SecuMail-Blog

eMail legally compliant

Have the honor

The legal situation regarding web-used e-mail traffic in Germany seems confusing. Although terms such as private mails or audit-proof archiving are probably familiar to most administrators and managers, it is generally not so clear which measures are required by law and which of them should actually be carried out. To make matters worse, some of the legal requirements also contradict each other.

I would like to give an answer to the following questions:

1. Do I have to archive e-mails in my company?
Yes! Here, for once, the law is quite clear. Every company has always kept all business documents in paper form and stores the heavy folders in the basement for years. In principle, this also applies to electronically transmitted documents.

2. Which e-mails need to be archived?
All documents that would have been packed into a folder as a paper document must also be archived as an electronic document. In detail, these are the following documents: trading books, inventories, annual financial statements, consolidated financial statements and group management reports, as well as work instructions and other organisational documents, commercial letters or accounting documents received and sent.
Any informal e-mail correspondence can also be considered a “commercial letter” as soon as it serves to prepare, execute and conclude or reverse a transaction. This probably includes almost all e-mails sent and received for business.

3. How long does archiving have to be carried out?
This depends on the content of the e-mail. As with documents in paper form, commercial letters must be kept for six years and all other (above-mentioned) documents for ten years.

4. Do private e-mails play a role?
Definitely! Private e-mails make the handling of company e-mails much more complicated. As long as it cannot be completely ruled out (!) that private e-mails are among the company e-mails, the company is subject to the obligations of telecommunications secrecy according to the Telecommunications Act. The company is then only allowed to access the e-mail inboxes to ensure technical provision, and even for this, consent would have to be obtained from the employees or the works council. In any case, the employees have the right to have private e-mails removed from the archive or deleted at any time.
Many people are not aware that the entire mailbox is absolutely taboo for every other employee as soon as private emails could be involved. This is already problematic when handling a vacation replacement.
According to the official statement, private e-mails should therefore be excluded from any archiving. However, it is not explained how this is to be done.
In larger companies, it is therefore advisable to prohibit the private use of the e-mail system completely. However, this would have to be agreed in writing and regularly checked.

6. What characteristics are required by law?

  • The retrievable storage of the e-mails provided for this purpose
  • The immutability of all archived e-mails.
  • The release of relevant data to the tax office if it is requested
  • The deletion of illegal content
  • The possibility to archive only selected e-mails (e.g. due to data protection)
  • The signature of the e-mails with the S/MIME standard.

7. What technique is prescribed?
The technology itself is not regulated. You are free to choose the system and its provider. For the legislator, it also does not matter whether the archiving is carried out in-house or externally, e.g. together with a spam filter, as long as the handling complies with the rules.

8. Are there any advantages?
There is no disadvantage without a corresponding advantage! In addition to the legal aspect, there are also a few practical benefits.

  • All e-mails are backed up.
  • E-mails remain available for at least six years.
  • As a rule, such e-mail archives are completely indexed and enable a full-text search.
  • Mailboxes can be reduced in size by moving older e-mails to the archive earlier. This can save infrastructure and load.
  • Internal business procedures and processes can gain transparency through such measures.

9. What’s the problem?
There are some contradictions that cannot be reconciled and thus stand in the way of 100% legal certainty.
For example, the archived content must be both unchangeable and erasable. A tricky affair!
In practice, if you really want to do everything right, it could look like this, for example:
An employee leaves the company in a dispute and wants to harm it. He asserts his claim to the release and deletion of his private e-mails in the company account. Since the sending of private e-mails was not effectively prohibited, he can enforce the claim in court and the State Prosecutor’s Office demands that the company delete the e-mails in question or destroy the entire archive.
Since the archive is immutable, the company cannot solve the dilemma itself. Next, it is agreed with the manufacturer of the archiving software used that the change protection will be lifted for a period of about 30 minutes. During this time, the company would have the opportunity to carry out the deletion together with a lawyer to document the process and, if necessary, a data protection officer …
Many smaller companies would probably be bankrupt by now at the latest! 🙁

Result:
Doing nothing at all is not enough, but it is very difficult to get everything watertight. There is no way around e-mail archiving, because the regulation is clear and plausible. In detail, however, the jumble of regulations cannot be implemented in a practical way.
For these reasons, our admins are currently tasked with creating a suitable solution for us and our customers. It is expected that the SecuMail® spam filter will be expanded to include a corresponding function.

Addendum on 30.5.2011:
We offer a suitable solution!

IT remains exciting!

Yours, Hannes Wilhelm
