accounting documents regularly contain personal data, such as the names and account details of customers, employees or business partners.
According to Art. 5 para. 1 lit. e GDPR, personal data may only be stored for as long as it is necessary for the purpose for which it was collected. As soon as this purpose – in this case the statutory retention obligation – ceases to apply, the obligation to erase the data takes effect.
The statutory retention period therefore also determines the storage period in processing directories, data protection declarations and erasure concepts. A change to this period requires adjustments at a technical and organisational level.
Challenges for data protection management and IT
What does the new deadline mean for companies in concrete terms?
- Revision of deletion concepts: Existing regulations, which previously assumed a ten-year storage period, must be changed to eight years.
- Adaptation of IT systems: Automated erasure functions, archiving processes and deadline monitoring must be technically revised.
- New documentation in directories in accordance with Art. 30 GDPR: Storage periods and their legal basis must be documented in an updated form.
This need for adaptation should not be underestimated, especially for large companies with complex IT infrastructures – the hoped-for relief could therefore be associated with increased effort in the short term.
Conclusion: Relief with side effects
Shortening the retention period for accounting documents is undoubtedly a step towards reducing bureaucracy – at least on (hopefully digital) paper. From a data protection perspective, however, there is a not inconsiderable need for adjustment, which requires careful implementation.
Those who fail to adapt their erasure concepts and IT systems risk breaching data protection laws. After all, once the statutory retention period has expired, there is an obligation to erase.
Contact us – we will be happy to support you in adapting your erasure concepts, updating your processing directories and technically implementing data protection regulations.