Cleaning companies: destroying customer data
A cleaning company gets in everywhere. In offices, practices, schools and homes. Along the way you process customer addresses, access and key data, alarm codes, contracts and work rosters, and of your own cleaners personal data and a certificate of conduct. Part falls under the tax retention obligation, part you keep only while the assignment runs, and sensitive access data should be kept as briefly as possible. This guide shows, by part, what you keep, when it may go and how to have it destroyed confidentially.
The quick version. Invoicing and administration fall under the seven-year tax rule. Contracts and work rosters you keep until the end of the assignment. Customer addresses, key lists and alarm codes you keep no longer than the access lasts. What may go disappears confidentially and with a certificate.
Two frameworks: the assignment and the GDPR
At a cleaning company two things run together. From the assignment you need certain data to do your work, from an address and an access code to a work roster. Alongside this the GDPR applies, which requires not keeping personal data longer than necessary. The assignment sets the floor for what you need during the work, the GDPR the ceiling for what you may not keep too long afterwards.
So treat the data by type. An invoice has a different status than a key list or an alarm code. A current contract is something other than an old work roster that has been out of date for months. If you make that distinction, you keep exactly what you must and clear out the rest on time.
Retention periods by part
The period differs per type of data. The overview below gives the main line. Count the tax period from the end of the financial year and the other periods from the end of the assignment or the end of employment.
| Part | Starting point | Period |
|---|---|---|
| Invoicing and administration | Tax retention obligation | 7 years |
| Contracts and work rosters | Until end of assignment and tax | purpose-bound + 7 years |
| Customer addresses and contact data | While the assignment runs | duration of assignment |
| Key, access and alarm data | As limited as possible | until access ends |
| Cleaner's personnel file | After leaving employment | usually 2 years |
| Cleaner's certificate of conduct | Only as proof | as briefly as possible |
Use this as a guideline, not a substitute for your own agreements and contracts. The general line per document type is in how long you keep documents, and the full list of legal periods is in the GDPR retention periods cheatsheet.
Access, keys and alarm codes: the most sensitive
The most sensitive data of a cleaning company is not about yourself, but about your customers' premises. A key list, a list of access passes and certainly an alarm code are worth their weight in gold to anyone with bad intentions. So manage that information as tightly as possible. Record only what you need, do not keep it on a stray note at the front desk and update it immediately when a cleaner leaves or an assignment ends.
When a customer leaves or a building's locks are changed, the old codes and key lists lose their purpose. If you keep them anyway, you hold on to a risk you no longer need. A clean desk policy that also covers destruction helps to keep those papers from lying around the office or the car. What you no longer use, you clear out confidentially instead of pushing it away in a drawer.
Customers at a distance and cleaners on the road
Many cleaning companies work from a small office or from home. Work rosters, address lists and customer contracts then travel along in bags, in cars and on phones. That is practical, but it increases the chance that confidential data is left somewhere. Treat paper on the road just as carefully as at the office. The points to watch for working from home with confidential documents apply here in full.
Agree where printed rosters and address lists go after use. Collect them centrally in a locked bin and have them destroyed at fixed intervals. That way you prevent an old customer list from ending up in the recycling or in a wastebasket on site.
Cleaners' personnel and certificate-of-conduct data
Of your own staff you process personal data, contracts, payslips and often a certificate of conduct (VOG). A VOG you keep as briefly as possible. You need it as proof that you saw the certificate at the start of employment, not to keep for years. The personnel file you largely clear out within two years of the employee leaving, with a tax part such as payroll data that lasts longer. The full breakdown per component is in the retention period of the personnel file under the GDPR.
Keep cleaners' files recognisably separate from the customer administration. That way, when clearing out, you know exactly what falls under a tax period and what may go after employment ends. What you print out, you clear out confidentially as soon as it has served its purpose.
How to handle it in 6 steps
- Split the data into administration, contracts, customer addresses, access data and personnel files.
- Limit access data to keys, passes and codes you really need.
- Update at every change as soon as a cleaner leaves or an assignment ends.
- Keep the administration for the seven-year tax period.
- Collect what may go in locked bins, not in the recycling.
- Have it destroyed confidentially with a certificate and record it in your register.
Destroy confidentially with a certificate
Customer and access data you have destroyed confidentially, because it contains addresses, key and alarm information and sometimes personnel data. The paper and any data carriers travel sealed and stay that way until destruction, so the chain is closed. An old scheduling computer, phone or USB stick with customer rosters belongs with it too.
Afterwards you receive a certificate of destruction with the date, quantity and level. That certificate is your proof towards the GDPR that you acted carefully. Record the destruction in your record of processing. We collect within 20 km of Amsterdam with no call-out charge, work nationwide through pooled collection rounds and charge a fixed price per box or roll container. Drop-off on site is not possible; it works by appointment through collection.
Customer and access data to be destroyed?
Tell us what you have and you get a fixed price. We collect it sealed, destroy it at the right DIN level and you receive a certificate for your GDPR file. No call-out charge within 20 km of Amsterdam.
Request a quoteCommon mistakes
- Leaving key lists and alarm codes lying around. Manage them tightly and update at every change.
- Keeping old codes after a lock change. Without access the purpose of that data lapses.
- Keeping certificates of conduct for years. A certificate belongs in the file as briefly as possible.
- Throwing customer addresses in the recycling. An address list on the street is a reportable data breach.
- Keeping no proof. Without a certificate you cannot demonstrate the destruction.
Frequently asked questions
How long does a cleaning company keep customer and contract data?
Invoicing and administration fall under the seven-year tax retention obligation. Contracts and work rosters you keep until the end of the assignment and as long as a warranty or dispute may still play out. Single customer addresses you keep no longer than the assignment runs.
What do I do with a customer's keys, access passes and alarm codes?
Manage that data as tightly as possible and update it immediately when a cleaner leaves or an assignment ends. Codes and key lists on paper you clear out confidentially as soon as the access is no longer needed.
How long may I keep a cleaner's certificate of conduct and personnel file?
A certificate of conduct you keep as briefly as possible, only as proof that you saw it at the start of employment. The personnel file you largely clear out within two years of the employee leaving, with a tax part that lasts longer.
How do I destroy this data in line with the GDPR?
Confidentially and with a certificate of destruction. Paper and data carriers travel sealed and the destruction is recorded in the record of processing.
Conclusion
A cleaning company works with customer addresses, key and alarm data, contracts and the personal data of its own cleaners, between the assignment and the GDPR. Keep the administration for seven years, keep contracts until the end of the assignment and be extremely restrained with access data. Update key lists and codes at every change and clear out certificates of conduct and old personnel files on time. What may go you have destroyed confidentially with a certificate as proof. That way you meet the GDPR and protect your customers' premises and data.
Read also: manufacturers: destroying business data, catering companies: destroying customer data, equipment rental: destroying customer data and the GDPR retention periods cheatsheet.
Have customer data collected? Request a quote via desnipperaar.nl. Within a few minutes you have a fixed price, including a certificate as proof.