GDPR retention periods per document type: the complete cheatsheet
The GDPR sets storage limitation in article 5(1)(e). Personal data may not be kept longer than needed. That sounds simple, but in practice it is full of exceptions. Some documents you actually need to keep for a long time on the basis of tax, employment or healthcare laws. Others must already be gone after four weeks. This cheatsheet collects the most important periods for Dutch practice, each with a reference to the statute it rests on.
Print this list, hang it by the archive cabinet, and plan a moment every year to destroy the oldest category. That is the only way to stay GDPR-compliant without having to think about it daily.
Tax and bookkeeping
The Algemene wet inzake rijksbelastingen (AWR), article 52, is the best-known source. You keep the basic administration for 7 years, and certain categories longer.
- General ledger, debtors, creditors, purchases, sales, inventory: 7 years (AWR art. 52).
- Annual accounts: 7 years (AWR art. 52) and 7 years after dissolution of the legal entity (BW 2:10).
- Payroll administration and copy of employee ID: 5 years after end of employment (Wage Tax Act art. 28).
- Real estate (VAT adjustment period): 9 years after the year the building was first put to use.
- VAT invoices: 7 years.
For more on the 7-year tax period in practice, see our article on tax retention and what may go afterwards.
Personnel and HR
HR has the most varied periods. Applicant data has to go quickly, while payslips are kept for a long time.
- Applicant data of rejected candidates: 4 weeks after rejection, or 1 year with written consent.
- General personnel file: 2 years after end of employment (AP guideline).
- Employment contracts and amendments: 7 years after end of employment.
- Payslips and annual statements: 5 years for tax purposes, 7 years recommended.
- Absence data: 2 years after end of employment.
- Reintegration files: 2 years after end of reintegration.
- Copies of ID: 5 years after end of employment, then mandatory destruction.
- VOG applications: as long as the employee is employed, then 4 weeks.
Healthcare and medical
For medical data the WGBO applies (Book 7 title 7 section 5 BW). In 2020 the period was extended.
- Medical file: 20 years from last change, or as long as "good caregiving" requires (WGBO art. 7:454 BW).
- Files of minors: 20 years from the 18th birthday.
- X-rays and image material: integral part of the file, so 20 years.
- Donor registration: per caregiver guideline.
- Dental file: 20 years after last consultation.
See also our article on the WGBO 20-year period in practice.
After a retention period has expired, keeping is no longer an option. Holding on to data "just in case" is a breach of GDPR article 5.
Legal and notarial
- Lawyer's file: at least 5 years after closure, often 7 years. NOvA rule of conduct 16 prescribes careful retention.
- Notarial deeds (original): 100 years, then to the National Archives (Wna art. 7 and 8).
- Notarial drafts and scratch versions: no statutory term, recommendation 10 years then destroy.
- Wwft client due diligence: 5 years after end of business relationship (Wwft art. 33).
- Debt-collection files: 7 years after last action.
Financial and banking
- Mortgage file: 7 years after expiry or redemption.
- Investment advice: 7 years (Wft and MiFID II).
- Insurance file: 7 years after end of policy.
- Client identification (Wwft): 5 years.
- Business loan: 7 years after end of loan.
Commercial and general
- Client correspondence without tax relevance: 2 to 3 years after last contact.
- Marketing lists: until withdrawal of consent or 2 years inactive.
- Web cookies and analytics: at most 1 year, depending on consent.
- Newsletter subscriptions: until unsubscription.
- Camera footage: 4 weeks, longer only in case of an incident.
- Complaints: 2 years after handling.
Education and government
- Student file primary education: 2 years after leaving school.
- Student file secondary education: 2 years after deregistration, 5 years for exam data.
- Subsidy files: 10 years (for EU subsidies often 10 to 15 years).
- Tender file: 10 years.
How to anchor retention periods in your organisation?
A cheatsheet is not enough. The Autoriteit Persoonsgegevens expects you to explicitly include retention periods in your records of processing (GDPR art. 30) and your privacy notice. Good practice:
- Make a table per processing activity: which category of data, which period, which law.
- Link each period to a trigger: end of employment, date of last invoice, signing of a deed.
- Plan an annual destruction moment after year-end, so you can dispose of the oldest year without tax risk.
- Keep certificates of destruction for 5 years as evidence towards the AP and the accountant.
- Walk through the cheatsheet for each new type of processing, because some industries (healthcare, financial, legal) have divergent rules.
The exception to the exception
Sometimes you may keep data longer than GDPR storage limitation suggests. Examples: a pending dispute, a tax investigation, a legal claim, scientific research with safeguards, archive interest under the Archives Act. As soon as the reason lapses, the period starts running again. Always record those kinds of exceptions in writing, because without justification it is a GDPR breach.
Questions about a specific category? Call us or request a quote via desnipperaar.nl. We are happy to help you think through retention periods and the planning of your destruction moments.