Best practice

When storing documents containing personal data, what should an electronic document storage provider ensure?

  08. 05. 2019

When it comes to the electronic storage of documents containing personal data, it’s important to choose a suitable provider that meets all the relevant security standards and the GDPR requirements for personal data processing. As we emphasise in the following points, the storage provider should ensure the integrity, credibility, availability, usability and durability of documents throughout their retention period.

1. Reliability and security are number one

A suitable long-term electronic storage provider should ensure that:

  • documents are accessible only to authorised persons, and only when needed,
  • documents can be accessed quickly and used easily,
  • document contents are authentic and complete, and content changes are possible only in exceptional cases and are traceable,
  • documents are stored in an appropriate long-term storage format (for example, PDF/A).

Long-term electronic document storage should involve much more than simply uploading documents to a server: for example, labelling documents with metadata that are not part of the document contents, or adding further security content to them.

Though the major web storage providers appear to offer practical or inexpensive solutions at first glance, they soon turn out to be insufficient in meeting all of the above requirements. Two of the reasons why such services are cheaper than a certified electronic storage provider are:

  • accessing the document can take up to several minutes, while we usually provide the document within seconds,
  • they are not certified under the Slovenian uniform technological requirements and do not ensure the long-term usability and readability of documents.

Are you willing to accept such risks just to save some money?


2. Compliance with the GDPR

Inadequate document storage and unauthorised access to and sharing of documents containing personal data pose significant business risks.

When considering an electronic storage provider, did you think about their privacy policy, whether they maintain an audit trail, and whether they guarantee reliability and security?

Documents containing personal data should not normally be accessible to all a company’s employees. Therefore, when considering an electronic storage provider, consider that the provider should enable you to define authorised access to documents at all levels, and should record access information in an audit trail. In this way, you can also avoid the risk of unauthorised access to personal data.

The GDPR allows personal data to be transferred to third countries or international organisations provided that a high level of personal data protection is ensured, so pay attention to where your documents are stored. Both the data controller and the data processor must comply with the provisions of the GDPR.


3. Reliable references, years of experience and expertise

In order to ensure that your data is secure and consistent, it’s important that your electronic storage provider maintains a high level of IT security and regularly upgrades their monitoring systems so as to provide high-quality and secure electronic storage. This can be demonstrated through certification against ISO 27001 and other standards, as well as adherence to good practices in the field of IT security.

We recommend that you choose a provider that offers services and software certified by the Archives of the Republic of Slovenia. In this way, you’ll effectively avoid the risk that your chosen service provider does not comply with electronic storage legislation.

Also check the provider’s references and their experience with electronic document storage, including the volume of documents they store. For example, at Mikrocop, we electronically archived 44 million documents last year alone, and all together we’ve electronically archived nearly half a billion documents.

Special attention should be paid to the professionalism, experience, and competence of the provider’s archivists, which together demonstrate the integrity, security, confidentiality, and availability of the data and documents they store. You can check all these factors by visiting the provider in person. If you’re having trouble choosing an electronic storage provider, or if you need additional advice, please contact us.


Sanja Žaubi, Data protection officer (DPO) at Mikrocop
