Accountants and GDPR: shredding client files the privacy-proof way

Every payslip carries a BSN. So does every income tax return. So does every payroll journal, every absence record and every pension statement. An accountancy firm structurally processes large volumes of special and ordinary personal data, often for hundreds of clients at the same time. Once the retention period for those documents has expired, destruction is not an option but a GDPR obligation. This article explains how to do that in a privacy-proof way.

Aimed at office managers, HR accountants and payroll administrators who handle client data on paper.

BSN: a separate risk level

Under art. 46 of the Dutch GDPR Implementation Act, the Citizen Service Number is a special personal data item that requires a specific legal basis. A data breach involving BSNs weighs more heavily with the Autoriteit Persoonsgegevens than a breach without them. Fraud sensitivity, identity theft and tax-related damage are real risks. A stack of old payslips in the office bin is therefore not only sloppy but potentially notifiable.

If you are unsure about the procedure to follow after a possible breach, see our article on the 72-hour notification plan.

The accountant as processor or controller

Accountants play a hybrid role under the GDPR. For their own office records (employees, debtors) they are controller. For payroll administration on behalf of a client they are usually a processor: the client determines the purpose and means, the firm carries it out.

This has two practical consequences:

  1. There must be a processor agreement with every client for whom you act as processor.
  2. Destruction of that client data happens on the client's instruction, not unilaterally on an office whim.

You can find a practical checklist for the contractual part in our processor agreement checklist.

Destruction policy per client or per document category

Two approaches work in practice:

In both cases the policy must be in writing and executed periodically. A policy without execution is, for the AP, the same as no policy.

Storage limitation (GDPR art. 5(1)(e)) is the least popular of the six principles because it demands active clean-up. That is precisely why an annual destruction moment is indispensable.

DIN 66399 P-5 as the office standard

The DIN 66399 standard distinguishes security classes and destruction levels. For financial client data containing BSNs, P-5 is the appropriate floor: a maximum particle size of 30 mm², which makes reconstruction practically impossible. For hard drives and backup media from old client-related systems, H-4 or E-4 is the appropriate level.

A typical office shredder reaches P-2 or P-3. That does not meet the bar for BSN-bearing documents. External destruction, preferably on-site, is therefore not a luxury but the norm.

Why on-site destruction fits here

Accountancy files should not leave the building while still intact. On-site destruction means that the boxes from the archive leave the room, cross the threshold to the car park and go straight into the shredder. No intermediate step in an unmarked van, no "central location" where a container sits outside overnight.

At the same time you get:

Scheduling an annual destruction round?

We bring a mobile shredder to your office. You watch along, we hand over the certificate on the spot. DIN 66399 P-5 for paper, H-4 or E-4 for media. Simply pay per job.


Certificate and office file

Include the certificate of destruction in the GDPR records of processing as evidence that storage limitation has actually been carried out. In the event of an AP inspection or a disciplinary procedure, this is one of the simpler pieces of evidence: paper file X for client Y was destroyed on date Z using method P-5, certificate number ABC.

More information about accountants and the mobile destruction service is on our accountants industry page.
Bottom line: accountants are processors of sensitive client data. GDPR-compliant destruction requires policy, execution, the correct standard and evidence. On-site destruction wraps up all those requirements in a single session.