GDPR requirements for document destruction: what does an SME really have to arrange?
Every SME sits on boxes of paper: payslips, application folders, client contracts, copies of identity documents and bookkeeping. Anyone serious about privacy quickly discovers that the GDPR says plenty about processing and retaining, but barely anything concrete about destruction. Yet it is precisely at that last step that things so often go wrong: a skip of "old paper" that ends up at the charity shop, or an old laptop that gets a second life via Marktplaats. Those are the data breaches the Autoriteit Persoonsgegevens hands out fines for.
This guide walks through the GDPR obligations for document destruction in plain language, specifically for entrepreneurs without a privacy lawyer on staff. No wading through statutes, but a checklist you can act on tomorrow.
What does the GDPR actually say about destruction?
The GDPR mentions destruction explicitly in two relevant places:
- Article 5 (storage limitation). Personal data may not be kept longer than necessary for the purpose for which it was collected.
- Article 17 (right to be forgotten). A data subject may request deletion of their data, and you must comply within a month.
In addition, article 32 requires "appropriate technical and organisational measures" to protect personal data. That duty does not end at the waste bin. Only when the document is physically illegible does your duty of care end.
The fine for a data breach through poor destruction is no smaller than for a breach from your database. The Autoriteit Persoonsgegevens makes no distinction between paper and bits.
Retention periods: when may something go?
Nothing goes wrong as often as retention periods. The most common ones in SMEs:
- Tax administration: 7 years (Algemene wet inzake rijksbelastingen, art. 52).
- Real estate: 9 years (VAT adjustment period).
- Payroll administration: 5 years after end of employment.
- Applicant data: 4 weeks after rejection, or 6 months with the candidate's consent.
- Copies of identity documents: 5 years after end of employment (Wage Tax Act).
- Client correspondence without tax relevance: "as long as needed", in practice 2 to 3 years after last contact.
- Medical data: 20 years (WGBO, for healthcare providers).
Once a period expires, keeping the data is no longer permitted. The file has to go. There is no grey zone in which you think "I will keep it a bit longer, just in case". That is a GDPR breach.
Destroy yourself or outsource?
For small volumes of a few dozen folders a year, a decent office shredder suffices, provided it achieves at least security level P-5 under DIN 66399. Important caveat: you have to document who destroyed what, and when. Without a logbook there is no evidence.
Once volumes grow or sensitive categories appear (identity documents, medical data, financial files), outsourcing usually becomes safer and cheaper. With an external party you do have to watch three things:
1. Destruction on-site or in a secured stream
The safest option is mobile document destruction, with the shredder truck on your car park and you watching along. Nothing leaves your building intact. An alternative is container transport in a sealed container. Then ask for seal numbers on the destruction certificate.
2. Standard and shred size
Ask for DIN 66399 security level P-5. For data carriers the same standard has its own material classes (H for hard drives, E for electronic media such as SSDs and USB sticks); NIST SP 800-88 is the alternative reference for the IT side.
3. Certificate of Destruction
After each job a certificate should follow stating: date, number of units (kilos or containers), applied standard, method, destruction location and a unique order number. This document is your evidence towards the AP if anyone ever asks how you handle archives.
The processor agreement: often forgotten, always required
As soon as you have personal data processed by a third party, a processor agreement must be in place. With outsourced destruction this is the case, because until the moment of shredding the data is still legible. GDPR article 28 prescribes what it contains:
- Subject, duration, nature and purpose of processing
- Types of personal data and categories of data subjects
- Duty of confidentiality of staff
- Security measures
- Arrangements for breach notification
- Right to audit / inspection
- What happens to data afterwards
A good destruction party has a standard processor agreement ready. Ask for it before the first job runs, not after. Without a signed agreement, you yourself are in breach, not the processor.
Media: no exception
Hard drives, SSDs, USB sticks, old phones and backup tapes usually contain more personal data than the paper side of the archive. Software wiping (via DBAN or similar) is often not enough: modern SSDs keep copies of data in spare and wear-levelling cells that the operating system cannot address, so an overwrite never reaches them. For special categories, or if the medium cannot be reliably wiped, NIST SP 800-88 prescribes "destroy": physical destruction through shredding, disintegrating or melting.
Checklist for tomorrow
- Inventory which archives you have (paper and digital) and attach retention periods.
- Put an annual destruction moment in the diary, preferably after year-end.
- Choose per category: do it yourself (up to roughly 50 folders / year) or outsource.
- Sign a processor agreement with your destruction party.
- Always request a certificate and keep it at least 5 years in your GDPR file.
- Explain in your privacy notice how you handle destruction. Transparency is itself a GDPR requirement.
The GDPR is not a sword above your head. It is a framework to show that you have your affairs in order. Destruction is the last, visible evidence of that.
Questions about your own archive situation? Call us or request a quote via desnipperaar.nl. We are happy to think along about retention periods, volume and the processor agreement.