Article | 16 April 2026
Audit-Proof Archiving and GDPR: Retention vs. Right to Erasure
The Two Sides of the Conflict #
Retention Obligations #
Across the EU, businesses must retain records for defined periods:
- VAT law: invoices must be retained for periods set by each member state under the EU VAT Directive, commonly 6 to 10 years.
- Accounting and commercial law: national rules require books, annual accounts, and supporting documents to be kept. In Germany, for example, commercial books and annual accounts must be retained for 10 years, accounting documents and invoices for 8 years (banks, insurers, and securities institutions: 10), and commercial correspondence for 6 years, following the 2025 reform of retention periods.
- Sector rules: MiFID II record-keeping in financial services, and healthcare retention of 10 to 30 years for patient records depending on member state and record type.
These records routinely contain personal data: names on invoices, contact details in correspondence, patient identities in medical records.
The GDPR Right to Erasure #
Art. 17 grants data subjects the right to erasure when data is no longer necessary, consent is withdrawn, or processing was unlawful. Art. 5(1)(e) (storage limitation) adds that personal data may be kept no longer than necessary for the purpose.
How the Conflict Is Resolved #
The GDPR resolves the conflict itself. Art. 17(3)(b) states that the right to erasure does not apply where processing is necessary to comply with a legal obligation. A statutory retention obligation is exactly such a legal obligation.
The resulting prioritization rule:
- During the retention period: the retention obligation takes precedence. An erasure request for an archived invoice is refused for that record, with the legal basis documented (Art. 17(3)(b) plus the applicable national retention rule).
- After the retention period expires: the legal basis for storage disappears, and the GDPR obligations take over. Now the data must be erased; continued retention without a purpose violates Art. 5(1)(e).
Both halves matter. Companies fail audits for deleting too early, and they collect findings (and fines up to EUR 20 million or 4% of global annual turnover) for keeping personal data indefinitely “just in case.”
What This Means for Archive Architecture #
Retention Management Is Mandatory #
A compliant archive needs deadline-based retention management:
- Every record carries a retention class (record type, applicable rule, expiry date)
- Different record types get different periods: a single global retention setting is almost always wrong
- When the period expires, deletion is executed and documented
WORM and Deletion Are Compatible #
Hardware WORM seems to contradict erasure, but compliance-grade systems are built for exactly this lifecycle. Silent Cubes, for example, enforce immutability for the duration of the configured retention period; after expiry, records become deletable, and the deletion itself is logged. During the retention period nothing and no one (including administrators) can alter or remove the record, which is precisely what the integrity requirements demand (GDPR Art. 5(1)(f), national bookkeeping standards such as the German GoBD).
Accountability #
Art. 5(2) requires you to demonstrate compliance. For the archive, that means documenting:
- The retention schedule per record type, with legal basis
- The refusal process for erasure requests during retention (with the Art. 17(3)(b) justification)
- The deletion process after expiry, with execution logs
Practical Steps #
- Map record types to retention periods under the laws applicable in your member state(s); involve legal counsel for cross-border operations.
- Implement retention classes in the archive system so expiry is tracked per record, not per system.
- Automate deletion after expiry, with logging, so storage limitation is met without manual sweeps.
- Document the whole procedure as part of your archiving process documentation; auditors and data protection authorities both ask for it.
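The following is an added, constructed example (not code from the article, from Silent Cubes, or from any real archive product) that models the lifecycle described in the retention-management, WORM and accountability sections above in one place: every record carries a retention class with rule and expiry date, alteration is refused outright (write once), an erasure request is refused with the Art. 17(3)(b) basis while retention runs and executed once it has ended, an automated sweep deletes expired records, and every decision lands in an audit log. The record types, rule labels, sample records and the expiry convention (end of the calendar year of creation plus the retention years) are assumptions for illustration, not a legal schedule.

```python
"""Retention-management model for a compliance archive (constructed example)."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List

# Retention classes keyed by record type: (applicable rule, years).
# Years follow the German examples in the article; rule labels are
# placeholders for the national provision your counsel identifies.
RETENTION_CLASSES: Dict[str, tuple] = {
    "invoice": ("national tax/accounting rule for invoices", 8),
    "annual_accounts": ("national commercial law for annual accounts", 10),
    "correspondence": ("national commercial law for correspondence", 6),
}

ERASURE_EXEMPTION = "GDPR Art. 17(3)(b): processing necessary to comply with a legal obligation"
STORAGE_LIMITATION = "GDPR Art. 5(1)(e): storage limitation"


def retention_expiry(created: date, years: int) -> date:
    """Assumed convention: the period runs from the end of the calendar year
    of creation, so an 8-year invoice created in 2026 expires on 2034-12-31."""
    return date(created.year + years, 12, 31)


class ImmutabilityError(Exception):
    """Raised when something tries to alter or remove a record under retention."""


@dataclass
class Record:
    record_id: str
    record_type: str
    created: date
    payload: bytes
    rule: str = field(init=False)
    expiry: date = field(init=False)

    def __post_init__(self) -> None:
        # Retention class is resolved per record, not per system.
        self.rule, years = RETENTION_CLASSES[self.record_type]
        self.expiry = retention_expiry(self.created, years)

    def under_retention(self, today: date) -> bool:
        return today <= self.expiry


class ComplianceArchive:
    """WORM-style archive: immutable during retention, deletable (and logged) after."""

    def __init__(self) -> None:
        self._records: Dict[str, Record] = {}
        self.audit_log: List[dict] = []   # accountability trail (Art. 5(2))

    def _log(self, event: str, record_id: str, today: date, **details) -> None:
        self.audit_log.append({"date": today.isoformat(), "event": event,
                               "record_id": record_id, **details})

    def store(self, record: Record, today: date) -> None:
        if record.record_id in self._records:
            raise ImmutabilityError("record ids are write-once")
        self._records[record.record_id] = record
        self._log("stored", record.record_id, today, record_type=record.record_type,
                  rule=record.rule, expiry=record.expiry.isoformat())

    def alter(self, record_id: str, payload: bytes, today: date) -> None:
        """Write once: content is never changed, regardless of who asks or when."""
        raise ImmutabilityError(f"{record_id} is write-once; alteration refused")

    def request_erasure(self, record_id: str, today: date) -> dict:
        """Art. 17 request: refused with a documented basis during retention,
        executed and logged once the retention period has expired."""
        rec = self._records.get(record_id)
        if rec is None:
            return {"decision": "not_found", "record_id": record_id}
        if rec.under_retention(today):
            basis = f"{ERASURE_EXEMPTION}; {rec.rule}"
            self._log("erasure_refused", record_id, today, basis=basis)
            return {"decision": "refused", "record_id": record_id, "basis": basis,
                    "retained_until": rec.expiry.isoformat()}
        self._delete(rec, today, trigger="erasure_request")
        return {"decision": "erased", "record_id": record_id, "basis": STORAGE_LIMITATION}

    def _delete(self, rec: Record, today: date, trigger: str) -> None:
        del self._records[rec.record_id]
        self._log("deleted", rec.record_id, today, trigger=trigger,
                  basis=STORAGE_LIMITATION, expired=rec.expiry.isoformat())

    def expiry_sweep(self, today: date) -> List[str]:
        """Automated deletion of every record whose retention period has ended."""
        expired = [r for r in self._records.values() if not r.under_retention(today)]
        for rec in expired:
            self._delete(rec, today, trigger="expiry_sweep")
        return [r.record_id for r in expired]

    def retention_schedule(self) -> List[dict]:
        """The schedule per record type with its legal basis, for auditors."""
        return [{"record_type": t, "rule": rule, "years": y}
                for t, (rule, y) in RETENTION_CLASSES.items()]

    def contains(self, record_id: str) -> bool:
        return record_id in self._records


def build_sample_archive() -> ComplianceArchive:
    """Constructed sample data: three records in three retention classes."""
    archive = ComplianceArchive()
    t0 = date(2026, 4, 16)
    archive.store(Record("INV-0001", "invoice", date(2026, 3, 2), b"invoice, Jane Doe"), t0)
    archive.store(Record("AA-2025", "annual_accounts", date(2026, 1, 31), b"accounts"), t0)
    archive.store(Record("MAIL-77", "correspondence", date(2024, 6, 5), b"letter, J. Doe"), t0)
    return archive


if __name__ == "__main__":
    arch = build_sample_archive()
    print(arch.request_erasure("INV-0001", date(2027, 1, 1)))   # refused, basis documented
    print(arch.expiry_sweep(date(2031, 1, 1)))                  # only MAIL-77 has expired
    print(arch.request_erasure("INV-0001", date(2035, 1, 1)))   # now erased
    for entry in arch.audit_log:
        print(entry)
```

The point of keeping the decision and the log together is that the same call both answers the data subject and produces the evidence an auditor or supervisory authority will ask for: the refusal carries the exemption and the national rule, the deletion carries the expiry date that justified it.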
Further Resources #
→ Audit-Proof Archiving Guide (/en/blog/revisionssicherheit-leitfaden/)
→ What Is Audit-Proof Archiving? (/en/blog/was-ist-revisionssicherheit/)
→ The 10 Criteria of Audit-Proof Archiving (/en/blog/10-kriterien-revisionssicherheit/)
→ Silent Cubes: Hardware Archive Storage (/en/produkte/silent-cubes/)
GDPR
The GDPR (General Data Protection Regulation, EU 2016/679) is the European regulation for the protection of personal data — particularly relevant for IT infrastructure in Art. 5 (principles), Art. 17 (right to erasure), Art. 28 (processors) and Art. 32 (security of processing).
GoBD
The GoBD (Principles for the Proper Management and Storage of Books, Records and Documents in Electronic Form as well as Data Access) is a German Federal Ministry of Finance letter that specifies how tax-relevant documents must be archived electronically in Germany — particularly regarding immutability, completeness and auditability.
WORM
WORM (Write Once, Read Many) refers to a storage principle in which data is written once and can technically no longer be altered or deleted — in hardware WORM, this immutability is a physical property of the storage controller, independent of software, operating system or user privileges.
Audit-Proof Archiving
Audit-proof archiving describes the legally required property of an archiving system that preserves documents completely, immutably, traceably and accessibly at all times — and that this can be demonstrated without gaps to tax authorities, auditors and data protection supervisory bodies.