The GoBD (Grundsätze zur ordnungsmäßigen Führung und Aufbewahrung von Büchern, Aufzeichnungen und Unterlagen in elektronischer Form sowie zum Datenzugriff) is the German Federal Ministry of Finance's guidelines for maintaining and storing electronic accounting records. For any German business that issues, receives, or stores electronic invoices — which from 2025 means virtually every business — GoBD compliance is not optional.
What the GoBD Requires
The GoBD was issued in 2014 and last updated in 2019. It translates the general record-keeping obligations under the German Commercial Code (HGB) and Tax Code (AO) into concrete requirements for digital environments. The core principles are:
- Correctness (Richtigkeit): Records must accurately represent the underlying business transactions.
- Completeness (Vollständigkeit): No transaction may be omitted. All invoices received and issued must be captured.
- Timely recording (Zeitgerechtheit): Transactions must be recorded promptly — typically within 10 days of receipt for cash transactions.
- Order (Ordnung): Records must be organized so that a tax auditor can find any specific document within a reasonable time.
- Unchangeability (Unveränderlichkeit): Once recorded, a document must not be altered without a verifiable audit trail. This is the most critical requirement for electronic invoices.
- Traceability (Nachvollziehbarkeit): Every change to a record must be logged, showing who changed what and when.
The Unchangeability Requirement in Practice
The unchangeability requirement is where most businesses run into compliance challenges. An XRechnung or PDF invoice that is simply saved to a folder on a shared drive is NOT GoBD-compliant, because the file can be modified or deleted without any audit trail.
GoBD-compliant storage requires a Document Management System (DMS) or archive system that:
- Creates a cryptographic fingerprint (hash) of each document upon receipt.
- Prevents modification of archived documents (write-once storage).
- Logs all access attempts and administrative actions.
- Can reproduce the original document on demand for tax audits.
- Maintains an index that allows retrieval by invoice number, date, supplier, and amount.
Retention Periods
German law requires the following minimum retention periods under § 147 AO:
- 10 years: All books, inventories, opening balance sheets, annual financial statements, management reports, and all associated documents. This includes all invoices (both issued and received).
- 6 years: Business correspondence (including emails if they relate to business transactions), and all other tax-relevant documents.
- The retention period starts at the end of the calendar year in which the document was created.
Key Risk: Converting Formats
One of the most common GoBD compliance mistakes is converting an XRechnung XML file to PDF for storage. The GoBD requires that the original format be retained if it contains relevant information — and for XRechnung, the XML is the original. Converting to PDF destroys the structured data and may violate the unchangeability and completeness requirements.
If you want a human-readable archive copy alongside the XML, you must retain both — the original XML and any PDF rendering derived from it — and clearly document their relationship.
ZUGFeRD and GoBD
ZUGFeRD files are PDF/A-3 documents with embedded XML. Since the PDF/A-3 format guarantees long-term readability (it embeds all fonts and color profiles), ZUGFeRD is well-suited for GoBD-compliant archiving. The single file contains both the human-readable invoice and the machine-readable XML, and PDF/A-3 prohibits modifications — making it inherently unchangeable when stored correctly.
Tax Authority Data Access (GDPdU / GoBD Data Access)
During a tax audit, the German Betriebsprüfer (tax auditor) has the right to access your electronic records directly. The GoBD defines three levels of access:
- Z1 (Direct access): The auditor uses your system to review records.
- Z2 (Indirect read access): You extract specific data and provide it to the auditor.
- Z3 (Data carrier transfer): You provide a data export (typically in GDPdU/IDEA format) on a USB drive or similar medium.
How ToolKit Supports GoBD Compliance
Our Pro-tier GoBD Vault provides compliant storage for XRechnung files with automatic hash generation, immutable audit trails, and indexed retrieval. Every upload to the Vault is timestamped, hashed, and logged. We never modify stored documents. Files can be exported at any time in their original format for tax audits.
Frequently Asked Questions
Is saving invoices to Google Drive or Dropbox GoBD-compliant?
Generally no. Standard cloud storage does not prevent modification of files, does not maintain immutable audit trails, and does not guarantee the required access controls. Some enterprise-grade cloud storage solutions with version history and access logging may be compliant, but this requires careful configuration and documentation.
Do I need special software for GoBD-compliant storage?
You need software that implements the specific technical controls the GoBD requires. This can be a dedicated Document Management System (DMS), your accounting software's built-in archiving module (DATEV, SAP), or a specialized archive service. A standard file server or email archive is typically not sufficient.
What happens if we are not GoBD-compliant during an audit?
Non-compliance with GoBD can lead to the tax authority conducting an estimation (Schätzung) of your taxable income, which typically results in a higher tax assessment. In severe cases, it can also trigger suspicion of tax evasion.