
Paperless GoBD explained simply – What to store, where, and for how long

Paperless and legally compliant – Germany, Austria, Switzerland, and abroad for private individuals, small businesses, companies, and associations. Who has to keep what for how long.

1. Where Does the GoBD Apply?

The GoBD (“Principles for the Proper Management and Retention of Books, Records and Documents in Electronic Form and for Data Access”) is a German tax regulation issued by the Federal Ministry of Finance (BMF).
It applies only within Germany – specifically to:

  • Businesses, freelancers, associations, and sole proprietors that are tax-liable in Germany,
  • as well as private individuals who keep tax-relevant records (e.g. rental income, capital gains).

👉 The GoBD does not apply in Austria, Switzerland, or other EU countries — those have their own legal frameworks (e.g. BAO, OR, VAT law, GDPR).

Note

I have chosen the GoBD (Germany) as an example – also to show a little bit how “overly bureaucratic” Germany is. The information in this article refers to the GoBD and may differ from the BAO, OR and other countries!

In other EU countries, the whole thing is not quite so strict. As mentioned, the BAO, OR, UStG, and GDPR apply there. Outside Europe—i.e., abroad—your competent authority will provide you with information about what you need to bear in mind… if there is anything to bear in mind at all.

If you are still liable for tax in Germany, even if you have already emigrated, you should continue to comply with the GoBD – until your tax liability in Germany has officially ended. After that, of course, the retention periods after the end of tax liability must also be observed.


Briefly Explained: GoBD, BAO, OR, UStG and GDPR

GoBD, BAO, OR and UStG define “how long and how securely” documents must be stored — with a focus on tax traceability.

The GDPR defines “who may see what and when it must be deleted” — focusing on data protection and access control.

Paperless-ngx can cover both aspects if:

  • audit logs, OCR, and PDF/A are enabled,
  • access is managed through user permissions,
  • and regular backups and deletion procedures are documented.

GoBD = mandatory for Germany
BAO / OR = national equivalents in Austria & Switzerland
UStG = tax regulation (especially for invoices)
GDPR = data protection framework for all EU member states

With the right configuration, Paperless-ngx can be operated in full GoBD-like or legally compliant mode in all three countries — as long as immutability and proper documentation are ensured.

☝️ TIP!

In general, it’s best to get in touch with your local tax authority and submit the following documents for review and approval:

  • Audit Checklist (GoBD compliant)
  • Process Documentation

This way, you can make sure that your setup fully meets the legal requirements and avoid any unpleasant surprises later on.

You’ll find templates for download at the end of this article.

Implementing Guidelines in the Private Sector

If you want to be 100% certain that no one can question the authenticity of your digital documents, I recommend applying the GoBD principles – or the equivalent regulations in your country – even in your private records.
Even if you don’t coordinate this with the authorities, doing so provides security and traceability for your documents.

Data Backup – Not GoBD Compliant

A particularly important point is the regular backup of your data.
The loss of your documents can have serious consequences – both privately and professionally.

You can use this type of data backup if you have decided to use Paperless-ngx in a non-GoBD-compliant way, i.e., for private use only.

The reason is that the script used here only keeps the last three backups. However, the GoBD regulations require that tax-relevant data remain accessible to the tax authorities (Z1: direct access, Z2: machine analysis, Z3: data export) – this is not covered in this script.

For Paperless-ngx, this means that exports must be prepared in advance to allow for a quick response during an audit. This point is also not addressed by the script.

This post focuses exclusively on data backup that is not GoBD compliant:

Data Backup – GoBD or Legally Compliant

A detailed post about compliant data backup will be published at a later time.
At this point, I cannot say what the final solution will look like – whether it will be a Docker container or a script.

As a temporary solution, you can use the non-compliant backup script and simply disable the deletion function for old backups.

That should be sufficient until the post on legally compliant data backup is released.

2. Retention Periods at a Glance

Depending on the type of documents and the entity, the required retention periods vary.
Here’s a concise overview:

| Category | Private Individual | Small Business / Freelancer | Association | Company (Corporation) |
|---|---|---|---|---|
| Tax records / accounting documents | 10 years (if rental or business income) | 10 years | 10 years | 10 years |
| Contracts (rental, service, suppliers) | until 3 years after termination | 6–10 years if tax-relevant | 6 years | 10 years |
| Insurance documents | until contract end + 3 years | 6–10 years (if business-related) | 6 years | 10 years |
| Correspondence of tax relevance | 3–6 years | 6 years | 6 years | 6 years |
| Invoices / payment receipts | 2 years (private) | 10 years | 10 years | 10 years |
| Bank records / statements | 3 years (private) | 10 years | 10 years | 10 years |
| Real estate | up to 30 years | up to 30 years | up to 30 years | up to 30 years |

💡 Tip: If private documents are relevant for taxes (e.g. home office, property rental), keeping them digitally for 10 years is strongly recommended.

3. Making Paperless GoBD-Compliant

Paperless-ngx is an excellent digital archiving tool.
To make it GoBD-compliant, a few practical measures are necessary — varying by use case.

Required Measures Overview

| Category / Document Type | Private | Small Business | Association | Company |
|---|---|---|---|---|
| Contracts | No | Yes | Yes | Yes |
| Insurances | No | Yes | Yes | Yes |
| Accounting, Tax & Finance | Optional (if tax-relevant) | Yes | Yes | Yes |
| Technical GoBD Features (audit log, OCR, WORM, backup) | Recommended | Required | Required | Mandatory |
| Digital annual archiving | No | Yes | Required | Yes |
| Process Documentation | No | Yes | Yes | Yes |

Short Explanation – Key Measures

  • Activate audit log: Track all changes with date and user.
  • Use WORM or object-locked storage: Prevent document alterations.
  • Enable OCR & PDF/A output: Ensure readability and long-term archiving.
  • Set up secure backups: Perform regular restore tests and log them.
  • Perform digital annual archiving: Keep an export that you can provide as evidence in the event of a tax audit or system failure.
  • Create a short process documentation: Especially for associations and businesses.

Disclaimer

The information provided in this post has been compiled with great care and is intended for general informational purposes only.

It does not constitute legal, tax, or financial advice and cannot replace professional consultation from a qualified tax advisor, lawyer, or relevant authority.

All details are provided without any guarantee of completeness, accuracy, or timeliness.
Tax and legal regulations – such as GoBD, BAO, OR, VAT Act, or GDPR – may change over time or be interpreted differently depending on the country.

The author accepts no liability for any damages or disadvantages arising from the use of, or reliance on, the information contained in this post.

Anyone with specific questions about their tax situation should always seek advice from a qualified professional or the appropriate authority.


Step-by-Step Guide: Making Paperless GoBD-Compliant

1. Enable the Audit Log

  • Open your container environment variables.
  • Add: PAPERLESS_AUDIT_LOG_ENABLED=true
  • This ensures every document change is tracked (who, when, what).

2. Schedule the Sanity Checker

  • Activates integrity verification for stored files.
  • Add: PAPERLESS_SANITY_TASK_CRON="30 0 * * SUN"
  • Runs weekly to detect altered or missing files.

3. Use WORM / Object-Locked Storage (Immutability)

  • Point MEDIA_ROOT to write-once storage (e.g. AWS S3 with Object Lock, WORM NAS, or a read-only mount): PAPERLESS_MEDIA_ROOT=/data/media
  • Prevents deletion or overwriting of original documents.

4. Enable PDF/A and OCR

  • Ensure long-term readability and machine processing:
    PAPERLESS_OCR_OUTPUT_TYPE=pdfa
    PAPERLESS_OCR_MODE=skip
  • Converts all scanned files into searchable, GoBD-compliant PDF/A documents.

5. Control User Rights & Deletion

  • Create roles such as Accounting, Viewer, and Admin.
  • Only admins may delete documents — and all deletions are logged.
  • Avoid automatic trash purging.

6. Perform Audit-Proof Backups

  • Back up your database and media daily to a separate, immutable location (e.g. Object-Locked S3 or external drive).
  • Perform and log restore tests monthly.

7. Digital annual archiving

  • Depending on requirements or internal specifications, archiving can be carried out monthly, quarterly, or annually.
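  • Example command line (Paperless-ngx's export command is document_exporter; it takes a target directory and exports the complete archive, originals and PDF/A archive versions included, rather than a tag selection):
    docker exec -it paperless-webserver \
      document_exporter /usr/src/paperless/export \
      --zip --zip-name steuer_2024
  • It is recommended to schedule the execution automatically, e.g., via a cron job or external backup automation (omit -it there, since cron provides no TTY).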

8. Write a Short Process Documentation

  • Describe how documents are captured, processed, backed up, and verified.
  • Include responsibilities, backup frequency, deletion rules, and review intervals.

9. Conduct Regular Internal Audits

  • Every 6–12 months:
    • Review logs
    • Check the sanity report
    • Test backup restores
  • Record findings (date, responsible person, results).
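
Steps 6 and 9 call for logged restore tests. The following added example (not part of the original article and not Paperless-ngx code) records a SHA-256 manifest at backup time, checks a restored copy against it, and appends date, responsible person and result to a log. The function names, paths, log format and the person name are assumptions; the sample files are constructed.

```bash
#!/usr/bin/env bash
# Added example: restore-test verification for a Paperless-ngx backup.
# Paths, file names and the log format are assumptions, not Paperless defaults.

# Record a SHA-256 manifest of every file under the backed-up directory.
# Keep the manifest outside that directory, ideally on the immutable target.
write_manifest() {  # usage: write_manifest <media_dir> <manifest_file>
  ( cd "$1" && find . -type f -print0 | sort -z | xargs -0 -r sha256sum ) > "$2"
}

# Check a restored copy against the manifest; altered and missing files both fail.
verify_restore() {  # usage: verify_restore <restored_dir> <manifest_file>
  local manifest
  manifest=$(realpath "$2") || return 2
  ( cd "$1" && sha256sum --check --quiet "$manifest" ) >/dev/null 2>&1
}

# Run one restore test and append date, responsible person, path and result.
restore_test() {  # usage: restore_test <restored_dir> <manifest> <log> <person>
  local result=FAIL
  if verify_restore "$1" "$2"; then result=PASS; fi
  printf '%s\t%s\t%s\t%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$4" "$1" "$result" >> "$3"
  [ "$result" = PASS ]
}

# Constructed demo: a fake backup, a clean restore, then a tampered restore.
demo() {
  local t
  t=$(mktemp -d)
  mkdir -p "$t/backup/documents/originals"
  echo "invoice 2024-001" > "$t/backup/documents/originals/0000001.pdf"
  echo "invoice 2024-002" > "$t/backup/documents/originals/0000002.pdf"
  write_manifest "$t/backup" "$t/manifest.sha256"
  cp -r "$t/backup" "$t/restore_ok"
  cp -r "$t/backup" "$t/restore_bad"
  echo "edited" >> "$t/restore_bad/documents/originals/0000002.pdf"
  restore_test "$t/restore_ok"  "$t/manifest.sha256" "$t/restore-tests.log" "j.doe" || true
  restore_test "$t/restore_bad" "$t/manifest.sha256" "$t/restore-tests.log" "j.doe" || true
  cat "$t/restore-tests.log"   # one PASS line, one FAIL line
  rm -rf "$t"
}
demo
```

The check does not flag extra files that appear only in the restored copy; it covers the altered and missing cases that the sanity checker also targets.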

✅ Done!
With these nine steps, your Paperless setup will meet the key GoBD compliance requirements — technically and organizationally — whether used privately or professionally.


📄 Downloads

For those who would like to dive a bit deeper into the topic, here are two useful resources:

👉 Download: Audit Checklist (GoBD compliant)
👉 Download: Sample Process Documentation

These documents can help you organize and review your own digital archive or accounting setup.

They don’t replace professional advice, but they do provide a solid framework to keep the most important points in mind.

Good luck with your setup — and remember: a little order today can save you a big audit tomorrow 😉

Conclusion

The GoBD is not just for corporations —
even private individuals can benefit from clear, compliant digital archiving.
With Paperless-ngx and a few simple procedures, GoBD compliance is realistic, practical, and future-proof — whether for home, club, or business use.
