Authored by: K Royal, technology columnist for, and vice president, associate general counsel of privacy, and compliance/privacy officer at CellTrust Corp.

This article was published as part of ACC’s “This Week in Privacy” series, a new column for in-house counsel who need advice in the privacy and cybersecurity sectors.


With all the data protection reform going on in Europe, I heard about something called the GoBD, which pertains to tax papers. What is that?


Unlike the General Protection Data Regulation (GDPR), the GoBD is not a well-known or oft-discussed topic. The German GoBD, or the “basic principles on the proper keeping and storage of financial books, recordings, and documents in electronic form as well as data access” (Grundsätze zur ordnungsmäßigen Führung und Aufbewahrung von Büchern, Aufzeichnungen und Unterlagen in elektronischer Form sowie zum Datenzugriff), became effective a little over two years ago and is specifically related to tax documentation. It replaced two prior requirements: one from 1995, the GoBS (principles of proper DV-based accounting systems), and one from 2001, the GDPdU (principles of data access and verifiability of digital documents).

The GoBD greatly increases the reach of the German Ministry of Finance, because not only are there many types of documents, records, and data that can be linked to tax purposes, but also because the Ministry requires a years’ worth of continuous documentation. The documentation is especially critical in cash-based businesses, like hair salons and restaurants, because cash transactions is highly subject to manipulation and inaccurate reporting.

In this digital age, many documents and records are created or retained electronically. Some records are still required to be kept in original paper, such as donation receipts and capital gains certificates. Otherwise, companies often desire to reduce the paper burden and retain digitized copies.

The GoBD facilitates that desire, but requires that the auditability and traceability of the original transactions remain. For example, a PDF/A-3 comprises both an image and XML filed linked to the information contained in the image. The tx authorities would need to be able to audit that electronic file. If it is transformed into a JPG, TNG, or PNG, then the XML information would be lost.

The GoBD also contains timeframe restrictions — cash transactions must be captured daily and non-cash transactions must be captured every 10 days. Certain transactions are permitted to be captured on a monthly basis, but there are limitations and requirements around regular scheduling of these digitization actions. The two specific provisions in the GoBD around electronic record-keeping are data immutability and security.

For more guidance on the GoBD, please visit one of the following links: VGD, SMACC, or Bundesministerium der Finanzen.

For further reading, download ACC’s White Paper on “What Every GC Needs to Know About Third Party Cyber Diligence.”