
EU General Data Protection Regulation

GDPR-compliant document management infrastructure

A document archive holds some of your most sensitive personal data: invoices, contracts, HR files, and correspondence. When you store that data, your document management system is a GDPR data processor. We ensure yours is compliant.

What is the GDPR?

A document management system sits on top of your most sensitive records. Every invoice, contract, and HR file you archive may contain personal data. GDPR applies to every system that processes that data, not just the database where it rests. That includes your archive.

  • In force since: 25 May 2018
  • Scope: Any org processing EU personal data
  • Max fine: €20M or 4% of global turnover
  • Breach reporting: 72 hours

Key GDPR obligations for document archives

A document management system is a data processor. It stores personal data on your behalf across thousands of files. These six articles govern what obligations that creates.

1. Art. 5: Principles of processing

Archived documents must only be kept for legitimate purposes and no longer than needed, balanced against legal retention duties. We support configurable retention and document-type rules so your archive holds what it should, for as long as it should.

2. Art. 6: Lawful basis

Storing employee and customer documents requires a valid lawful basis, often legal obligation or legitimate interest. Your archive is a processing activity and should appear in your Record of Processing Activities (Art. 30).

3. Art. 17: Right to erasure

When a data subject requests deletion, you must remove their personal data, unless a legal retention duty requires you to keep the document. We support selective deletion, redaction, and legal hold so you can honor erasure without breaking retention rules.

4. Art. 28: Data processor

We act as your data processor for any personal data stored in managed document services. Our DPA covers Paperless-ngx, Docuseal, Stirling-PDF, and Mayan EDMS, and the infrastructure sub-processors involved.

5. Art. 32: Security of processing

An archive needs the same security as any data processor. Our deployments use encrypted storage, isolated tenant environments, and access controls to protect the personal data inside every document.

6. Art. 33: Breach notification

If a breach affects personal data in your managed archive, we notify you within 72 hours so you can meet your reporting obligation to your supervisory authority.

GoBD vs. GDPR: retention meets erasure

German law pulls in two directions. GoBD and §147 AO require you to retain invoices and booking records for up to 10 years, tamper-evident and retrievable. GDPR Art. 17 requires you to erase personal data on request. A document archive has to satisfy both, and that is exactly what we help you set up.

  • Retention: apply document-type retention rules so invoices and booking records are kept for the legally required period and not deleted early
  • Erasure with legal hold: when retention law applies, restrict access and redact non-required personal data instead of deleting the whole record, then purge once the retention period ends
  • Documentation: record your archive in your RoPA, with retention periods, lawful basis, and the GoBD process documentation that backs an audit
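The three steps above (document-type retention, erasure under legal hold, and an auditable record of what happened) fit together as one workflow. The following is an added example written for this page, not code from the service or from any of the document management systems it names. It assumes a constructed retention table (10 years for invoices and booking records, the period cited above; no retention duty for other types), a constructed list of fields a retained record must keep, and a simplified rule that the retention period runs from the end of the calendar year in which the document was created. An erasure request deletes what may be deleted, places the rest under legal hold with access restricted and non-required personal data redacted, and a scheduled purge erases held documents once their retention period ends; every action is written to an audit log.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Statutory retention in years by document type (constructed for this example).
# Invoices and booking records: 10 years, the period the page cites for GoBD / §147 AO.
# Types without an entry carry no retention duty and may be erased outright.
RETENTION_YEARS = {"invoice": 10, "booking_record": 10}

# Fields a retained record must keep to stay audit-ready (constructed assumption);
# any other field on a held document is treated as redactable personal data.
REQUIRED_FIELDS = {
    "invoice": {"invoice_no", "issued", "amount", "customer_name"},
    "booking_record": {"entry_no", "booked", "amount", "account"},
}

REDACTED = "[REDACTED]"


@dataclass
class Document:
    doc_id: str
    doc_type: str
    created: date
    subject_id: str          # data subject the document relates to
    fields: dict
    access_restricted: bool = False
    legal_hold_until: Optional[date] = None
    deleted: bool = False


def retention_end(doc: Document) -> Optional[date]:
    """Last day the document must be kept, or None if no retention duty applies.
    Simplification (assumption): the period runs from the end of the creation year."""
    years = RETENTION_YEARS.get(doc.doc_type)
    if years is None:
        return None
    return date(doc.created.year + years, 12, 31)


def _delete(doc: Document, audit: list, today: date, reason: str) -> None:
    doc.fields = {}
    doc.deleted = True
    audit.append({"date": today, "action": "deleted", "doc_id": doc.doc_id, "reason": reason})


def handle_erasure_request(archive: list, subject_id: str, today: date, audit: list) -> dict:
    """Apply an Art. 17 request: delete what may be deleted, place the rest under
    legal hold with access restricted and non-required personal data redacted."""
    outcome = {"deleted": [], "held": []}
    for doc in archive:
        if doc.subject_id != subject_id or doc.deleted:
            continue
        end = retention_end(doc)
        if end is None or end < today:
            _delete(doc, audit, today, "erasure request, no active retention duty")
            outcome["deleted"].append(doc.doc_id)
            continue
        keep = REQUIRED_FIELDS.get(doc.doc_type, set())
        doc.fields = {k: (v if k in keep else REDACTED) for k, v in doc.fields.items()}
        doc.access_restricted = True
        doc.legal_hold_until = end
        audit.append({"date": today, "action": "legal_hold", "doc_id": doc.doc_id,
                      "hold_until": end, "redacted": sorted(set(doc.fields) - keep)})
        outcome["held"].append(doc.doc_id)
    return outcome


def purge_expired_holds(archive: list, today: date, audit: list) -> list:
    """Scheduled job: erase held documents whose retention period has ended."""
    purged = []
    for doc in archive:
        if doc.deleted or doc.legal_hold_until is None:
            continue
        if doc.legal_hold_until < today:
            _delete(doc, audit, today, "retention period ended after erasure request")
            purged.append(doc.doc_id)
    return purged


def build_sample_archive() -> list:
    """Constructed sample records for one data subject; not real data."""
    return [
        Document("inv-2020-017", "invoice", date(2020, 6, 3), "subject-42",
                 {"invoice_no": "2020-017", "issued": "2020-06-03", "amount": "1200.00",
                  "customer_name": "Example Customer", "customer_email": "c@example.invalid",
                  "customer_phone": "+49 000 000000"}),
        Document("inv-2010-004", "invoice", date(2010, 2, 1), "subject-42",
                 {"invoice_no": "2010-004", "issued": "2010-02-01", "amount": "300.00",
                  "customer_name": "Example Customer", "customer_email": "c@example.invalid"}),
        Document("letter-2019-09", "correspondence", date(2019, 9, 12), "subject-42",
                 {"text": "cover letter with address and phone"}),
    ]


if __name__ == "__main__":
    archive, audit = build_sample_archive(), []
    print(handle_erasure_request(archive, "subject-42", date(2026, 3, 1), audit))
    print(purge_expired_holds(archive, date(2031, 1, 1), audit))
    for entry in audit:
        print(entry)
```

Running the sample on 1 March 2026 deletes the 2010 invoice (its retention ended in 2020) and the correspondence (no retention duty), while the 2020 invoice is held until 31 December 2030 with the email and phone redacted and the invoice number, date, amount and customer name kept for the auditor. The purge job finds nothing to do until that date has passed. The audit list is what you would export to back the RoPA entry and a GoBD process description; in a real deployment the retention table and required-field sets would come from your document-type configuration rather than module constants.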

What we provide for GDPR compliance

  • Data Processing Agreement (DPA) on request
  • EU data residency: Nuremberg (primary) + Falkenstein (DR)
  • Audit logs retained and exportable
  • Data export on request (Art. 20 portability)
  • Selective deletion and redaction (Art. 17 erasure)
  • 72-hour breach notification to you (Art. 33)
  • Encrypted backups stored within the EU
  • Sub-processor list available on request

Archive holding personal data?

Request our DPA for your managed document infrastructure and discuss how to document your archive in your Record of Processing Activities.
