Long-term archiving of emails and data in Microsoft 365

The minimum order quantity is 10 user licences. For extension licences, the end of the term is identical tothe endof the term for the existing user licences.

I business related data is not archived, this constitues a failure to comply with accounting obligations. Accordingly, a company without an appropriate archive is non-compliant. In addition for possible penalties for tax evasion (Section378 AO) or tax fraud (Section 370 AO), thetax officemay, as a practical measure, restrict input tax deductibility. For SMEs, these measures can be expensive and even threaten their existence. For managing directors, personal liability can become an issue here if duties of care have been violated. Furthermore, sanctions under the GDPR can be imposed, which can result in much higher penalties. There are de facto two different laws in Germany that require data archving.

Compliance archiving has various advantages over other providers of archiving solutions abd has established itself in recent years as THE compliance archive. Furthermore, compliance archiving offers the creation of separate archiving locations for sensitive data, which can only be opened in accordance with the dual control principle and are therefore initially excluded from standard enterpreise searches. Unlimited data volume and storage in German ISO-certified data Centers are also included.

Sensitive archiving locations are specially protected areas in which data is archived via standard rules or manual categorisation of data using folders or categories. This is useful, for example, for separately archiving the communication of sensitive groups within the company, such as works council communication, management communication or HR communication. In addition, employees can be allowed or at least tolerated to use the system for private purposes, as they are given the opportunity to classify this private communication. In this way, sensitive data can only be searched if there is a justified need to do so and the previously defined persons authorise access. This can be done in various ways and can be defined individually with the customer.

With the entry force of the GDPR, companies should establish clear rules regarding the handling of private messages via business email accounts or teams. Compliance Archiving offers a wide range of options to support customers in both permitting and prohibiting the private use of business communication tools.

A licence for compliance archiving is required if the archived mailbox belongs to an active Exchange mailbox in which at least one item is archived. An active mailbox is a service that can be accessed by the user, such as a regularly archived email mailbox, resource or shared mailbox. Mailboxes that cannot be accessed by a user on the archive system are not counted. The minimum purchase are 10 licences. Former employees whose archive data is accessed via proxy access, are not activemailboxes and do not require a licence.

Compliance archving involves tamper-proof data storage. Raising awareness and training employees is essential and mandatory.We therefore recommend offering appropriate training, particularly when introducing a compliance archive and during the onboarding process for new employees. It is also advisable to raise awareness among all employees on a regular basis.

The obligation to archive emails in an audit-proof manner arises from the GoBD, the principles for the proper management and storage of books, records and documents in electronic form and for data access, which haven been in force since January 2017. Since then, digital business documents must be archived digitally for six to ten years. These regulations were updated in spring 2024 to include, in particular, stricter data security requirements and detailed regulations for cloud services.
With the entry into force of the GDPR, email archving is also experiencing a revival, as it is an important component in meeting all compliance requirements. Companies have a duty to ensure order and transparency when handling personal data with regard to technical and organisational measures. Audit-proof data archving ensures that ptential data protection violations or non-compliance with requirements are detected, especially in digital correspondence.

Data protection requirements and the GDPR oblige companies to delete applicants documents after a certain period of time if the applicant is not hired. Even if the statutory retention periods are shorter, it is generally recommended to delete this data after a maximum of 6 months.

Therefore, processes must be created to prevet the archving of apllicant data. For example, applicants can only be accepted in a central applicant mailbox that is excluded from cloud archving, internal conduct guidelines can also stipulate that forwarding apllicant emails between employees is prohibited, as otherwise the applicant data will end up in email mailboxes that are part of an archive. Appropriate regulations must also be implementes fpr handing outsied of Exchange.