Book extract IG 2021 (2): Examination & Certification (GeBüV)

Testing & certification of digitization solutions (providers & users)

In the context of digitization, the question repeatedly arises as to whether the planned solution is legally compliant. The Business Records Ordinance (GeBüV) is the authoritative framework for keeping and storing electronic information in Switzerland. Almost all laws in Switzerland refer to it for implementation. But when does a system actually meet the legal requirements? To answer this question, krm has been conducting structured audits since 2017 and produces a report with or without a certificate.

Examples of tests (certified products are published on the krm homepage):


  • ECM / DMS products ( On Premise, Cloud )
  • Scanning processes / digitization
  • Scan Products
  • Archive systems


  • Accounts Payable Workflow
  • ECM / DMS / archive systems, regulated industries
  • ECM / DMS / archive systems, non-regulated industries

There are a large number of cases in which a GeBüV audit may be considered. A distinction must be made between the user and the supplier perspective:










The assessment is based on the fundamentals that krm has collected and updated over the years from laws such as the OR, GeBüV, VAT laws and data protection laws, as well as from our reference books. The long experience of the krm experts helps to identify the right test basis. Depending on the customer's needs, we obtain additional frameworks (e.g. ISO standards, industry-specific specifications) and contracts with third parties (cloud, outsourcing). Of course, corporate governance principles and security requirements as well as the ICS are also taken into account.

Revision security does not exist
The rationale for this can be found in 4.12. The legal basis in Switzerland differs from other countries such as Germany in the following points:

The Business Records Ordinance (GeBüV) contains detailed requirements at the technical level. For example, the requirements for immutability are described in detail. There are also requirements for logging access, data migration and data separation (management vs. storage).
pursuant to Art. 958 f of the Swiss Code of Obligations ).

Continue reading in book chapter 6.4 on p.278


