Confidential paper destruction for businesses: what you must do and how
Confidential paper destruction is not a choice for businesses but a GDPR obligation. Anything with personal data or sensitive business information should be made demonstrably illegible, with a certificate as proof. The material is collected and destroyed to the right DIN level.
Want to check quickly whether you have this in order? Run through this list:
- Is there a locked bin for confidential paper, or does it end up in the wastebasket?
- Do staff know which paper is confidential?
- Is it destroyed to at least DIN 66399 P-4?
- Do you receive a certificate of destruction?
- Do you keep that certificate in your GDPR file?
If you hesitate on any of these, the sections below show how to set it up properly. We cover what counts as confidential, what the GDPR requires, the risks a paper leak brings, how collection works and what proof you keep.
What is confidential paper?
Confidential is any document with personal data or sensitive business information. In practice that covers far more than people think:
- Personnel files with payslips, ID numbers, appraisals and copies of identity documents.
- Client data such as addresses, order history, complaints and payment details.
- Financial records, invoices, bank statements and annual accounts.
- Contracts and quotes, with prices, terms and names.
- Internal documents, minutes, strategy, draft versions and notes.
The rule of thumb is simple: if you doubt whether a document is sensitive, treat it as if it is. The full explanation of which documents are confidential is in destroying confidential documents.
What the GDPR requires of businesses
Two articles of the GDPR are decisive here. Article 5 requires storage limitation: you do not keep personal data longer than needed and clear it out afterwards. Article 32 requires appropriate technical and organisational measures to protect that data. That protection duty does not stop at the archive but runs until a document has been destroyed beyond legibility. A file past its retention period that nonetheless stays in the cabinet is therefore itself a breach. What this means concretely for SMEs is in GDPR requirements for SMEs.
How long to keep before you destroy?
You may only destroy once the retention period has passed, because some documents you are legally required to keep for a set time. The tax retention obligation for records is seven years; for property data it is ten years. Personnel files have their own periods: part may go two years after the employee leaves, while payroll tax data you keep longer. The practical approach is a fixed schedule: each year you review which files are past their period, and those go in the next collection. That way you keep neither too long nor too short.
The risks of a paper leak
A data breach is by no means always a hack. Think of a box of old files that ends up with the waste paper, a full wastebasket put out on the street, or a folder that falls out of a moving box. In all those cases someone can take personal data. The consequences can be serious:
- Reporting duty. You must report a serious data breach to the data protection authority within 72 hours. How that works is in reporting a data breach in 72 hours.
- Fine. The supervisor can impose a fine for careless handling of data.
- Reputation. A leak of client data damages trust, often longer than the fine itself.
- Fraud. With an ID number or ID copy someone can commit identity fraud, at the expense of your employee or client.
Confidential destruction removes that risk. The paper is collected sealed and made demonstrably illegible.
Who is responsible within the organisation?
Under the GDPR your organisation is the controller, not the individual employee. Still, in practice it stands or falls with clear arrangements. Appoint someone to keep the overview, for example the office manager or the data protection officer. Briefly record who does what: who decides which files may go, who plans the collection and who keeps the certificates. Half a page of working arrangements prevents confidential paper from lingering because no one feels responsible.
How does confidential destruction work for businesses?
- Gathering. Confidential paper goes in a locked bin or in boxes, separate from ordinary waste paper.
- Request. You give the volume and choose one-off or periodic. You get a fixed price.
- Collection. We collect it at your location, sealed for sensitive documents.
- Destruction. The paper is shredded to the right DIN level and then recycled.
- Certificate. You receive a certificate of destruction for your file.
Which DIN level is needed?
The DIN 66399 standard sets out how finely paper must be shredded. The more sensitive the data, the smaller the particles.
| Level | Particle size | Suitable for |
|---|---|---|
| P-2 | Strips | General print without data |
| P-4 | Small particles | Documents with personal data |
| P-5 | Very small particles | ID numbers, medical and special data |
For most office documents P-4 is the workable minimum. If you work with special personal data, such as a healthcare practice or an HR department with ID numbers, P-5 is indicated.
Confidential paper by sector
Almost every organisation produces confidential paper, but the emphasis differs. An accounting firm has annual accounts and client files, a law firm case files, a healthcare practice patient data, a webshop packing slips with addresses, an HR department personnel files. What they share is the duty to demonstrably destroy those documents after the retention period. The approach is the same for all: collect in a locked bin, have it collected and keep the certificate. Exactly which period applies differs by sector, but the duty to destroy demonstrably applies to everyone.
A locked bin at the office
The most practical solution for businesses that continuously produce confidential paper is a locked bin at the office. Staff put their confidential documents straight in, instead of in the ordinary wastebasket. No one can get at it on the way, because the bin is locked. Periodically the bin is collected and emptied, for example monthly or quarterly. That way it stays neatly arranged without anyone having to think of it each time. A good working method at the desk belongs with it, as described in clean desk policy and destruction.
Periodic or one-off?
If you have a one-off clear-out, for example after a year-end or a move, a one-off collection without a contract suffices. If you produce confidential paper continuously, a fixed frequency is handier. The trade-off depends mainly on how fast the paper piles up. Many SMEs combine both: a fixed bin for the daily flow and a separate collection when the archive cabinet is emptied.
Do you need a processor agreement?
If you have an external party structurally destroy personal data, a processor agreement is usual. It sets out what the processor may do with the data and how it secures it. For a one-off collection the certificate of destruction in practice often suffices as proof that the documents were destroyed correctly. What belongs in such an agreement is in the processor agreement checklist.
Don't forget the data carriers
Confidential information is not only on paper. In the same cabinet there are often old hard drives, USB sticks or a written-off laptop with years of business data. Deleting a file does not actually erase that data, and on an SSD software wiping is unreliable because the drive's wear levelling can leave copies that an overwrite never reaches. For certainty, physical destruction of the carrier is needed, to the right level and with the serial numbers on the certificate. The practical advantage is that paper and data carriers can come in the same collection, each destroyed its own way. That way you close both the paper and the digital flow in one go.
Confidential paper and working from home
Since more people partly work from home, confidential paper also arises outside the office. A printed quote, a note with client data, a printout left lying around. At home there is rarely a locked bin or a good shredder, so documents easily end up with the ordinary waste paper. So agree that staff take confidential paper back to the office and put it in the locked bin there. How to arrange that is in working from home with confidential documents.
The certificate of destruction
After every collection you receive a certificate of destruction with the date, quantity and the DIN level applied. That document is your proof towards the data protection authority, an auditor or a client asking what happened to their data. Without that proof you are empty-handed in an inspection, even if you had everything destroyed correctly. Keep the certificate for at least 5 years in your GDPR file.
What does confidential paper destruction cost?
You pay a fixed price per box or roll container, known in advance. The first box costs about 30 euro and for larger volumes a roll container by weight becomes cheaper. Within 20 km of Amsterdam we charge no call-out fee. The full pricing with worked examples is in what does archive destruction cost. For a locked bin with a fixed frequency you make an arrangement based on your volume.
What happens to the paper after destruction?
After destruction, shredded paper goes to a paper mill, where it is pulped into new fibres. Your old records become raw material for new paper, without anything legible remaining. Confidential destruction and sustainability therefore go together. For many businesses that is a welcome detail in the sustainability report: clearing out safely contributes to the paper cycle at the same time.
Shred yourself or outsource?
An office shredder seems cheap, but it is slow, jams and rarely reaches a high DIN level. On top of that it produces no certificate, while that is precisely your proof. For a few sheets a day shredding yourself is fine, but as soon as it is boxes or a continuous flow, outsourcing is faster, safer and easier to demonstrate. The key difference is the proof: a service provider records what was destroyed and at which level.
A real-world example
Imagine an HR department closes the year and wants to clear out the personnel files whose retention period has passed. Those files contain payslips, appraisals and copies of identity documents, all special personal data. Shredding it yourself with the office device would take days and does not reach P-5. Instead the department collects the files in a locked bin, gives the volume and plans a collection. The documents are destroyed to P-5 and the HR manager receives a certificate that goes neatly into the GDPR file. At the next audit the proof is immediately at hand.
Make it policy
Separate actions work for a while, but rarely stick. Confidential destruction works best as a fixed part of your information security. Set out in a short guideline what is confidential, where it is collected, at what level it is destroyed and how often the bin is collected. Include it in the onboarding of new staff, so everyone knows from day one how it works. That way careful clearing-out becomes a habit instead of an annual scramble.
Common mistakes
- Confidential paper in the ordinary wastebasket. Without a locked bin it disappears among the normal waste, with the leak risk that brings.
- Keeping too long. A file past its retention period that stays put is itself a breach.
- Not requesting a certificate. Without proof you cannot show you destroyed carefully.
- Too low a level. For ID numbers and special data P-5 is needed, not P-2.
- Not informing staff. If no one knows what is confidential, it still goes wrong.
Practical tips
- Put a locked bin in a central spot, not tucked away in a corner.
- Label clearly what goes in, so no one has to hesitate.
- Plan a fixed clear-out round each quarter for files past their retention period.
- Hand over data carriers such as old USB sticks and hard drives in the same collection.
- Archive the certificates digitally, so you find them at once in an audit.
Have your confidential paper destroyed?
Tell us how much you have and choose one-off or periodic. You get a fixed price, we collect it and destroy it to the right level, with a certificate as proof. No call-out charge within 20 km of Amsterdam.
Frequently asked questions
What counts as confidential paper?
Any document with personal data or commercially sensitive information: personnel and client files, financial documents, contracts, quotes and internal notes. When in doubt, treat it as confidential.
Can a business put confidential paper out with the waste paper?
No. Throwing out paper with personal data unshredded is a data breach under the GDPR. It should be destroyed confidentially, with a certificate as proof.
Do I need a processor agreement?
For structural destruction of personal data a processor agreement is usual. For a one-off collection the certificate of destruction often suffices as proof.
How often must confidential paper be collected?
That depends on your volume. Many businesses choose a locked bin emptied monthly or quarterly, others plan a one-off collection during a clear-out.
Which DIN level do I need?
For ordinary office documents DIN 66399 P-4 is the minimum. For ID numbers, medical data and ID copies P-5 is indicated.
Conclusion
Confidential paper destruction is an obligation for businesses that follows from the GDPR. Arrange a locked bin, have it collected and destroyed to the right DIN level and keep the certificate as proof. That way you prevent a paper leak, meet the reporting duty and can show at every inspection that you handle data carefully. A good working method takes little effort and removes a considerable risk. Start small with a bin and a fixed collection round, the rest follows by itself.
Ready to clear out your confidential paper safely? Request a quote via desnipperaar.nl. You give the volume and you get a fixed price with a certificate.