Certificate of Destruction: what should it contain and why?
A Certificate of Destruction is a single A4 sheet with great value. It is the only hard evidence you can use later to demonstrate that an archive, a batch of media or a stock of products was actually destroyed, on what date, to which standard and by whom. For your GDPR file, your accountant, a supervisory authority and your own peace of mind, this piece of paper is indispensable. This article sets out precisely what it should contain and the pitfalls of certificates that are too brief.
Audience: DPOs, office managers, compliance officers and buyers who sign off on a destruction order.
Why a certificate?
The GDPR does not mention a ‘Certificate of Destruction’ by name. In practice, however, it is the document you need to meet three requirements:
- GDPR art. 5(2) (accountability): the controller must be able to demonstrate compliance with the principles.
- GDPR art. 32 (security): appropriate technical and organisational measures must be in place, and you must be able to show that they were carried out.
- GDPR art. 30 (record of processing activities): destruction is a processing activity that should be logged.
In addition, the Autoriteit Persoonsgegevens (the Dutch supervisory authority, AP) asks for certificates during investigations. An organisation that cannot produce them quickly runs into trouble in an audit.
A destruction certificate is not a formality. It is the contractual, technical and legal evidence in a single document.
The mandatory fields
At minimum, every certificate must contain the following fields.
1. Unique order number
A unique number per certificate. Used for reference, audit trail and any correspondence.
2. Date and time of destruction
Not only the date but also the time window. ‘6 March 2026, 9:15 to 11:20’ is better than just ‘6 March’.
3. Location of destruction
Address where the destruction took place. For on-site destruction: your own address. For offsite: the address of the destruction facility, with the seal code of the transport container if applicable.
4. Client
Full name, Chamber of Commerce number and address.
5. Operator
Company name of the destruction service, name of the operator, signature.
6. Type of media
Which category: paper, HDD, SSD, tape, USB, mobile phones, products. A separate line per category with quantity or weight.
7. Number of units or weight
For paper usually kilos. For media, number of items. For hard drives, preferably also the serial numbers (see next point).
8. Serial numbers (for media)
For HDD, SSD, phones and tapes a list of serial numbers. In an audit this is essential to prove that a specific device was destroyed. For large batches an appendix can suffice.
9. Method of destruction
Shredding, disintegration, melting, degaussing. List HDD and SSD separately, because these are different processes: degaussing only works on magnetic media (HDD, tape) and has no effect on flash-based media such as SSDs, USB sticks and phones, which must be physically destroyed or crypto-erased.
10. Applied standard and level
DIN 66399 with media class letter and level number (P-4, P-5, H-4, E-5, T-5). For IT destruction also reference NIST SP 800-88 (Clear, Purge or Destroy). See our article on DIN 66399 P-levels.
11. Witness
If someone from the client observed: name and signature. Optional but very strong evidentially.
12. Operator signature
Physical or digital. Without a signature, the document is not a certificate but an internal note, because nobody has taken responsibility for what it states.
Why these fields together are essential
Imagine that two years after the destruction a question comes in: ‘Can you demonstrate that the drive with serial number X was destroyed?’ Without serial numbers on the certificate you can prove nothing. With serial numbers you can say: ‘Certificate #2026-0306-01, page 3, line 17, method H-5, destroyed the same day in my presence.’ That closes the matter. The check works in the other direction too: match the serial numbers on the certificate against your asset register, and any decommissioned drive that appears on no certificate is a gap you still have to explain.
Certificate with serial numbers and DIN level?
We deliver a complete certificate per order as standard, including serial numbers for media and DIN level. Audit-proof for healthcare, financial, legal and notaries.
Common certificate errors
No DIN level stated
‘Destroyed in accordance with GDPR standards’ is meaningless: the GDPR does not prescribe any destruction standard. Demand that DIN 66399 is stated with media class letter and level number.
No serial numbers for HDD and SSD
‘50 hard drives destroyed’ without serial numbers is insufficient for an audit, because it does not tie any specific device to the certificate. Demand a list, and check that the number of serials matches the number of units.
No method for media
It matters whether an SSD was shredded, degaussed or destroyed via crypto-erase (a Purge technique under NIST SP 800-88): a certificate that says ‘degaussed’ for an SSD proves nothing, because degaussing does not affect flash memory. State the method per media type.
Certificate only weeks after the order
A good service delivers the certificate within 1 to 2 working days. Weeks of waiting is a sign of weak administration. Do not wait: ask for the document right after destruction.
Only PDF, no signature
A PDF without a digital signature is easy to alter after the fact. Demand a signed version, preferably a PDF with a verifiable digital signature or a download from a dedicated portal that the service controls, and keep the signed file rather than a printout or screenshot.
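The checks above, and the serial-number reconciliation from ‘Why these fields together are essential’, are easy to automate once the certificate has been transcribed into a structured record. The script below is an added example, not a tool from desnipperaar.nl or part of this article: the record layout (`Certificate`, `MediaLine`), the sample certificate and the asset register are constructed for illustration. The rule that degaussing does not erase flash media follows NIST SP 800-88; the DIN 66399 pattern accepts the six media classes (P, F, O, T, H, E) with levels 1 to 7.

```python
"""Validate a transcribed certificate of destruction and reconcile its
serial numbers against an asset register (added example; constructed data)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# DIN 66399: media class letter (P paper, F film, O optical, T magnetic tape,
# H hard drives, E electronic/flash media) plus a security level 1-7.
DIN_LEVEL = re.compile(r"^[PFOTHE]-[1-7]$")
SERIALISED = {"HDD", "SSD", "tape", "phone"}   # must be listed per serial number
FLASH = {"SSD", "phone", "USB"}                  # degaussing has no effect on these


def norm(serial: str) -> str:
    """Normalise a serial for matching: strip whitespace, upper-case."""
    return re.sub(r"\s+", "", serial).upper()


@dataclass
class MediaLine:
    """One category line on the certificate (assumed layout)."""
    media: str
    method: str
    din_level: str
    quantity: Optional[int] = None
    weight_kg: Optional[float] = None
    serials: List[str] = field(default_factory=list)


@dataclass
class Certificate:
    order_no: str
    date: str
    signed: bool
    lines: List[MediaLine]


def check_certificate(cert: Certificate) -> List[str]:
    """Return findings for the common errors; an empty list means it passes."""
    findings: List[str] = []
    if not cert.signed:
        findings.append(f"{cert.order_no}: no operator signature")
    for i, ln in enumerate(cert.lines, 1):
        where = f"{cert.order_no} line {i} ({ln.media})"
        if not DIN_LEVEL.match(ln.din_level):
            findings.append(f"{where}: DIN 66399 level missing or malformed: {ln.din_level!r}")
        if ln.media in SERIALISED:
            if not ln.method:
                findings.append(f"{where}: no destruction method stated")
            if not ln.serials:
                findings.append(f"{where}: no serial numbers listed")
            elif ln.quantity is not None and len(ln.serials) != ln.quantity:
                findings.append(f"{where}: {ln.quantity} units but {len(ln.serials)} serials")
        if ln.media in FLASH and ln.method.lower() == "degaussing":
            findings.append(f"{where}: degaussing does not erase flash media")
    return findings


def reconcile(cert: Certificate, register: Set[str]) -> Tuple[Set[str], Set[str]]:
    """(decommissioned serials with no destruction proof, certificate serials not in the register)."""
    destroyed = {norm(s) for ln in cert.lines for s in ln.serials}
    wanted = {norm(s) for s in register}
    return wanted - destroyed, destroyed - wanted


# Constructed sample certificate and asset register (not real data).
CERT = Certificate(
    order_no="2026-0306-01", date="2026-03-06", signed=True,
    lines=[
        MediaLine("paper", "shredding", "P-4", weight_kg=120.0),
        MediaLine("HDD", "shredding", "H-5", quantity=3,
                  serials=["WD-A1 001", "wd-a1002", "WD-A1003"]),
        MediaLine("SSD", "degaussing", "E-3", quantity=2,
                  serials=["SN-SSD-1", "SN-SSD-2"]),
    ],
)
REGISTER = {"WD-A1001", "WD-A1002", "WD-A1003", "WD-A1004", "SN-SSD-1"}

if __name__ == "__main__":
    for finding in check_certificate(CERT):
        print("FINDING:", finding)
    no_proof, unknown = reconcile(CERT, REGISTER)
    print("decommissioned but no certificate:", sorted(no_proof))
    print("on certificate but not in register:", sorted(unknown))
```

Running it flags the SSD line (degaussed flash media) and reports one drive from the register without a certificate and one certificate serial that the register never knew about; both are the questions an auditor would put to you, so they are worth answering before the audit.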
How long do you keep the certificate?
At least 5 years after the order date, in your GDPR file. For certain sectors longer:
- Notaries: until the end of the retention period of the related deed or at least 10 years
- Healthcare: 20 years (analogous to the WGBO record period). See WGBO 20 years.
- Legal practice: at least 10 years
- Tax-relevant destructions: 7 years (analogous to AWR art. 52)
Digital or paper?
Both are acceptable. Digital has the advantage of searchability and audit trail. Paper is still requested by some sectors as a ‘hard copy’ in the folder. For digital: encrypted storage in your DMS or GDPR file.
Audit example
During an investigation by the Autoriteit Persoonsgegevens (AP), the following exchange can take place:
- AP: ‘You stated in the record of processing activities that files from 2016 have been destroyed. Can you demonstrate this?’
- Controller: ‘Yes, certificate number 2024-0115-03 shows 437 kilos of paper, DIN 66399 P-5, carried out on 15 January 2024 at our address, operator Jansen, witness Visser (the undersigned).’
- AP: ‘Accepted.’
That is the difference between a complete certificate and a sloppy one: every detail the AP asks for is already on the sheet.
Audit coming up? Call us or request a quote via desnipperaar.nl. A complete certificate per order, digitally signed, in your inbox within a working day.