Definition and Legal Classification: EBDD
The abbreviation EBDD stands for “European Database for Officially Confirmed Documents and Data” and refers to a database-based information system established by public bodies and certain authorities of the European Union for the management, verification, and exchange of official documents and datasets. The EBDD is used in particular in the context of cross-border cooperation, the digitalization of public procedures, and the prevention of document and data forgery.
Legal Foundations of the EBDD
Legal Framework at EU Level
The legal basis for the establishment and operation of EBDD systems is primarily derived from European secondary legislation, especially provisions on electronic identity management and EU-wide data protection regulations. Relevant legal acts in this context include, for example:
- Regulation (EU) No. 910/2014 – eIDAS Regulation: The Regulation on Electronic Identification and Trust Services for Electronic Transactions in the Internal Market forms the basis for the cross-border recognition of electronic identification means and trust services. The EBDD can serve as a technical infrastructure that makes the electronic management of sovereign documents interoperable throughout the Union.
- Regulation (EU) 2016/679 – General Data Protection Regulation (GDPR): The processing of personal data within EBDD systems is subject to the strict requirements of the GDPR regarding data security, data minimization, and data subject rights.
- Directive (EU) 2019/1153: The Directive on the use of financial information and the strengthening of cooperation between authorities addresses aspects of access to and use of databases such as the EBDD for the prevention and prosecution of certain criminal offenses.
In addition, there are individual references and definitions in implementing acts at the national level, as well as in other Union legal instruments, for example in the area of judicial and administrative cooperation.
National Implementations and Special Laws
The implementation and application of the EBDD take place in the Member States based on national implementing laws. These regulate in particular the responsibility of the connected authorities, detailed admission criteria, and the protection of particularly sensitive data. Depending on the country, there are different connection options for authorities dealing with registration, passports, and identification documents, for registry offices, or for the judicial administration.
Areas of Application of the EBDD
Administration and Verification of Sovereign Documents
The EBDD is primarily used for the securing, storage, and authenticity verification of certificates, IDs, driver’s licenses, registration certificates, and other official documents. Authorities access the database to check whether a presented original or replacement document (e.g., in case of loss or reissuance of an ID) is recorded as legally authentic.
Cross-border Administrative Procedures
In cross-border administrative procedures – for example, in the recognition of certificates, diplomas, or driver’s licenses within the EU – the EBDD enables efficient transmission and authenticity verification of relevant evidence. This helps to reduce bureaucratic barriers and accelerates the recognition of legal acts and personal data.
Combating Data and Document Forgery
By centrally recording officially confirmed documents in the EBDD, unlawfully issued, forged, or manipulated datasets and certificates can be detected more quickly and marked as invalid internally by authorities. Thus, the EBDD fulfills an important preventive function against identity fraud, document forgery, and illegal access to official services.
Involved Actors & Access Rights
Authorized Institutions
Access to the EBDD is granted exclusively to predefined public bodies, including national and European authorities, registration offices, judicial authorities, registry offices, and ministries. Access rights are restricted to the respective area of responsibility, so that, for example, only certain authorities can access specific types of documents or datasets.
Rights of Data Subjects
According to the GDPR and relevant data protection regulations, data subjects have the right:
- to receive information about the datasets stored about them in the EBDD,
- to rectification of incorrect data,
- to erasure of information that is no longer necessary or unlawfully stored,
- to restriction of processing under certain conditions.
The exercise of these rights is generally handled by the responsible authority or the national data protection supervisory body.
Data Protection and Data Security in the EBDD
Technical and Organizational Measures
The protection of the data stored in the EBDD is ensured through comprehensive technical and organizational measures. These include:
- Encrypted data transmission (e.g., via secure communication protocols)
- Access control systems with authentication and authorization checks
- Traceability and logging of all access and changes
- Limited retention periods depending on the document type and the underlying procedure
- Emergency measures for recovery and protection against data loss.
Data Protection Impact Assessment
Prior to the introduction or expansion of the EBDD, a data protection impact assessment in accordance with Art. 35 GDPR is generally required. Potential risks to the privacy of data subjects are identified and appropriate countermeasures defined in this process.
Legal Consequences and Remedies
Unauthorized access to or misuse of EBDD data can have administrative, civil, and criminal consequences. Data subjects may file official complaints with the responsible data protection supervisory authorities and, if necessary, assert civil claims (e.g., compensation for damages). Authorities that violate data protection regulations can face fines under the GDPR.
Conclusion
The EBDD system is a key element for digital administration and cross-border cooperation within the European legal area. The database-backed security and authentication of sovereign documents make a substantial contribution to administrative modernization, acceleration of procedures, and prevention of misuse – but the system is subject to strict data protection requirements and clearly regulated access rights. Continued development of the EBDD must comply with the legal framework at EU level as well as national data protection and administrative law.
Frequently Asked Questions
What legal requirements must be met for the implementation of an EBDD system in Germany?
For the introduction of an EBDD system (Electronic Document and Record Management System) in Germany, numerous legal requirements must be observed. First, the system must meet the requirements of the German Commercial Code (HGB) and the Fiscal Code (AO), particularly with regard to the principles of proper accounting (GoB) and the principles of proper management and storage of books, records, and documents in electronic form as well as data access (GoBD). This means that all documents and records must be archived in an immutable, traceable, and complete manner. Furthermore, the data protection component under the General Data Protection Regulation (GDPR) must be taken into account, particularly regarding the storage, processing, and deletion of personal data. It must also be ensured that the system guarantees the integrity, confidentiality, and availability of the data, and that an appropriate authorization concept is in place. Finally, process documentation is mandatory, describing the entire life cycle of documents and records.
How long must electronic records and documents be kept in an EBDD system according to legal requirements?
According to statutory provisions in Germany, especially Section 147 of the Fiscal Code (AO) and Section 257 of the Commercial Code (HGB), electronic records and documents generally have to be retained for six or ten years. Invoices, accounting records, inventories, and annual financial statements are usually subject to a ten-year retention period, while received commercial and business letters must be kept for six years. The retention period starts at the end of the calendar year in which the document was created or received. Throughout the entire retention period, the records must be readable, available, and machine-evaluable at any time. Deleting or altering data before the period expires is not permitted; any changes or addenda must be documented.
What legal requirements apply to the traceability and immutability of documents in the EBDD?
The legal requirements for traceability and immutability are primarily regulated in the GoBD. This means that all input, processing, and reading operations must be documented completely and in an audit-proof manner. Changes to stored documents are only permissible as a new version with clear logging; overwriting or deleting the original documents is not allowed. In addition, every procedure – from index-based allocation to user authentication and the granting of read and write rights – must be traceably included in process documentation. The system environment must also be secured against unauthorized access, for example by encryption and access control systems, to ensure the integrity of stored information.
What must be considered from a legal perspective regarding an EBDD system during an external audit?
In the context of tax audits, it must be ensured that auditors have full access to all relevant records and documents managed electronically within a reasonable period. According to GoBD, this includes direct data access rights (direct access to the system), indirect data access rights (provision of evaluations by the company), and the right to data media transfer. The EBDD system must therefore be capable of providing all stored data in the required format and in a form that can be evaluated by machine. Non-compliance with these access rights can, in the worst case, lead to the rejection of accounting and significant tax disadvantages.
What is the legal significance of process documentation for an EBDD system?
Process documentation plays a central legal role in the operation of an EBDD system. It is mandatory under GoBD and serves as proof that the system used complies with the principles of proper accounting. The process documentation must describe all processes, responsibilities, system architectures, and controls in detail – from the creation of a document to its archiving and possible deletion. If such documentation is missing or not up to date, significant legal consequences may arise during audits, including the rejection of electronic accounting.
What legal risks exist when outsourcing EBDD systems (e.g., cloud solutions)?
When outsourcing EBDD systems, particularly when using cloud services, specific legal requirements and risks arise. In particular, it must be checked whether the data storage location complies with the requirements of the GDPR and regulations concerning tax retention. Data stored outside Germany or the EU/EEA is subject to strict legal requirements and must be protected through appropriate agreements (such as standard contractual clauses) and technical measures. It must also be ensured that full data access is available at all times for the company itself and for auditors. The cloud provider must demonstrably have implemented appropriate technical and organizational measures for data protection and data security. Despite outsourcing, the company remains legally responsible for compliance with all statutory requirements (so-called “data processing agreement” as per Art. 28 GDPR).
How is data protection legally ensured when using an EBDD system?
Data protection must be observed comprehensively when using an EBDD system and implemented strictly in accordance with the requirements of the GDPR. This concerns both the lawful collection, processing, and storage of personal data and its protection against unauthorized access. Companies are required to take technical and organizational measures (TOMs) to protect the data, including encryption, pseudonymization, and access restrictions. Furthermore, rights of data subjects, such as access, erasure, and rectification, must be ensured. For processing by external service providers, for example when using cloud solutions, a data processing agreement according to Art. 28 GDPR is mandatory. Violations of these requirements may lead to significant fines and reputational damage.