
Document Management and GDPR: what you need to keep in mind

DMS and data protection: hosting location, data processing, access control and the tension between the obligation to delete and retention periods.

A document management system almost inevitably processes personal data – names on invoices, addresses in contracts, salary data in personnel files. This means the obligations of the GDPR apply: you need secure processing, regulated access, a contract with the provider and a concept that cleanly separates retention obligations and deletion obligations.

Why a DMS is automatically a data protection topic

The GDPR does not distinguish between a "database" and a "document repository". A scanned letter with a sender's name is just as personal as a CRM entry. Anyone who stores documents centrally, makes them searchable and shares them within a team processes this data – and must do so responsibly. This is not an argument against a DMS, quite the opposite: a central, regulated repository is significantly easier to operate in a GDPR-compliant way than scattered folders, local copies and private mail inboxes.

The five most important checkpoints when choosing

The tension: delete vs. retain

The GDPR requires personal data to be deleted when the purpose no longer applies. At the same time, tax and commercial law require records to be retained for years. The resolution: statutory retention obligations are a separate legal basis – tax-relevant documents remain in the archive until their period expires. After that, the obligation to delete applies. A good DMS supports exactly this lifecycle: defined retention instead of "it's just lying around". How immutable archiving works is explained in the article Audit-proof archiving.

How webRichtung documents implements this

webRichtung documents is developed and operated in Germany and is designed for data-protection-aware work: your organization's documents are stored centrally with clear access paths, login runs via one-time codes, and the GoBD archive retains documents immutably with Object Lock for 6, 8 or 10 years – with a defined end of period instead of an unlimited data dump. Details on how to use it can be found in the documentation.
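The two passages above describe a lifecycle, not a policy: a document with a statutory retention period is locked until a defined end date, and only afterwards does the GDPR deletion obligation take over, while documents without such a period are deleted as soon as their purpose ends. The following Python model is an added illustration, not code from webRichtung documents or its archive. It assumes a constructed mapping of document types to the 6-, 8- and 10-year periods the article names (which type gets which period is an assumption, not legal advice), and it assumes the period is counted from the end of the calendar year in which the document was created; the sample inventory is likewise constructed.

```python
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Optional, Union


class State(Enum):
    """Lifecycle state of a document with respect to deletion."""
    RETAINED = "statutory retention running: deletion must be refused"
    DELETE_DUE = "retention period expired: deletion obligation applies"
    NO_RETENTION = "no statutory retention: delete as soon as the purpose ends"


# Constructed mapping of document types to retention years. The 6/8/10-year
# periods are the ones the article names; which type gets which period is an
# assumption made for this example, not a statement of the applicable law.
RETENTION_YEARS = {
    "invoice": 10,
    "contract": 6,
    "personnel_file": 10,
    "newsletter_signup": 0,  # no retention obligation, purpose-bound only
}


@dataclass(frozen=True)
class Document:
    doc_id: str
    doc_type: str
    created: date


def _as_date(value: Union[date, str]) -> date:
    """Accept a date or an ISO string so callers can pass either."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def retention_end(doc: Document) -> Optional[date]:
    """Last day of the retention period, or None when no period applies.

    Assumption: the period is counted from the end of the calendar year in
    which the document was created, so a 10-year period for a document from
    March 2015 ends on 31 December 2025.
    """
    years = RETENTION_YEARS[doc.doc_type]
    if years == 0:
        return None
    return date(doc.created.year + years, 12, 31)


def classify(doc: Document, today: Union[date, str]) -> State:
    """Decide which obligation currently applies to a document."""
    end = retention_end(doc)
    if end is None:
        return State.NO_RETENTION
    return State.RETAINED if _as_date(today) <= end else State.DELETE_DUE


def request_deletion(doc: Document, today: Union[date, str]) -> bool:
    """Model the archive's answer to a delete request.

    A document under retention is refused, which is what an immutable archive
    (Object Lock) enforces at the storage layer; anything else may go ahead.
    Returns True when deletion is permitted.
    """
    if classify(doc, today) is State.RETAINED:
        raise PermissionError(
            f"{doc.doc_id} is under retention until {retention_end(doc)}"
        )
    return True


def deletion_due(documents, today: Union[date, str]) -> list:
    """IDs of documents whose retention has expired: the deletion backlog."""
    return [d.doc_id for d in documents if classify(d, today) is State.DELETE_DUE]


# Constructed sample inventory, in the spirit of the "brief inventory" the
# article recommends as a starting point.
INVENTORY = [
    Document("INV-2015-0042", "invoice", date(2015, 3, 10)),
    Document("CTR-2018-0007", "contract", date(2018, 5, 1)),
    Document("HR-2020-0003", "personnel_file", date(2020, 9, 15)),
    Document("NL-2024-0911", "newsletter_signup", date(2024, 11, 2)),
]

if __name__ == "__main__":
    today = date(2025, 6, 1)
    for doc in INVENTORY:
        print(doc.doc_id, classify(doc, today).name, retention_end(doc))
    print("deletion backlog:", deletion_due(INVENTORY, today))
```

Run as is, the script classifies the 2015 invoice as retained until the end of 2025, the 2018 contract as overdue for deletion, the personnel file as retained until 2030 and the newsletter signup as purpose-bound only. The point worth keeping from the model is that a delete request against a retained document is refused rather than silently deferred, and that the deletion backlog is computed from defined end dates, which is exactly the "defined end of period instead of an unlimited data dump" the article asks for.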

A practical start

Start with a brief inventory: which types of documents with a personal reference do you have (records, contracts, personnel files)? Who needs access to what? Which retention periods apply per type? With these three answers you can evaluate a DMS in a structured way – and document the introduction cleanly in case the supervisory authority asks. Also define how access ends: when someone leaves the team, access must be able to be revoked centrally. This too speaks in favor of a platform with central accounts instead of locally copied folders whose whereabouts no one can trace anymore.

This article provides general information and does not replace legal or tax advice.

FAQ

Why is a DMS a GDPR topic?

Invoices, contracts and correspondence contain personal data of customers, suppliers and employees. As soon as a DMS stores and processes such documents, the obligations of the GDPR apply.

What should I pay attention to when choosing a DMS?

Pay attention to the hosting location and the applicable law, a data processing agreement (DPA), role-based access control, encrypted transmission and traceable logging of access.

How do the obligation to delete and retention periods fit together?

Statutory retention obligations take precedence over deletion: tax-relevant records must be retained, even if they contain personal data. Once the period expires, the obligation to delete then applies.

Do I need a DPA with my DMS provider?

As a rule, yes: if the provider stores documents with personal data on your behalf, it is a data processor – in which case the GDPR requires a data processing agreement.

Is a German data center mandatory?

No, the GDPR does not prescribe a location. However, hosting in Germany or the EU considerably simplifies the legal assessment, because no third-country transfer needs to be examined.
