The Grundsätze zur ordnungsmäßigen Führung und Aufbewahrung von Büchern, Aufzeichnungen und Unterlagen in elektronischer Form sowie zum Datenzugriff — universally known as GoBD — is the German Federal Ministry of Finance's definitive framework for how electronic records, including e-invoices, must be managed. First published in 2014 and updated in 2019, GoBD applies to every business operating in Germany, regardless of size or industry.
With the e-invoicing mandate now live (receiving since January 2025, issuance from January 2027 for businesses above €800K revenue), GoBD-compliant archiving is no longer a theoretical requirement — it's an operational necessity. An e-invoice that is correctly formatted but improperly archived can still result in rejected VAT deductions, estimated tax assessments, and penalties under the Abgabenordnung (AO).
What Is GoBD?
GoBD sets out the requirements for proper accounting, record-keeping, and data access in electronic form. It applies to all tax-relevant data — including invoices, receipts, contracts, and correspondence — and defines how such data must be captured, processed, stored, and made accessible for audit purposes.
The key regulatory references are:
Requirements for bookkeeping entries — must be complete, correct, timely, and orderly.
Retention obligations — defines what must be kept and for how long (6 or 10 years depending on document type).
Technical security requirements for electronic recording systems (TSE).
Commercial law retention periods — 10 years for commercial books and invoices, 6 years for commercial letters.
Invoice requirements under VAT law — defines what constitutes a valid invoice.
The 7 GoBD Principles
GoBD defines seven core principles that every archiving system must satisfy. Failure to comply with any single principle can render your entire bookkeeping "nicht ordnungsgemäß" (not proper) — with serious tax consequences:
Every transaction must be traceable from the original document through all processing steps to the final accounting entry — and vice versa. The audit trail must be complete and unbroken.
Once a document has been archived, it must not be altered, deleted, or overwritten. Any corrections must be documented as separate entries that reference the original, preserving the complete history.
All tax-relevant documents must be archived — no exceptions. Every invoice sent or received, every credit note, every correction must be captured in the archive.
Documents must be recorded and archived promptly — ideally at the time of the transaction or receipt. Delays in archiving can be treated as a GoBD violation.
Archived documents must be organised systematically so that any document can be retrieved within a reasonable time. Random or unstructured storage does not comply.
The Finanzamt must be able to access archived data during an audit without restrictions. This includes machine-readable access (Z1, Z2, Z3 data access levels) to structured data.
A written procedural documentation must describe your entire invoicing and archiving process — from document creation through storage to eventual deletion after the retention period.
Retention Periods
German law mandates two distinct retention periods, governed by different legislation. E-invoices typically fall under both, meaning the longer period (10 years) effectively applies:
Important: Retention Period Start Date
The retention period begins at the end of the calendar year in which the document was created or received. An invoice dated March 15, 2026, must be retained until at least December 31, 2036 (10 years from end of 2026). During an ongoing tax audit, the retention period is automatically extended until the audit is completed — even if the standard period has expired.
Format & Conversion Rules
One of the most critical — and frequently violated — GoBD requirements concerns the format in which documents must be archived:
Rule: Archive in the format received. If you receive an e-invoice as an XRechnung XML file, you must archive that XML file. Converting it to PDF for storage is a GoBD violation — the PDF version may be kept as an additional convenience copy, but the original XML must remain the authoritative archived document.
For ZUGFeRD invoices (hybrid PDF/XML), both the PDF rendering and the embedded XML data must be preserved together as a single archive unit. Extracting only the PDF visual layer and discarding the XML data would violate both the completeness and immutability principles.
Format conversion is permitted only if: the original format is preserved alongside the converted version, both versions are linked in the audit trail, and the conversion process itself is documented in the Verfahrensdokumentation. In practice, most tax advisors recommend avoiding conversion entirely and simply archiving the original format.
Audit Trail Requirements
GoBD requires a complete, unbroken audit trail (Belegfluss/Verarbeitungshistorie) for every document in the archive. The audit trail must record:
Timestamp of Receipt/Creation
The exact date and time when the document was first received or created in the system, with timezone information.
Document Identity
A unique, immutable identifier (hash or document ID) that links the archived version to the original transaction in the ERP.
Processing History
Every action performed on the document — viewing, forwarding, booking, payment matching — must be logged with user, timestamp, and action type.
Change Log
Any corrections, cancellations, or credit notes must reference the original document and be linked in the audit trail as a chain of related records.
Verfahrensdokumentation: Procedural Documentation
The Verfahrensdokumentation is perhaps the most overlooked GoBD requirement. This document must describe your complete invoicing and archiving process in sufficient detail that an independent third party (such as a Finanzamt auditor) could understand and verify your procedures. It must cover:
General description of the business and invoicing processes
Software systems used (ERP, e-invoicing solution, archiving system)
Data flow from invoice creation/receipt through processing to archival
Access controls and user permissions for the archiving system
Backup and disaster recovery procedures
Process for handling corrections, cancellations, and credit notes
Retention period management and eventual secure deletion procedures
Internal controls and quality assurance measures
The Verfahrensdokumentation must be kept current. Any changes to your invoicing or archiving processes — such as switching e-invoicing providers or migrating to a new archiving system — must be reflected in the document. During a Betriebsprüfung (tax audit), the auditor will request this document early in the process to understand your systems before examining individual records.
Cloud vs On-Premise Archiving
GoBD does not prescribe where data must be stored — cloud-based archiving is fully permitted, provided all GoBD principles are met. However, the choice between cloud and on-premise has important implications:
On-Premise Archiving
Full control over data location and access. Requires internal IT expertise for backup, security, and long-term accessibility. Risk of hardware failure or obsolescence over the 10-year retention period.
Cloud-Based Archiving
Managed infrastructure eliminates hardware risk. Must ensure the cloud provider meets GoBD requirements — particularly immutability, accessibility, and data sovereignty. Data must remain within the EU (DSGVO).
For most German businesses, a cloud-based solution with EU data residency offers the best balance of compliance, cost, and reliability. InvoStaq's archiving infrastructure is hosted on EU-based servers with WORM (Write Once Read Many) storage, ensuring that archived documents meet the immutability requirement by design.
DSGVO (GDPR) Interaction
A frequently asked question is how GoBD retention requirements interact with the DSGVO (Datenschutz-Grundverordnung / GDPR) — particularly the right to erasure (Art. 17 DSGVO). The answer is clear: tax law retention obligations take precedence over the right to erasure during the retention period.
Article 17(3)(b) DSGVO explicitly states that the right to erasure does not apply when processing is necessary for compliance with a legal obligation under EU or Member State law. GoBD retention requirements are exactly such a legal obligation. However, once the retention period expires, businesses must promptly delete personal data contained in archived invoices — failure to do so would then constitute a DSGVO violation.
Best Practice: Access Controls
To balance GoBD and DSGVO requirements, implement strict access controls on archived e-invoices. Only authorised personnel (accounting staff, auditors) should be able to access personal data within archived documents. Log all access events as part of the audit trail. This satisfies both the GoBD accessibility requirement and the DSGVO data minimisation principle.
Common Mistakes
Based on our experience helping German businesses achieve GoBD compliance, these are the most common archiving mistakes we encounter:
The most common violation. Receiving an XRechnung XML invoice via email and printing or converting it to PDF for archival destroys the machine-readable data and violates the completeness principle.
Keeping e-invoices only in email inboxes — even if the emails are backed up — does not meet GoBD requirements for systematic order, immutability, or machine-readable access.
Many businesses have never created a Verfahrensdokumentation or have not updated it since implementing e-invoicing. This is a standalone GoBD violation regardless of how good the actual archiving is.
GoBD requires that archived data be protected against loss. Irregular or untested backup procedures mean that a hardware failure could destroy years of tax-relevant records.
Just as you must archive documents for the required period, you must also have a process for secure deletion once the retention period expires — particularly for DSGVO compliance.
InvoStaq GoBD-Compliant Archiving
InvoStaq's archiving module is built from the ground up to satisfy every GoBD principle automatically. When an e-invoice is sent or received through InvoStaq, it is immediately archived in its original format with a complete audit trail — no manual steps, no format conversion, no compliance gaps.
WORM Storage
Write Once Read Many storage ensures archived documents cannot be altered or deleted during the retention period — satisfying the immutability principle by design.
Instant Audit Access
Full-text search and structured query access (Z1/Z2/Z3 levels) allows Finanzamt auditors to retrieve any document instantly during a Betriebsprüfung.
Cryptographic Hash Chain
Every archived document is assigned a SHA-256 hash. Sequential hashing creates an immutable chain that proves completeness and detects any tampering.
Auto Verfahrensdokumentation
InvoStaq generates and maintains your Verfahrensdokumentation automatically, updating it whenever your configuration or processes change.
GoBD-Compliant Archiving, Fully Automated
Stop worrying about retention periods, format rules, and audit trails. InvoStaq archives every e-invoice in full GoBD compliance — automatically, from inside your ERP.