GDPR

BSN numbers in old administration: how to handle them?

30 May 2026 · 7 min read · DeSnipperaar

In Dutch organisations with a history of more than 10 years, BSN numbers run through all kinds of records: copies of identity documents, old payslips, dismissal letters, customer intakes from the era before strict GDPR enforcement. The Citizen Service Number is not an ordinary personal data item. It is a statutorily regulated identification number with strict rules of use. What do you do with all those old entries?

The BSN under the General Provisions Citizen Service Number Act

The BSN may only be processed in situations that the Act provides for. For employers, healthcare providers and temp agencies that is generally permitted and even required (wage tax, duty of care). For other organisations, BSN processing is often not allowed, and a BSN may not sit in an administration without a basis.

The law also has a use restriction: the BSN may not be used as a general customer number or identifier for purposes outside the statutory basis.

Common places where BSN still circulates

• Payroll administration and HR archive: copy-IDs, payslips, annual statements, application files of hired candidates.
• Temp agency administration: candidate intake with BSN for wage tax.
• Healthcare files: patient administration and billing.
• Education administration: student numbers linked to BSN.
• Old invoices to private individuals (where BSN was wrongly used as a reference).
• Copies of identity documents in archives of companies that should not have kept them.

At every archive clean-up, BSN entries are a priority: not just because of the GDPR retention period, but also because of the extra sensitivity to identity fraud.

Retention periods for BSN-bearing documents

Different periods apply per category, but the rule is usually short:

• Employee copy-ID: 5 years after end of employment (Wage Tax Act art. 28). Then mandatory destruction.
• Payslips and annual statements: 5 years tax, 7 years recommended, then destroy.
• Patient files: 20 years (WGBO). See WGBO 20 years.
• Applicant data of rejected candidates: 4 weeks (without consent) up to 1 year (with consent). BSN does not belong in a rejection file and must go straight away.
• Wrongly retained BSN entries: destroy immediately.

For a broader overview, see the GDPR retention periods cheatsheet.

Destruction method: extra care

BSN-bearing documents deserve the highest DIN level that is reasonably achievable:

• DIN P-5 minimum. Standard for special-category personal data.
• P-6 or P-7 to consider for healthcare and confidential documents.
• For hardware (HDD with BSN in DB): DIN H-5 or H-6.
• For cloud backups: cryptographic erasure plus physical sanitisation of any on-premise copies.

For the details on DIN classifications, read DIN 66399 P-5 and P-6 explained.

What if you find BSN entries in active files?

Sometimes during a clean-up you discover a BSN in places where it should not have been. For example, a customer administration of a non-healthcare institution containing a BSN entry. Steps:

1. Stop further processing of those BSN fields.
2. Assess whether there was a legitimate basis (was there a statutory obligation for inclusion?).
3. If not: remove or destroy the BSN entries.
4. Document in the data breach register if there was structural misuse.
5. Update internal procedures to prevent a recurrence.

Specific attention: copies of identity documents

A common mistake: organisations without a statutory basis nonetheless copy identity documents "just in case". The AP has repeatedly warned about this:

• Employers: ID copy is mandatory for payroll administration. Allowed.
• Insurers with a Wwft basis: allowed.
• Landlords, sports clubs, businesses without a basis: not allowed.
• Notaries, lawyers, banks for identification: allowed, provided that BSN is blacked out on the copy straight after verification.

The AP offers a "KopieID" app that automatically blacks out the BSN on copies of identity documents. Distribute that app among employees who make copies.

Separate stream in destruction

During pickup and destruction we ask organisations to supply BSN-bearing documents separately. The benefit: this stream automatically gets the highest DIN level, without the whole clean-up having to be at P-6. On the certificate a separate line then states "BSN-bearing documents, P-5 / P-6".

Recommended approach

1. Inventory all places where BSN appears.
2. Test per place: is there a statutory basis? Which retention period?
3. Remove unjustified BSN entries immediately.
4. Destroy old BSN-bearing documents at DIN P-5 or P-6.
5. Document in the records of processing. Read records of processing.
6. Train staff in BSN discipline (no unnecessary capture, use the KopieID app).

---

A collection of copy-IDs or payslips to destroy? Email us via desnipperaar.nl. We schedule a separate BSN stream in the same run.