@girish there is nothing to complain about selfhosted services in general, at least in terms of GDPR. According to TMG (Telemediengesetz) it's binding to have an imprint (at least in Germany) and a data protection agreement if you serve websites and stuff to the public. At some point (size or field of operation) you need to have a data protection officer for your company.
Regarding GoBD however, there is the problem that (if you host the software yourself) you usually have the possibility to manipulate data because you own the server or storage. GoBD is all about storing your business-related communication and financial data in a tamper-proof manner. It's the "principles for the proper management and storage of books, records and documents in electronic form as well as for data access." This is why the "best" solution seems to be SaaS. The law is even relevant if you're self-employed, but auditors proceed according to proportionality and traceability if you are "small". For example: software such as Invoice Ninja is not GoBD compliant in Germany because you can edit/delete things afterwards. How do you do it right, you may ask? It's complicated...
Modern DMS can counteract this issue because they store your data securely and document all changes you made. Sadly this sometimes conflicts with GDPR Articles 15, 16 and 17 (maybe 30 too). A DMS must therefore also be GDPR compliant.
While good in theory, these laws/rules are extremely difficult to implement and follow in practice.
Hope you don't regret that you've asked.
@subven Sounds like something that could be solved by having DB backups to a Git repo, since the history is an immutable ledger.
It would be a nasty situation to ever get into but it would be an even nastier person or auditor that tried to manipulate past data.
With the principle of innocent until proven guilty, I'm certain it would be sufficient to provide "access" (not a copy) of the DB backups Git repo for forensic analysis if they really thought there was something amiss.
In my opinion, it's more effort to be 99% honest than 100% honest though, and generally the dishonest are also lazy, so having put in place Git backups to show immutable records, it would be as likely as meeting aliens to find someone that then tried to tamper with them as well.
Personally, I'm surprised the whole legal industry hasn't moved to Git for documenting anyway, since the law is a freeform codification of social contracts.
@necrevistonnezr is our resident expert here, I expect?
Indeed, GoBD and GDPR seem to contradict each other:
- The GDPR requires a purpose for the storage of personal data and its deletion if such purpose does not exist (anymore).
- The GoBD deals with the retention of documents in order to comply with tax obligations.
Important: The GoBD does not stipulate if certain documents should be retained, only how. The "if" - the obligation to keep accounts and records - results from a variety of commercial and tax law regulations.
- The GoBD does not set any time limits for the retention of data but merely states: If there are obligations to retain data, such data must be retained in a certain way.
- The GDPR does not contain any concrete time limits for the retention or subsequent deletion, either. It rather stipulates general principles of storage limitation and data minimization: According to Art. 5 GDPR, data may only be stored for as long as it is necessary and appropriate for a previously defined, clear and legitimate purpose; such purpose can also consist of precisely those storage obligations that GoBD deals with.
In other words: If there's a legal obligation (e.g. pursuant to tax law) to keep records, the GoBD stipulates how to keep those records and, pursuant to Art. 5 GDPR, such legal obligation legitimizes the retention of data (i.e. the individual may not request the deletion of data for the legal retention period).
Therefore, GoBD and GDPR are not really competing sets of rules. The applicable test is:
- Is there a tax law obligation to retain documents?
- Do the GDPR principles of storage limitation and data minimization require that documents be deleted?
- It's possible that not all data of a document is relevant for the purpose of storage. In such cases, one solution is to redact certain information in the document to comply with both GoBD and GDPR. In order to avoid a (unreasonable) individual case examination for each document, some DMS apply a deletion concept based on e.g. legal retention periods.
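As an added illustration (not code from this thread, from Mayan, or from any DMS mentioned here) of what "document all changes in a tamper-proof way" and the retain/redact/delete test above look like in practice: a hash-chained, append-only audit ledger in which a redaction is recorded as a new version pointing at the original rather than an in-place edit, plus a small policy function that walks the three questions above. The class and function names, the sample invoice strings and the dates are all constructed for this example; the retention end date is taken as an input rather than derived from any particular statute.

```python
import hashlib
import json
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

GENESIS = "0" * 64  # predecessor hash of the very first entry


def _digest(prev_hash: str, body: dict) -> str:
    """Hash an entry together with its predecessor's hash, so editing or
    removing any earlier entry breaks every later link in the chain."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode("utf-8")).hexdigest()


@dataclass
class AuditLedger:
    """Append-only change log (hypothetical example class). Nothing is
    edited in place; a correction or redaction is a new entry that
    references the entry it supersedes."""
    entries: list = field(default_factory=list)

    def append(self, doc_id: str, action: str, content: str,
               actor: str, supersedes: Optional[int] = None) -> int:
        prev_hash = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {
            "seq": len(self.entries),
            "doc_id": doc_id,
            "action": action,          # e.g. "create", "update", "redact"
            "actor": actor,
            # only the content hash is chained; the document body itself
            # can live in ordinary storage
            "content_sha256": hashlib.sha256(content.encode("utf-8")).hexdigest(),
            "supersedes": supersedes,  # seq of the version this replaces
        }
        self.entries.append({**body, "hash": _digest(prev_hash, body)})
        return body["seq"]

    def redact(self, doc_id: str, original_seq: int,
               redacted_content: str, actor: str) -> int:
        """Record a redaction as a new version; the original entry and its
        content hash remain in the chain for the auditor."""
        return self.append(doc_id, "redact", redacted_content, actor,
                           supersedes=original_seq)

    def verify(self) -> Optional[int]:
        """Return None if every link checks out, otherwise the seq of the
        first entry whose hash no longer matches its body or predecessor."""
        prev_hash = GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["hash"] != _digest(prev_hash, body):
                return entry["seq"]
            prev_hash = entry["hash"]
        return None


def deletion_decision(retention_until: Optional[str], today: str,
                      purpose_still_exists: bool, partly_relevant: bool) -> str:
    """Apply the three-step test: a running retention obligation wins
    (retain, or redact the parts the obligation does not cover); once it
    has lapsed, GDPR storage limitation decides. Dates are ISO strings."""
    if retention_until is not None and \
            date.fromisoformat(today) <= date.fromisoformat(retention_until):
        return "redact" if partly_relevant else "retain"
    return "retain" if purpose_still_exists else "delete"


if __name__ == "__main__":
    ledger = AuditLedger()
    first = ledger.append("INV-1", "create", "Invoice 1: Alice, 100 EUR", "bob")
    ledger.redact("INV-1", first, "Invoice 1: [redacted], 100 EUR", "bob")
    print("chain intact:", ledger.verify() is None)
    ledger.entries[0]["actor"] = "mallory"   # simulate an after-the-fact edit
    print("first broken entry:", ledger.verify())
    print(deletion_decision("2030-12-31", "2024-01-01", False, True))
```

The point of chaining only hashes is that the ledger can be exported (or, as suggested earlier in the thread, committed to a Git repository) and handed to an auditor without handing over the documents themselves; any later edit to an entry or removal of one shows up as a broken link at `verify()`.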
Just wanted to give an update. I have started to prepare this for release. I added the tests and required meta information now and the app works well so far.
Mayan supports email sending setup as well as receiving documents via an inbox. I am currently trying to get both auto-setup. The current package still requires manual setup from the corresponding env variables made available from the addons.
I have hit some road blocks with the current packaging. While it basically works, I only now found out that the original image would put the actual code/virtualenv into /app/data, which is wrong. To proceed here I tried to reach out to upstream devs at https://gitlab.com/mayan-edms/mayan-edms/-/issues/947; let's see how we can proceed with hopefully some input there.