The legal burden on organisations is becoming increasingly heavy. For one thing, files that are relevant to taxation may have to be archived for ten years or more; and they must be kept in a form that ensures they can be audited. Moreover, management can also be held personally responsible for the security of data and systems that are important to their business operations. For reasons of strategic legal security, it is absolutely essential that electronic business mail be kept in an orderly form that ensures it will be available at all times. This is particularly important to enable the company to produce the necessary evidence in the event of any legal dispute.
However without suitable operating regulations the unrestricted archiving of entire communications can quickly encroach on the rights of employees. In this area of conflict where workforce interests and the company’s legal obligations are diametrically opposed, it is all too easy to lose sight of the situation as a whole. If there is no recognised way of organising electronic business transactions, frequently there is the unfortunate consequence that management and workforce simply “muddle along”. But the state will not stand idly by where its fiscal interests are concerned. The legal disadvantages and sanctions imposed on violations of archive-relevant retention, confidentiality and data protection obligations are already considerable. In particular, careless handling of e-mail against the backdrop of data protection legislation, management’s commercial duties and the principles of sound accounting practice can prove to be very damaging. Other problems and peculiarities arise when using e-mail in the context of electronic billing. From an economic viewpoint, the main risk is posed by the consequences of civil liability in the event of business-critical information not being available. This article has been written to give readers an idea about the legal situation and technical and organisational duties they give rise to.
The Dependence on the availability of information and IT
Studies prove that even a ten-day outage of key IT systems can have such a damaging effect on a company that it has a 50-per-cent probability of disappearing from the market within five years1. From this knowledge derives the duty to implement an effective risk management system at the national and international level (including the availability of business-critical information such as electronic mail, development documentation, business and trade secrets, business-critical and other documentation needed for evidence purposes, etc.). Balanced against this is the fact that electronic archiving in Germany is still in its nascent stages compared to practices in the US. Only a quarter of decision-makers surveyed said that their company archived to the letter of the law, while a third were not aware of any obligation to do so2. But how do these diametrically opposed results – independence from IT performance in general and the availability of business-critical information on the one hand, and neglecting to implement the mandatory measures technically and organisationally on the other – go together? Many companies still restrict compliance and information management to audits and tax inspections, at most adding operational data protection. They are faced with the risk of state-imposed sanctions or pecuniary disadvantages (e.g. fines, punitive assessments, loss of tax relief such as input tax) in relation to the calculable costs connected with a reorganisation of IT, but neglect to realise that nowadays the information and its availability represents an essential corporate resource (know-how, documentary evidence) … and thus in relation to any tax implications represent the far more damaging source of liability3
Is there a legal obligation to safeguard IT security?
In our private life we have long been accustomed to taking extensive precautions against the loss of, or damage to, our possessions. We do so, for example by means of alarm systems, safes, banks, and insurance policies. We are now experiencing similar security requirements in the IT environment. Given the legal duty to maintain general protection and duty of care4, the organisation must provide an infrastructure that is in keeping with technology development and must set out the appropriate organisational guidelines as well.
This applies to communication and data-processing systems, which are particularly susceptible to damage, and are frequently the most important resources in the company. The IT and procurement departments should have the necessary budget for firewalls, filter systems (viruses, spam, URL, and content), together with suitable backup and archiving procedures. From the organisational point of view, management, for its part, must provide an efficient system of risk management5. IT insurance, the various certification methods, the establishment of operational user and security policies, and the regular training of employees in the use of electronic media are other ways of creating legal security.
The need for convergence between technology and law – which, in technical jargon, we come across under the keyword “Compliance”6 – is becoming increasingly important, particularly from the point of view of securing relief from liability. If the set limits are transgressed, the company will be held primarily responsible for the legal consequences laid down by the state. However, the various bodies acting for the company (such as the managing board and the executive directors) may also have to bear such responsibility personally.
IT risk management
IT security is mainly a matter of maintaining the integrity and confidentiality of data. As a result, the legal obligations that companies have to comply with concern, for example, the secure input and output of electronic information ( such as e-mails, postings and purchase orders)7 and the safekeeping and protection of data about customers and employees8.
Over and above these general requirements, the law that governs controlling and transparency in business transactions (KonTraG, the Law on Controlling and transparency) demands an efficient system of risk management9 that is unanimously regarded as providing monitoring and early identification, together with the relevant response scenarios in the event of any damage. The bodies belonging to joint-stock companies and larger corporations10 must draw up and put into practice suitable measures to safeguard IT security in their company, and to protect systems and items of data that are important for their business operations. If damage does occur, it will be presumed to be their fault11. It is particularly worth noting that the Law on Controlling and Transparency states that the managing bodies will personally have to pay compensation for any damage that is caused by IT mismanagement in the company12.
As might be expected, legal judgments also assume that there is a legal obligation to back up data promptly, comprehensively and reliably13. Failure to meet this obligation can result in the loss of insurance cover. Firstly, this applies to cases of gross negligence. Alternatively, a claim of contributory negligence lodged by the opposing insurer can lead to a reduction of one’s own claims for damages to zero in extreme cases if deficiencies in IT compliance have enabled, caused or increased the damage.
More specific laws and guidelines on data backup are set out in the German Commercial Code14 and the Fiscal Code15 and in the Principles of Proper DP-based Accounting Systems (GOBS of 1995)16 and the Principles Governing Access to Data and the Verifiability of Documents Produced Originally in Digital Form (GDPdU of 2002)17, which everyone responsible for making postings must comply with.
The legal obligations that have been mentioned therefore refer to the secure dissemination and storage of information. The obligations always refer to sensitive information in the form of data, and they include the requirement to make such information available in a particular way for a particular length of time. In brief – and to stick to the jargon – it is a matter of information lifecycle management. The obligations in this area cover, among other things, the need to make certain that the data is archived in a way that is technically and legally secure, and to ensure its integrity and availability at all times. The consequences of liability are incurred if there is no concept for protecting – or, if necessary, recovering – the data, or if the concept that does exist is unsuitable.
To sum up, it can be seen that the existence of an effective risk management system kept constantly up-to-date has now become established above and beyond the special legal regulations indicated as part of the “commercial duty of care” into a general and central principle of proper business practices whose infringement can lead to claims against those organisationally responsible under the laws of liability for the “cardinal duty” of IT security. This duty of care, beyond compliance with certain peremptory retention criteria (in particular in tax and trade legislation and duties to provide documentation imposed on the makers of certain products), includes an organisational obligation to retain all business-critical data relevant to guarantee and warranty periods, the statute of limitations on claims or liability (in Germany up to 30 years) etc. in an orderly and complete manner for the purposes of securing evidence. The success of the chain of evidence is primarily influenced by the evidential quality of the documents available. This above all affects questions of compliance in relation to legislation, and, where privacy is concerned, national and international regulations governing the collection, use, processing and transmission of personal data.
Focus on legally secure e-mail archiving
The need to back up data as part of IT security applies in particular to e-mails. The legal nature of e-mails can take many different forms.
E-mails as electronic statements with legal relevance
E-mails can, for instance, be electronic declaration of intention such as proposal or acceptance, etc. For this reason, it is necessary to check the accounts each day in business transactions18. This is because the simple receipt of an e-mail – that is to say, the ability to be retrieved from the e-mail server – can have legal consequences for the business recipient (or its employees), even though it does not know what the e-mail actually contains19. Care must therefore be taken with the use of e-mail addresses on business cards, the Internet, and business letters. When an electronic invoice20 or warning is received, for instance, payment or delay sequences are set in motion, as the case may be. And in commercial transactions between sales executives, the contractual partner must either respond to an offer without delay by sending a so-called commercial letter of confirmation, or it must reject the offer, whichever is appropriate. If it fails to do so, it will have to abide by the contents of the contract confirmed by its contractual partner, even though it had assumed that something quite different had been agreed. In keeping with commercial practice, silence will be interpreted as consent21. All those who give their business e-mail address as a means of contact in their day-to-day business must therefore make certain that they check their mailbox every day.
E-mails as a means of providing evidence in the documentation of important operational processes
In addition to the contractual component, e-mail is also the means of essential ( or at least commercially requisite) documentation. The example of e-mail shows particularly clearly that it is in the interest of the company to collect, save and analyse as much information as possible, and to keep it on hand for future use, both for the sake of its own legal security and to enable it to produce legal evidence when required. This frequently results in the desire to record all business correspondence automatically until the limits of storage capacity are reached, and to save the material over a fairly long period, because, in a court case, each party has to present and prove the facts that are favourable to its own case. In principle, an e-mail has no greater evidential value than, say, a printout from the Internet, or a copy of a paper document, or a photograph. (This does not, however, apply to an e-mail that has a valid electronic signature in accordance with the Signature Act.)22 As the object of free evidential assessment23, therefore, it is only subject to inspection by the court. Nevertheless, it normally has a “competitive edge” as a piece of legal evidence. This is because the printout of an e-mail is frequently the only evidence that the court has available to help it reach its verdict. The e-mail provides evidence of the genuineness of its contents, and shows the sender, the recipient, the date of dispatch, and the date of receipt. In addition, it can be a valuable aid to memory when witnesses are being examined. Because of its duty to tell the truth in court, the party seeking to defend itself by disputing the facts of the case cannot make a sweeping denial of any details that are documented in the e-mail24. Any objection to the effect that the e-mail did not come from the person concerned, that it had not been received, that it had the wrong dates, or that its contents had been falsified would be therefore have to be fully substantiated by the party raising the objection.
The limits of documentation: e-mails and the protection of employees
As mentioned earlier, however, the law on data protection, and the confidentiality of employees’25 telecommunications, set a limit to how far such precautions can go. Thus, where private e-mails are permitted or tolerated, their contents cannot, in principle, be monitored without the consent of the employees or their agents (that is to say, the staff council). It is furthermore important to note that private e-mails belong to the employees concerned, and the employees can demand to hold on to them, including, in principle, after they leave the firm. There are also problems in suppressing or deleting private e-mail by means of spam filters26. To overcome these conflicts of interest, legal organisational measures will ultimately have to be introduced. These include concluding individual contractual agreements with employees, reaching works agreements, introducing security and user policies, and running regular training and qualification courses for employees.
E-mails as elements in the legally mandatory documentation of business transactions
It is not widely known that companies are obliged under the principles of commercial law and tax law to archive their business correspondence ( “commercial or business letters”). This applies to documents that may be important for giving an overview of a particular business transaction (that is to say, its preparation, execution or cancellation), irrespective of the form in which they are available (letters, faxes or e-mails). Such documents therefore include, for example, orders and their confirmation, delivery documents, invoices and copies of invoices, complaints and the related statements, credit notes and payment vouchers, bank statements, decisions about tax and fees, cash documents, product and price lists ( including relevant circulars providing information to customers), contracts, and documents relating to salaries. The background to this wide-ranging obligation is the requirement for transparency and auditing security – that is to say, the archiving of all vouchers and documents that may be of importance for checking business operations and in the normal courts27.
Permissible forms of archiving
Under the terms of commercial and tax law28, posting vouchers, and business and commercial letters that have been received and sent, can also be archived for reproduction later on an image medium or on other data media, provided this complies with the Principles of Proper Accounting (GOBS), and so long as the following requirements are met:
- The appearance of the reproduction or data must tally with that of the commercial letters and posting vouchers that have been received, and its content must tally with that of the other documents when it is turned into a readable form.
- The documents stored in this way must be available throughout the entire retention period.
- It must be possible to turn them into a readable form at any time within a reasonable period, and it must be possible to analyse them mechanically for taxation purposes.
Commercial and tax law therefore stipulate that the entrepreneur must ensure transparency, together with auditing and data security. The Principles of Proper Accounting provide the regulatory framework for the commercial-law principles of order, comprehensibility, and security against falsification, while the Principles Governing Data Access and the Verifiability of Documents Produced Originally in Digital Form (GDPdU), which were developed when changes were made to the Fiscal Code, ultimately extend these principles to all documents relevant to tax law that were originally produced in digital form.
In addition to providing suitable safety precautions against unauthorised access to archived programmes and data inventories, against the inability to trace these programs and inventories, and against their destruction and theft, the Principles of Proper Accounting and the Principles Governing Data Access and the Verifiability of Documents Produced Originally in Digital Form also set out regulations for archiving digital documents and for accessing them when external audits are being conducted. It must be possible to verify and provide evidence for all business transactions, for the comprehensibility of any cancellations and changes, for data security, for internal controlling and for compliance with the statutory retention periods. Comprehensive procedural documentation taking into consideration these procedures is also necessary. It must describe in detail how the relevant items of information have been created, arranged, saved, indexed and protected, and how they can be traced again later and reproduced without any loss29. It must be possible to make the archived data available in a form that can be reproduced, mechanically read, and analysed. It must be possible for the checking software being used at the time for financial administration to evaluate the information within the correct period. The party with an obligation to pay tax must cooperate in this process30. When e-mails are archived, care must be taken to ensure that their attachments are also archived with them. And if they are signed and encrypted, the encrypted and decrypted versions must be stored as well, together with the keys.
This applies to all documents relevant to taxation – that is to say, all documents containing information that may be of importance in creating, removing or reducing fiscal charges in a tax assessment. On the other hand, it has to be admitted that the obligation to keep documents – as has already been shown – does not just apply in the narrow sense to those that are relevant to taxation; it also applies to other documents that have to be kept in compliance with the requirements of commercial law. These include items of “mere” business correspondence, and the relevant organisational documents belonging to the company (such as minutes of the foundation meeting, audit reports, decisions by the supervisory board, contracts of employment, employees’ documents relating to wages and national insurance, and contracts concluded during current business operations, together with the associated correspondence, irrespective of the form it takes)31.
The problem of archiving periods
Invoices32 and other posting vouchers, certain customs documents and books of account, together with all records33, must be kept in some countries for ten years. Other documents that are relevant under commercial and tax law (such as commercial or business letters and other documents if they are of importance for taxation purposes) must be kept for six years34.
In an automated procedure, however, it is not really possible to distinguish between commercial or business letters and other documents that are relevant to taxation (which have to be archived for at least six years), and, in particular, posting vouchers, which must be kept for at least ten years. Even an expert individual check will still have considerable legal uncertainty, unless it is carried out by a specialist tax consultant or auditor. For practical reasons, it is therefore advisable not to break down commercial and business letters into those that are “relevant to taxation” and “others”. Instead, it makes sense to abide strictly by the ten-year retention period for all documents. To do otherwise would result in unacceptable additional expenditure in terms of organisation, and would involve a considerable risk of making mistakes.
When an e-mail can also function as a voucher, it is not always possible to lay down hard and fast rules about what constitutes an accounting document relevant to taxation. This is because the e-mail does not just contain information, but is also used, for example, for invoicing or order processing. If there is any doubt, all electronically archived e-mail documents should therefore be available in a form that ensures they can be audited during the ten-year retention period.
When the six-year or ten-year retention period is being calculated, it is important to note that the period does not start until the end of the calendar year in which the business transaction concerned takes place. It is therefore necessary to establish when the posting voucher was created, or when the e-mail relevant to the transaction was sent or received. It is possible to make an extension by using open assessment periods for which there is still no final tax demand. This must therefore also be taken into account by the company when it is calculating the periods during which its documents have to be retained35. In individual cases, this can extend the retention periods by several years.
Admissible archive types
The trading and tax laws of most European countries now allow received and sent business letters and accounting records to be archived on image or other data media if it complies with and guarantees the principles of proper accounting practices. Further:
- that the reproduction or the data match the received trading letters and accounting records visually and, for the other documents, content-wise when made readable;
- that they are available during the retention period;
- and that they can be viewed at any time given a reasonable period to do so and can be
- machine-processed for taxation purposes.
In the meantime the retention requirement affects all tax-relevant documents, in other words, all information which could be significant for an assessment involving the imposition, removal or reduction of a tax burden. On the other hand, as already mentioned, retention obligations do not merely apply to tax-relevant documents in their narrower interpretation, but also to “purely” business correspondence requiring retention under commercial law and the company’s pertinent organisational documents (e.g. articles of incorporation, audit reports, board decisions, as well as employment contracts, employees’ salary and social security documents and contracts concluded as part of regular business with the correspondence associated with it, regardless of their form).
Commercial and tax law consequently require transparency and audit and data security from the company’s executives. Besides suitable security precautions against unauthorised cognizance, untraceability, destruction and theft of secured programs and databases, regulations stipulate the archiving of digital documents and access to them in the course of company audits. The auditability and verifiability of all business transactions, transparency of any cancellations and changes, data security, internal control and compliance with statutory retention periods must be assured.
Moreover, comprehensive procedural documentation is required with due regard for these processes and comprehensibly describing how the relevant information was created, organised, saved, indexed and protected and how it can be retrieved later and reproduced in its entirety. The archived data must for the most part be available in a reproducible, machine-readable and usable form. Their periodical evaluation by the latest check software issued by the tax authority must be assured. In this regard, the taxpayer shall be under obligation to cooperate.
When archiving e-mail, it must also be ensured that attachments and – if signed and encrypted – the encrypted and decrypted documents must be retained with keys. The proper handling of e-mail is a principal element of internal information management. As electronic business correspondence, they fall under the law governing retention obligations. In less frequent cases e-mails and their attachments may also be relevant to taxes. In particular, the cases of electronic invoicing, electronic document management, expenses and travel cost accounting or, in the opinion of Germany’s Finance Ministry, even tax-relevant contractual arrangements must be borne in mind.
Proper retention of business e-mail pursuant to commercial law means that electronic post must be archived on a data media by transferring the content and formatting data and adding an unalterable index. In tax law, it is also decisive for electronic retention whether the e-mail itself contains tax-relevant information or whether it functions merely as a data media for tax-relevant information. In the context of external digital audits, the obligation to retain e-mails with tax relevance is also concerned with the ability to locate and read such e-mails and their attachments where necessary. Tax relevance can obviously be said to exist when an invoice is sent by e-mail. In many countries, Germany included, a “qualified electronic signature” is required if the option of an input tax deduction should remain open. The basis for this is provided by an EU directive (2001/115/EG) which recommends that signatures be used to guarantee “authenticity of origin” and “integrity of content”. This should actually provide a pan-European standard, but is only partially the case because national implementations of it vary considerably, some countries for example not demanding a “qualified” signature to ensure maximum security.
With IDW ERS FAIT 3, the IT Committee (FAIT) of the Institute of Auditors (IDW) redefined the principles of proper accounting when using electronic archiving procedures in mid-2006. The risks linked to the use of these procedures can therefore be divided into those of a legal, technical or organisational nature. Legal risks result from the non-observance of statutory retention periods. As a consequence, the archiving process should guarantee that documents can be read throughout the entire retention period while maintaining their evidentiary effect when stored digitally. If the accounts can no longer be considered sufficiently conclusive as a result of inadequate IT security measures, tax risks can be added to the equation. The same applies if the tax authority cannot be granted access as required by the law. Technical and organisational risks include a lack of access controls and rules governing responsibilities, and insufficient migration concepts. The legal representatives are responsible for ensuring records are reliable. Proper accounting requires compliance with the relevant security criteria. Confidentiality (protection against unauthorised viewing, forwarding and publishing), integrity (indexing the saved documents and data without errors and protection against unwanted changes), availability (legibility and auditability throughout the entire retention period), authorisation (granting exclusive and specific rights and activities to a pre-assigned group of people) and authenticity of the archiving system (whereby archived documents are assigned a clear link to the pertinent business transactions). Besides these security requirements, IDW ERS FAIT 3 adds the requirements of completeness (recording of all accounting-related documents and data in their entirety), accuracy (depending on the required degree of legally required conformity with the original), timeliness (i.e. the timely transfer of documents and data to the archive system), audibility (ensuring that individual business transactions and the archiving procedure applied, including the procedural documentation, remain stored in a comprehensible way throughout the retention period) and unchangeability of electronically archived documents and data.
The consequences of a breach of the obligation to archive
It often happens in practice that folders and mailboxes are analysed at regular intervals “on one’s own initiative”. At such times, old items are moved to the archive folder, and e-mails that are considered out of date (and therefore no longer relevant to business) are deleted. This is frequently contrary to the regulations mentioned above. Contravention of the rules results in the introduction of compulsory measures, the issuing of estimates, the imposition of civil or criminal punishment, and the withdrawal of statutory tax allowances.
A breach of the retention obligations can also have consequences that go well beyond taxation. For example, the company and its various bodies may be held liable if the loss of, or the inability to trace, an e-mail makes it difficult for the financial authorities to obtain a full and complete overview of the company’s assets ( and thus to gain a coherent picture of its business transactions). For instance, anyone who is obliged under commercial law to retain books of account or other documents, but who disposes of them, conceals them, destroys them, or damages them before the retention period has expired, and who thereby makes it difficult to obtain an overview of assets, will be held to be guilty of a breach of the accounting obligation, and will be punished with up to two years’ imprisonment or a fine36. Similar situations can result in fines or in a term of imprisonment of up to five years if accounting documents are destroyed, damaged or withheld ( suppression of documents)37, or if, contrary to law, the financial authorities are not informed about important tax details, and the tax assessment is thereby reduced, or unjustified tax advantages are obtained (or tax is avoided)38. A reckless reduction in a tax assessment is in any case punishable with fines of up to 50,000 euros.
Backing-up and archiving are now an integral part of everyday life in a company. This paper has discussed the provisions regarding business e-mails that have to be complied with. One of the challenges that face the company is how these provisions are to be implemented in order to meet legal and auditing requirements, and how they can be incorporated in practice into day-to-day work. The archiving system, and the degree of complexity of the operational organisation used for implementation, must be selected in line with the value of the information concerned. From the point of view of the entrepreneur, however, it is essential not just to concentrate on meeting statutory requirements with reference to the archiving of data that is relevant under commercial and tax law; for this is only one aspect of the value of information. It is just as important to ensure there is a full record of business transactions so that the relevant evidence can be produced and information can be managed within the company. Above all, then, efficient archiving systems that make auditing possible will demonstrate their particular effectiveness when they are not just employed commercially, but are also used to save and document all items of electronic information within a company.
Pursuant to SEC rules a $10 million fine was levied against a US investment bank as early as 2000 for its failure to implement retention management for its e-mails; this was followed in 2004 by a fine of $7.5 million against another bank for its failure to surrender internal e-mails detailing business transactions. Far more wide-ranging, however, were the consequences of nonavailability of e-mails (resulting in an apparent shift in the onus of proof based on the nondeliverance of electronic business correspondence), which in the US in 2005 resulted in an order to pay damages of $1.45 billion imposed on a US bank. In Germany too, damages in the millions have been awarded on the basis of the burden of proof whereby, according to the general rules of presentation and evidence, the nonavailability of evidentiary correspondence can be decisive to a trial and judged in addition as an infringement making management liable for recourse under the general rules of due care (see also below).
The integrity of well-ordered data that is important to operations, and its availability according to regulations, are protected by the legal system. In the contractual area (especially the protection of customers and employees), Articles 311, 241 II of the German Civil Code (BGB) apply; outside the contractual area, Article 823 I of the German Civil Code applies.
Special regulations on this can be found, for example, in the law on controlling and transparency in the corporate area (the Law on Controlling and Transparency, KonTraG), in force since 01.05.1998), in the annex to Article 9 of the German Federal Data-Protection Act (BDSG), in the act regulating banking and credit business (KWG Article 25a), in the new Basel agreement on equity capital (Basel II) and in the Principles of Proper DP-Based Accounting Systems (GoBS) Tz. 5.
„Compliance“ essentially means compliance with the minimum legally binding requirements with reference to the security and availability of information. These have been refined further in new sets of rules such as the current SEC rules (Sarbanes-Oxley Act) in the USA, the new Basel agreement on equity capital (Basel II) and the German Law on Controlling and Transparency.
The relevant legal obligations are derived from the provisions of trade-and-industry law, the requirements relating to electronic business transactions (Article 312e of the German Civil Code), and the general protection and duty of care set out in Articles 823 I and 311, 241 II of the German Civil Code.
Rules governing protection can be found in numerous regulations, such as, for instance, the German Federal Data Protection Act (for example Articles 5, 7, 8, 43 and 44, and the annex to Article 9), Article 89 of the Telecommunications Act (TKG), Article 17 of the German law on unfair competition (UWG) and Articles 202, 202a, 203 to 206 of the Penal Code.
This requirement arises from the judgments relating to faxes handed down by the Federal Supreme Court. It must always be assumed that a statement conveyed by fax will be noted during business hours. The recipient has a corresponding duty to check to see what faxes have been received (see the judgment of 21.01.2004, Az. XII ZR 214/00).
In 2001, the „electronic form“ was made equivalent to the written form. Since then, for example, contracts in the form of e-mail have been legally effective provided they have a valid electronic signature (Article 2 para. 3 of the Signature Act). At the same time, the new Article 292a of the Code of Civil Procedure (ZPO) standardises what is prima facie evidence for the genuineness of such declarations, and Article 130a ZPO sets out the procedural framework for the admissibility and utility of electronic documents.
Under Article 200 I of the Fiscal Code 200, the party subject to tax must submit, among other things, records, books, business papers, and other documents for inspection and checking. This applies irrespective of the form of archiving (electronic or paper).
Including, for example, inventories, annual financial statements, situation reports, the opening balance, and the work instructions and other organisational documents that are needed for the sake of clarification.