Debt collection agencies: destroying debtor data
A debt collection agency processes data about people at their most vulnerable moment: outstanding claims, payment data, payment plans and sometimes the reason behind a debt. These files demand care, both in keeping and in destroying. Keep it too long and you hold sensitive data without a purpose. Keep it too short and you miss documents in a dispute. This guide shows, by type of data, what you keep, when it may go and how to destroy it confidentially.
The quick answer: keep the administration for seven years under the tax retention obligation. Keep the debtor file until the claim has been settled and the limitation period has expired; after that it may go. If it contains medical or social data, treat that separately. What may go is destroyed confidentially and with a certificate.
Why collection files demand care
A collection file is about money, but often says more. It contains the claim, the payment data and the correspondence, and sometimes a debtor's explanation of why paying is not possible: a divorce, illness or loss of work. That explanation can contain medical or social information, which makes the data more sensitive than just an outstanding amount. The people involved are, moreover, vulnerable.
So the GDPR storage limitation weighs heavily here. Do not keep data longer than necessary, but do account for the long tail of a claim that only becomes time-barred after years. Balancing those two sides is why a well-chosen retention period per type of data matters.
Retention periods by type of data
The period depends on the type of data. The overview below gives the main line. Count the tax period from the end of the financial year and the other periods from the settlement of the claim.
| Type of data | Starting point | Period |
|---|---|---|
| Administration and invoicing | Tax retention obligation | 7 years |
| Debtor file with a running claim | Until settlement | + limitation |
| Settled or uncollectible claim | Purpose lapsed | destroy confidentially |
| Payment data and plans | Tied to the claim | purpose-bound |
| Medical or social explanation | Special-category data | destroy at a fine level |
| Correspondence and drafts | No retention obligation | clear out at once |
Use this as a guideline, not a final legal ruling. When in doubt about a specific file, consult your data protection officer or legal adviser. The tax side is covered in "the 7-year tax retention obligation".
Limitation of a claim
The moment you may destroy a debtor file is linked to the limitation of the claim. Many monetary claims become time-barred after five years, others after a different period, and limitation can be interrupted by writing to the debtor. As long as the claim can still be enforced, there is a valid purpose to keep the file.
Only once the claim has been fully settled, or definitively declared uncollectible and the period has expired, does that purpose lapse. Then this file too should be destroyed confidentially. Assess per file whether the claim really has been closed before anything goes, so you do not destroy too early.
Medical and social data separately
Where a debtor has explained health or social reasons when agreeing a payment plan, the file contains special-category personal data. Keep it recognisably separate, give access only to those who need it and destroy it at a fine level as soon as it is no longer needed. That way you avoid a whole file inheriting the longest period of its most sensitive part.
Debtors often also deal with other parties, such as a debt counsellor or an energy company with a payment arrangement. How those parties handle it is covered in "debt counselling and administration: destroying client files" and "energy and utilities: destroying customer data".
How to handle it in 6 steps
- Split the file into administration, debtor file and special data.
- Clear out drafts and correspondence without a retention obligation confidentially at once.
- Assess per claim whether it has been settled and limitation has expired.
- Treat medical and social data separately and at a fine destruction level.
- Collect what may go in sealed containers, not in the paper bin.
- Have it destroyed confidentially with a certificate and record it in your register.
Destroy confidentially with a certificate
Collection files are destroyed confidentially, because they contain payment data, a national ID number or address and sometimes special data. The paper and the data carriers travel sealed and stay that way until destruction, so the chain is closed. In a system migration or when clearing out old servers, the digital carriers are part of this too.
Afterwards you receive a certificate of destruction with the date, quantity and level. That certificate is your proof under the GDPR that you acted carefully. Record the destruction in your record of processing. We collect within 20 km of Amsterdam with no call-out charge, work nationwide through pooled collection rounds and charge a fixed price per box or roll container. Drop-off on site is not possible; collection is by appointment.
Collection files to be destroyed?
Tell us what you have and you get a fixed price. We collect it sealed, destroy it at the right DIN level and you receive a certificate for your GDPR file. No call-out charge within 20 km of Amsterdam.
Common mistakes
- Keeping files just in case. After settlement and limitation the purpose lapses.
- Destroying too early. As long as a claim is still running, you need the file.
- Not treating medical and social explanations separately. That is special data.
- Throwing away unshredded. A debtor file on the street is a reportable data breach affecting a vulnerable person.
- Keeping no proof. Without a certificate you cannot demonstrate the destruction.
Frequently asked questions
How long does a debt collection agency keep a debtor file?
The administration falls under the seven-year tax retention obligation. Keep the debtor file until the claim has been settled and the limitation period has expired; after that it may go. Keeping just in case is not a valid ground.
When does a monetary claim become time-barred?
Many monetary claims become time-barred after five years, some after a different period, and limitation can be interrupted. Only count on destruction once the claim has genuinely been settled or is definitively uncollectible and the period has expired.
Do collection files contain special-category personal data?
Sometimes. A debtor occasionally explains medical or social reasons when agreeing a payment plan. That data is special-category personal data and requires extra care and a fine destruction level.
How do I destroy collection files in line with the GDPR?
Confidentially and with a certificate of destruction. Paper and data carriers travel sealed and the destruction is recorded in the record of processing.
Conclusion
A collection file is about money, but often contains sensitive data of vulnerable people. Keep the administration seven years, keep the debtor file until the claim has been settled and limitation has expired, and treat medical or social explanations separately. Have what may go destroyed confidentially, with a certificate as proof. That way you keep nothing too long and nothing too short, and you have proof in hand in a dispute or audit.
Have collection files collected? Request a quote via desnipperaar.nl. Within a few minutes you have a fixed price, including a certificate as proof.