There are many reasons why a company might choose to archive its email communications in a legally compliant manner. Legal requirements, protection against data loss, and quick and easy recovery are some of the most commonly cited motives for an email archive.
An email archiving obligation for electronic documents, emails, invoices and other company records results from several legal requirements.
These include, for example, the "Principles for the proper keeping and storage of books, records and documents in electronic form and for data access (GoBD)", §147 of the German Fiscal Code (AO), §257 of the German Commercial Code (HGB), §8 of the Money Laundering Act (GWG) and §50 of the German Federal Lawyers' Act (BRAO).
The archived data and e-mails must be stored in an audit-proof manner. The term audit-proof has become established in the field of electronic archiving and essentially summarizes the requirements as defined, for example, in §239 HGB. This states "The entries in books and the otherwise required records must be complete, correct, timely and orderly" and further "An entry or a record may not be changed in such a way that the original content can no longer be determined. Nor may such alterations be made whose nature makes it uncertain whether they were made originally or subsequently."
Beyond meeting legal requirements, email archiving is also an excellent tool for preventing data loss. Mistakes happen, whether it is the accidental deletion of an email or a misconfigured inbox rule, and emails are also deleted intentionally for fraudulent reasons. Complete e-mail archiving via a dedicated archiving system reliably prevents such data loss.
Are you looking for e-mails about a specific event that happened several years ago? No problem. An e-mail archiving system provides you with the appropriate search functions, even across mailbox boundaries. Detailed rights assignment ensures that only authorized persons have access to the relevant data.
There are many approaches to email archiving, but not every one leads to the desired goal. Choose the solution that works best for you, but beware: not all methods form the basis for a legally compliant solution.
A common method of email archiving is to store emails in mailbox files (PST files). Even older versions of Microsoft Outlook created such files automatically (archive.pst) in order to reduce the load on one's mailbox. Even though this method is simple and inexpensive, it does not meet the legal requirements for audit-proof e-mail archiving. This is because, like other data files, PST files can be modified or deleted at a later date.
Modern mail servers such as Exchange Online as part of a Microsoft 365 subscription have the option of creating an archive database for users. In principle, this is a modern version of auto-archiving via the old familiar PST file. Here, too, subsequent manipulation of the contents is possible, so this method is not suitable for meeting legal requirements either.
Special e-mail archive systems take a different approach to archiving. Via the journaling function of the mail server, incoming and outgoing e-mails are sent to the archiving system as copies. This reliably prevents subsequent changes. But be careful: if the systems are configured incorrectly, the legal requirements for archiving e-mails may not be met. For example, some systems allow the mailboxes to be read out at regular intervals, with any changes found being transferred to the archive. Emails that are received or sent in this "blanking interval" between two read-outs and then immediately deleted are not archived in this type of configuration. Such a configuration does not comply with the principles of audit-proof email archiving and therefore does not satisfy the above-mentioned legal requirements.
Litigation Hold, formerly "legal hold", is a function for preserving evidence. If Litigation Hold is activated on a mailbox, no email can be deleted from it any longer. Every incoming or outgoing email is copied to an archive that is invisible to the user. Even though this function can meet the legal requirements, it is not suitable for quick searches in older holdings. If something is to be produced from the archive, you must first submit a search request to the system with the appropriate authorizations. Once the search request has been executed, you create an export request. When this job is also completed, you can download the results as a PST file to your local system via a special browser plug-in and open or import them via Outlook.
When implementing reliable email archiving, problems can arise that can be avoided with careful planning. Check in advance which emails need to be archived and which do not.
Not everything that comes in the form of an e-mail is automatically subject to the statutory retention requirement. If you receive application documents by e-mail, for example, there is no longer any need for further storage once the selection process has been completed. The General Data Protection Regulation (DSGVO) also regulates the right to deletion of personal data. Keep this in mind when planning your e-mail archiving system.
Not all types of email accounts can be archived equally. Sometimes you need special server rules that automatically create a copy for the archive. In other cases, it is a setting at the provider that creates a copy of the emails. Archiving e-mails is easiest if it has already been considered in the planning of the e-mail system. Here is a brief overview of possible email accounts or email senders that you should consider in the planning:
Encrypted emails are often copied 1:1 into the archive just like unencrypted emails, without taking the corresponding certificates or keys into account. As a result, the e-mails are still present in the archive but can no longer be read, because the key needed to decrypt them is missing. You should therefore include certificates and keys in the planning of your archiving solution from the start.
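One way to check an existing archive for this problem is to flag every stored message that is encrypted and therefore depends on a key. The following is an added example, not part of the original article; the function names and the sample messages are constructed, and detection relies on the standard MIME types for S/MIME and PGP/MIME.

```python
import email
from email import policy

SMIME_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime"}

def encryption_kind(raw: bytes) -> str:
    """Classify one archived message: 'smime', 'pgp-mime', 'pgp-inline' or 'none'."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():  # walk() also descends into message/rfc822 wrappers
        ctype = part.get_content_type()
        if ctype in SMIME_TYPES:
            # signed-data is readable without a private key; enveloped-data is not.
            # Assumption: a missing smime-type is treated as encrypted so it gets reviewed.
            kind = str(part.get_param("smime-type") or "enveloped-data").lower()
            if kind in ("enveloped-data", "authenveloped-data"):
                return "smime"
        elif ctype == "multipart/encrypted":
            proto = str(part.get_param("protocol") or "").lower()
            if proto == "application/pgp-encrypted":  # PGP/MIME, RFC 3156
                return "pgp-mime"
        elif ctype == "text/plain":
            body = part.get_payload(decode=True) or b""
            if b"-----BEGIN PGP MESSAGE-----" in body:
                return "pgp-inline"
    return "none"

def audit(archive: dict) -> dict:
    """Map message id -> encryption kind for every message that needs a key."""
    found = {mid: encryption_kind(raw) for mid, raw in archive.items()}
    return {mid: kind for mid, kind in found.items() if kind != "none"}

# Constructed sample messages (placeholder bodies, no real ciphertext).
HDR = b"From: a@example.test\r\nTo: b@example.test\r\nMIME-Version: 1.0\r\n"
SAMPLES = {
    "m1": HDR + b"Content-Type: text/plain\r\n\r\nInvoice attached.\r\n",
    "m2": HDR + b"Content-Type: application/pkcs7-mime; smime-type=enveloped-data;"
                b' name="smime.p7m"\r\nContent-Transfer-Encoding: base64\r\n\r\nAAAA\r\n',
    "m3": HDR + b'Content-Type: multipart/encrypted; boundary="b";'
                b' protocol="application/pgp-encrypted"\r\n\r\n'
                b"--b\r\nContent-Type: application/pgp-encrypted\r\n\r\nVersion: 1\r\n"
                b"--b\r\nContent-Type: application/octet-stream\r\n\r\nplaceholder\r\n--b--\r\n",
    "m4": HDR + b"Content-Type: application/pkcs7-mime; smime-type=signed-data\r\n\r\nAAAA\r\n",
}

if __name__ == "__main__":
    for mid, kind in audit(SAMPLES).items():
        print(f"{mid}: {kind} - confirm the decryption key is escrowed")
```

Messages reported here are the ones to match against the certificates and keys held for the archive; signed-only S/MIME mail (m4) is deliberately not flagged because it stays readable without a private key.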
Spam filtering before archiving carries the risk that e-mails subject to the retention requirement will not be archived. A safer solution is to filter spam even before the mail server accepts the email. This also offers a significant reduction in the load on your e-mail infrastructure and less effort for your employees, as regular checking of the junk e-mail folder is no longer necessary. For more information, just ask us.